My syslog server archives the data into text files. How do I create reports from or view that data without using a text editor? Can I open the archived syslog data using the Syslog Web Access?
How can I view or report on old syslog data?
Syslog alerts, help?
Hello,
I made an alert - this is not difficult, but I want to add a message to that alert.
"1/28/2014 12:33 PM : SYS-5-CONFIG_I 43: Jan 28 12:33:08: %SYS-5-CONFIG_I: Configured from console by XXXXX on vty0 (192.168.190.221)"
For now it will only show that someone configured something on some device...
I would like to get a message showing on which device the configuration was made, and which lines were changed.
We had that before on our SolarWinds...
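An added example, not from the post above or from Kiwi, of the parsing such an alert needs: it reads a Kiwi text-log line, takes the device from the host field, and pulls the user, line and source address out of the %SYS-5-CONFIG_I text. The tab-separated line layout, the device address and the user name are assumptions; the second sample line assumes Cisco IOS config logging (archive log config), whose %PARSER-5-CFGLOG_LOGGEDCMD messages carry the individual commands, since CONFIG_I itself only reports that a change happened, not what changed.

```python
import re

# Constructed sample lines in Kiwi's text-log layout (date/time, priority, host,
# message separated by tabs) -- assumed layout; device address and user are made up.
SAMPLE_LINES = [
    "01-28-2014 12:33:08\tLocal7.Notice\t192.168.10.5\t43: Jan 28 12:33:08: "
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.190.221)",
    "01-28-2014 12:33:15\tLocal7.Notice\t192.168.10.5\t44: Jan 28 12:33:15: "
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1",
]

# %SYS-5-CONFIG_I only says *that* the running config changed, by whom and from where.
CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<method>\w+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<src>[^)]+)\))?"
)
# Per-command detail comes from Cisco IOS config logging ("archive log config");
# the message shape below is assumed from that feature, not taken from the post.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)


def parse_kiwi_line(line):
    """Split one Kiwi text-log line into its four tab-separated fields."""
    parts = line.split("\t", 3)
    if len(parts) != 4:
        return None
    date_time, priority, host, message = parts
    return {"time": date_time, "priority": priority, "device": host, "message": message}


def build_alert(line):
    """Return an alert record naming the device, or None if the line is not a config event."""
    rec = parse_kiwi_line(line)
    if rec is None:
        return None
    m = CONFIG_I_RE.search(rec["message"])
    if m:
        src = m.group("src") or "console"
        return {
            "device": rec["device"], "event": "config_changed",
            "user": m.group("user"), "line": m.group("line"), "source_ip": m.group("src"),
            "text": "Configuration of %s changed by %s via %s from %s"
                    % (rec["device"], m.group("user"), m.group("line") or m.group("method"), src),
        }
    m = CFGLOG_RE.search(rec["message"])
    if m:
        cmd = m.group("cmd").strip()
        return {"device": rec["device"], "event": "config_command",
                "user": m.group("user"), "command": cmd,
                "text": "%s: %s entered '%s'" % (rec["device"], m.group("user"), cmd)}
    return None


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(build_alert(sample)["text"])
```

The "text" field is what would go into the alert's message body; anything not matched by either pattern is ignored so that link-state or other notices on the same device do not fire the rule.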
Filter and Store Windows Security Logs for 30 days?
Hi, I was wondering if someone could help with creating actions to store Windows Security Logs for a 30 day retention period? Could I have the server name at the beginning of the file, keep one log file per server, and have it contain the last 30 days of activity? I know that it will likely require the Log to File --> Insert Auto-Split Value feature. We have the full version of Kiwi.
Thanks!
Jon
traffic capture
I've been tasked with looking into a method of capturing any traffic traversing a particular router interface to have it forwarded via syslog to secureworks for monitoring. Does anyone have any ideas on how to set this up? I was thinking of port mirroring on the switch but not sure where to go from there.
Thanks,
Larry
Error: "Trial version of activeskin control" after upgrading to current Kiwi Syslog version 9.4.0
After upgrade, when I start the Kiwi Syslog app I get a box that comes up and says "Trial version of ActiveSkin control" and I need to click OK. Anyone else see this?
Debbi
Kiwi Syslog Server: Rule Action: Log to NT Event Log
Is there no way to create a custom Event log and log items to it? Can you not change the event IDs of any of your rules? Can you at least parse any of the syslog message to the event in order to change the hostname it's coming from, or the source? Can you not modify the message as it is logged, maybe to strip out the date and time (in order to consolidate alerting in other programs that are catching these alerts)? All I am able to do is change the message type (Event Level).
This is a HUGE win for us if ANY of these ideas can be added.
Currently we are sending SAN array alerts through syslog and catching it through Kiwi. Kiwi is logging to the event log and SCOM is picking it up and notifying the correct party. However, there is not much we can do at the moment in Kiwi to have the event logged in a way to use several different actions in SCOM since your choices are only Warning, Error, or informational.
Please let me know if you are having any of these same problems or if you know another way around this. There are free syslog servers that aren't nearly as good as syslog for filtering and rules, but you have the options to send alerts to several different custom Event logs.
Syslog alerts
Looking for a tool to send a real-time email alert when the number of builds to a specific IP address from any single machine exceeds 100 in a minute. Does anyone have experience with a tool that can accomplish this?
We are using the paid version of Kiwi Syslog to filter the log and output interesting traffic to a file.
Walt
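An added example, not from the post above or from Kiwi, of the threshold logic the post asks for: a sliding 60-second window per (source machine, destination IP) pair that raises one alert when the count passes 100 and re-arms once the pair drops back under the threshold. The events are constructed (timestamp, source, destination) tuples with made-up addresses; in practice they would be parsed from the file Kiwi writes, and the returned alert string would be handed to a mail action.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 100


class BurstDetector:
    """Sliding-window counter: one deque of timestamps per (source, destination) pair."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
        self.firing = set()                # pairs currently above threshold (alerted once)

    def observe(self, ts, src, dst):
        """Record one event; return an alert string the first time the pair exceeds the threshold."""
        key = (src, dst)
        q = self.recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire events older than the window
            q.popleft()
        if len(q) > self.threshold:
            if key in self.firing:
                return None                    # already alerted for this burst
            self.firing.add(key)
            return "ALERT %s: %d events from %s to %s within %d s" % (
                ts.strftime("%Y-%m-%d %H:%M:%S"), len(q), src, dst,
                self.window.total_seconds())
        self.firing.discard(key)               # re-arm once the pair is back under threshold
        return None


def run_detector(events, threshold=THRESHOLD, window=WINDOW):
    """Feed (timestamp, src, dst) tuples in time order; return the alerts raised."""
    det = BurstDetector(threshold, window)
    alerts = []
    for ts, src, dst in sorted(events):
        msg = det.observe(ts, src, dst)
        if msg:
            alerts.append(msg)
    return alerts


def sample_events():
    """Constructed traffic: one host bursting, one spread out, one quiet (addresses made up)."""
    t0 = datetime(2014, 1, 28, 12, 0, 0)
    burst = [(t0 + timedelta(milliseconds=200 * i), "10.1.1.50", "10.0.0.5") for i in range(150)]
    spread = [(t0 + timedelta(milliseconds=2500 * i), "10.1.1.60", "10.0.0.5") for i in range(120)]
    quiet = [(t0 + timedelta(seconds=i), "10.1.1.70", "10.0.0.5") for i in range(50)]
    return burst + spread + quiet


if __name__ == "__main__":
    for line in run_detector(sample_events()):
        print(line)
```

Only the bursting host trips the rule: the second host sends 120 events, but never more than 25 of them fall inside any one 60-second window, which is exactly the distinction a fixed per-minute bucket would get wrong at bucket boundaries.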
Help with Kiwi Syslog Server and email
Hi, I have a problem with Kiwi Syslog Server: when I try to run some tests with my email I get this error:
Unable to send test message.
Reason: Mail error: SMTP protocol error. 535 5.7.8
http//:support.google.com/mail/bin/answer.py?answer=14257
p13sm9533348qax.8 - gsmtp
I would like to know if anyone could help me resolve it.
I also have a question: how do I configure Kiwi's alarms so that an email is sent to me when an alert occurs?
I look forward to your kind help.
Kiwi Syslog Server 9.4 Free Collecting SNMP from GNS3 Cloud
This is probably me being silly.
I have defined a cloud MS loopback from a GNS3 emulated router. Wireshark can see the packet. If I replace Kiwi with a quick VB programme it can see the record, but I cannot get Kiwi to display the record.
Regards Conwyn
Waiting for broadcast
Received broadcast from 10.10.10.1:65347 :
0j☻☺ ♦♠public?]♠ +♠☺♦☺ +☻@♦
☺☻☺♠☻☺☺C♥6"[0?0‼♠♫+♠☺♦☺ +☺☺♠☺♥‼☻☺☺0‼♠♫+♠☺♦☺ +☺☺♠☺♦‼☻☺☻0‼♠♫+♠
☺♦☺ +☺☺♠☺♣‼☻☺♥
Waiting for broadcast
Here is Kiwi
Does Kiwi Syslog Server Support Receiving Syslog over TCP via RFC3195
We are currently trying to migrate all UDP senders of syslog to TCP. Our FortiGate security appliances only support the RFC 3195 standard for syslog over TCP. syslog-ng does not support this, and rsyslog says that it supports RFC 3195, but it is not working. Please, any assistance with this request would be appreciated. Running syslog with UDP is no longer an option.
Thanks in advance.
Securing KIWI web access with https
A coworker created the following to secure the KIWI web server for https -
KIWI SYS-LOG SSL CONFIGURATION
1. Install Apache for Win32 x86 with OpenSSL. This usually comes as an MSI.
2. Modify the following files.
a. C:\Program Files\Apache Group\Apache 2\conf\httpd.conf
b. C:\Program Files\Apache Group\Apache 2\conf\ssl.conf
3. For the httpd.conf file you must add and change the following
Uncomment the following lines
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule ssl_module modules/mod_ssl.so
Add
ServerName 10.x.x.x:80
<VirtualHost 0.0.0.0:80>
ServerName slog01
ServerAlias slog01
ProxyPass / http://localhost:8088/
ProxyPassReverse / http://localhost:8088/
</VirtualHost>
4. For the ssl.conf file you must add and change the following
Comment out the following
#<IfDefine SSL> and #</IfDefine>
Ensure the following
Listen 0.0.0.0:443
Add the following
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
Allow from 10.x.x.x/24
</Proxy>
<VirtualHost 0.0.0.0:443>
SSLEngine on
# the stock list (+LOW:+SSLv2:+EXP:+eNULL) also allowed export-grade and unencrypted sessions
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2:!RC4
SSLCertificateFile conf/ssl.crt/new.cert.cert
SSLCertificateKeyFile conf/ssl.key/new.cert.key
ServerName log01
ServerAlias nsochinslog01
ErrorLog logs/ssl_error_log.txt
TransferLog logs/ssl_access_log.txt
ProxyPass / http://localhost:8088/
ProxyPassReverse / http://localhost:8088/
</VirtualHost>
5. Creating the SSL Certificate
a. Location of the cert file c:\Program Files\Apache Group\Apache2\conf\ssl.crt
b. Location of the key file c:\Program Files\Apache Group\Apache2\conf\ssl.key
Procedures using UNIX to create the SSL Certificate:
Generate Server CA Signer
openssl genrsa -des3 -out server.key 2048
Generate Certificate Service Request (CSR)
openssl req -new -key server.key -out server.csr
Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Generate Self Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
6. Once everything is set up, stop and start the Apache services. You should then be able to hit the Kiwi Syslog Server securely, with Apache acting as a reverse proxy to the Kiwi server.
Retention syslog webaccess
Hi to all,
Is it now possible, with Kiwi Syslog version 9.0.3, to automatically delete contents older than x days from the database (Event.sdf)?
Thanks
Claudio
Kiwi Syslog Server and SNMP Traps on VMWare ESXi 4.0
Good Day,
We are having an issue getting SNMP trap inputs to work on Kiwi v9. We have installed Kiwi on both a WinXP (with SNMP trap service) and a Win2k3 Virtual Machine. When collecting syslogs it works fine. However, when we configure the SNMP inputs under Setup, we get a message stating that it "cannot open snmp listener on port 162".
There was no other SNMP software installed as it suggested that the port is already bound to an interface. We then installed the Solarwinds Engineer's toolset on the VM and used the trap receiver. Once alarms were generated this worked well while Kiwi is still unable to receive the traps.
Finally, we used a standalone laptop and loaded Kiwi. Using the same address as the VM we were able to receive the SNMP traps from the device under test. The platform that Kiwi was loaded onto was WinXP with Trap service installed.
Any ideas anyone? Any assistance will be greatly appreciated. I saw in the forum something about UDP Spoofing being unable to work as well and I was wondering if it had any connection.
Trying to filter link up or down trap messages on a switch...
I am trying to filter out messages on a filter I have. I have a filter for a specific ip address range but I need to also filter out "link down trap" and "link up trap". I receive these messages anytime a port on the switch is active and inactive. Any thoughts??
Thanks
Does kiwi queue records while SQL Server is offline
My production environment needs to have the SQL Server that Kiwi forwards Syslogs to restarted. When this restart is done I'm wondering if Kiwi will store the syslogs while the SQL is out of communication or if it will just send the packets blindly assuming the SQL Server will pick them up without verifying. If it won't auto-detect when the sql server isn't there then is there a way to manually begin queueing logs for a short time while we do some server maintenance?
kiwi syslog service crashes
I successfully installed Kiwi Syslog Server (latest version) and successfully received 18.8 million logs in 5 – 6 hours; after that the application crashes, and every time I restart the service it keeps crashing. I too would like to know if this issue has been resolved, and if so how it was done. We are required to log these messages because of audit regulations and we have multiple firewalls logging to this one server. If Kiwi cannot keep up, kindly let us know or suggest any other option.
Following are the system events:
Faulting application name: Syslogd_Service.exe, version: 9.4.0.1, time stamp: 0x5256d794
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x000552a2
Faulting process id: 0x49c
Faulting application start time: 0x01cfedd553cc3c0b
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 98b25655-59c8-11e4-8349-005056bb1e35
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: Syslogd_Service.exe
P2: 9.4.0.1
P3: 5256d794
P4: ntdll.dll
P5: 6.1.7601.18247
P6: 521ea8e7
P7: c0000005
P8: 000552a2
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d
Analysis symbol:
Rechecking for solution: 0
Report Id: 98b25655-59c8-11e4-8349-005056bb1e35
Report Status: 0
Kiwi Syslog Web Access Accounts
I understand I can create a maximum of five user accounts for web access. Does this limitation apply to the number of accounts that can access the web interface through AD, too? I have AD authentication set up and I noticed Kiwi automatically creates a local account with the domain\username when a user logs in. Thanks.
Jason
Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)
PROBLEM - pfSense syslogs for a firewall event are split into two lines when sent to the Kiwi Syslog app.
Is there a way to edit the configuration or parsing script to parse the pfSense event as one line, similar to what the Splunk app can do? See link http://www.basementpctech.com/content/pfsense-log-analysis-splunk
I understand that this is a pfSense tcpdump issue, but I have already tried changing link http://redmine.pfsense.org/issues/1938 without any luck; it just doesn't work. I tried all combinations of changes without any luck.
Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6
I would really appreciate any help with this, as I have already exhausted searching for a working solution using Kiwi Syslog, and this is the only thing holding me back from purchasing this application.
Appreciate any help on this..........
Example from Kiwi Syslog
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: 10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]
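An added example, not from the post above, from Kiwi or from pfSense, of the joining step the post asks for: every pf line that contains "rule N/0(match):" opens a new event, and the packet-decode lines that follow it from the same host with the same firewall timestamp are folded into that event, with the source and destination taken from the first packet line. The sample log is constructed in the layout shown above (the host, addresses and MAC are made up), and the assumption that the rule line always precedes its packet lines comes from tcpdump-style pf logging, not from the post.

```python
import re

# Constructed sample in the layout Kiwi shows for pfSense 2.0 filter logs; the host,
# addresses and MAC are made up. The rule line comes first, the packet decode follows
# on one or more further lines, all carrying the same firewall timestamp.
SAMPLE_LOG = """\
02-06-2013 13:01:35 Local0.Info 10.0.0.1 Feb 6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)
02-06-2013 13:01:35 Local0.Info 10.0.0.1 Feb 6 13:01:37 pf: 10.0.0.50.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags [bcast]
02-06-2013 13:01:35 Local0.Info 10.0.0.1 Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]
02-06-2013 13:01:40 Local0.Info 10.0.0.1 Feb 6 13:01:42 pf: 00:00:05.120000 rule 3/0(match): pass in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
02-06-2013 13:01:40 Local0.Info 10.0.0.1 Feb 6 13:01:42 pf: 192.168.1.10.51234 > 10.0.0.1.443: Flags [S], seq 1, win 65535, length 0
"""

# Kiwi prefix (date, priority, host), firewall timestamp, then the pf payload.
KIWI_RE = re.compile(
    r"^(?P<kdate>\S+ \S+) (?P<pri>\S+) (?P<host>\S+) (?P<fwts>\w+ +\d+ [\d:]+) pf: (?P<body>.*)$")
# The rule line: rule number, action, direction, interface, IP protocol.
RULE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>\w+) on (?P<iface>\w+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\)")
# The first packet line: "src.port > dst.port:" in tcpdump notation.
FLOW_RE = re.compile(r"^(?P<src>[\d.]+?)\.(?P<sport>\d+) > (?P<dst>[\d.]+?)\.(?P<dport>\d+):")


def merge_pf_events(text):
    """Join each pfSense rule line with the packet lines that follow it into one event."""
    events, current = [], None
    for line in text.splitlines():
        m = KIWI_RE.match(line)
        if not m:
            continue                      # not a pf line: leave it to the normal pipeline
        body = m.group("body")
        r = RULE_RE.search(body)
        if r:                             # a rule line opens a new event
            current = {"host": m.group("host"), "fw_time": m.group("fwts"),
                       "rule": int(r.group("rule")), "action": r.group("action"),
                       "direction": r.group("dir"), "iface": r.group("iface"),
                       "proto": r.group("proto"), "detail": []}
            events.append(current)
            continue
        if (current is None or m.group("host") != current["host"]
                or m.group("fwts") != current["fw_time"]):
            continue                      # continuation with no matching open event: drop it
        f = FLOW_RE.match(body)
        if f and "src" not in current:    # the first packet line carries the addresses/ports
            current.update(src=f.group("src"), sport=int(f.group("sport")),
                           dst=f.group("dst"), dport=int(f.group("dport")))
        current["detail"].append(body)
    return events


def format_event(ev):
    """Render a merged event as the single line a downstream filter or alert would see."""
    return "%s %s rule=%d %s %s on %s %s %s:%s -> %s:%s" % (
        ev["host"], ev["fw_time"], ev["rule"], ev["action"], ev["direction"], ev["iface"],
        ev["proto"], ev.get("src"), ev.get("sport"), ev.get("dst"), ev.get("dport"))


if __name__ == "__main__":
    for ev in merge_pf_events(SAMPLE_LOG):
        print(format_event(ev))
```

Lines that arrive without an open event (or with a different host or timestamp) are dropped rather than attached to the wrong rule, so an out-of-order or lost packet line costs one event's detail instead of mislabelling the next one.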
Kiwi Syslog Server 9.4.1 - Active Directory Settings
Has anyone configured Active Directory Settings in Kiwi Syslog Server 9.4.1? Below are the Active Directory Settings available in the Web Access interface under the Admin tab.
- Domain URL: <Free Form Box> My domain prepopulated correctly.
- Authentication Type: <Free Form Box>. Is this supposed to be NTLM, Kerberos, etc?
- User Groups: <Free Form Box> Does the format need to be LDAP based?
Using Kiwi SyslogGen and Kiwi Syslog Server on the Same Machine (localhost)
On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server. If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.
- Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204").
- Change Source IP address to "Random Class C addresses"
- Change Source Port to 1468 (or any other fixed port; don't use a random port)
- Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
- If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again
You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page.