Can't start Kiwi Syslog Service - Logon Failure
After installing the permanent license for Kiwi Syslog Server the Syslog service will not start. It started without problems when running as the trial version. No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error: The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure. I can't find anything in the Kiwi Syslog documentation about having to log in. The OS is Windows 2008 R2. I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator. Is this a known problem? Thanks, Glenn
Kiwi Syslog not displaying Cisco ASA 5505 syslogs
I have a Cisco ASA 5505 that is set up to send syslogs to a remote syslog server.
I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.
I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.
I have googled, read the user guide, and searched the forum and cannot find any procedure that I can tweak Kiwi to log the syslog files from my ASA, which is being used as a VPN concentrator.
Any ideas?
Kiwi - Palo Alto User ID agent
I have written a Perl script to take data from Kiwi, parse out some information and pass it into our Palo Alto UserID agent. It runs fine when I pass the message in on the command line, but when I have Kiwi run it (so as to pull the data from Kiwi) it fails with an error:
Error Info: invalid charater on line 1
My script looks like this:
use PAN::API;

sub Main {
    # Kiwi hands the message to PerlScript through the COM "Fields" object;
    # in Perl it is referenced as $Fields->VarCleanMessageText
    # ("Fields.VarCleanMessageText" is the VBScript form and is not valid Perl).
    my $string = $Fields->VarCleanMessageText;
    my $SERVER = '127.0.0.1';
    my ($username, $ip_address);

    # Extract user and IP from string.
    # Capture groups: 1 = domain, 2 = separator, 3 = whitespace separator (if any),
    # 4 = user, 5 = separator before the address, 6 = IPv4 address.
    if ($string =~ /(\w+)([.+]|(\s))(\w+)(\s|\+|.)(\d+\.\d+\.\d+\.\d+)/) {
        $username   = "$1\\$4";   # domain\user
        $ip_address = $6;         # the pattern has only six groups, so $7 was always empty
    }
    return "OK" unless defined $username;   # no match: nothing to post

    print "$username : $ip_address \n";

    # Create User ID API connection
    my $uid = PAN::API::UID->new($SERVER);
    # Post data to agent (must use the variables set above, not $name/$address)
    $uid->add('login', $username, $ip_address);
    $uid->submit();

    return "OK"; # return value for Kiwi
}
Thanks for any guidance.
Kevin
How to Resolve IP Addresses into Hostnames in Kiwi Syslog Server
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.
External link to Jing: DNS Resolution - justinfinley's library
Video Guide:
- 0:00 Watching traffic come in with unresolved IP addresses
- 0:10 Turning on IP address resolution (this affects what appears in the "Hostname" column)
- 0:20 Turning on in-message IP address resolution (this is optional, can be slow, and affects what appears in the "Message" column)
- 0:27 A quick glance at the DNS server settings (which DNS server to use, whether NetBIOS is to be used, etc.)
- 0:29 A quick glance at the DNS cache settings
- 0:30 Turning on resolution of frequently-used IPs from a local hosts file (this is very fast, but ignores changes to DNS servers)
- 0:35 How to edit the hosts file
- 1:30 Watching traffic come in with properly resolved IP addresses
Remember to "LIKE" this if you find it useful - that helps others find it too!
Kiwi Syslog Server and SNMP Traps on VMWare ESXi 4.0
Good Day,
We are having an issue getting SNMP trap inputs to work on Kiwi v9. We have installed Kiwi on both a WinXP (with SNMP trap service) and a Win2k3 virtual machine. When collecting syslogs it works fine. However, when we configure the SNMP inputs under setup, we get a message stating that it "cannot open snmp listener on port 162".
There was no other SNMP software installed as it suggested that the port is already bound to an interface. We then installed the Solarwinds Engineer's toolset on the VM and used the trap receiver. Once alarms were generated this worked well while Kiwi is still unable to receive the traps.
Finally, we used a standalone laptop and loaded Kiwi. Using the same address as the VM we were able to receive the SNMP traps from the device under test. The platform that Kiwi was loaded onto was WinXP with Trap service installed.
Any ideas anyone? Any assistance will be greatly appreciated. I saw in the forum something about UDP Spoofing being unable to work as well and I was wondering if it had any connection.
Syslogd_Service.exe crash - out of stack space
I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service. Here is the hardware platform:
HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1
I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:
Log Name: Application
Source: Application Error
Date: 3/15/2012 10:42:42 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
<EventRecordID>2945</EventRecordID>
<Channel>Application</Channel>
<Computer>************</Computer>
<Security />
</System>
<EventData>
<Data>Syslogd_Service.exe</Data>
<Data>9.2.0.1</Data>
<Data>4d069c0f</Data>
<Data>unknown</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>c0000005</Data>
<Data>0000000a</Data>
<Data>91d0</Data>
<Data>01cd02c944ab6d53</Data>
<Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
<Data>unknown</Data>
<Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
</EventData>
</Event>
---------------------------
The following was in the Syslogd Errorlog.txt:
2012-03-15 09:32:52 Command line license key accepted.
2012-03-15 10:42:41 *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41 Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------
I have opened SolarWinds case #323438 regarding this.
Kiwi Syslog not capturing syslogs
Installed Kiwi Syslog Free version 9.3.4 on Windows Server 2008 R2. Trying to capture syslog from a Cisco ASA 5510. I have confirmed that the syslog events are hitting the server with Wireshark. Nothing is coming through to Kiwi Syslog. Current settings are all default. No filters in place. Not sure what is wrong as I can see the syslog messages coming through Wireshark. Any ideas as to why the syslog messages are not being seen by Kiwi?
Maximum number of TCP connections has been reached. Not accepting connection.
Kiwi Syslogd error: Maximum number of TCP connections has been reached. Not accepting connection.
Why? Thanks..
Procurve switches not sending syslog messages in KIWI syslog
Hi all,
New here, searched for discussions but found no entry on procurve switch(es).
The Procurve switches will not send any syslog messages (wiresharked the server)
Turned on logging on the switch: logging 'ip-address'
show debug
Debug Logging
Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server
Protocol = UDP
Port = 514
Facility = user
Severity = info
System Module = all-pass
Priority Desc =
Tried facility 'syslog'; still nothing.
Only the Procurve switches will not send any syslog messages.
Other devices such as Cisco ASA's work fine.
Anyone have ideas to solve this?
TIA Jaap
Sending events from Cisco 3750 switch
Hello,
I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.
Should the following work:
Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error
This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?
Should this work or is there a "Supported" switch configuration that I should be using.
Thank you,
Chris
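The two posts above (the ProCurve "Facility = user, Severity = info, UDP 514" output and the Cisco "logging trap error" question) both come down to what a device puts on the wire. The following is an added example, not code from either poster or from Kiwi: it builds an RFC 3164 datagram with the PRI value those settings produce, decodes it the way a collector does, applies the Cisco trap-level filter, and can fire one test message at a listener so you can confirm whether the collector or the device is at fault. The host name, tag and message text are constructed sample values.

```python
"""Build, send and decode RFC 3164 syslog datagrams to check a Kiwi UDP/514 listener."""
import re
import socket
import time

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def pri(facility: str, severity: str) -> int:
    """Priority value the device puts in <...>; 'user'/'info' gives <14>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Assemble '<PRI>TIMESTAMP HOSTNAME TAG: TEXT' as an RFC 3164 sender would."""
    ts = timestamp or time.strftime("%b %d %H:%M:%S")
    ts = re.sub(r"^(\w{3}) 0(\d)", r"\1  \2", ts)  # RFC 3164 space-pads the day
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {text}"

_PAT = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def decode(message: str) -> dict:
    """Split a datagram back into its parts, the way a collector's display does."""
    m = _PAT.match(message)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {message!r}")
    p = int(m.group(1))
    facility = {v: k for k, v in FACILITIES.items()}.get(p // 8, str(p // 8))
    severity = {v: k for k, v in SEVERITIES.items() if k != "error"}[p % 8]
    return {"facility": facility, "severity": severity,
            "timestamp": m.group(2), "host": m.group(3), "body": m.group(4)}

def passes_trap_level(message: str, trap_level: str = "err") -> bool:
    """Mimic Cisco IOS 'logging trap <level>': only severities <= level leave the box."""
    return SEVERITIES[decode(message)["severity"]] <= SEVERITIES[trap_level]

def send(message: str, server: str = "127.0.0.1", port: int = 514) -> int:
    """Fire one datagram at the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (server, port))

if __name__ == "__main__":
    # Constructed sample matching the ProCurve settings above (facility user, severity info).
    msg = build_message("user", "info", "procurve-01", "switch", "port 3 is now on-line")
    print(msg, decode(msg), sep="\n")
    send(msg)  # point server= at the Kiwi host and watch whether it appears
```

If the test datagram shows up in the Kiwi display but the switch's traffic does not, the listener is fine and the problem is in the device's facility/severity or source-interface settings rather than in Kiwi.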
Syslog Manager fails to start on win 8.1
syslog_manager.exe 9.4.0.1 will not open correctly on Windows 8.1. The process starts and can be seen in Task Manager, but closes a few seconds later. No GUI is seen at all, not even the splash screen or the notification area icon.
There are no logs inside:
C:\Program Files (x86)\Syslogd\Dated logs
C:\Program Files (x86)\Syslogd\Logs
I tried calling (Service – Debug start-up: www.kiwisyslog.com/help/syslogd7/index.html?adv_reg_servicedebugstart_up.htm):
syslog_manager.exe DEBUGSTART
syslog_manager.exe /DEBUGSTART
syslog_manager.exe -DEBUGSTART
syslog_manager.exe --DEBUGSTART
but still no log or debug log files are created in the C:\Program Files (x86)\Syslogd directory or any of its subdirectories.
I checked the Windows event log and found the same four errors recurring every time syslog_manager.exe is started up:
==============================
Error 1
==============================
Fault bucket -339880763, type 1
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: Syslogd_Manager.exe
P2: 9.4.0.1
P3: 5256d7ac
P4: StackHash_4527
P5: 0.0.0.0
P6: 00000000
P7: c000041d
P8: PCH_1C_FROM_actskn43+0x00014197
P9:
P10:
Attached files:
C:\Users\user\AppData\Local\Temp\WER7A1F.tmp.WERInternalMetadata.xml
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._1c26be14be8bc7e884ee84c763454f0becaea_d6be21d2_0a3f7cfe
Analysis symbol:
Rechecking for solution: 0
Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a
Report Status: 0
Hashed bucket: ee82e4cf87c028d8fde4d29d457939f8
==============================
Error 2
==============================
Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x040705b8
Faulting process ID: 0xbe0
Faulting application start time: 0x01cedf304b48bb7b
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe
Faulting module path: unknown
Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a
Faulting package full name:
Faulting package-relative application ID:
==============================
Error 3
==============================
Fault bucket 50, type 5
Event Name: BEX
Response: Not available
Cab Id: 0
Problem signature:
P1: Syslogd_Manager.exe
P2: 9.4.0.1
P3: 5256d7ac
P4: StackHash_f2c9
P5: 0.0.0.0
P6: 00000000
P7: PCH_3D_FROM_ntdll+0x0003C1AC
P8: c0000005
P9: 00000008
P10:
Attached files:
C:\Users\user\AppData\Local\Temp\WER7676.tmp.WERInternalMetadata.xml
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._4bac366436d77f4150a9f635e3ff4264d568c57d_d6be21d2_070f7973
Analysis symbol:
Rechecking for solution: 0
Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a
Report Status: 0
Hashed bucket: 18c71da6583848b95798fbf0fc6b19c1
==============================
Error 4
==============================
Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x040705b8
Faulting process ID: 0xbe0
Faulting application start time: 0x01cedf304b48bb7b
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe
Faulting module path: unknown
Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a
Faulting package full name:
Faulting package-relative application ID:
kiwi syslog service crashes
I successfully installed Kiwi Syslog Server (latest version) and successfully received 18.8 million logs in 5 – 6 hours; after that the application crashes, and every time I restart the service it keeps crashing. I too would like to know if this issue is resolvable, and if so, how it was done. We are required to log these messages because of audit regulations and we have multiple firewalls logging to this one server. If Kiwi cannot keep up, kindly let us know or suggest any other option.
Following are the system events:
Faulting application name: Syslogd_Service.exe, version: 9.4.0.1, time stamp: 0x5256d794
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x000552a2
Faulting process id: 0x49c
Faulting application start time: 0x01cfedd553cc3c0b
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 98b25655-59c8-11e4-8349-005056bb1e35
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: Syslogd_Service.exe
P2: 9.4.0.1
P3: 5256d794
P4: ntdll.dll
P5: 6.1.7601.18247
P6: 521ea8e7
P7: c0000005
P8: 000552a2
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d
Analysis symbol:
Rechecking for solution: 0
Report Id: 98b25655-59c8-11e4-8349-005056bb1e35
Report Status: 0
How to Split Log Files by IP Address and Date in Kiwi Syslog Server
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")
External link to Jing: autosplit - justinfinley's library
Video Guide:
- 0:00 Opening Kiwi Syslog's configuration dialog
- 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
- 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date
Remember to "LIKE" this if you find it useful - that helps others find it too!
Problem with filtering in Kiwi Syslog
I am setting up a Kiwi syslog server. Running into a problem with the filtering not working the way I would expect. I have used Kiwi before, but that was several years ago. I have set up a display for a specific switch and have tried several different filter possibilities, but I am still getting syslog messages on the display that don't belong to the switch I am trying to watch.
I have tried an IP address - simple filter with the IP address of the switch "10.1.1.2". On the Cisco switch, I have used the command logging source-interface vlan 254, which should send out the syslog messages using the IP address in the simple filter I set up. I have also tried the hostname option with the hostname of the switch "Switch1", but same problem.
It has got to be something simple, but so far I haven't found the problem. Since this is the free version, I know I can't call SolarWinds support.
Any suggestions are appreciated.
Ron
Event ID monitoring
Hello Thwack Community,
I am trying to set up some event log monitoring/alerting with Kiwi and I'm running into some issues.
The plan is to set up some easy filters/actions to watch for certain event IDs and then email when they are triggered.
Currently I am testing my setup using the Log Forwarder test alerts and am filtering for “MSWinEventLog 3”.
Here is a copy of my filter.
However, when I trigger the test alert from the Log Forwarder, I can see where it hits the Kiwi system, it is logged. But no alerts are sent out, no email is generated in the queue. Nothing. Not sure what I am doing wrong. But any help would be appreciated.
Kiwi Syslog Viewer Message Pattern Syntax
Hello Thwackers!!!
Quick question... I want to filter using excludes in the Syslog Viewer. To be clear, I don't want to eliminate the messages from Syslog - I just want to filter inside the viewer for them.
For example, I can include only messages with this IP by putting %192.1.3.4% in the "Message Pattern" box.
I can EXCLUDE messages with this IP by putting !%192.1.3.4% in the "Message Pattern" box.
What I want to do is exclude an IP AND exclude a partial user name. So in English: I want only messages that do NOT include the IP address 192.1.3.4 and also do NOT include any user with 'anon' in the name.
Can this be done?
I have tried to no avail:
!%192.1.3.4%.!%anon*%
!%192.1.3.4%.!%anon?%
!%192.1.3.4% & !%anon*%
!%192.1.3.4% && !%anon*%
..and other combinations of the above...
Thanks in advance!!!
Limiting Log Retention
Hello.
I've installed the free version of Kiwi Syslog (I'm a long-time user of CatTools), and am unable to find a setup preference which tells Kiwi how long to retain syslog messages. I don't have unlimited drive space, and only want to keep certain messages for a limited period.
More specifically, I need to keep the NAT translation messages from my firewall, so I can track down inappropriate use by students. These messages come at a rate of over 20,000/hr. I only want to keep them for a week.
Thanks
Changing the userid for Syslog Web Access
During installation of Syslog Web Access, you are prompted for a userid and password. The password can be changed at any time easily.
But how does one change the userid? Where is it stored?
We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again. But having already asked us once, it did not ask us again.
Thanks,
-Ken
Kiwi Syslog 9.4 on Windows Server 2012 64-bit service crash - possible bug!
Hello, Kiwi friends!
I am trying to get Kiwi Syslog 9.4 to work on Windows Server 2012 64-bit, but I am having problems with the service crashing when I try to start the Kiwi Syslog Server console.
I have applied the KB fix for Microsoft .NET Framework 2; before that I couldn't install Kiwi Syslog successfully because the service could not start.
http://knowledgebase.solarwinds.com/kb/questions/4386/
I have the following errors in the windows event viewer!
Error 7000: The Kiwi Syslog Server service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion
Error 7009 : A timeout was reached (30000 milliseconds) while waiting for the Kiwi Syslog Server service to connect.
Do you have a solution for this, or could it be a new bug in Windows Server 2012 and the old .NET Framework combined?
Thanks in advance.
Help with Kiwi Syslog Server and e-mail
Hello, I have a problem with Kiwi Syslog Server: when I try to run some tests with my e-mail, I get this error:
Unable to send test message.
Reason: Mail error: SMTP protocol error. 535 5.7.8
http//:support.google.com/mail/bin/answer.py?answer=14257
p13sm9533348qax.8 - gsmtp
I would like to know if someone could help me resolve it.
I also have a question: how do I configure Kiwi's alarms so that an e-mail is sent to me when there is an alert?
I look forward to your kind help.