Channel: THWACK: Popular Discussions - Kiwi Syslog

Kiwi Syslog not displaying Cisco ASA 5505 syslogs


I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.

I have Kiwi Syslog (free) installed on a Windows 2003 R2 server and it is listening on UDP port 514. The syslog server is also my CiscoWorks v3.2 server.

I can ONLY see the CiscoWorks log files and not the ASA's. I only want to display the ASA log files.

I have googled, read the user guide, and searched the forum, and cannot find any procedure by which I can tweak Kiwi to log the syslog files from my ASA, which is being used as a VPN concentrator.

Any ideas?


Adding devices to the Kiwi Syslog free version


Prior to receiving syslogs from the 5 devices (this is the limit in the free version), they will need to be added under the Setup\Inputs section. See below:

 

[Screenshot: Syslog free.JPG]

Kiwi Syslog Server High CPU Utilization - Messages Seem to be behind


The CPU on my Kiwi Syslog Server is Pegged.  Here is the Diagnostic info file from the server.

 

Kiwi Syslog Server [Registered] Version 9.0.3


///       Kiwi Syslog Server Statistics         ///
---------------------------------------------------
24 hour period ending on: Wed, 08 Sep 2010 14:44:34
Syslog Server started on: Wed, 08 Sep 2010 13:37:39
Syslog Server uptime:     1 hour, 7 minutes
---------------------------------------------------

+ Messages received - Total:          1098753
+ Messages received - Last 24 hours:  1098753
+ Messages received - Since Midnight: 1098753
+ Messages received - Last hour:      996804
+ Message queue overflow - Last hour: 416654
+ Messages received - This hour:      101949
+ Message queue overflow - This hour: 12336
+ Messages per hour - Average:        996804

+ Messages forwarded:                 769810
+ Messages logged to disk:            1194581

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           2
+ Errors - Oversize message:          309

+ Disk space remaining on drive E:    41554 MB

    Breakdown of Syslog messages by severity  
+--------------------+------------+------------+
| Message Level      |  Messages  | Percentage |
+--------------------+------------+------------+
| 0 - Emerg          |         0  |      0.00% |
| 1 - Alert          |      2753  |      0.25% |
| 2 - Critical       |       496  |      0.05% |
| 3 - Error          |      5745  |      0.52% |
| 4 - Warning        |    103603  |      9.43% |
| 5 - Notice         |     42938  |      3.91% |
| 6 - Info           |    775902  |     70.62% |
| 7 - Debug          |    167316  |     15.23% |
+--------------------+------------+------------+

Custom statistics
-----------------
CustomStats01: 0
CustomStats02: 0
CustomStats03: 0
CustomStats04: 0
CustomStats05: 0
CustomStats06: 0
CustomStats07: 0
CustomStats08: 0
CustomStats09: 0
CustomStats10: 0
CustomStats11: 0
CustomStats12: 0
CustomStats13: 0
CustomStats14: 0
CustomStats15: 0
CustomStats16: 0

End of Report.


DNS Cache size  20000
DNS Cache entries 2
Entries in queue 0
DNS Cache hits  0
DNS Cache misses 0
DNS Cache TTL  1440 minutes
Total DNS Lookups 0
Successful cache hits 0%


IP Address Hostname TTL (minutes)
127.0.0.1       localhost Static
::1             localhost Static


Message Buffer Information
==========================
Message Queue Max Size: 20000
Message Queue overflow: 428990
Message Count:          19932
Message Count Max:      20000
Percentage free:        1

 

E-mail Buffer Information
==========================
Message Queue Max Size: 1000
Message Queue overflow: 0
Message Count:          0
Message Count Max:      13
Percentage free:        100

Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

Kiwi - Palo Alto User ID agent


I have written a Perl script to take data from Kiwi, parse out some information and pass it into our Palo Alto UserID agent. It runs fine when I pass the message in on the command line, but when I have Kiwi run it (so as to pull the data from Kiwi) it fails with an error:

 

Error Info: invalid charater on line 1

 

My script looks like this:

 

sub Main() {
  use PAN::API;

  # Kiwi hands the message to the script through the Fields object. In
  # PerlScript it is reached as $Fields->VarCleanMessageText; the bare
  # "Fields.VarCleanMessageText" form is the VBScript/JScript syntax and is
  # a string concatenation of two barewords in Perl.
  my $string = $Fields->VarCleanMessageText;

  my $SERVER = '127.0.0.1';   # User-ID agent address

  my ($username, $ip_address);

  # Extract user and IP from string.
  # Capture groups: 1 = domain, 2 = separator (3 = its whitespace sub-match),
  # 4 = user, 5 = separator, 6 = IPv4 address. There is no group 7, so the
  # original "$ip_address = $7" was always undefined.
  if ($string =~ /(\w+)([.+]|(\s))(\w+)(\s|\+|.)(\d+\.\d+\.\d+\.\d+)/) {
    $username   = "$1\\$4";   # DOMAIN\user
    $ip_address = $6;
  } else {
    return "OK";              # nothing to submit for this message
  }

  print "$username : $ip_address \n";

  # Create User ID API connection
  my $uid = PAN::API::UID->new($SERVER);

  # Post data to agent (the variables must match the ones set above)
  $uid->add('login', $username, $ip_address);
  $uid->submit();

  return "OK"; # return value for Kiwi
}

 

Thanks for any guidance.

 

Kevin

Kiwi Syslog Server 9.4 Free Collecting SNMP from GNS3 Cloud


This is probably me being silly.

I have defined a cloud MS loopback from a GNS3 emulated router. Wireshark can see the packet. If I replace Kiwi with a quick VB programme it can see the record, but I cannot get Kiwi to display the record.

 

Regards Conwyn

 

Waiting for broadcast

Received broadcast from 10.10.10.1:65347 :

0j☻☺ ♦♠public?]♠        +♠☺♦☺           +☻@♦

☺☻☺♠☻☺☺C♥6"[0?0‼♠♫+♠☺♦☺         +☺☺♠☺♥‼☻☺☺0‼♠♫+♠☺♦☺             +☺☺♠☺♦‼☻☺☻0‼♠♫+♠

☺♦☺             +☺☺♠☺♣‼☻☺♥

Waiting for broadcast

 

Here is Kiwi

Syslog messages going to wrong syslog


I have a server with Orion and Kiwi Syslog. The log files are going to Orion syslog instead of Kiwi. I know this works because this is a new server replacing an old server with the same setup. On the old server they go to Kiwi as I want.

kiwi syslog service crashes


I successfully installed Kiwi Syslog Server (latest version) and successfully received 18.8 million logs in 5–6 hours; after that the application crashes, and every time I restart the service it keeps crashing. I too would like to know if this issue has been resolved, and if so how it was done. We are required to log these messages because of audit regulations and we have multiple firewalls logging to this one server. If Kiwi cannot keep up, kindly let us know or suggest another option.


The following are the system events:


Faulting application name: Syslogd_Service.exe, version: 9.4.0.1, time stamp: 0x5256d794

Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7

Exception code: 0xc0000005

Fault offset: 0x000552a2

Faulting process id: 0x49c

Faulting application start time: 0x01cfedd553cc3c0b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe

Faulting module path: C:\Windows\SysWOW64\ntdll.dll

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

 

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.1

P3: 5256d794

P4: ntdll.dll

P5: 6.1.7601.18247

P6: 521ea8e7

P7: c0000005

P8: 000552a2

P9:

P10:

 

Attached files:

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d

 

Analysis symbol:

Rechecking for solution: 0

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.1

P3: 5256d794

P4: ntdll.dll

P5: 6.1.7601.18247

P6: 521ea8e7

P7: c0000005

P8: 000552a2

P9:

P10:

 

Attached files:

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d

 

Analysis symbol:

Rechecking for solution: 0

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

Report Status: 0




Kiwi Syslog Server: Rule Action: Log to NT Event Log


Is there no way to create a custom Event log and log items to it? Can you not change the event IDs of any of your rules? Can you at least parse any of the syslog message into the event in order to change the hostname it's coming from or the source? Can you not modify the message as it is logged, maybe to strip out the date and time (in order to set up consolidation of alerting in the other programs that are catching these alerts)? All I am able to do is change the message type (Event Level).

 

This is a HUGE win for us if ANY of these ideas can be added.

 

Currently we are sending SAN array alerts through syslog and catching them with Kiwi. Kiwi is logging to the event log and SCOM is picking it up and notifying the correct party. However, there is not much we can do at the moment in Kiwi to have the event logged in a way that lets us use several different actions in SCOM, since your choices are only Warning, Error, or Informational.

 

Please let me know if you are having any of these same problems or if you know another way around this. There are free syslog servers that aren't nearly as good as syslog for filtering and rules, but you have the options to send alerts to several different custom Event logs.

Kiwi Syslog not receiving any message


Hello,

 

I just installed Syslog on a Windows 8 VM (ESXi 5.5).

However... I don't receive any messages from the router (Cisco RV042G) I want to log.

 

I tried the generic troubleshooting:

• Check network connectivity by pinging from the sending device to the Syslog Server machine  => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled

• Use a sniffer to check if messages from the router are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)

 

Do you have any idea about the cause of this issue?

 

Thanks in advance for your help.

Kiwi Syslog Web Access Filter Wildcard?


My question is - in creating a Kiwi (v9.0.3) Syslog Web Access filter to filter on a certain string within the Syslog message text, is there a wildcard character that I can use?  Thanks for any help! bp

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)


PROBLEM - pfSense syslogs for firewall events are split into two lines when they are sent to the Kiwi Syslog app.

 

Is there a way to edit the configuration or parsing script to parse the pfSense event as one line, similar to what the Splunk app can do? See link: http://www.basementpctech.com/content/pfsense-log-analysis-splunk

 

I understand that this is a pfSense tcpdump issue, but I have already tried the change in http://redmine.pfsense.org/issues/1938 without any luck; it just doesn't work. I tried all combinations of changes without any luck.

 

pfSense version = 2.0.1-RELEASE (amd64), built on Mon Dec 12 18:16:13 EST 2011, FreeBSD 8.1-RELEASE-p6

 

I would really appreciate any help with this, as I have already exhausted searching for a working solution using Kiwi Syslog, and this is the only thing holding me back from purchasing this application.

 

Appreciate any help on this.

 

 

Example from Kiwi Syslog:

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]
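One way to stitch the split pfSense lines back into a single event after Kiwi has written them, as an added example that is not code from the post or from Kiwi: it assumes Kiwi's plain text-log layout shown above (date, time, priority, host, message), treats the tcpdump-style "rule ... (match)" line as the start of an event and the indented lines (Kiwi shows the leading tab as <009>) as its continuation, and keeps one open event per sending host so two firewalls logging at once do not get mixed. The sample lines are constructed from the post's example with placeholder addresses.

```python
import re

# Kiwi text-log line: date time priority host message; for pfSense the message
# part is "Mon dd hh:mm:ss pf: <payload>"
KIWI_PF_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<prio>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+pf:\s?(?P<payload>.*)$"
)

# The first line of a pf event carries a tcpdump-style timestamp and the rule
# verdict, e.g. "00:00:08.003040 rule 1/0(match): block in on em0: ..."
PF_RULE_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+rule\b")


def is_continuation(payload):
    # tcpdump indents the packet-detail lines; Kiwi renders the leading tab as <009>
    return payload.startswith((" ", "\t", "<009>"))


def merge_pf_events(lines):
    """Return one dict per pf event: host, received (Kiwi timestamp), text, orphan.

    Continuation lines are appended to the most recent rule line from the same
    host. A continuation that arrives with no open event for its host is
    returned on its own with orphan=True so it is not silently dropped.
    """
    events = []
    pending = {}  # host -> event still collecting continuation lines
    for raw in lines:
        m = KIWI_PF_LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not a pfSense line in Kiwi's layout; leave it to other rules
        host, payload = m["host"], m["payload"]
        received = f"{m['date']} {m['time']}"
        if PF_RULE_LINE.match(payload):
            if host in pending:
                events.append(pending.pop(host))  # previous event is complete
            pending[host] = {"host": host, "received": received,
                             "text": payload.strip(), "orphan": False}
        elif is_continuation(payload):
            text = payload.replace("<009>", " ").strip()
            if host in pending:
                pending[host]["text"] += " " + text
            else:
                events.append({"host": host, "received": received,
                               "text": text, "orphan": True})
        else:
            # any other pf line is an event of its own
            events.append({"host": host, "received": received,
                           "text": payload.strip(), "orphan": False})
    events.extend(pending.values())
    return events


def format_event(event):
    # single-line form suitable for logging to disk or feeding a parser
    flag = " [orphan continuation]" if event["orphan"] else ""
    return f"{event['received']} {event['host']} pf: {event['text']}{flag}"


# Constructed sample: the three lines of one blocked DHCP request as Kiwi logs
# them (10.0.0.1 / 10.0.0.20 are placeholder addresses)
SAMPLE_LINES = [
    "02-06-2013 13:01:35 Local0.Info 10.0.0.1 Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): "
    "block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)",
    "02-06-2013 13:01:35 Local0.Info 10.0.0.1 Feb  6 13:01:37 pf:     10.0.0.20.68 > 255.255.255.255.67: "
    "BOOTP/DHCP, Request from 00:50:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]",
    "02-06-2013 13:01:35 Local0.Info 10.0.0.1 Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]",
]

if __name__ == "__main__":
    for ev in merge_pf_events(SAMPLE_LINES):
        print(format_event(ev))
```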

Email statistics buggy since v9.4


I've just upgraded to v9.4, and discovered an issue...

 

I've been using the email statistics functionality for a long time and it worked correctly until v9.3.4.

I've set the "for every" option to 24 hours, and the mail is always being sent at midnight (12:00 AM + some minutes/seconds).

 

Now, I'm still receiving the mail correctly, but its content is partially reset at midnight.

 

Here is a sample mail:

---
///       Kiwi Syslog Server Statistics         ///
---------------------------------------------------
24 hour period ending on: Tue, 17 Sep 2013 00:02:56
Syslog Server started on: Wed, 11 Sep 2013 11:33:10
Syslog Server uptime:     5 days, 12 hours, 27 minutes
---------------------------------------------------

+ Messages received - Total:          3046381
+ Messages received - Last 24 hours:  776286
+ Messages received - Since Midnight: 197
+ Messages received - Last hour:      7545
+ Message queue overflow - Last hour: 0
+ Messages received - This hour:      3441
+ Message queue overflow - This hour: 0
+ Messages per hour - Average:        32202

+ Messages forwarded:                 0
+ Messages logged to disk:            212

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           0
+ Errors - Oversize message:          0

+ Disk space remaining on drive D:    107889 MB

---------------------------------------------------

      Breakdown of Syslog messages by sending host
+--------------------------+------------+------------+
| Top  25 Hosts            |  Messages  | Percentage |
+--------------------------+------------+------------+
| router                   |       197  |    100,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
|                          |         0  |      0,00% |
+--------------------------+------------+------------+

     Breakdown of Syslog messages by severity
+--------------------+------------+------------+
| Message Level      |  Messages  | Percentage |
+--------------------+------------+------------+
| 0 - Emerg          |         0  |      0,00% |
| 1 - Alert          |         0  |      0,00% |
| 2 - Critical       |         0  |      0,00% |
| 3 - Error          |         0  |      0,00% |
| 4 - Warning        |         0  |      0,00% |
| 5 - Notice         |         0  |      0,00% |
| 6 - Info           |       197  |    100,00% |
| 7 - Debug          |         0  |      0,00% |
+--------------------+------------+------------+

Custom statistics
-----------------
CustomStats01: 0
CustomStats02: 0
CustomStats03: 0
CustomStats04: 0
CustomStats05: 0
CustomStats06: 0
CustomStats07: 0
CustomStats08: 0
CustomStats09: 0
CustomStats10: 0
CustomStats11: 0
CustomStats12: 0
CustomStats13: 0
CustomStats14: 0
CustomStats15: 0
CustomStats16: 0

End of Report.
---

 

The first summary part seems to be OK.

 

But the Top 25 hosts and the severity dispatching are reset at 00:00, instead of showing data for the past day!

Therefore, the 197 messages are only those received since midnight, as the mail was sent at 00:02:56.

 

So, either there's an unwanted clearing of counters (at 00:00 instead of after the mail was sent), or there should be a more precise scheduling option (every XX hours is not precise at all!) where, for example, it would be possible to specify the time of sending (00:00 or 23:59)...

 

I was using that data for statistics, but it is now completely useless!!!

 

For me, this is clearly a bug that appeared in v9.4...

What's your opinion?

 

In that case, can you correct it, please?

Syslog Manager fails to start on win 8.1


syslog_manager.exe 9.4.0.1 will not open correctly on Windows 8.1. The process starts and can be seen in Task Manager, but closes a few seconds later. No GUI is seen at all, not even the splash screen or the notification area icon.

 

There are no logs inside:

C:\Program Files (x86)\Syslogd\Dated logs

C:\Program Files (x86)\Syslogd\Logs

 

I tried calling (Service – Debug start-up: www.kiwisyslog.com/help/syslogd7/index.html?adv_reg_servicedebugstart_up.htm):

syslog_manager.exe DEBUGSTART
syslog_manager.exe /DEBUGSTART
syslog_manager.exe -DEBUGSTART
syslog_manager.exe --DEBUGSTART

but still no log or debug log files are created in the C:\Program Files (x86)\Syslogd directory or any of its sub-directories.


I checked the Windows event log and found the same four errors recurring every time syslog_manager.exe is started up:

 

==============================

Error 1

==============================

 

Fault bucket -339880763, type 1

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Manager.exe

P2: 9.4.0.1

P3: 5256d7ac

P4: StackHash_4527

P5: 0.0.0.0

P6: 00000000

P7: c000041d

P8: PCH_1C_FROM_actskn43+0x00014197

P9:

P10:

 

Attached files:

C:\Users\user\AppData\Local\Temp\WER7A1F.tmp.WERInternalMetadata.xml

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._1c26be14be8bc7e884ee84c763454f0becaea_d6be21d2_0a3f7cfe

 

Analysis symbol:

Rechecking for solution: 0

Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a

Report Status: 0

Hashed bucket: ee82e4cf87c028d8fde4d29d457939f8

 

==============================

Error 2

==============================

 

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc000041d

Fault offset: 0x040705b8

Faulting process ID: 0xbe0

Faulting application start time: 0x01cedf304b48bb7b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a

Faulting package full name:

Faulting package-relative application ID:

 

==============================

Error 3

==============================

 

Fault bucket 50, type 5

Event Name: BEX

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Manager.exe

P2: 9.4.0.1

P3: 5256d7ac

P4: StackHash_f2c9

P5: 0.0.0.0

P6: 00000000

P7: PCH_3D_FROM_ntdll+0x0003C1AC

P8: c0000005

P9: 00000008

P10:

 

Attached files:

C:\Users\user\AppData\Local\Temp\WER7676.tmp.WERInternalMetadata.xml

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._4bac366436d77f4150a9f635e3ff4264d568c57d_d6be21d2_070f7973

 

Analysis symbol:

Rechecking for solution: 0

Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a

Report Status: 0

Hashed bucket: 18c71da6583848b95798fbf0fc6b19c1

 

==============================

Error 4

==============================

 

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x040705b8

Faulting process ID: 0xbe0

Faulting application start time: 0x01cedf304b48bb7b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a

Faulting package full name:

Faulting package-relative application ID:

Log Forwarder for Windows (available to all Kiwi customers on maint)


What it does:

Log Forwarder for Windows allows you to forward Windows events as Syslog to your Kiwi Syslog Server

  • Works on Windows XP, 2003, Vista, and 2008 (32-bit or 64-bit)
  • Provides .MSI version for silent installs, allowing use with remote software distribution systems (e.g., Microsoft SMS)
  • Enables definition of filters that describe which events are forwarded

How to get it:

If you download the Kiwi Syslog Server 9.0 from your customer portal, you will see there is an additional Log Forwarder executable included with your download.   The Log Forwarder for Windows was developed by the Kiwi Syslog team.  It is available at no cost to Kiwi Syslog customers current on maintenance.

Try it out and let us know what you think!

Extracting Portion of Syslog Message Text and Source IP, then Running a Script


I am currently running Kiwi Syslog 8.3.52

 

I am logging some deployed edge switches that do not perform DHCP snooping; however, the distribution layer switch they connect to does. I am able to have the distribution switch snoop for DHCP replies from untrusted ports (links to the access layer) and generate a syslog message like this:

 

005904: Mar  1 17:38:13.216: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0800.27dd.71b8


I have these sent to my Kiwi syslog server and can filter on message text to log offenders, but that will require actively checking the logs or waiting for clients to call saying they are getting a bogus DHCP address if a rogue server is running in an edge location.


I was wondering if it is possible to somehow extract the MAC address listed after the "MAC sa:" string and, if so, pass that, as well as the IP address of the sending distribution switch, to a file which I can reference in a script to SSH to the edge and run a port shutdown or a MAC filter.


Any thoughts would be appreciated, thanks.


Rob
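One way to do the extraction step described above, as an added example that is not code from the post or from Kiwi: it reads lines in Kiwi's plain text-log layout (date, time, priority, host, message), matches the %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT message, converts the Cisco dotted MAC after "MAC sa:" to the colon form most tools and filters expect, and appends one record per new (switch, MAC) pair to a file for a follow-up script, so a switch that repeats the message does not trigger the same response again. The sample lines are constructed; the switch address is a placeholder.

```python
import re

# Kiwi text-log line: date time priority host message
KIWI_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<prio>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)

# The IOS DHCP snooping message shown in the post; the MAC is in Cisco's dotted form
SNOOP_DROP = re.compile(
    r"%DHCP_SNOOPING-\d-DHCP_SNOOPING_UNTRUSTED_PORT:.*?"
    r"message type:\s*(?P<mtype>[A-Z]+),\s*MAC sa:\s*"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def cisco_mac_to_ieee(mac):
    """'0800.27dd.71b8' -> '08:00:27:dd:71:b8'."""
    digits = mac.replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a Cisco-format MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_snooping_drop(line):
    """Return switch_ip / mac / message_type / received for a snooping drop line, else None."""
    m = KIWI_LINE.match(line.strip())
    if not m:
        return None
    s = SNOOP_DROP.search(m["msg"])
    if not s:
        return None  # some other message from the switch; ignore it
    return {
        "received": f"{m['date']} {m['time']}",
        "switch_ip": m["host"],  # Kiwi's host column is the sending distribution switch
        "message_type": s["mtype"],
        "mac": cisco_mac_to_ieee(s["mac"]),
    }


def format_record(rec):
    # one whitespace-separated line per offender, easy for a shell script to read
    return f"{rec['switch_ip']} {rec['mac']} {rec['message_type']} {rec['received']}"


def collect_offenders(lines, seen=None):
    """Return records for (switch, MAC) pairs not already in `seen`, updating `seen`."""
    seen = set() if seen is None else seen
    new = []
    for line in lines:
        rec = parse_snooping_drop(line)
        if rec is None:
            continue
        key = (rec["switch_ip"], rec["mac"])
        if key in seen:
            continue  # already recorded; do not re-trigger the response for every repeat
        seen.add(key)
        new.append(rec)
    return new


def record_offenders(lines, path, seen=None):
    """Append the new records to `path` and return them."""
    new = collect_offenders(lines, seen)
    with open(path, "a", encoding="ascii") as fh:
        for rec in new:
            fh.write(format_record(rec) + "\n")
    return new


# Constructed sample as Kiwi would log it: the post's message, a repeat of it,
# and an unrelated message from the same switch (10.0.0.2 is a placeholder)
SAMPLE_LINES = [
    "03-01-2013 17:38:14 Local7.Notice 10.0.0.2 005904: Mar  1 17:38:13.216: "
    "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, "
    "message type: DHCPOFFER, MAC sa: 0800.27dd.71b8",
    "03-01-2013 17:38:16 Local7.Notice 10.0.0.2 005905: Mar  1 17:38:15.100: "
    "%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, "
    "message type: DHCPOFFER, MAC sa: 0800.27dd.71b8",
    "03-01-2013 17:38:20 Local7.Notice 10.0.0.2 005906: Mar  1 17:38:19.500: "
    "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down",
]

if __name__ == "__main__":
    import os, tempfile
    path = os.path.join(tempfile.mkdtemp(), "rogue_dhcp.txt")
    for rec in record_offenders(SAMPLE_LINES, path):
        print(format_record(rec))
```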

wrong host name in Syslog


We have a syslog server collecting logs from other servers using the Kiwi Log Forwarder. The host names from my DMZ machines often show up wrong. I have updated the hosts file on the syslog server, but the problem is still there.
