How do you detect specific clients that have not sent syslog messages to the server in a specified amount of time?

The logforwarder v1.1 is installed on a german 2008R2 Server.

In the eventlog on the server i see aps.net warnings and errors with the following message:

/*

Ereigniscode: 3005
Ereignismeldung: Es ist eine unbehandelte Ausnahme aufgetreten.
Ereigniszeit: 16.12.2011 08:10:49
Ereigniszeit (UTC): 16.12.2011 07:10:49
Ereignis-ID: 00e80467722a4ddaa60928cab11be830
Ereignissequenz: 2
Vorkommen: 1
Ereignisdetailcode: 0
 
Anwendungsinformationen:
    Anwendungsdomäne: /LM/W3SVC/19/ROOT-****************
    Vertrauensebene: Full
    Virtueller Anwendungspfad: /
    Anwendungspfad: ******
    Computername: ******
 
Prozessinformationen:
    Prozess-ID: 9796
    Prozessname: w3wp.exe
    Kontoname: IIS APPPOOL\AppsService
 
Ausnahmeinformationen:
    Ausnahmetyp: NullReferenceException
    Ausnahmemeldung: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)

 
 
Anforderungsinformationen:
    Anforderungs-URL: http://127.0.0.1/*******
    Anforderungspfad: /********
    Benutzerhostadresse: 127.0.0.1
    Benutzer: 
    Ist authentifiziert: False
    Authentifizierungstyp: 
    Threadkontoname: IIS APPPOOL\AppsService
 
Threadinformationen:
    Thread-ID: 1
    Threadkontoname: IIS APPPOOL\AppsService
    Identitätswechsel für: False
    Stapelüberwachung:    bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
 
 
Details des benutzerdefinierten Ereignisses:

*/

But on the syslog server i see the following error message:

/*

12-16-2011    08:12:10    System4.Warning    192.168.6.**    Dez 16 08:10:49 ****** MSWinEventLog   4   Application   20   Fr Dez 16 08:10:49 2011   1309   ASP.NET 4.0.30319.0      N/A   Warning   *****   3   The description for Event ID 1309 from source ASP.NET 4.0.30319.0 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 3005. FormatMessage failed with error 1815, Die angegebene Sprachenkennung f³r die Ressourcen wurde nicht in der Image-Datei gefunden.

*/

I know that this is a problem with the language, but how can i solve this.

I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:

Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

We have a kiwi syslog server that is collecting data from a few devices.  Is there any way to get that data into NPM so that our helpdesk can view it from the Orion web console?

Jim

Hi,

I have a strange problem with Kiwi Syslog Server 9.03.

It started to receive messages with incorrect hostname IP-addresses. For example, a message would normally say that the host-IP is 192.168.0.55, but now the host-IP would become something like 192.168.0.4. I haven't quite figured out the pattern for this, but the tendency is that the last octet goes toward the beginning of the number series. It would seem that the incorrect IP-addressses are always addresses that are even not in use in our network. Attached is a screenshot from actual output. I dotted the false messages with green dot..

I managed to solve the cause for this; We have Solarwinds Engineer's toolset v10.1 installed on the same computer (Win2003 SRV SP2). After I upgraded it to v10.3 or v10.4, the problem started to appear. Uninstalling the toolset and reinstalling Kiwi Syslog Server does not help.

I even took a system state -backup with ntbackup and restored the system state prior to Engineer's toolset 10.3/10.4 installation, but it didn't help.

If I use the syslog server included in Engineer's Toolset, the problem does not appear.

TIA,

Sami

We use the syslog server to notify us of port security violations.  Normally all messages will show the full IP address of what switch the message is coming from.  Whenever there is a port about to violate, it will only show the ip up to the last number,  ex...10.197.157.245 cshowed up as 10.197.157.24.  is there a solution to this?  We have the engineers toolset and syslog server both installed.  thanks

The CPU on my Kiwi Syslog Server is Pegged.  Here is the Diagnostic info file from the server.

Kiwi Syslog Server [Registered] Version 9.0.3

///       Kiwi Syslog Server Statistics         ///
---------------------------------------------------
24 hour period ending on: Wed, 08 Sep 2010 14:44:34
Syslog Server started on: Wed, 08 Sep 2010 13:37:39
Syslog Server uptime:     1 hour, 7 minutes
---------------------------------------------------

+ Messages received - Total:          1098753
+ Messages received - Last 24 hours:  1098753
+ Messages received - Since Midnight: 1098753
+ Messages received - Last hour:      996804
+ Message queue overflow - Last hour: 416654
+ Messages received - This hour:      101949
+ Message queue overflow - This hour: 12336
+ Messages per hour - Average:        996804

+ Messages forwarded:                 769810
+ Messages logged to disk:            1194581

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           2
+ Errors - Oversize message:          309

+ Disk space remaining on drive E:    41554 MB

    Breakdown of Syslog messages by severity  
+--------------------+------------+------------+
| Message Level      |  Messages  | Percentage |
+--------------------+------------+------------+
| 0 - Emerg          |         0  |      0.00% |
| 1 - Alert          |      2753  |      0.25% |
| 2 - Critical       |       496  |      0.05% |
| 3 - Error          |      5745  |      0.52% |
| 4 - Warning        |    103603  |      9.43% |
| 5 - Notice         |     42938  |      3.91% |
| 6 - Info           |    775902  |     70.62% |
| 7 - Debug          |    167316  |     15.23% |
+--------------------+------------+------------+

Custom statistics
-----------------
CustomStats01: 0
CustomStats02: 0
CustomStats03: 0
CustomStats04: 0
CustomStats05: 0
CustomStats06: 0
CustomStats07: 0
CustomStats08: 0
CustomStats09: 0
CustomStats10: 0
CustomStats11: 0
CustomStats12: 0
CustomStats13: 0
CustomStats14: 0
CustomStats15: 0
CustomStats16: 0

End of Report.

DNS Cache size  20000
DNS Cache entries 2
Entries in queue 0
DNS Cache hits  0
DNS Cache misses 0
DNS Cache TTL  1440 minutes
Total DNS Lookups 0
Successful cache hits 0%

IP Address Hostname TTL (minutes)
127.0.0.1       localhost Static
::1             localhost Static

Message Buffer Information
==========================
Message Queue Max Size: 20000
Message Queue overflow: 428990
Message Count:          19932
Message Count Max:      20000
Percentage free:        1

E-mail Buffer Information
==========================
Message Queue Max Size: 1000
Message Queue overflow: 0
Message Count:          0
Message Count Max:      13
Percentage free:        100

My customoer uses the Kiwi syslog server ver9.2.1 and he ask me how to disable the debug more.

I checked the Manage menu on Kiwi Syslog Service Manger and I could onfirm the action of "Enable Service Debug mode(Maneger->Debug options->Enable Service Debug Mode) only and I could confirm the disable action.

If I tried to perform the action "Enable Service Debug Mode", can we stop it?  If we can be disable the Debug mode, I want to know how to disable the Debug Mode.

Regards,

Ryuichi

I have written a perl script to take data from Kiwi, parse out some information and pass it into our Palo Alto UserID agent.  It runs fine when I pass the message in on the command line but when I have kiwi run it (so to pull the data from kiwi) it fails with an error:

Error Info: invalid charater on line 1

My script looks like this:

sub Main() {

  use PAN::API;

  $string = Fields.VarCleanMessageText;

  $SERVER = '127.0.0.1';

 

  #Extract user and IP from string

  if ($string =~ /(\w+)([.+]|(\s))(\w+)(\s|\+|.)(\d+\.\d+\.\d+\.\d+)/) {

       $delim = ($3 eq "+") ? " " : $3;

       $username = "$1\\$2$delim$5";

       $ip_address = $7;

  }

  print "$username : $ip_address \n";

 

  # Create User ID API connection

  $uid=PAN::API::UID->new($SERVER);

 

  #Post data to agent

  $uid->add('login',$name,$address);

  $uid->submit();

 

  return "OK"; #return value for Kiwi

}

Thanks for any guidance.

Kevin

Hi,

Can someone help me.

I wish to pickup the events send to Kiwi syslog server using IBM TSIEM.

According to the manuals is supports syslog and syslog ng. The instructions for syslog ng the logs are picked up when TSIEM logs in using ssh and collects the events from log files in the directory /var/log/tsiem/$HOST/syslog-$YEAR-$MONTH-$DAY.log

• Can Kiwi syslog be configured the same way?
• Doe is use the same format log file?

Thanks, Mark

Hi community. I ve searched about my problem but only found topics related about Orin software. I am getting an exception in Kiwi Syslog Web Access. Status Code 500. Any one have experienced this issue ? Thanks a lot.

Exception of type  'System.Web.HttpUnhandledException' was thrown.

Status Code: 500

System.Web.HttpUnhandledException:  Exception of type 'System.Web.HttpUnhandledException' was thrown. --->  System.ArgumentOutOfRangeException: 'capacity' must be  non-negative.
Parameter name: capacity
at  System.Collections.ArrayList..ctor(Int32 capacity)
at  RadGridUserSettings.GetSerializedSettings()
at _Event.Render(HtmlTextWriter  writer)
at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer,  ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter  writer, ControlAdapter adapter)
at  System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at  Telerik.Web.UI.RadAjaxControl.RenderPageInAjaxMode(HtmlTextWriter writer,  Control page)
at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter  writer, ICollection children)
at  System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
at  System.Web.UI.Page.Render(HtmlTextWriter writer)
at  _Event.Render(HtmlTextWriter writer)
at  System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer,  ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter  writer, ControlAdapter adapter)
at  System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at  Telerik.Web.UI.RadAjaxControl.RenderPageInAjaxMode(HtmlTextWriter writer,  Control page)
at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter  writer, ICollection children)
at  System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
at  System.Web.UI.Page.Render(HtmlTextWriter writer)
at  _Event.Render(HtmlTextWriter writer)
at  System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer,  ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter  writer, ControlAdapter adapter)
at  System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint,  Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace  ---
at System.Web.UI.Page.HandleError(Exception e)
at  System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint,  Boolean includeStagesAfterAsyncPoint)
at  System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean  includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at  System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at  System.Web.UI.Page.ProcessRequest(HttpContext context)
at  ASP.events_aspx.ProcessRequest(HttpContext context)
at  System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at  System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&  completedSynchronously)

Resource: http://localhost:8088/Events.aspx
Referrer: http://localhost:8088/Gateway.aspx

Click here to return to the previous  page    Click here to return to the login  page

Hello group!

Is there a difference between what we see in the KIWI Syslog Service Manager and what we see in the KIWI Syslog Web Access? We currently have one of our appliances sending SNMP traps to KIWI, however I am trying to run a script that is looking for a particular attribute in the SNMP trap which is cldcClientIPAddress.0

What is strange is, I see this information in the KIWI Syslog Web Access monitor but I do not see it in the KIWI Syslog Service Manager. I have gone through all of the options within the service manager and cannot figure this one out.

Any assistance would be appreciated!

GMF

Hello,

I've started evaluating KiwiSyslog Server.

We will be using KiwiSyslog Server (gui and webclient) to listen to UDP traffic broadcasted by our applicaitons by the Log4Net Library.

I was able to receive the traffic in the following default form which is not what I'm looking for.

Contacted Sales Support and they told me to search the forums (nothing relevant found) and post a thread here if I still need assistance.

Will be glad for some assistance because This SysLog server does exactly what we need but the output formatting is too RAW.

The default fields look like this:

Date, Time, Priority, Hostname, Message.

I'm not interested in these fields except Message which contains all relevant information.

The problem is the "Message" field is in "Log4Net" format which is basicly a kind of XML.

I"ve tried writing custom scripts but wasn't able to succeed.

I would be glad for some assistance in parsing this output and using these fields.

Here is an example of the "Message" syntax:

<log4net:eventlogger="Logger"timestamp="Timestamp"level="Level"thread="Thread"domain="Domain"username="Username">
   <log4net:message>Message</log4net:message>
   <log4net:properties>
      <log4net:dataname="DataName"value="DataValue"/>
   </log4net:properties>
   <log4net:locationInfoclass="Class"method="Method"file="File"line="Line"/>
</log4net:event>

In the above format, the boldblack text are the fields the value in these attributes/keys should be.

Thanks in advance,

Idan.

Hello!

I install Kiwi Syslog Server & Web Access.

 Kiwi Syslog Server start and i see events from my devices, but when i start Kiwi Syslog Server Web Access its could not start:

"Kiwi Syslog WebAccess requires Kiwi Syslog Server to be online, but it is offline"

What's problem?

Version 9.2

Hi all !

past weekend we were unable to login to to Kiwi Syslog webaccess as a result of the follow error message:

" Session initialization error
An error occurred while initializing this session.
The session has been abandoned.

Event database initialization failure.
The database file may be corrupted. Run the repair utility to check the database file. [ Database name = C:\Programme\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf ] "

I have taken a look at the errorlog of Kiwi and noticed that there are three messages regarding this error:

2010-11-15 11:51:35 SolarWinds.KiwiSyslog.WebAccess.Data error: General exception. System.Runtime.InteropServices.SEHException: External component has thrown an exception. at System.Data.SqlServerCe.NativeMethods.ExecuteQueryPlan(IntPtr pTx, IntPtr pQpServices, IntPtr pQpCommand, IntPtr pQpPlan, IntPtr prgBinding, Int32 cDbBinding, IntPtr pData, Int32& recordsAffected, ResultSetOptions& cursorCapabilities, IntPtr& pSeCursor, Int32& fIsBaseTableCursor, IntPtr pError) at System.Data.SqlServerCe.SqlCeCommand.ExecuteCommandText(IntPtr& pCursor, Boolean& isBaseTableCursor) at System.Data.SqlServerCe.SqlCeCommand.ExecuteCommand(CommandBehavior behavior, String method, ResultSetOptions options) at System.Data.SqlServerCe.SqlCeCommand.ExecuteNonQuery() at SolarWinds.KiwiSyslog.WebAccess.Data.Logger.KiwiSyslogEventUpdate(Object state)

2010-12-04 20:58:48 SolarWinds.KiwiSyslog.WebAccess.Data error: Unable to start component, SQL exception. System.Data.SqlServerCe.SqlCeError: The database file may be corrupted. Run the repair utility to check the database file. [ Database name = C:\Programme\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf ]

2010-12-04 21:22:04 SolarWinds.KiwiSyslog.WebAccess.Data error: Unable to start component, SQL exception. System.Data.SqlServerCe.SqlCeError: The database file may be corrupted. Run the repair utility to check the database file. [ Database name = C:\Programme\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf ]

I start/stopped the webserver service without any success on saturday.
This morning i tried to access the page again and I got correctly redirected to http://10.x.x.x:8088/gateway.aspx.
At the moment the login is possible but I'm concerned that my database file may be corrupted!

Do you have any suggestions for me?

Thanks in advance!

Dan

All

I have setup my KIWI syslog server to listen for SNMP traps, successfully.  Is there a way to setp KIWI, or an available action to forward the SNMP traps to other SNMP trap receivers as KIWI receives them.

Thanks

KIWI New Guy

Every night our log files are copied to a dated folder.

But on one syslogserver this doesn't work. At midnight when the scheduler starts the archiving ths syslog servers stops. Restarting the syslog servers is not possible, a restart of the server is needed.

I tried different versions, with all the same result.

The scheduler is configured very basic, only to perform a copy from one directory to another on the same local server. No other options are selected.

These are the messages in the errorlog file :

2011-01-15 00:03:22    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2011-01-15 00:03:22    Service Version 9.2.1 | Error Number: 429 | Description: ActiveX component can't create object | Module Name: ProxyScheduleArchiver.cls | Procedure Name: Class_Initialize | Line Number: 10 | Date and time: 15/01/2011 0:03:22

Somebody any ideas ?

Thanks.

Good Day,

We are have an issue getting SNMP trap inputs to work on Kiwi v9. We have installed Kiwi on both a WinXP (with SNMP trap service) and Win2k3 Virtual Machine. When collecting syslogs it works fine. However when we configure the SNMP inputs under setup, we get a message stating that it "cannot open snmp listener on port 162" 

There was no other SNMP software installed as it suggested that the port is already bound to an interface. We then installed the Solarwinds Engineer's toolset on the VM and used the trap receiver. Once alarms were generated this worked well while Kiwi is still unable to receive the traps.

Finally, we used a standalone laptop and loaded Kiwi. Using the same address as the VM we were able to receive the SNMP traps from the device under test. The platform that Kiwi was loaded onto was WinXP with Trap service installed.

Any ideas anyone? Any assistance will be greatly appreciated. I saw in the forum something about UDP Spoofing being unable to work as well and I was wondering if it had any connection.

Has anyone experienced a problem where their Syslogs messages are delayed and out of order?
Note the time the time it was queued and then the time it was sent.   Sent at 8:31, but the message came into the syslog server at 7:28.

2010-08-24 08:31:25 PI Message to: networkadmin@removed.net

2010-08-24 08:31:25 PI Message from: Ospf-Syslog

2010-08-24 08:31:25 PI Subject: 10.5.0.2: 3552813: Aug 24 07:28:31.274: %OSPF-5-ADJCHG: Process 1, Nbr 10.12.1.41 on Vlan600 from F

2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400

2010-08-24 08:31:25 PI Message to: networkadmin@removed.net

2010-08-24 08:31:25 PI Message from: Ospf-Syslog

2010-08-24 08:31:25 PI Subject: 10.128.254.230: 49512: 049509: Aug 24 07:28:31: %OSPF-5-ADJCHG: Process 1, Nbr 10.12.1.41 on Vlan60

2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400

2010-08-24 08:31:25 PI Message to: networkadmin@removed.net

2010-08-24 08:31:25 PI Message from: HSRP-Syslog

2010-08-24 08:31:25 PI Subject: HSRP message from 10.7.4.2

2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400

After installing the permanent license for Kiwi Syslog server the Syslog service will not start.  It started without problems when running as the trial version.  No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error:

The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure.

I can't find anything in the Kiwi Syslog documentation about having to login.  The OS is Windows 2008 R2.  I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator.

Is this a known problem?

Thanks, Glenn