Problem with Syslog Message Delay and out of Order.

September 2, 2010, 7:37 am

≪ Previous: Kiwi Free version 9.4.2 all UTC times

Has anyone experienced a problem where their Syslogs messages are delayed and out of order?
Note the time the time it was queued and then the time it was sent. Sent at 8:31, but the message came into the syslog server at 7:28.

2010-08-24 08:31:25 PI Message to: networkadmin@removed.net

2010-08-24 08:31:25 PI Message from: Ospf-Syslog

2010-08-24 08:31:25 PI Subject: 10.5.0.2: 3552813: Aug 24 07:28:31.274: %OSPF-5-ADJCHG: Process 1, Nbr 10.12.1.41 on Vlan600 from F

2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400

2010-08-24 08:31:25 PI Message to: networkadmin@removed.net

2010-08-24 08:31:25 PI Message from: Ospf-Syslog

2010-08-24 08:31:25 PI Subject: 10.128.254.230: 49512: 049509: Aug 24 07:28:31: %OSPF-5-ADJCHG: Process 1, Nbr 10.12.1.41 on Vlan60

2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400

2010-08-24 08:31:25 PI Message to: networkadmin@removed.net

2010-08-24 08:31:25 PI Message from: HSRP-Syslog

2010-08-24 08:31:25 PI Subject: HSRP message from 10.7.4.2

2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400

↧

PCI compliance with Kiwi Syslog

October 27, 2010, 7:46 am

≫ Next: Kiwi Syslog WebAccess Installation Error (error code is 2869)

≪ Previous: Problem with Syslog Message Delay and out of Order.

Does Kiwi have any features that cover these PCI requriements:

10.5.2 Protect audit trail files from unauthorized modifications.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should
not cause an alert).

We're doing our syslogging to .txt files if that helps. Thanks!

↧

Kiwi Syslog WebAccess Installation Error (error code is 2869)

October 27, 2010, 8:29 pm

≫ Next: SSL support for Kiwi Syslog server

≪ Previous: PCI compliance with Kiwi Syslog

*Kiwi Syslog Server V.9.1.0
*Windows 2008 SP1 and SP2 64bit

Our client encountered a Kiwi Syslog WebAccess installation error.

The error message is as follows:
=============================================
The installer has encountered an unexpected error
installing this package. This may indicate a problem
with this package.The error code is 2869.
=============================================
*Kiwi Syslog Server service runs correctly.

*The client stopped Anti-Virus service before the installation.

Are there some information to resolve the problem?

↧

SSL support for Kiwi Syslog server

March 9, 2015, 2:23 am

≫ Next: Kiwi Syslog multi-site design

≪ Previous: Kiwi Syslog WebAccess Installation Error (error code is 2869)

Hi All,

Few months back we bought Kiwi Syslog Server license version because of the SSL feature only. I enabled the option Secured TCP option. But unfortunately it is unable to bind the port itself.

It says "invalid certificate provided". We use the same SSL certificate for other products with no issues. If use the same port for TCP or UDP only then it is working fine. I could not find what is the exact issue.

I contacted the SolarWinds customer portal few months back. They are not able tell what is exactly going on. Can you some one help me in fixing the problem?

Regards,

Abdun

↧

Kiwi Syslog multi-site design

May 29, 2015, 12:31 pm

≫ Next: Syslog messages format

≪ Previous: SSL support for Kiwi Syslog server

I have a small environment that is being required(regulated) to gather and store Windows Server and Cisco FW logs. We currently have two sites with servers. Whats the best practice to get High Availability of log collection without killing WAN link. I was thinking that you can have every server send logs to a log collector at each site, Is this best practice?

Thanks,

JimBob

↧

Syslog messages format

July 10, 2015, 8:06 am

≫ Next: Kiwi with SQL Server: OK for high volumes of syslog? (> 500 megabytes / day) ?

≪ Previous: Kiwi Syslog multi-site design

Why, when I send to Kiwi Syslog Server a message like "<25>Jul 10 18.04.33 Hostname Appname Message", it only understand the priority, but the timestamp and hostname has ignored and the log look like "2015-07-10 18:04:33 127.0.0.1 Daemon.Alert Jul 10 18.04.33 Hostname Appname Message"

↧

Kiwi with SQL Server: OK for high volumes of syslog? (> 500 megabytes / day) ?

March 14, 2011, 8:20 am

≫ Next: Kiwi syslog 9.4 on windows server 2012 64bit Service crash - Possible bug!

≪ Previous: Syslog messages format

Greetings!

We have a web app that generates a ton of internal diagnostic data. It dumps this data out to syslog, for us to analyze and look up later.

It is OK for some messages to be dropped. This is not critical data... it is useful data.

Questions:

Is kiwi plus SQL Server appropriate for this?

Does kiwi have a "search messages" api?

Where can I find the table schema, to do some testing on an actual SQL DB?

Can kiwi automatically purge out old data, based on data age or based on db size?

Thanks!

↧

Kiwi syslog 9.4 on windows server 2012 64bit Service crash - Possible bug!

October 2, 2013, 4:10 am

≫ Next: Kiwi Syslog Server does not display secure ASA syslogs

≪ Previous: Kiwi with SQL Server: OK for high volumes of syslog? (> 500 megabytes / day) ?

Hello , kiwi friends!

I am trying to get Kiwi syslog 9.4 to work on windows server 2012 64bit but having problems with the service crashing then i try to start the kiwi syslog server console.

I have applied the kb fix for Microsoft .Net Framework 2 , before that i couldnt install kiwi syslog successfully becuse the service could not start.

http://knowledgebase.solarwinds.com/kb/questions/4386/

I have the following errors in the windows event viewer!

Error 7000: The Kiwi Syslog Server service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion

Error 7009 : A timeout was reached (30000 milliseconds) while waiting for the Kiwi Syslog Server service to connect.

Do you have a solution for this or could it be a new bug in windows server 2012 and the old dot net framework combined ?

Thanks in advance.

↧

Kiwi Syslog Server does not display secure ASA syslogs

June 9, 2015, 1:32 am

≫ Next: Kiwi Syslog Small Windows Environment

≪ Previous: Kiwi syslog 9.4 on windows server 2012 64bit Service crash - Possible bug!

Hello to the community!

I have been confused with this for a while and i would like to get your help!

I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.

I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.

Also i have generated a certificate request for the Kiwi server which was signed by the CA server and also made a trustpoint on the ASA with that certificate (The signed one)

When i try to send syslogs it doesn't display anything.

I have installed Kiwi SyslogGen and have made some tests.

When i make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.

But when i make a test with destination port 6514 (Default Secure TCP) it fails.

On the command prompt i issued the following:

netstat -ano

there were the following entries regarding syslog:

TCP: 0.0.0.0 1468

UDP: 0.0.0.0:514

But nothing is listening to 6514

What can be the problem? Thank you very much in advance!!

Somethin i saw on the error log:

Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.

Here are some pictures of the settings:

↧

Kiwi Syslog Small Windows Environment

June 8, 2015, 12:19 pm

≫ Next: Not Able to forward logs from Unix device to syslog server

≪ Previous: Kiwi Syslog Server does not display secure ASA syslogs

I'm looking to use Kiwi for a small windows environment and had a question regarding the collection. I was wondering what best practice is for forwarding the events to the syslog server. I would prefer to not install the windows event forwarder on all of the servers (about 25). Is it possible to create a windows subscription and then forward all from that host to Kiwi?

Thank!

↧

Not Able to forward logs from Unix device to syslog server

July 6, 2015, 12:42 am

≫ Next: Log forwarder fail to start on windows server 2012

≪ Previous: Kiwi Syslog Small Windows Environment

Configured the syslog.conf file successfully, restarted services, checked IP tables - IPtable disabled, Logs are getting generated in the mount point, still logs are not getting delivered to syslog server. Why ?

Please suggest.

↧

Log forwarder fail to start on windows server 2012

July 7, 2015, 1:27 pm

≫ Next: How to create filter in kiwi syslog web access to filter only windows logon events

≪ Previous: Not Able to forward logs from Unix device to syslog server

today i installed the log forwarder on a windows server 2012 machine but i am facing the following error:

after the installation, it seems that the log forwarder agent doesn't want to start (also the console seems to be unresponsive)

and if i try to start manually the log forwarder agent service, i receive a message box that informs me that :''the solarwinds event forwarder for windows service, started and than stopped. some services stops automatically if they are not used by any program or service''

did you ever faced something like this?

how do i have to procede?

thanks a lot

↧

How to create filter in kiwi syslog web access to filter only windows logon events

April 21, 2015, 9:23 pm

≫ Next: More than 25 displays

≪ Previous: Log forwarder fail to start on windows server 2012

Dear All,

I want to create filter in syslog server to view the windows logon and logoff (event logs).

Please help me to create the filter.

↧

More than 25 displays

April 28, 2015, 9:40 am

≫ Next: filter optimization

≪ Previous: How to create filter in kiwi syslog web access to filter only windows logon events

Does anyone know if there is a way (even if unsupported) to make/edit more than 25 displays in Syslog? I would love to have a display for each server for troubleshooting, without going in to SQL etc...

Is there a plan to add more than 25? Or maybe a tree view, where you can categorize them? I'm only familiar with Syslog, so I don't know if it's already included with other products.

Thanks!

Scott

↧

filter optimization

May 26, 2015, 9:01 am

≫ Next: Syslog stops logging with no notification

≪ Previous: More than 25 displays

I would like to get the best performance possible out of our syslog server. I have placed catchall logs for each firewall at the beginning of the rules list. Each rule has 2 actions: 1. log to file, 2. display the messages. My question is "When there is no one logged into the server will the be any significant performance improvement if I turn off the display action and only enable it when needed?"

We're not having problems but will be adding quite a few more devices and would like to avoid issues if possible.

Any ideas to get the best performance out of the syslog server would be greatly appreciated.

Walt

↧

Syslog stops logging with no notification

May 29, 2015, 4:18 am

≫ Next: Parsing logs from Windows Event logs

≪ Previous: filter optimization

I discovered this morning (only because I didn't receive the nightly report) that two of our Syslog servers stopped logging yesterday afternoon. The nightly archiving and cleanup jobs did not run. The service did not crash. The drive has 63 GB of free space. There are no entries under the Application or System logs in Windows. Under the Errorlog I see this for all of the reporting nodes ("ip.address.#" is placeholder for the actual values in the logs):

2015-05-28 15:38:59 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address1.txt

2015-05-28 15:39:00 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1..txt

2015-05-28 15:39:02 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.2.txt

2015-05-28 15:39:03 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.3.txt

2015-05-28 15:39:03 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:06 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:07 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.4.txt

2015-05-28 15:39:08 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:11 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16 Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16 Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.5.txt

The log stops there. When I restart the service I see these additional entries in the Error log:

2015-05-29 07:17:16 Unable to open InterApp listening socket on TCP port 3300

2015-05-29 07:17:16 Unable to open UDP socket on port 514

2015-05-29 07:19:08 Service running, but Service/Manager comm link is not connecting.

2015-05-29 07:19:28 Unable to connect to Service socket on TCP port 3300

2015-05-29 07:19:38 Service running, but Service/Manager comm link is not connecting.

Any ideas?

↧

Parsing logs from Windows Event logs

March 24, 2015, 2:33 pm

≫ Next: Kiwi Syslog Server Setup Window is Blank

≪ Previous: Syslog stops logging with no notification

Good day,

How can we get windows event logs to be stored in the database with there specific fields

Event ID
DATE and TIME
EVENT DESCRIPTION
AUDIT TYPE
SERVER NAME
ACCOUNT NAME
DOMAIN NAME
FAILURE CODE
FAILURE REASON
LOGON TYPE

Currently the information is stored in one (1) field. Is there a parse script or way to split the information as seen above and store in the database.

My project team is urgently awaiting a response to complete an overdue task. Can someone kindly provide some assistance, guidance or information.

Thanks in advance.

George

↧

Kiwi Syslog Server Setup Window is Blank

June 6, 2014, 1:47 pm

≫ Next: How to encrypt syslog from cisco switch or router into Kiwi syslog?

≪ Previous: Parsing logs from Windows Event logs

The program was originally setup before I started working here. Recently I was asked to have some data emailed to the IT here, well I opened up the interface, and the Kiwi Syslog Server Setup window is blank, except for the menu items at the top and the buttons at the bottom right.

After some searching around on google, I figured out that the interface was missing a lot of stuff.

Besides the setup interface being blank, the server functions and is performing email tasks that were previously setup.

Any suggestions on resolving this issue?

Kiwi Syslog Server V9.2 licensed, maintenance has expired

Windows 7 Pro 64 Bit

↧

How to encrypt syslog from cisco switch or router into Kiwi syslog?

June 16, 2014, 4:01 am

≫ Next: Error upgrading to 9.4.2

≪ Previous: Kiwi Syslog Server Setup Window is Blank

I want to encrypt syslog from Cisco swirtch or router into Kiwi Syslog.

I read somewhere I can use syslog tls or snmp trap v3

Is that possible using Kiwi Syslog

thanks

↧

Error upgrading to 9.4.2

April 1, 2015, 4:13 am

≫ Next: Has anyone upgraded the Ultidev web server that is bundled with Kiwi Syslog?

≪ Previous: How to encrypt syslog from cisco switch or router into Kiwi syslog?

I have had this same problem upgrading the last 3 versions of Kiwi Syslog. I am logged onto the server as a domain administrator, I am chosing Run As Administrator, and I get this error:

I have to abort the installation and move the file out, then re-run the installation. Surely there's a better way?

↧