Configured the syslog.conf file successfully, restarted services, checked IP tables - IPtable disabled. Logs are getting generated in the mount point, but still logs are not getting delivered to the syslog server. Why?
Please suggest.
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.
External link to Jing: Multiple Displays - justinfinley's library
Video Guide:
Remember to "LIKE" this if you find it useful - that helps others find it too!
I have logs saved to separate files every day. At the end of the quarter, I will need to look thru the logs to collect statistics for the report.
Is there a way for me to use Syslog Web Access to look thru the old log files and filter out information that I need?
I am using Syslog v9.5
I have Kiwi Syslog 9.5 installed.
I chose to install it as a service and also installed the web access.
The syslog console opened fine and I see logs on the display and also in the file.
However, with the web access, it shows nothing (whatsoever). I checked the Setup on Console Manager and see that under Rules I have 2 exact same options for "Log to Syslog Web Access". Everything under those options is checked.
But I still see no log on web access.
1) I tried to uncheck all the "Log to Syslog Web Access".
2) Closed the Console Manager and reopened it
3) Checked one of the 2 options "Log to Syslog Web Access" and everything below it.
4) Opened and logged in to web access -> Still see nothing.
Any idea?
We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day. We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of the devices in our network. We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails. We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based off of the service's recovery failure setting to restart the service, but this is happening way too often.
Has anyone else seen this problem and if so, what kinds of things did you try/do? Is this box just getting pegged so hard that it's causing the service to malfunction and trip up? I'm not a Windows guy but is this issue even Windows related? The only other application we have running on this server is CatTools and it runs clean with no service issues. The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself.
Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.
Thank you in advance!
What it does:
Log Forwarder for Windows allows you to forward Windows events as Syslog to your Kiwi Syslog Server
How to get it:
If you download the Kiwi Syslog Server 9.0 from your customer portal, you will see there is an additional Log Forwarder executable included with your download. The Log Forwarder for Windows was developed by the Kiwi Syslog team. It is available at no cost to Kiwi Syslog customers current on maintenance.
Try it out and let us know what you think!
Hi
I am installing syslog in my server room to monitor the log in/log out operations on servers... I installed Log Forwarder on some Windows Server 2003 servers and everything is OK, but now I installed it on some Windows Server 2012 and all the messages that I receive from these servers are like this: "06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog 6 Application 127 lun giu 08 17.03.41 2015 1003 Microsoft-Windows-Security-SPP N/A Information srv-av.astergenova.it 0 The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."
Do you have any idea how to fix this? The syslogger is installed on an XP machine, but I also tried to install it on a Windows 2012 Server machine and nothing changed.
Hi There,
I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log. When I click on the Security Log I don't see Audit Success or Audit Failure as an event type. It just has Error, Warning and Information. If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change. Am I doing something wrong? How can I see Audit Failure as an Event Type?
Thanks,
Is there any way for me to export Kiwi Syslogs? I want to be able to export the syslogs from a licensed Kiwi server into another database for viewing, specifically the NPM database. I would think that there would have been something to do this already since both are SolarWinds products, but I am unable to find it.
I want to be able to take the logs off the Kiwi server and view them elsewhere, without viewing through Kiwi. I want to view them through NPM, but I guess I can get by viewing them through something like Access. Is there a way (even if it isn't easy) to do this?
Got a couple of these yesterday. When I searched the forum, a post from 2011 suggested that updating to 9.2.1 would increase the buffer to 500 thousand; however this is well below that amount.
Syslog Alarm: 41596 messages overflowed the message queue this hour.
The current maximum threshold is set at 1 messages per hour.
This could indicate a problem, please check the log files and syslog statistics below.
/// Kiwi Syslog Server Statistics ///
---------------------------------------------------
24 hour period ending on: Tue, 25 Jun 2013 08:14:38
Syslog Server started on: Sun, 23 Jun 2013 20:12:19
Syslog Server uptime: 1 day, 12 hours, 1 minute
---------------------------------------------------
+ Messages received - Total: 37905206
+ Messages received - Last 24 hours: 26657147
+ Messages received - Since Midnight: 8207057
+ Messages received - Last hour: 1314425
+ Message queue overflow - Last hour: 77312
+ Messages received - This hour: 39648
+ Message queue overflow - This hour: 41596
+ Messages per hour - Average: 1109062
+ Messages forwarded: 0
+ Messages logged to disk: 8207765
+ Errors - Logging to disk: 0
+ Errors - Invalid priority tag: 0
+ Errors - No priority tag: 0
+ Errors - Oversize message: 676
+ Disk space remaining on drive E: 88880 MB
My name is Juliana. I am a recruiter with Clarus Group and I am hiring a team of 2 Solarwinds Certified Professionals. I need one Senior and one Junior-mid level for a long term contract/contract-hire opportunity (1yr+) in Washington, DC. This project would not start for another month or so but, we need to identify our team now. This team would have to be on site for this role.
Great opportunity, competitive pay! I do have a deadline TODAY by Close of Business. Send resumes to jbuonanno@clarusgp.com if interested and call 443-478-4365 to discuss this opportunity further. Talk to you soon!
I am looking to review logs from a specific device for Aug 25th, as an example.
I have Kiwi Syslog version 9.1. New to this product. Any help will be appreciated.
Thanks,
Vaibhav
Hi.
We use the snmp trap feature of syslogd, receiving and forwarding SNMP traps as syslog messages.
The following problem was discovered with syslogd 9.4.x. It is still present in 9.5.0, but slightly different. See update below.
The attached file shows two network packets captured with Wireshark. Both packets appear to be completely valid packets, and also decode perfectly with the appropriate MIBs loaded in Wireshark.
Kiwi syslogd somehow manages to mistreat one of the packets. This is illustrated below, where you can see that cldcClientMacAddress.0 reads as ‘L?XÉöh’ in one case, and ‘Hex String=70 18 8B 44 B3 4F’ in the other. Obviously, we prefer the latter parsing of the data.
This problem is very visible to us, as approximately one third to one half of all client MAC addresses are unintelligible in our logs.
The source of the messages is SNMP traps from a Cisco WLC wireless controller.
The captured packets (in the attachment) are taken from the inbound snmptraps to the KIWI syslog server.
The Kiwi Display function shows the same corrupted MAC as shown below.
We have not managed to figure out any pattern in corrupted/noncorrupted packets.
Also the AP MAC address shows the same corruption. There is no obvious correlation between corruption of one or the other.
(I.e. if a client MAC is corrupted this does not imply that the AP MAC is corrupted and vice versa.)
We *think* a MAC address coming through as corrupted always comes through as corrupted.
UPDATE:
After having updated syslogd to 9.5.0, *all* MAC addresses now arrive garbled. I do prefer consistency over randomness. But still....
I have found no way to decode the received text as a valid MAC address.
None of the options under 'Input | SNMP' appear to have any impact on this issue.
Is this a bug, or an intended feature? If the latter, how am I meant to parse the received data?
From kiwi syslogd:
Client 4c:bb:58:90:94:68/10.115.170.85:
13:02:25 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2013100, agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0=L?XÉöh, cLApName.0=H-BERGEN-NGV-AP30, cldcApMacAddress.0=³¹¹?Ä, cLApDot11IfSlotId.0=0, cldcClientIPAddress.0=10.115.170.85, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=username, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=HFK-Skole
Client 70:18:8b:44:b3:4f/10.114.58.15:
13:05:59 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2034500, agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0="Hex String=70 18 8B 44 B3 4F", cLApName.0=H-LINDAS-KNV-AP38, cldcApMacAddress.0="Hex String=70 10 5C 93 D4 E0", cLApDot11IfSlotId.0=1, cldcClientIPAddress.0=10.114.58.15, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=anotherusername, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=HFK-Skole
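Added example, not part of the original post and not SolarWinds code: a log-normalization check for the two trap lines quoted above. It converts `Hex String=` values to colon-separated MACs and flags text-rendered values for review. The `render_as_text` helper rests on an assumption the page does not confirm, namely that the garbled form is the six raw octets printed through an OEM code page (`cp850` here) and then an ANSI one (`cp1252`); all function names are hypothetical.

```python
import re

# Constructed sample: the two trap lines quoted in the post, shortened.
SAMPLE = [
    'community=kiwi201, cldcClientMacAddress.0=L?XÉöh, '
    'cLApName.0=H-BERGEN-NGV-AP30, cldcClientIPAddress.0=10.115.170.85',
    'community=kiwi201, cldcClientMacAddress.0="Hex String=70 18 8B 44 B3 4F", '
    'cLApName.0=H-LINDAS-KNV-AP38, cldcClientIPAddress.0=10.114.58.15',
]

# key=value pairs separated by ", "; a value may be double-quoted.
FIELD = re.compile(r'([\w.]+)=("[^"]*"|[^,]*)(?:,\s*|$)')
HEX_MAC = re.compile(r'Hex String=((?:[0-9A-Fa-f]{2} ){5}[0-9A-Fa-f]{2})')


def parse_fields(line):
    """Split one 'key=value, key=value' trap line into a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff for a 'Hex String=' value, else None."""
    m = HEX_MAC.fullmatch(value)
    return m.group(1).lower().replace(' ', ':') if m else None


def render_as_text(mac, oem='cp850', ansi='cp1252'):
    """Assumed cause: raw octets printed as OEM text, then forced into an
    ANSI code page with '?' for glyphs that do not fit."""
    raw = bytes.fromhex(mac.replace(':', ''))
    return raw.decode(oem).encode(ansi, errors='replace').decode(ansi)


def audit(lines, field='cldcClientMacAddress.0'):
    """Return (normalized MACs, raw values that need manual review)."""
    good, suspect = [], []
    for line in lines:
        value = parse_fields(line).get(field, '')
        mac = normalize_mac(value)
        (good if mac else suspect).append(mac or value)
    return good, suspect


if __name__ == '__main__':
    print(audit(SAMPLE))
    print(render_as_text('4c:bb:58:90:94:68'))
```

Under that assumption the `?` stands for an octet with no printable equivalent, so the text form cannot be reversed into a unique MAC; a log pipeline should keep such values flagged as suspect instead of guessing.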
Hey all,
I have recently taken over a sys admin position, and am required to move the location of the Kiwi Syslog Server logs to another file location. I have never used it prior. However, I can't seem to move the file.
Kiwi Syslog Server 9.2.1 (Free version.)
Windows Server 2003 SP2 (WORKGROUP)(VM)
Current configuration:
Log to Log File
Path and file name: C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt
If I test the configuration, I can see the test messages in the location noted above. However, after I apply the settings, the older location (a CIFS share) continues to receive the actual syslogs of the devices we monitor.
There are three local users, all of which show the same configuration.
I have tried deleting and recreating the Log to Log File rule. No change.
I have tried starting and stopping the service. No change.
I have tried exporting the system settings, and then reimporting them. No change.
I have tried searching the registry for the old location. Nothing found.
I have two theories.
1. The settings are locked for some reason.
2. The settings are stored somewhere else.
Any help would be great.
Thanks,
Aaron
Solarwinds Padawan
I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.
I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.
I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.
I have googled, read the user guide, and searched the forum and cannot find any procedure by which I can tweak Kiwi to log the syslog files from my ASA, which is being used as a VPN concentrator.
Any ideas?
Hi
Is anyone on the new 9.5 GR seeing a memory leak that stops the service?
/SJA
Hello,
When KSS v9.5 RC2 received an SNMP Trap (v1), the Kiwi Syslog Server service stopped with an error.
Kiwi Syslog Server Version: v9.5 RC2(v9.5.0.323)
OS: Windows Server 2008 R2 SP1
Errorlog.txt:
2015-08-06 15:29:18 *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2015-08-06 15:29:18 Service Version 9.5.0.323 | Error Number: 6 | Description: Overflow | Module Name: Syslogd.frm | Procedure Name: SNMPMgr_Trap | Line Number: 770 | Date and time: 2015/08/06 15:29:18
I can re-start it by Manage>Start the Syslogd service.
When KSS received the SNMP Trap again, the Kiwi Syslog Server service stopped with an error.
Please fix this problem.
Best Regards,
I have installed and configured Kiwi Syslog. I recently started noticing the service stops randomly. After looking through event logs I'm finding that the app keeps crashing and I get the below. Any ideas?
Faulting application name: Syslogd_Service.exe, version: 9.4.0.2, time stamp: 0x54fda0c5
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x064edf14
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: Syslogd_Service.exe
P2: 9.4.0.2
P3: 54fda0c5
P4: unknown
P5: 0.0.0.0
P6: 00000000
P7: c0000005
P8: 064edf14
P9:
P10:
Attached files:
C:\Windows\Temp\WER751C.tmp.WERInternalMetadata.xml
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\memory.hdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\minidump.mdmp
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e
Analysis symbol:
Rechecking for solution: 0
Report Id: e3d4b04b-1f3b-11e5-80de-005056aa628b
Report Status: 4
Hashed bucket: