Channel: THWACK: Popular Discussions - Kiwi Syslog

How to Split Logs to Multiple Displays in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.

 


External link to Jing: Multiple Displays - justinfinley's library

 

Video Guide:

  • 0:00 Unfiltered display (Display 00)
  • 0:10 Showing the rule that sends all messages to Display 00
  • 0:20 Changing the unfiltered display from Display 00 to Display 05
  • 0:25 Checking that the switch happened
  • 0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
  • 1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
  • 2:05 Checking that the new filters work
  • 2:25 Renaming "Display 05" to "All Messages"
  • 2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
  • 3:10 Checking that the display renaming worked

 

Remember to "LIKE" this if you find it useful - that helps others find it too!


audit sql transaction log


I have MS SQL 2008 R2 Express. Can I use Kiwi Syslog Server for tracking the SQL transaction log of my database, and how? Is there some guide or manual?

Thanks

Kiwi Syslog Server Log Location won't change.


Hey all,

 

I have recently taken over a sys admin position, and am required to move the location of the Kiwi Syslog Server logs to another file location. I have never used it prior.  However, I can't seem to move the file.

 

Kiwi Syslog Server 9.2.1 (Free version.)

Windows Server 2003 SP2 (WORKGROUP)(VM)

 

Current configuration:

Log to Log File

Path and file name:  C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt

 

If I test the configuration, I can see the test messages in the location noted above.  However, after I apply the settings, the older location (a CIFS share) continues to receive the actual syslogs of the devices we monitor.

 

There are three local users, all of which show the same configuration.

 

I have tried deleting and recreating the Log to Log File rule.  No change.

I have tried starting and stopping the service.  No change.

I have tried exporting the system settings, and then reimporting them.  No change.

I have tried searching the registry for the old location.  Nothing found.

 

I have two theories.

1.  The settings are locked for some reason.

2.  The settings are stored somewhere else.

 

Any help would be great.

 

Thanks,

 

Aaron

Solarwinds Padawan

how to review syslog with kiwisyslog?


I am looking to review logs from a specific device for Aug 25th, as an example.


I have Kiwisyslog 9.1 version. New to this product. Any help will be appreciated.


Thanks,


Vaibhav

Faulting application name: Syslogd_Service.exe


I have installed and configured Kiwi Syslog. I recently started noticing that the service stops randomly. After looking through the event logs I'm finding that the app keeps crashing and I get the below. Any ideas?

 

 

 

 

Faulting application name: Syslogd_Service.exe, version: 9.4.0.2, time stamp: 0x54fda0c5

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x064edf14

Faulting process id: 0x%9

Faulting application start time: 0x%10

Faulting application path: %11

Faulting module path: %12

Report Id: %13

Faulting package full name: %14

Faulting package-relative application ID: %15

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.2

P3: 54fda0c5

P4: unknown

P5: 0.0.0.0

P6: 00000000

P7: c0000005

P8: 064edf14

P9:

P10:

 

 

Attached files:

C:\Windows\Temp\WER751C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\memory.hdmp

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\minidump.mdmp

 

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e

 

 

Analysis symbol:

Rechecking for solution: 0

Report Id: e3d4b04b-1f3b-11e5-80de-005056aa628b

Report Status: 4

Hashed bucket:

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)


PROBLEM - pfSense syslogs for a firewall event are split into two lines when they are sent to the Kiwi Syslog app.

 

Is there a way to edit the configuration or a parsing script to parse the pfSense event as one line, similar to what the Splunk app can do? See link http://www.basementpctech.com/content/pfsense-log-analysis-splunk

 

I understand that this is a pfSense tcpdump issue, but I have already tried the change described at http://redmine.pfsense.org/issues/1938 without any luck; it just doesn't work. I tried all combinations of changes without any luck.

 

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

 

I would really appreciate any help with this, as I have already exhausted searching for a working solution using Kiwi Syslog, and this is the only thing holding me back from purchasing this application.

 

Appreciate any help on this.

 

 

Example from Kiwi Syslog

 

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]
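One way to put the lines of a pf hit back together before they reach a display or a downstream parser, as an added example that is not part of the post, of pfSense or of Kiwi. The Kiwi display format and the tcpdump-style pf text are taken from the four sample lines above; the tab that the sample shows as "<009>" is restored before matching. A hit starts with the line carrying the relative offset and "rule N/M(match)"; every following line that is indented belongs to it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Kiwi display line: "MM-DD-YYYY HH:MM:SS Facility.Severity source <original syslog text>"
KIWI_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<prio>\S+) (?P<src>\S+) (?P<body>.*)$"
)
# First line of a pf hit: "<syslog ts> pf: <offset> rule N/M(match): block in on em0: (...)"
PF_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) pf: "
    r"(?P<offset>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\S+): (?P<rest>.*)$"
)
# Continuation line: same prefix, then at least one extra space or tab before the detail
PF_CONT = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) pf: \s+(?P<rest>.*)$")


@dataclass
class PfEvent:
    src: str                    # sending firewall as Kiwi shows it
    kiwi_time: str              # Kiwi receive time of the first line seen for this hit
    header: Optional[str]       # "rule 1/0(match): block in on em0: (...)", None if never seen
    details: List[str] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        return self.header is not None and bool(self.details)

    def as_line(self) -> str:
        """Single-line form for one display row or a downstream parser."""
        parts = ([self.header] if self.header else ["<header missing>"]) + self.details
        return f"{self.kiwi_time} {self.src} pf: " + " | ".join(parts)


def reassemble(lines) -> List[PfEvent]:
    """Group Kiwi display lines into one PfEvent per pf hit, in arrival order."""
    events: List[PfEvent] = []
    current: Optional[PfEvent] = None
    for raw in lines:
        m = KIWI_LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue                                   # not a Kiwi display line
        body = m["body"].replace("<009>", "\t")        # restore the tab Kiwi escaped
        when = f"{m['date']} {m['time']}"
        h = PF_HEADER.match(body)
        if h:                                          # a new hit starts: flush the open one
            if current is not None:
                events.append(current)
            current = PfEvent(m["src"], when, f"rule {h['rule']}: {h['rest']}")
            continue
        c = PF_CONT.match(body)
        if c:                                          # detail line: attach to the open hit
            if current is None:                        # lines seen before any header belong to
                current = PfEvent(m["src"], when, None)  # a hit that started before the capture
            current.details.append(c["rest"])
    if current is not None:
        events.append(current)
    return events


# The four lines from the post above, unchanged.
SAMPLE = """\
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)
02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]
""".splitlines()

if __name__ == "__main__":
    for ev in reassemble(SAMPLE):
        print(("complete   " if ev.complete else "incomplete ") + ev.as_line())
```

On the sample this yields two events: the first two lines are the tail of a hit whose header was logged before the capture started, so they are kept as an incomplete event rather than dropped; the header line opens the second event and the last line attaches to it. In a live stream the detail line follows its header almost immediately with the same timestamp, so a stateful forwarder also flushes the open hit after a short idle timeout, not only when the next header arrives.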

Need Help with Kiwi Syslog 8.1.6


Hello,

 

I was asked to enable logging from 3 Cisco TelePresence servers to a Kiwi that hasn't been used much. Since we already have a server, my company wants me to use it and not spend any money. The maintenance plan expired 3 years ago so I could not get phone support.

 

My question is how do I extract information from this program? When I go to the catch-all file I only see data up until March 1st. Is there a best practice for extracting data from this service? I need to be able to have our NOC team pull logs etc.

 

Any info is GREATLY appreciated!

 

Ian

Kiwi Syslog Server does not display secure ASA syslogs


Hello to the community!

I have been confused by this for a while and I would like to get your help!

 

I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.

I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.

Also, I have generated a certificate request for the Kiwi server, which was signed by the CA server, and also made a trustpoint on the ASA with that certificate (the signed one).

 

When i try to send syslogs it doesn't display anything.

 

I have installed Kiwi SyslogGen and have made some tests.

When I make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.

But when I make a test with destination port 6514 (default Secure TCP) it fails.

 

On the command prompt I issued the following:

netstat -ano

there were the following entries regarding syslog:

TCP: 0.0.0.0:1468

UDP: 0.0.0.0:514

 

But nothing is listening on 6514.

What can be the problem? Thank you very much in advance!!

 

Something I saw in the error log:

Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.

Here are some pictures of the settings (attached screenshots): Secure TCP.png, TCP.png, Modifiers.png
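A sender-side probe that tells apart the three states this post touches, as an added example that is not from the post, from Kiwi or from Cisco: nothing bound to the port (what the netstat output above shows for 6514), a listener that accepts the TCP connection but never completes TLS (a plain-TCP port such as 1468, or a secure listener whose certificate is unusable), and a working TLS listener whose certificate fingerprint can be compared with the one the CA signed. The two loopback listeners that selftest() starts are constructed test doubles; against the real server the call is probe_tls_listener(kiwi_ip, 6514, ca_file="root-ca.pem") with the root CA file you installed (file name assumed).

```python
import hashlib
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    status: str                        # "tls_ok" | "tls_failed" | "refused" | "timeout" | "error"
    detail: str = ""
    fingerprint: Optional[str] = None  # SHA-256 of the server cert (DER) once a handshake completes


def probe_tls_listener(host: str, port: int, timeout: float = 3.0,
                       ca_file: Optional[str] = None) -> ProbeResult:
    """Connect and attempt a TLS handshake the way a syslog-over-TLS sender would.

    refused    -> nothing is bound to host:port (an empty netstat line for the port)
    tls_failed -> TCP accepted but TLS never completed (plain-TCP listener, or a server
                  certificate/private key that cannot be used)
    tls_ok     -> handshake done; compare fingerprint with the certificate you installed
    With ca_file the server certificate is verified against that CA (hostname check off,
    since devices usually address the server by IP); without it the handshake runs with
    verification disabled so a mis-chained certificate still yields a fingerprint.
    """
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)
        ctx.check_hostname = False
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return ProbeResult("tls_ok", f"{tls.version()} {tls.cipher()[0]}",
                                   hashlib.sha256(der).hexdigest())
    except ConnectionRefusedError as e:
        return ProbeResult("refused", str(e))
    except socket.timeout as e:
        return ProbeResult("timeout", str(e))
    except ssl.SSLError as e:
        return ProbeResult("tls_failed", str(e))
    except OSError as e:
        return ProbeResult("error", str(e))


def _plaintext_listener() -> int:
    """Constructed test double: accepts one connection and answers in plain text, like a
    non-TLS syslog port. Returns the loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(3.0)
            try:
                conn.recv(4096)         # read the ClientHello so close() ends with FIN, not RST
            except OSError:
                pass
            conn.sendall(b"<134>plain TCP syslog here, no TLS\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port() -> int:
    """Constructed test double: a loopback port with nothing bound to it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def selftest() -> dict:
    """Probe both doubles; live use is probe_tls_listener(kiwi_ip, 6514, ca_file=...)."""
    return {
        "plain_tcp": probe_tls_listener("127.0.0.1", _plaintext_listener()).status,
        "nothing_bound": probe_tls_listener("127.0.0.1", _closed_port()).status,
    }


if __name__ == "__main__":
    print(selftest())
```

The probe only reports what a sender sees; it cannot repair the bind failure itself. A "refused" on 6514 together with the "Unable to bind TCP listener" error means the secure listener never started, so the next thing to verify is on the server side: that the certificate installed there is the CA-signed one with its private key present and readable by the account the service runs as, and that nothing else already holds the port.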


log forwarder and dhcp auditing?


I need to forward all of our DHCP audits to the syslog server; however, I cannot figure out how to do that with the Log Forwarder.  Which source do I use in the Event Viewer?  The audit is logged to a file.  Is there any way to forward changes to files?
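The Windows DHCP server's audit log is a plain CSV text file rather than an Event Log channel, so it can be tailed and turned into syslog directly. The following is an added example, not Kiwi's Log Forwarder and not Microsoft's code: the column order and the event IDs mapped here are the ones printed in the header of a DhcpSrvLog-<Day>.log file, the sample rows are constructed, and the hostname dhcp01, the facility and the warning/info split are choices made for the example.

```python
import csv
import os
import socket
import time
from datetime import datetime
from typing import Iterator, Optional

# Lease-related event IDs as listed in the header the DHCP server writes to each log file.
DHCP_EVENTS = {
    "10": "lease assigned", "11": "lease renewed", "12": "lease released",
    "13": "address conflict detected", "14": "scope exhausted, request refused",
    "15": "lease denied",
}
WARN_IDS = {"13", "14", "15"}        # the ones a NOC should notice (sent as severity 4)


def current_log_path(log_dir: str, when: datetime) -> str:
    """The server keeps one file per weekday, e.g. DhcpSrvLog-Mon.log."""
    return os.path.join(log_dir, f"DhcpSrvLog-{when:%a}.log")


def parse_dhcp_audit_line(line: str) -> Optional[dict]:
    """Rows are CSV: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
    Banner, header and blank lines do not start with a numeric ID and are skipped."""
    row = next(csv.reader([line.rstrip("\r\n")]), [])
    if len(row) < 7 or not row[0].strip().isdigit():
        return None
    return {"id": row[0].strip(), "description": row[3], "ip": row[4],
            "host": row[5], "mac": row[6],
            "when": datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")}


def to_syslog(rec: dict, hostname: str = "dhcp01", facility: int = 1) -> str:
    """RFC 3164 style line: <PRI>Mmm dd HH:MM:SS host tag: key=value pairs."""
    severity = 4 if rec["id"] in WARN_IDS else 6
    dt = rec["when"]
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"
    meaning = DHCP_EVENTS.get(rec["id"], rec["description"])
    return (f"<{facility * 8 + severity}>{stamp} {hostname} DhcpAudit: id={rec['id']} "
            f'event="{meaning}" ip={rec["ip"]} host="{rec["host"]}" mac={rec["mac"]}')


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield complete lines appended to path (like tail -f), starting from its current end.
    If the file shrinks (a new day's file replaces it under the same name), restart from
    offset 0 instead of waiting at a stale position."""
    with open(path, encoding="utf-8", errors="replace") as f:
        f.seek(0, os.SEEK_END)
        while True:
            pos = f.tell()
            line = f.readline()
            if not line:
                if os.path.getsize(path) < pos:
                    f.seek(0)
                else:
                    time.sleep(poll)
                continue
            if not line.endswith("\n"):       # writer is mid-line; re-read once complete
                f.seek(pos)
                time.sleep(poll)
                continue
            yield line


def forward(log_dir: str, syslog_host: str, syslog_port: int = 514) -> None:
    """Tail today's audit log and send each lease event to the syslog server over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in follow(current_log_path(log_dir, datetime.now())):
        rec = parse_dhcp_audit_line(line)
        if rec:
            sock.sendto(to_syslog(rec).encode(), (syslog_host, syslog_port))


# Constructed rows in the audit log's layout; not real leases.
SAMPLE_LINES = [
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult",
    "10,06/08/15,17:03:41,Assign,172.19.12.50,pc01.corp.example,001122334455,,0,0",
    "15,06/08/15,17:05:02,Deny,172.19.12.77,,AABBCCDDEEFF,,0,0",
]

if __name__ == "__main__":
    for l in SAMPLE_LINES:
        rec = parse_dhcp_audit_line(l)
        if rec:
            print(to_syslog(rec))
```

follow() only tracks the file it was given; because the server switches to the next weekday's file at midnight, a forwarder that runs as a service re-evaluates current_log_path() each day (or watches all seven files). Run it as a low-privilege account with read access to the dhcp directory only.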


How to Split Log Files by IP Address and Date in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server.  Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders.  (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

 

 

External link to Jing: autosplit - justinfinley's library

 

Video Guide:

  • 0:00 Opening Kiwi Syslog's configuration dialog
  • 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
  • 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

 

Remember to "LIKE" this if you find it useful - that helps others find it too!
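An added illustration covering both this video and the "multiple displays" one earlier on the page (not an export of Kiwi's rules and not SolarWinds code): a small rule engine in which every filter of a rule must match, a matching rule sends the message to named displays and to log-file paths, and the two AutoSplit variables the video uses, %IPAdd4 and %DateISO, are expanded per message so the path comes out as in the "D:\logs\192.168.000.001\Log2012-07-13.txt" example. The RULES list, the case-insensitive substring filter and the message that demo() builds are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List


@dataclass
class Message:
    src_ip: str          # sending device as it appears in Kiwi's source column
    received: datetime   # time the server received it
    text: str


Filter = Callable[[Message], bool]


def contains(word: str) -> Filter:
    """Substring filter, assumed case-insensitive here so "Logon" and "LOGON" both hit the
    rule built for "logon"; check the case option on the real filter before relying on it."""
    return lambda m: word.lower() in m.text.lower()


@dataclass
class Rule:
    name: str
    filters: List[Filter] = field(default_factory=list)   # all must match; none = everything
    displays: List[str] = field(default_factory=list)     # "Display" targets
    log_files: List[str] = field(default_factory=list)    # "Log to file" path templates

    def matches(self, m: Message) -> bool:
        return all(f(m) for f in self.filters)


def _ip_4_octets(m: Message) -> str:
    """%IPAdd4: four zero-padded octets, so per-source folders sort in address order."""
    octets = m.src_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"%IPAdd4 needs a dotted IPv4 source, got {m.src_ip!r}")
    return ".".join(f"{int(o):03d}" for o in octets)


AUTOSPLIT: Dict[str, Callable[[Message], str]] = {
    "%IPAdd4": _ip_4_octets,
    "%DateISO": lambda m: m.received.strftime("%Y-%m-%d"),   # one file per day
}


def expand_path(template: str, m: Message) -> str:
    """Replace the AutoSplit variables in a path template; unknown %tokens are left as-is."""
    def sub(match: re.Match) -> str:
        tok = match.group(0)
        return AUTOSPLIT[tok](m) if tok in AUTOSPLIT else tok
    return re.sub(r"%\w+", sub, template)


def route(rules: List[Rule], m: Message) -> Dict[str, List[str]]:
    """Evaluate every rule top to bottom (no stop-processing action is modelled) and
    collect the displays and files the message would go to."""
    out: Dict[str, List[str]] = {"displays": [], "files": []}
    for r in rules:
        if r.matches(m):
            out["displays"].extend(r.displays)
            out["files"].extend(expand_path(t, m) for t in r.log_files)
    return out


# Roughly the rule set the two videos end up with (constructed, not an export).
RULES = [
    Rule("All messages", displays=["All Messages"],
         log_files=[r"D:\logs\%IPAdd4\Log%DateISO.txt"]),
    Rule("Logon", filters=[contains("logon")], displays=["Logon"]),
    Rule("Logoff", filters=[contains("logoff")], displays=["Logoff"]),
]


def demo(text: str, src_ip: str = "192.168.0.1") -> Dict[str, List[str]]:
    """Route one constructed message, received on 2012-07-13, through RULES."""
    return route(RULES, Message(src_ip, datetime(2012, 7, 13, 9, 30), text))


if __name__ == "__main__":
    for t in ("User alice Logon succeeded", "session logoff for bob", "keepalive"):
        print(t, "->", demo(t))
```

Because the catch-all rule has no filters, every message reaches "All Messages" and its per-source daily file, and the "logon"/"logoff" rules only add a second display; the zero-padding in %IPAdd4 is what makes the folder names sort correctly, which a plain "192.168.0.1" would not.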

Need Help Troubleshooting - Not Receiving/Displaying Messages


Server 2008 R2 Std

Kiwi Syslog Server 9.4.1

 

I have an older version of Kiwi installed on an old server that is being retired.  I've installed it on the new server, but I cannot get it to display anything.  I exported settings from the other server and imported on this one, then went to Inputs-UDP and set the correct IP to bind it to.

 

  • I've gone through ALL the steps at SolarWinds Knowledge Base :: Kiwi Syslog Daemon is not receiving messages and Kiwi Syslog Server but had no luck getting it to work.
  • I know for a fact that messages are being received -- when I run Wireshark with the filter "udp port 514", I see PLENTY of traffic from my firewall.  Both my firewall and VPN device are sending syslog messages to the old server and the new one.  The old server is still working just fine.
  • Windows Firewall on the new server is completely disabled.
  • I loaded the default rules and settings but still had no luck.
  • I disabled all DNS resolution - no luck.
  • There is no Errorlog.txt in C:\Program Files (x86)\Syslogd.
  • Test messages from within Kiwi work just fine.
  • I finally uninstalled Kiwi, rebooted the server, then reinstalled, and have the same problem.

 

Kiwi is running as LocalService -- I wondered if that might be the problem, but that's how it's running on the old server as well.

 

I'm at a loss as to what to do now.  I tried contacting support, but since I'm using the free version I was directed here.

Administrator Password Missed; Other way to login


Hi,

 

I have recently been handed over the Kiwi Syslog server to manage, which has both a fat client and a web server. The fat client is directly logged in; however, the web console could not be logged in to. When I checked regarding the password of "Administrator", I was informed that the resource handling it left long ago and there is no one who can tell.

 

Is there a way we can reset the password of Administrator or create a new user from the Syslog fat client? I can't raise the request with Support as we do not have active maintenance.

 

Thanks,

Syed

SYSLOG error with windows server 2012


Hi

 

I am installing syslog in my server room to monitor the log in/log out operations on servers. I installed Log Forwarder on some Windows Server 2003 servers and everything is OK, but now I installed it on some Windows Server 2012 servers and all the messages that I receive from these servers are like this: "06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog   6   Application   127   lun giu 08 17.03.41 2015   1003   Microsoft-Windows-Security-SPP      N/A   Information   srv-av.astergenova.it   0   The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."

Do you have an idea of how to fix this? The syslogger is installed on an XP machine, but I also tried to install it on a Windows 2012 server machine and nothing changed.

Procurve switches not sending syslog messages in KIWI syslog


Hi all,

 

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

 

show debug

 

Debug Logging

  Source IP Selection: Outgoing Interface
  Destination:
   Logging --
     'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

 

Tried facility 'syslog'; still nothing.

 

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

 

Anyone ideas to solve this?

 

TIA Jaap



Event Log Forwarder - Where is the Audit Failure Type?


Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

Aruba ClearPass and syslog messages truncated


Hello,

 

I have a problem with my Kiwi Syslog server and syslog messages received from my Aruba ClearPass Server. So I get the messages, no problem with that, but they are truncated. I mean, I don't get the full syslog message.

 

Here is an example: 10-09-2013 11:52:18 Local1.Debug 1.1.1.1 2013-10-09 10:48:42,270 1.1.0.1 Guest Access 66 1 0 RADIUS.Auth-Method=PAP,RADIUS.Auth-Source=Local:localhost,

 

Normally, here is all the information sent by Aruba ClearPass (and that should be present in the message):

 

RADIUS.Acct-Authentic
RADIUS.Acct-Called-Station-Id
RADIUS.Acct-Calling-Station-Id
RADIUS.Acct-Delay-Time
RADIUS.Acct-Framed-IP-Address
RADIUS.Acct-Input-Octets
RADIUS.Acct-Input-Pkts
RADIUS.Acct-NAS-IP-Address
RADIUS.Acct-NAS-Port
RADIUS.Acct-NAS-Port-Type
RADIUS.Acct-Output-Octets
RADIUS.Acct-Output-Pkts
RADIUS.Acct-Service-Name
RADIUS.Acct-Session-Id
RADIUS.Acct-Session-Time
RADIUS.Acct-Status-Type
RADIUS.Acct-Termination-Cause
RADIUS.Acct-Timestamp
RADIUS.Acct-Username
RADIUS.Auth-Method
RADIUS.Auth-Source

 

As you can see, only the last 2 parameters are visible in Kiwi Syslog. Is there something to set up in Kiwi?

 

Thanks for your help.

 

Dimitri
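Two checks that separate a sender that sends less from a receiver that keeps less, as an added example that is not from the post, from Kiwi or from Aruba. missing_fields() lists which of the ClearPass attributes from the list above are absent from a message as the server displayed it, and send_probes() pushes syslog datagrams of known sizes at a server so the length that shows up in the display can be compared with the "size=" text carried inside each one. run_loopback_probe() is a constructed loopback receiver with a deliberately small read buffer; it only shows what receiver-side truncation looks like and does not imitate Kiwi's input.

```python
import re
import socket
from typing import Dict, List

# The attribute list from the post above.
EXPECTED_CLEARPASS_FIELDS = [
    "RADIUS.Acct-Authentic", "RADIUS.Acct-Called-Station-Id", "RADIUS.Acct-Calling-Station-Id",
    "RADIUS.Acct-Delay-Time", "RADIUS.Acct-Framed-IP-Address", "RADIUS.Acct-Input-Octets",
    "RADIUS.Acct-Input-Pkts", "RADIUS.Acct-NAS-IP-Address", "RADIUS.Acct-NAS-Port",
    "RADIUS.Acct-NAS-Port-Type", "RADIUS.Acct-Output-Octets", "RADIUS.Acct-Output-Pkts",
    "RADIUS.Acct-Service-Name", "RADIUS.Acct-Session-Id", "RADIUS.Acct-Session-Time",
    "RADIUS.Acct-Status-Type", "RADIUS.Acct-Termination-Cause", "RADIUS.Acct-Timestamp",
    "RADIUS.Acct-Username", "RADIUS.Auth-Method", "RADIUS.Auth-Source",
]
# The displayed line from the post, unchanged.
POST_SAMPLE = ("10-09-2013 11:52:18 Local1.Debug 1.1.1.1 2013-10-09 10:48:42,270 1.1.0.1 "
               "Guest Access 66 1 0 RADIUS.Auth-Method=PAP,RADIUS.Auth-Source=Local:localhost,")


def received_fields(text: str) -> List[str]:
    """Attribute names present in a ClearPass-style 'Name=value,Name=value' message."""
    return re.findall(r"(RADIUS\.[\w\-]+)=", text)


def missing_fields(text: str, expected: List[str] = EXPECTED_CLEARPASS_FIELDS) -> List[str]:
    present = set(received_fields(text))
    return [f for f in expected if f not in present]


def build_probe(seq: int, size: int, pri: int = 14) -> bytes:
    """A syslog datagram of exactly `size` bytes whose text states its own sent size."""
    head = f"<{pri}>Jan  1 00:00:00 probe-host kiwi-probe: seq={seq} size={size} ".encode()
    if len(head) > size:
        raise ValueError(f"size {size} is smaller than the probe header ({len(head)} bytes)")
    return head + b"x" * (size - len(head))


def send_probes(host: str, port: int, sizes: List[int]) -> None:
    """Send one probe per size; on the server, compare the displayed length with size=."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for seq, size in enumerate(sizes, start=1):
            sock.sendto(build_probe(seq, size), (host, port))
    finally:
        sock.close()


def run_loopback_probe(sizes: List[int], bufsize: int = 1024) -> Dict[int, int]:
    """Constructed receiver: a UDP listener on 127.0.0.1 reading each datagram into a
    `bufsize` buffer. Returns {seq: bytes received}. A datagram larger than bufsize comes
    back cut to bufsize (Linux/macOS drop the excess silently; Windows raises instead),
    which is what truncation on the receiving side looks like."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    send_probes("127.0.0.1", rx.getsockname()[1], sizes)
    got: Dict[int, int] = {}
    try:
        for _ in sizes:
            data, _ = rx.recvfrom(bufsize)
            got[int(re.search(rb"seq=(\d+)", data).group(1))] = len(data)
    finally:
        rx.close()
    return got


if __name__ == "__main__":
    print("missing from the displayed message:", missing_fields(POST_SAMPLE))
    print("loopback, 1024-byte receive buffer:", run_loopback_probe([512, 2000]))
```

If probes of 2000 bytes and more arrive at the server intact but the ClearPass lines still end after Auth-Source, the cut is happening before the server, on the ClearPass export or on the path; a capture at the server with the "udp port 514" filter used in the earlier post shows the datagram length as it arrived and settles which side to look at.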


How to Resolve IP Addresses into Hostnames in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.

 


External link to Jing: DNS Resolution - justinfinley's library

 

Video Guide:

  • 0:00 Watching traffic come in with unresolved IP addresses
  • 0:10 Turning on IP address resolution (this affects what appears in the "Hostname" column)
  • 0:20 Turning on in-message IP address resolution (this is optional, can be slow, and affects what appears in the "Message" column)
  • 0:27 A quick glance at the DNS server settings (which DNS server to use, whether NetBIOS is to be used, etc.)
  • 0:29 A quick glance at the DNS cache settings
  • 0:30 Turning on resolution of frequently-used IPs from a local hosts file (this is very fast, but ignores changes to DNS servers)
  • 0:35 How to edit the hosts file
  • 1:30 Watching traffic come in with properly resolved IP addresses

 

Remember to "LIKE" this if you find it useful - that helps others find it too!
