How to load-balance Kiwi Syslog servers

December 23, 2013, 12:31 pm

≫ Next: Log Forwarder Service Fails to Start (Windows XPe/POSReady2009)

≪ Previous: Kiwi Syslog Server does not display secure ASA syslogs

I've got a set of 3 Kiwi servers sitting behind an F5, which I *thought* would effectively load balance the incoming syslog volume (I'm seeing around 5-8million messages per hour, and we haven't really turned everything on yet).

The problem, I just discovered, is that F5 load balances based on connections, not messages/packets. So round robin isn't round robin since most of my sending systems are passing new messages (and therefore creating a connection) more than even the lowest "disconnect after" option on the F5 (which is 1 second).

So my first server is maxing out at about 5million MPH and 0% buffer, while server 02 gets 2million messages and 80% buffer, and server 03 gets barely anything at all.

Has anyone else tried this, and have you found a work around (it doesn't have to be an F5. I just need the ability to create a pool of Kiwi servers and have all the systems in my enterprise sending to ONE ip address.

Thanks!

- Leon

↧

Log Forwarder Service Fails to Start (Windows XPe/POSReady2009)

September 19, 2015, 9:04 pm

≫ Next: Kiwi Syslog 9.5 Release Candidate is now Available!

≪ Previous: How to load-balance Kiwi Syslog servers

I am having issues getting the Log Forwarder service starting on WindowsXPe and POSReady2009 machines...seems to work on the Win7 and server OS. One error indicates that the service did not respond to the start or control request in a timely fashion (Error 1053), the other says that I don't have sufficient privileges to start system services, even though the account has local admin rights.

Error 1:

Error 2:

I also found this post from a few years ago that seems applicable, but seems to apply to older version of the Log Forwarder: https://thwack.solarwinds.com/thread/29840 The machines that are failing do not have any internet access.

All machines are WinXPe or POSReady2009 , have .NET 4.0 installed and accounts running the service have local admin rights.

↧

Kiwi Syslog 9.5 Release Candidate is now Available!

July 9, 2015, 11:40 am

≫ Next: Faulting application name: Syslogd_Service.exe

≪ Previous: Log Forwarder Service Fails to Start (Windows XPe/POSReady2009)

The Release Candidate for Kiwi Syslog Server 9.5 is now ready! The new Kiwi Syslog version is packed with great new features and improvements. RC is the last step before general availability, and it is a chance for existing customers to get the newest functionality before it is available to everyone else. You can download it from the LATEST DOWNLOADS FOR YOUR PRODUCTS section of the customer portal. Change filter to "Release Candidate" and click on download button next to Kiwi Syslog RC version.

This release contains various improvements such as

SNMP v3 Trap support
SNMP Trap Forwarding
Trap fields to VarBinds Elements in Output
Logging to Papertrail cloud
IPv6 Support
Statistics email reports based on different interval
Ability to create more than five web console users

RC builds are made available to existing customers prior to the formal release. These are used to get customer feedback in production environments and are fully supported. If you have any questions I encourage you to leverage the KSS forum on thwack.

Now go and download new version now!

↧

Faulting application name: Syslogd_Service.exe

June 30, 2015, 8:40 am

≫ Next: Kiwi Syslog not receiving SNMP Traps

≪ Previous: Kiwi Syslog 9.5 Release Candidate is now Available!

I have installed and configured Kiwi Syslog, i recently started noticing the service stops randomly. after looking through event logs im finding that the app keeps crashing and i get the below. any ideas?

Faulting application name: Syslogd_Service.exe, version: 9.4.0.2, time stamp: 0x54fda0c5

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x064edf14

Faulting process id: 0x%9

Faulting application start time: 0x%10

Faulting application path: %11

Faulting module path: %12

Report Id: %13

Faulting package full name: %14

Faulting package-relative application ID: %15

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.2

P3: 54fda0c5

P4: unknown

P5: 0.0.0.0

P6: 00000000

P7: c0000005

P8: 064edf14

P9:

P10:

Attached files:

C:\Windows\Temp\WER751C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\memory.hdmp

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\minidump.mdmp

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e

Analysis symbol:

Rechecking for solution: 0

Report Id: e3d4b04b-1f3b-11e5-80de-005056aa628b

Report Status: 4

Hashed bucket:

↧

Kiwi Syslog not receiving SNMP Traps

September 10, 2015, 6:14 am

≫ Next: Procurve switches not sending syslog messages in KIWI syslog

≪ Previous: Faulting application name: Syslogd_Service.exe

Hi all.

I have just installed Kiwi Syslog Server 9.5 on a test machine to evaluate its suitability for a project I'm working on. It's currently still running in 14-day Evaluation mode.

We can't seem to get it to receive SNMP traps at all. No matter what we do, netstat shows nothing listening on UDP port 162. SNMPv1 traps are being sent to the server, and we can see them in Wireshark arriving at the server, but Kiwi isn't listening for them.

In desparation, we tried enabling the Windows SNMP Trap service (although we understand this isn't required?) and this 'absorbed' the traps, but nothing appeared in Kiwi.

The test machine is running Windows 7 (32-bit) with the Windows Firewall switched off.

Should the 14-day Evaluation be able to receive SNMP traps?

Thanks in advance for any advice!

↧

Procurve switches not sending syslog messages in KIWI syslog

July 25, 2013, 6:58 am

≫ Next: Kiwi Syslog Server does not display secure ASA syslogs

≪ Previous: Kiwi Syslog not receiving SNMP Traps

Hi all,

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

show debug

Debug Logging

Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

tried facility 'syslog' still nothing.

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

Anyone ideas to solve this?

TIA Jaap

↧

Kiwi Syslog Server does not display secure ASA syslogs

June 9, 2015, 1:32 am

≫ Next: Kiwi Syslog Service Keeps crashing

≪ Previous: Procurve switches not sending syslog messages in KIWI syslog

Hello to the community!

I have been confused with this for a while and i would like to get your help!

I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.

I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.

Also i have generated a certificate request for the Kiwi server which was signed by the CA server and also made a trustpoint on the ASA with that certificate (The signed one)

When i try to send syslogs it doesn't display anything.

I have installed Kiwi SyslogGen and have made some tests.

When i make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.

But when i make a test with destination port 6514 (Default Secure TCP) it fails.

On the command prompt i issued the following:

netstat -ano

there were the following entries regarding syslog:

TCP: 0.0.0.0 1468

UDP: 0.0.0.0:514

But nothing is listening to 6514

What can be the problem? Thank you very much in advance!!

Somethin i saw on the error log:

Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.

Here are some pictures of the settings:

↧

Kiwi Syslog Service Keeps crashing

March 19, 2010, 11:05 am

≫ Next: Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided

≪ Previous: Kiwi Syslog Server does not display secure ASA syslogs

We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day. We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network. We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting email's. We up'ed that and seem to be doing better however the syslog service continues to fail and will at times restart itself based off of the services recovery failure to restart the service but this is happening way to often.

Has anyone else seen this problem and if so, what kinds of things did you try/do? Is this box just getting pegged so hard that it's causing the service to malfunction and trip up? I'm not a Windows guy but is this issue even Windows related? The only other application we have running on this server is CatTools and it runs clean with no service issues. The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself.

Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.

Thankyou in advance!

↧

Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided

September 25, 2015, 11:27 am

≫ Next: Kiwi filter for dstip not working

≪ Previous: Kiwi Syslog Service Keeps crashing

I set up Secure TCP port 6514 in in Kiwi Syslog Server version 9.5.0.332.

I'm getting the following error :

Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided

I'm using a self-signed certificate that I created in IIS.

Why doesn't the error message tell exactly what is wrong with the certificate?

Could somebody suggest a solution or a workaround?

Thanks!

↧

Kiwi filter for dstip not working

September 25, 2015, 6:17 am

≫ Next: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

≪ Previous: Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided

Kiwi 9.5

I am trying to create a filter to look at the syslog message field and take action if a certain IP comes across. So far I can't get it to work and not sure why.

I have a simple filter using a Simple include of "dstip=172.16." and action is to go to a display.

Nothing comes across. I even moved it to the top of the list and yes, I cycled the syslog service just in case.

Ideas for something so simple?

↧

How to Split Log Files by IP Address and Date in Kiwi Syslog Server

May 31, 2013, 9:19 am

≫ Next: Custom Stats...What are you tracking?

≪ Previous: Kiwi filter for dstip not working

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

External link to Jing: autosplit - justinfinley's library

Video Guide:

0:00 Opening Kiwi Syslog's configuration dialog
0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

Remember to "LIKE" this if you find it useful - that helps other find it too!

↧

Custom Stats...What are you tracking?

April 29, 2015, 12:25 pm

≫ Next: Kiwi Syslog Server does not display secure ASA syslogs

≪ Previous: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

Hello all,

Trying to get a little deeper into the KIWI Syslog waters and looking for some ideas on what to configure for the Custom Stats in the Daily Syslog e-mail.

↧

Kiwi Syslog Server does not display secure ASA syslogs

June 9, 2015, 1:32 am

≫ Next: syslog server crashing

≪ Previous: Custom Stats...What are you tracking?

Hello to the community!

I have been confused with this for a while and i would like to get your help!

I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.

I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.

Also i have generated a certificate request for the Kiwi server which was signed by the CA server and also made a trustpoint on the ASA with that certificate (The signed one)

When i try to send syslogs it doesn't display anything.

I have installed Kiwi SyslogGen and have made some tests.

When i make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.

But when i make a test with destination port 6514 (Default Secure TCP) it fails.

On the command prompt i issued the following:

netstat -ano

there were the following entries regarding syslog:

TCP: 0.0.0.0 1468

UDP: 0.0.0.0:514

But nothing is listening to 6514

What can be the problem? Thank you very much in advance!!

Somethin i saw on the error log:

Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.

Here are some pictures of the settings:

↧

syslog server crashing

September 17, 2015, 6:40 am

≫ Next: Kiwi syslog server service can't start

≪ Previous: Kiwi Syslog Server does not display secure ASA syslogs

we've recently built a new syslog server on a 2012 physical box. it has other solarwinds tools.

the syslog service will start, run for a brief amount of time, then crash. both kiwi and solarwinds syslog servers do this. the error for kiwi is something to the effect of 'error 13 type mismatch' which is usually when an insert into a db is done with the wrong type of data (text into an integer field for example).

only certain devices seem to crash the server. these are cisco nexus and 2921's. other devices such as an ASA 5525, a PIX, WAP's etc, do not crash the service. say for example i point router A to a test VM with kiwi on it. the test vm kiwi service will stay up and not crash. i then reconfigure router A to the new physical and it crashes almost immediately.

i've done packet captures and notice something very odd i cannot yet explain. on the test vm the incoming packets have a different format than on the physical server. specifically the date field is formatted different.

can anyone shed light on this? very odd. i'm wondering if it is a nic driver issue. this is on an HP proliant dl360G7 but the windows drivers for the nic's only go up to 2008. how on earth could the packets be arriving differently? i dont think they can, i think something is changing them or formatting them oddly.

↧

Kiwi syslog server service can't start

August 30, 2012, 3:37 am

≫ Next: Procurve switches not sending syslog messages in KIWI syslog

≪ Previous: syslog server crashing

Hi everyone,

I'm using Kiwi syslog server 9 on Windows 2008 R2 server (VMware virtual machine). On 17.8.2012. physical server has stopped responding and customer had to restart it manually. Since then Kiwi syslog server doesn't work. When I try to access it, server's CPU raises to 100%, it is stuck like that for few minutes and then it displays error message in Kiwi grid pop up window saying 'Run-time error '0''.

Kiwi syslog service also can't be started, when I try to start it, it says it couldn't be started in timely fashion.

I've tried to delete/rename files in c:\program files\solarwinds\kiwi web access\html\app_data but with no success. I've renamed event.sdf to Old_event.sdf and made a copy of Event-blank.sdf and then renamed it to event.sdf.

I've raised a support ticket but with no results till now.

Do you have any idea what's the problem here?

Regards, O

↧

Procurve switches not sending syslog messages in KIWI syslog

July 25, 2013, 6:58 am

≫ Next: Kiwi Syslog Server does not display secure ASA syslogs

≪ Previous: Kiwi syslog server service can't start

Hi all,

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

show debug

Debug Logging

Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

tried facility 'syslog' still nothing.

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

Anyone ideas to solve this?

TIA Jaap

↧

Kiwi Syslog Server does not display secure ASA syslogs

June 9, 2015, 1:32 am

≫ Next: Manager always crashes on 2008 R2 x64

≪ Previous: Procurve switches not sending syslog messages in KIWI syslog

Hello to the community!

I have been confused with this for a while and i would like to get your help!

I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.

I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.

Also i have generated a certificate request for the Kiwi server which was signed by the CA server and also made a trustpoint on the ASA with that certificate (The signed one)

When i try to send syslogs it doesn't display anything.

I have installed Kiwi SyslogGen and have made some tests.

When i make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.

But when i make a test with destination port 6514 (Default Secure TCP) it fails.

On the command prompt i issued the following:

netstat -ano

there were the following entries regarding syslog:

TCP: 0.0.0.0 1468

UDP: 0.0.0.0:514

But nothing is listening to 6514

What can be the problem? Thank you very much in advance!!

Somethin i saw on the error log:

Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.

Here are some pictures of the settings:

↧

Manager always crashes on 2008 R2 x64

August 11, 2010, 12:05 pm

≫ Next: 9.5 Stat. about SNMP TRAP forward action ?

≪ Previous: Kiwi Syslog Server does not display secure ASA syslogs

Hello,

I just installed 9.1 on a 2008 R2 x64 server. I installed it in service mode and when I run the manager, it just crashes immediately. When I install it in application mode, it works fine.

Here's the error info, any help would be appreciated, thanks!!

Problem signature:

Problem Event Name: APPCRASH

Application Name: Syslogd_Manager.exe

Application Version: 9.1.0.0

Application Timestamp: 4b78631b

Fault Module Name: StackHash_5b2b

Fault Module Version: 0.0.0.0

Fault Module Timestamp: 00000000

Exception Code: c0000005

Exception Offset: 02fe194e

OS Version: 6.1.7600.2.0.0.274.10

Locale ID: 1033

Additional Information 1: 5b2b

Additional Information 2: 5b2b4bbe2374c240b72f833a3ef7e30e

Additional Information 3: f660

Additional Information 4: f660de6916f397fec31d7584f0e23743

↧

9.5 Stat. about SNMP TRAP forward action ?

September 29, 2015, 4:04 am

≫ Next: Kiwi Syslog Service Getting Stopped automatically.

≪ Previous: Manager always crashes on 2008 R2 x64

I think that forward stat. action is is counting syslog only and not SNMP TRAP

Will be nice to have counters about that action as well.

↧

Kiwi Syslog Service Getting Stopped automatically.

December 9, 2013, 8:08 am

≫ Next: Kiwi Syslog Service Keeps crashing

≪ Previous: 9.5 Stat. about SNMP TRAP forward action ?

Kiwi syslog service is getting stop and while restarting it, again after few sec it stop. Restarted the server but no luck. Do any one have idea what will be cuase of issue.

↧