Channel: THWACK: Popular Discussions - Kiwi Syslog
Kiwi Syslog Service Keeps crashing

We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day.  We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network.  We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails.  We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based off of the service's recovery failure to restart the service, but this is happening way too often.

Has anyone else seen this problem and if so, what kinds of things did you try/do?  Is this box just getting pegged so hard that it's causing the service to malfunction and trip up?  I'm not a Windows guy but is this issue even Windows related?  The only other application we have running on this server is CatTools and it runs clean with no service issues.  The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself. 

Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.

 

Thank you in advance!


Trying to filter on a hostname that is an IP Address in Kiwi Syslog server.

I am trying to filter on the hostname, which happens to be an IP address. Kiwi Syslog Server gives me a red X whenever I attempt to test the filter. I can't convert it using DNS so I have to use the IP address. It keeps telling me to put quotes around it, but when I do it still doesn't work. I am trying to filter so I can dump this host in a separate LOG file. Any ideas?

SYSLOG to SQL

Brand new KIWI 9.1 eval user... succeeded in getting my SYSLOG fed to a SQL table, but need to parse the msgtext field.   I'm not a script writer, but hope there is a way to do this without scripting???    I've attached an excerpt from what ends up in the SQL table.  The delimiter for the MSGText field is Binary 09, which I believe is a tab?    Also, a screenshot of how my rules are currently set up (and feeding but not parsing...)

The actual log entry would look like this with the underlined bold part being the msgtext to be parsed.......

2010-11-05 13:22:11 Local4.Info 10.0.1.11 Nov  5 13:22:11 iprism: WEB<009>http<009>1288988531<009>P<009>10.31.40.248<009>CKHS_Students<009>cksduser\vollmer3861m<009>287<009>http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif?labels=NewsAndReference<009>internet services<009>0<009>HTTPGET<009>200<009>image/gif

 



Any thoughts would be greatly appreciated!

Thanks all...
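
A scripted way to split the msgtext layout shown in the post above, as an added example that is not part of the original thread and is not SolarWinds code. The 14 column names are hypothetical (the post does not name them), and the sample line is constructed in the same layout as the one quoted in the post.

```python
import re
from datetime import datetime, timezone

# Hypothetical column names: the post shows 14 tab-separated values but does
# not name them, so these labels are guesses made for illustration only.
FIELDS = ["log_type", "protocol", "epoch", "flag", "client_ip", "profile",
          "user", "size", "url", "category", "code", "method", "status",
          "mime_type"]

# The post shows the tab character (ASCII 9) rendered as the literal text
# "<009>"; the stored column may hold either that marker or a real tab.
DELIM = re.compile(r"<009>|\t")
HEADER = re.compile(
    r"^(?P<received>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<priority>\w+\.\w+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")

# Constructed sample in the same layout as the line quoted in the post.
SAMPLE = ("2010-11-05 13:22:11 Local4.Info 10.0.1.11 Nov  5 13:22:11 iprism: "
          "WEB<009>http<009>1288988531<009>P<009>192.0.2.10<009>Students<009>"
          "EXAMPLE\\jdoe<009>287<009>http://example.com/pixel.gif?labels=News"
          "<009>internet services<009>0<009>HTTPGET<009>200<009>image/gif")


def parse_line(line):
    """Return a dict for one iprism line, or None if it does not fit."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    _, tag, payload = m["rest"].partition("iprism: ")
    if not tag:
        return None
    values = DELIM.split(payload)
    # Reject rather than guess: a wrong count means a truncated message or a
    # delimiter inside a field (the URL is client-supplied), and zipping it
    # anyway would silently shift every later column.
    if len(values) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, values))
    try:
        when = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None
    rec.update(received=m["received"], priority=m["priority"],
               host=m["host"], event_utc=when.isoformat())
    return rec


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE).items():
        print(f"{key:10} {value}")
```

Rows that return None are worth writing to a separate reject file so that malformed or truncated messages are reviewed rather than lost.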

How to Split Log Files by IP Address and Date in Kiwi Syslog Server

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server.  Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders.  (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

 

 

External link to Jing: autosplit - justinfinley's library

 

Video Guide:

  • 0:00 Opening Kiwi Syslog's configuration dialog
  • 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
  • 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

Faulting application name: Syslogd_Service.exe

I have installed and configured Kiwi Syslog. I recently started noticing the service stops randomly. After looking through event logs I'm finding that the app keeps crashing and I get the below. Any ideas?

 

 

 

 

Faulting application name: Syslogd_Service.exe, version: 9.4.0.2, time stamp: 0x54fda0c5

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x064edf14

Faulting process id: 0x%9

Faulting application start time: 0x%10

Faulting application path: %11

Faulting module path: %12

Report Id: %13

Faulting package full name: %14

Faulting package-relative application ID: %15

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.2

P3: 54fda0c5

P4: unknown

P5: 0.0.0.0

P6: 00000000

P7: c0000005

P8: 064edf14

P9:

P10:

 

 

Attached files:

C:\Windows\Temp\WER751C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\memory.hdmp

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\minidump.mdmp

 

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e

 

 

Analysis symbol:

Rechecking for solution: 0

Report Id: e3d4b04b-1f3b-11e5-80de-005056aa628b

Report Status: 4

Hashed bucket:

Manager always crashes on 2008 R2 x64

Hello,

I just installed 9.1 on a 2008 R2 x64 server. I installed it in service mode and when I run the manager, it just crashes immediately. When I install it in application mode, it works fine.

Here's the error info, any help would be appreciated, thanks!!

Problem signature:

  Problem Event Name:     APPCRASH

  Application Name:     Syslogd_Manager.exe

  Application Version:     9.1.0.0

  Application Timestamp:     4b78631b

  Fault Module Name:     StackHash_5b2b

  Fault Module Version:     0.0.0.0

  Fault Module Timestamp:     00000000

  Exception Code:     c0000005

  Exception Offset:     02fe194e

  OS Version:     6.1.7600.2.0.0.274.10

  Locale ID:     1033

  Additional Information 1:     5b2b

  Additional Information 2:     5b2b4bbe2374c240b72f833a3ef7e30e

  Additional Information 3:     f660

  Additional Information 4:     f660de6916f397fec31d7584f0e23743

Kiwi Syslog not displaying Cisco ASA 5505 syslogs

I have a Cisco ASA 5505 that is set up to send syslogs to a remote syslog server.

I have Kiwi Syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.

I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.

I have googled, read the user guide, and searched the forum and cannot find any procedure by which I can tweak Kiwi to log the syslog files from my ASA, which is being used as a VPN concentrator.

Any ideas?

Update hostname in SysLog Server when hostname file changes

I am having trouble updating the hostname cache in SysLog Server after I update the hosts.txt file.

 

Here is a typical example:

old Murd Ops hostname in hostname filed.jpg

You can see the hostname field has an old entry. The NetBIOS name in the message field shows the current NetBIOS name.

Murd Ops NetBIOS name setting.jpg

The current host name entry in the hosts.txt file:

current Murd Ops entry in hosts file.jpg

SysLog Server is supposed to flush address entries every 24 hours but I do not see the static cache entries update. I have cleared all entries in the DNS cache then chosen the static entries text file again but it now doesn't show any static entries in the cache view. Is there another step I need to take?


Setting Up a Syslog Server

Dear All,

 

We are planning to set up a syslog server, i.e., move from the Orion inbuilt syslog to Kiwi Syslog.

We are not utilizing the Orion inbuilt syslog to the fullest at this point. Just a few devices are configured to send logs to this inbuilt syslog.

 

We have around 5 devices per center across 60 locations (13 countries)

 

1) 2 Routers

2) 1 Bandwidth Shaper

3) 2 Switch Stacks

4) 1 WLC with 10 APs minimum

 

Total=250 Devices.

 

I would like to know what the best approach is.

 

1) How many syslog licenses should I be looking at?

2) What kind of server configuration is required?

3) We need a log retention policy of 15 days. Should I consider setting up a DB for log storage?

4) Can the Orion inbuilt syslog write messages to external DB storage?

Syslogger - Questions about SQL database, retaining logs for long periods of time, and remote connectivity

Hello.

 

I am new to the Thwack forums. We have just installed Orion NCM, and we are using it to monitor < 50 Cisco devices. We are using Syslog to monitor those devices, and I have a few questions.

 

Apologies in advance if there are resources I should otherwise be using to answer these questions, and thanks for any help or assistance you can offer. If there are other resources or knowledgebase articles I haven't found yet, I would be grateful for any links.

 

My questions:

 

1. We used to use Kiwi Syslogger before it was purchased by Solarwinds and made a part of the NCM suite.


The Syslog database used to be a flat file that was easy to back up, but according to my reading, the Syslogger database is now part of the SQL database maintained by Orion.

 

Is this correct?

 

2. What is the best way to retain old syslogs using the NCM SQL database?

 

I have been asked to configure the Syslog database to keep logs for 365 days. I am quickly finding out that this is not feasible, as I haven't even added all of our firewalls to the Syslog server, but I'm getting notices such as, "Syslog reached 2450674 rows, which is above warning threshold of 1000000. For more information, see SolarWinds Knowledge Base."

 

The KB article gives instructions on trimming the database. But what if I want to keep the database and either offload old entries or put limits on the information collected so that longterm monitoring and storage is possible?

 

Is there a way to tune Syslogger so that the out-of-the-box settings retain less unimportant information? Or is it best practice to somehow save older database entries for review later if needed?

 

3. How do you set the NCM database for remote connectivity?

 

When I try to use SQL Studio to reach the database I can't. The credentials work when I log in locally, but not when I attempt to reach the database using SQL Studio from another computer.

Syslog alerts

Looking for a tool to send a real-time email alert when the number of builds to a specific IP address from any single machine exceeds 100 in a minute.  Does anyone have experience with a tool that can accomplish this?

 

We are using the paid version of Kiwi Syslog to filter the log and output interesting traffic to a file.

 

Walt

SYSLOG error with windows server 2012

Hi

 

I am installing syslog in my server room to monitor the log in/log out operations on servers... I installed log forwarder on some Windows Server 2003 servers and everything is OK, but now I installed it on some Windows Server 2012 servers and all the messages that I receive from these servers are like this: "06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog   6   Application   127   lun giu 08 17.03.41 2015   1003   Microsoft-Windows-Security-SPP      N/A   Information   srv-av.astergenova.it   0   The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."

Do you have any idea of how to fix this? Syslogger is installed on an XP machine, but I also tried to install it on a Windows 2012 server machine and nothing changed.

Windows 2012 error for Kiwi Manager

Has anyone else ever run into this issue?

 

I'm receiving the following error whenever I try to open the Kiwi Syslog Manager (Console).

 

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.2, time stamp: 0x54fda0df

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x043c05b8

Faulting process id: 0x780

Faulting application start time: 0x01d0b3331378b7a3

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report Id: 51d9622d-1f26-11e5-80eb-0050569a06c7

Faulting package full name:

Faulting package-relative application ID:

 

This is on a fresh physical Windows 2012 server and is running as a local system service.  The service runs, collects logging, and we have web access working.  However, whenever I try to open the Kiwi Manager, it crashes.  I do have a support ticket in place but as of now, it has been sent up to the developers.  It's frustrating for the syslog catchall files because we can't filter what we want.

 

What's weird is that it runs perfectly fine on Windows 2003 Storage Server.

 

Before install I did the following:

Disabled UAC

Disabled any HIPS / HBSS so that doesn't block the install.

Set a different TMP / TEMP directory with read/write privileges.

Tried a dedicated local admin-account to run the service and tried just local system.

 

Any help or information in this regards would be a HUGE help.  I'm pretty stumped at the moment.

sys log server errors "FormatMessage failed with 1815" help please!!

Good day Community,

 

I am experiencing an urgent issue. The sys log server forwarder is forwarding the following message to the KIWI sys log server. The actual security logs are showing the correct information; however, the message below is being shown. I thought it was the server, but when I added another server to forward security logs, I am getting the same message as shown below.

 

Has anyone encountered this message, or does anyone know how to resolve this issue? The security logs are on the server and I can view them using Event Viewer properly, and audit logs are reflecting fine.

 

I would really appreciate your humble assistance or comments.

 

 

 

Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog 5 Security 495 Wed Apr 08 14:36:33 2015

4624 Microsoft-Windows-Security-Auditing N/A Audit Success CASSIOPEIA1.carimed.local 12544

The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be

found. Either the component that raises this event is not installed on your local computer or

the installation is corrupted. You can install or repair the component on the local computer.If

the event originated on another computer, the display information had to be saved with the

event.The following information was included with the event: S-1-0-0. FormatMessage failed with

error 1815, The specified resource language ID cannot be found in the image file.

Kiwi syslog 9.4 on windows server 2012 64bit Service crash - Possible bug!

Hello, Kiwi friends!

 

I am trying to get Kiwi Syslog 9.4 to work on Windows Server 2012 64bit but am having problems with the service crashing when I try to start the Kiwi Syslog Server console.

I have applied the KB fix for Microsoft .NET Framework 2; before that I couldn't install Kiwi Syslog successfully because the service could not start.

http://knowledgebase.solarwinds.com/kb/questions/4386/

 

 

I have the following errors in the windows event viewer!

Error 7000: The Kiwi Syslog Server service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion

Error 7009 : A timeout was reached (30000 milliseconds) while waiting for the Kiwi Syslog Server service to connect.

 

Do you have a solution for this, or could it be a new bug in Windows Server 2012 and the old .NET Framework combined?

 

Thanks in advance.


Changing the userid for Syslog Web Access

During installation of Syslog Web Access, you are prompted for a userid and password.  The password can be changed at any time easily.

But how does one change the userid?  Where is it stored?

We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again.  But having already asked us once, it did not ask us again.

Thanks,

 

-Ken

wrong message from logforwarder

The logforwarder v1.1 is installed on a German 2008R2 Server.

In the event log on the server I see ASP.NET warnings and errors with the following message:

/*

Ereigniscode: 3005
Ereignismeldung: Es ist eine unbehandelte Ausnahme aufgetreten.
Ereigniszeit: 16.12.2011 08:10:49
Ereigniszeit (UTC): 16.12.2011 07:10:49
Ereignis-ID: 00e80467722a4ddaa60928cab11be830
Ereignissequenz: 2
Vorkommen: 1
Ereignisdetailcode: 0
 
Anwendungsinformationen:
    Anwendungsdomäne: /LM/W3SVC/19/ROOT-****************
    Vertrauensebene: Full
    Virtueller Anwendungspfad: /
    Anwendungspfad: ******
    Computername: ******
 
Prozessinformationen:
    Prozess-ID: 9796
    Prozessname: w3wp.exe
    Kontoname: IIS APPPOOL\AppsService
 
Ausnahmeinformationen:
    Ausnahmetyp: NullReferenceException
    Ausnahmemeldung: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)

 
 
Anforderungsinformationen:
    Anforderungs-URL: http://127.0.0.1/*******
    Anforderungspfad: /********
    Benutzerhostadresse: 127.0.0.1
    Benutzer: 
    Ist authentifiziert: False
    Authentifizierungstyp: 
    Threadkontoname: IIS APPPOOL\AppsService
 
Threadinformationen:
    Thread-ID: 1
    Threadkontoname: IIS APPPOOL\AppsService
    Identitätswechsel für: False
    Stapelüberwachung:    bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
 
 
Details des benutzerdefinierten Ereignisses:

*/

But on the syslog server I see the following error message:

/*

12-16-2011    08:12:10    System4.Warning    192.168.6.**    Dez 16 08:10:49 ****** MSWinEventLog   4   Application   20   Fr Dez 16 08:10:49 2011   1309   ASP.NET 4.0.30319.0      N/A   Warning   *****   3   The description for Event ID 1309 from source ASP.NET 4.0.30319.0 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 3005. FormatMessage failed with error 1815, Die angegebene Sprachenkennung f³r die Ressourcen wurde nicht in der Image-Datei gefunden.

*/

I know that this is a problem with the language, but how can I solve this?

Event Log Forwarder - Where is the Audit Failure Type?

Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

kiwi syslog service crashes

I successfully installed Kiwi Syslog Server (latest version) and successfully received 18.8 million logs in 5 – 6 hours, and after that the application crashes, and every time I restart the service it keeps crashing. I too would like to know if this issue has been resolvable, and if so how was it done. We are required to log these messages because of audit regulations and we have multiple firewalls logging to this one server.  If Kiwi cannot keep up, kindly let us know or suggest any other option.


Following are the system events:


Faulting application name: Syslogd_Service.exe, version: 9.4.0.1, time stamp: 0x5256d794

Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7

Exception code: 0xc0000005

Fault offset: 0x000552a2

Faulting process id: 0x49c

Faulting application start time: 0x01cfedd553cc3c0b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe

Faulting module path: C:\Windows\SysWOW64\ntdll.dll

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

 

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.1

P3: 5256d794

P4: ntdll.dll

P5: 6.1.7601.18247

P6: 521ea8e7

P7: c0000005

P8: 000552a2

P9:

P10:

 

Attached files:

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d

 

Analysis symbol:

Rechecking for solution: 0

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.1

P3: 5256d794

P4: ntdll.dll

P5: 6.1.7601.18247

P6: 521ea8e7

P7: c0000005

P8: 000552a2

P9:

P10:

 

Attached files:

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d

 

Analysis symbol:

Rechecking for solution: 0

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

Report Status: 0


