Channel: THWACK: Popular Discussions - Kiwi Syslog

Syslogd_Service.exe crash - out of stack space

I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.


Syslog message

Which method should be used to calculate a Syslog message priority?

Trial Version need to get rid of some devices so I can add others

Hi

Does anyone know where to delete the devices so I can add others to test while using the trial version?

 

thanks

Kiwi Syslog Alert.

I need an alert when a message arrives containing the word "OSPF" or "STP"; I want it to send an email to a group of ADM Network. Is that a possibility?

Thanks =).

Syslog Manager fails to start on win 8.1

syslog_manager.exe 9.4.0.1 will not open correctly on Windows 8.1. The process starts and can be seen in Task Manager, but closes a few seconds later. No GUI is seen at all, not even the splash screen or the notification area icon.

There are no logs inside:

C:\Program Files (x86)\Syslogd\Dated logs
C:\Program Files (x86)\Syslogd\Logs

I tried calling (Service – Debug start-up: www.kiwisyslog.com/help/syslogd7/index.html?adv_reg_servicedebugstart_up.htm):

syslog_manager.exe DEBUGSTART
syslog_manager.exe /DEBUGSTART
syslog_manager.exe -DEBUGSTART
syslog_manager.exe --DEBUGSTART

but still no log or debug log files are created in the C:\Program Files (x86)\Syslogd directory or any of its subdirectories.

I checked the Windows event log and found the same four errors recurring every time syslog_manager.exe is started up.

 

==============================
Error 1
==============================

Fault bucket -339880763, type 1
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: Syslogd_Manager.exe
P2: 9.4.0.1
P3: 5256d7ac
P4: StackHash_4527
P5: 0.0.0.0
P6: 00000000
P7: c000041d
P8: PCH_1C_FROM_actskn43+0x00014197
P9:
P10:

Attached files:
C:\Users\user\AppData\Local\Temp\WER7A1F.tmp.WERInternalMetadata.xml

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._1c26be14be8bc7e884ee84c763454f0becaea_d6be21d2_0a3f7cfe

Analysis symbol:
Rechecking for solution: 0
Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a
Report Status: 0
Hashed bucket: ee82e4cf87c028d8fde4d29d457939f8

==============================
Error 2
==============================

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000041d
Fault offset: 0x040705b8
Faulting process ID: 0xbe0
Faulting application start time: 0x01cedf304b48bb7b
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe
Faulting module path: unknown
Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a
Faulting package full name:
Faulting package-relative application ID:

==============================
Error 3
==============================

Fault bucket 50, type 5
Event Name: BEX
Response: Not available
Cab Id: 0

Problem signature:
P1: Syslogd_Manager.exe
P2: 9.4.0.1
P3: 5256d7ac
P4: StackHash_f2c9
P5: 0.0.0.0
P6: 00000000
P7: PCH_3D_FROM_ntdll+0x0003C1AC
P8: c0000005
P9: 00000008
P10:

Attached files:
C:\Users\user\AppData\Local\Temp\WER7676.tmp.WERInternalMetadata.xml

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._4bac366436d77f4150a9f635e3ff4264d568c57d_d6be21d2_070f7973

Analysis symbol:
Rechecking for solution: 0
Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a
Report Status: 0
Hashed bucket: 18c71da6583848b95798fbf0fc6b19c1

==============================
Error 4
==============================

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x040705b8
Faulting process ID: 0xbe0
Faulting application start time: 0x01cedf304b48bb7b
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe
Faulting module path: unknown
Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a
Faulting package full name:
Faulting package-relative application ID:

Cisco IPS appliances SDEE support

Dears,

It is noticeable that Kiwi Syslog Server does not support log collection in SDEE format sent by Cisco IPS appliances and modules, like IPS 4270.

Cisco IOS IPS supports sending syslog messages; however, Cisco IPS appliances only support sending messages in SDEE format, which makes their collection impossible.

We are wondering if it's in the scope for Kiwi Syslog Server to support SDEE format in its coming versions.

Thanks,

Roland Daccache.

Kiwi Syslog Server Rules disappearing.

I seem to have an issue where rules that I set up disappear in setup. I have ensured the rules were active.

Kiwi syslog 9.4 on windows server 2012 64bit Service crash - Possible bug!

Hello, Kiwi friends!

I am trying to get Kiwi Syslog 9.4 to work on Windows Server 2012 64-bit but am having problems with the service crashing when I try to start the Kiwi Syslog Server console.

I have applied the KB fix for Microsoft .NET Framework 2; before that I couldn't install Kiwi Syslog successfully because the service could not start.

http://knowledgebase.solarwinds.com/kb/questions/4386/

I have the following errors in the Windows Event Viewer!

Error 7000: The Kiwi Syslog Server service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion

Error 7009 : A timeout was reached (30000 milliseconds) while waiting for the Kiwi Syslog Server service to connect.

Do you have a solution for this, or could it be a new bug in Windows Server 2012 and the old .NET Framework combined?

 

Thanks in advance.


How to load-balance Kiwi Syslog servers

I've got a set of 3 Kiwi servers sitting behind an F5, which I *thought* would effectively load balance the incoming syslog volume (I'm seeing around 5-8million messages per hour, and we haven't really turned everything on yet).

 

The problem, I just discovered, is that F5 load balances based on connections, not messages/packets. So round robin isn't round robin since most of my sending systems are passing new messages (and therefore creating a connection) more than even the lowest "disconnect after" option on the F5 (which is 1 second).

 

So my first server is maxing out at about 5million MPH and 0% buffer, while server 02 gets 2million messages and 80% buffer, and server 03 gets barely anything at all.

 

Has anyone else tried this, and have you found a workaround? (It doesn't have to be an F5. I just need the ability to create a pool of Kiwi servers and have all the systems in my enterprise sending to ONE IP address.)

 

Thanks!

- Leon

Kiwi Syslog not receiving SNMP Traps

Hi all.

 

I have just installed Kiwi Syslog Server 9.5 on a test machine to evaluate its suitability for a project I'm working on. It's currently still running in 14-day Evaluation mode.

 

We can't seem to get it to receive SNMP traps at all. No matter what we do, netstat shows nothing listening on UDP port 162. SNMPv1 traps are being sent to the server, and we can see them in Wireshark arriving at the server, but Kiwi isn't listening for them.

 

In desperation, we tried enabling the Windows SNMP Trap service (although we understand this isn't required?) and this 'absorbed' the traps, but nothing appeared in Kiwi.

 

The test machine is running Windows 7 (32-bit) with the Windows Firewall switched off.

 

Should the 14-day Evaluation be able to receive SNMP traps?

 

Thanks in advance for any advice!

Syslog message duplicated

I have an issue wherein syslog messages from one host are being duplicated. We have a Secure Tunnel client running at one site, with network devices set up to send syslog messages to this client. No syslog messages from any other network device at this site are duplicated. I have verified that this appears to be a Secure Tunnel issue by configuring the offending network device to send syslog messages directly to the Kiwi Syslog Server. When this is done, only one syslog message is logged. When I reconfigure the network device to log to the Secure Tunnel client, two identical syslog messages are logged. I have also verified that there is only one syslog configuration line in the network device (i.e. that it is not configured to send syslogs both directly to the Syslog Server and to the SecureTunnel client.) This is eating up twice as much filespace, obviously... any help would be appreciated.

Using Kiwi SyslogGen and Kiwi Syslog Server on the Same Machine (localhost)

On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server.  If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.

 

  1. Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204"). 
  2. Change Source IP address to "Random Class C addresses"
  3. Change Source Port to 1468 (or another fixed port; don't use a random port)
  4. Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
  5. If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again

 

You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page

Faulting application name: Syslogd_Service.exe

I have installed and configured Kiwi Syslog. I recently started noticing the service stops randomly. After looking through event logs, I'm finding that the app keeps crashing and I get the below. Any ideas?

Faulting application name: Syslogd_Service.exe, version: 9.4.0.2, time stamp: 0x54fda0c5
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x064edf14
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: Syslogd_Service.exe
P2: 9.4.0.2
P3: 54fda0c5
P4: unknown
P5: 0.0.0.0
P6: 00000000
P7: c0000005
P8: 064edf14
P9:
P10:

Attached files:
C:\Windows\Temp\WER751C.tmp.WERInternalMetadata.xml
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\memory.hdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e\minidump.mdmp

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._db17ea651912375fcb9862559d784039662e_00000000_cab_1012775e

Analysis symbol:
Rechecking for solution: 0
Report Id: e3d4b04b-1f3b-11e5-80de-005056aa628b
Report Status: 4
Hashed bucket:

Kiwi Syslog not displaying Cisco ASA 5505 syslogs

I have a Cisco ASA 5505 that is set up to send syslogs to a remote syslog server.

I have Kiwi Syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server is also my Ciscoworks v3.2 server.

I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.

I have googled, read the user guide, and searched the forum and cannot find any procedure by which I can tweak Kiwi to log the syslog files from my ASA, which is being used as a VPN concentrator.

Any ideas?

Kiwi Syslog Service Keeps crashing

We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day.  We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network.  We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails.  We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based off of the service's recovery failure to restart the service, but this is happening way too often.

Has anyone else seen this problem and if so, what kinds of things did you try/do?  Is this box just getting pegged so hard that it's causing the service to malfunction and trip up?  I'm not a Windows guy but is this issue even Windows related?  The only other application we have running on this server is CatTools and it runs clean with no service issues.  The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself.

Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.

Thank you in advance!

Procurve switches not sending syslog messages in KIWI syslog

Hi all,

 

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

 

show debug

 

Debug Logging

  Source IP Selection: Outgoing Interface
  Destination:
   Logging --
     'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

 

tried facility 'syslog' still nothing.

 

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

 

Any ideas to solve this?

 

TIA Jaap

Does Kiwi Syslog Server Support Receiving Syslog over TCP via RFC3195

We are currently trying to migrate all UDP senders of syslog to TCP.  Our FortiGate security appliances only support the RFC 3195 standard for syslog over TCP.  syslog-ng does not support this, and rsyslog says that they support RFC 3195, but it is not working.  Please, any assistance with this request would be appreciated.  Running syslog with UDP is no longer an option.

 

Thanks in advance.

syslog server crashing

We've recently built a new syslog server on a 2012 physical box. It has other SolarWinds tools.

The syslog service will start, run for a brief amount of time, then crash. Both Kiwi and SolarWinds syslog servers do this. The error for Kiwi is something to the effect of 'error 13 type mismatch', which is usually when an insert into a DB is done with the wrong type of data (text into an integer field, for example).

Only certain devices seem to crash the server. These are Cisco Nexus and 2921s. Other devices such as an ASA 5525, a PIX, WAPs, etc. do not crash the service. Say, for example, I point router A to a test VM with Kiwi on it. The test VM Kiwi service will stay up and not crash. I then reconfigure router A to the new physical and it crashes almost immediately.

I've done packet captures and notice something very odd I cannot yet explain. On the test VM the incoming packets have a different format than on the physical server. Specifically, the date field is formatted differently.

Can anyone shed light on this? Very odd. I'm wondering if it is a NIC driver issue. This is on an HP ProLiant DL360G7, but the Windows drivers for the NICs only go up to 2008. How on earth could the packets be arriving differently? I don't think they can; I think something is changing them or formatting them oddly.


