We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day. We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network. We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails. We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based off of the service's recovery-on-failure setting, but this is happening way too often.
Has anyone else seen this problem and if so, what kinds of things did you try/do? Is this box just getting pegged so hard that it's causing the service to malfunction and trip up? I'm not a Windows guy but is this issue even Windows related? The only other application we have running on this server is CatTools and it runs clean with no service issues. The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself.
Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.
Hello, I am trying to log the value of the variable Global01. I have tried different ways - however without success.
I have written a Script which sets VarGlobal01 according to certain text components of an SNMP message. The following Action "Run external Program" calls a Batch file and passes the variable. Everything fine so far.
Now I want to log the value of the variable in a separate log file. I tried a separate Batch file: >> path\logfiletxt echo %1
It works well when the Batch file is executed directly and also when clicking the test button in the syslog Server console. However, no log file is created during the regular logging. All Actions are being executed - so the filter can't be the reason.
Any ideas how to log the variable every time the script runs?
We are using the Kiwi Syslog Web Access as a syslog for all the network and security devices. Due to this we are unable to fetch events for any specific filters applied on the Kiwi Syslog Web Access.
We alternatively go to the location: \Program Files (x86)\Syslogd\Logs and try to open the logs in text editor like notepad++.
The problem is:
1. That file size is too large (~700 MB) and we are unable to open it via the text editor. Is there any way to limit the size?
2. On the Web Access, when a filter is applied, the software crashes with the error:
Exception of type 'System.Web.HttpUnhandledException' was thrown.
Status Code: 500
System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Web.HttpException: Maximum request length exceeded. at System.Web.HttpRequest.GetEntireRawContent() at System.Web.HttpRequest.FillInFormCollection() at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) --- End of inner exception stack trace --- at System.Web.UI.Page.HandleError(Exception e) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.events_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) Resource: http://10.240.22.194:8088/Events.aspx Referrer: http://10.240.22.194:8088/Events.aspx
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")
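The folder-per-source, file-per-day layout described above is easy to reproduce in a few lines, which is useful when logs have to be post-processed outside Kiwi or when a very large single file (like the ~700 MB one mentioned earlier on this page) needs to be split up. The following is an added example written for this page, not SolarWinds' or Kiwi's code; the message records, the tab-separated line format and the `run_demo` helper are constructed for illustration. It keeps Kiwi's zero-padded folder names ("192.168.000.001") and validates the source address before it ever becomes part of a filesystem path, so a malformed or spoofed value cannot steer writes outside the log root.

```python
import ipaddress
import os
import tempfile
from datetime import date, datetime
from typing import Dict, Iterable, Tuple

# A record is (source IP as seen on the UDP packet, time received, raw message text).
Record = Tuple[str, datetime, str]

# Constructed sample records, not real traffic; timestamps straddle midnight
# so that one source produces two daily files.
SAMPLE_RECORDS = [
    ("192.168.0.1", datetime(2012, 7, 13, 9, 1, 2),
     "<134>Jul 13 09:01:02 core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"),
    ("192.168.0.1", datetime(2012, 7, 13, 23, 59, 59),
     "<134>Jul 13 23:59:59 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin"),
    ("192.168.0.1", datetime(2012, 7, 14, 0, 0, 5),
     "<134>Jul 14 00:00:05 core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/2, changed state to down"),
    ("10.230.230.204", datetime(2012, 7, 13, 12, 0, 0),
     "<38>Jul 13 12:00:00 fw-edge1 %ASA-6-302013: Built outbound TCP connection"),
]


def ip_folder_name(src_ip: str) -> str:
    """Return Kiwi's zero-padded folder name, e.g. 192.168.0.1 -> 192.168.000.001.

    Parsing through ipaddress first means only a genuine dotted quad ever
    becomes a path component; anything else (including '..' tricks) raises
    ValueError instead of being joined into the path.
    """
    addr = ipaddress.IPv4Address(src_ip)
    return ".".join(f"{int(octet):03d}" for octet in str(addr).split("."))


def relative_log_path(src_ip: str, day: date) -> str:
    """Folder/file key for one source and one day, e.g. 192.168.000.001/Log2012-07-13.txt."""
    return f"{ip_folder_name(src_ip)}/Log{day.isoformat()}.txt"


def split_logs(base_dir: str, records: Iterable[Record]) -> Dict[str, int]:
    """Append each record to <base_dir>/<padded-ip>/Log<YYYY-MM-DD>.txt.

    Returns a mapping of relative file path -> number of lines written, which
    is handy for a quick sanity check that nothing was dropped.
    """
    counts: Dict[str, int] = {}
    for src_ip, received_at, text in records:
        rel = relative_log_path(src_ip, received_at.date())
        full = os.path.join(base_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "a", encoding="utf-8") as fh:
            stamp = received_at.isoformat(sep=" ", timespec="seconds")
            fh.write(f"{stamp}\t{src_ip}\t{text}\n")
        counts[rel] = counts.get(rel, 0) + 1
    return counts


def run_demo() -> Dict[str, int]:
    """Write the constructed sample into a throwaway directory and return the counts."""
    with tempfile.TemporaryDirectory() as base_dir:
        counts = split_logs(base_dir, SAMPLE_RECORDS)
        for rel in sorted(counts):
            with open(os.path.join(base_dir, *rel.split("/")), encoding="utf-8") as fh:
                print(f"{rel}: {len(fh.readlines())} line(s)")
    return counts


if __name__ == "__main__":
    run_demo()
```

In production the base directory would be the configured log root (the post uses D:\logs) and the records would come straight from the receiving socket rather than from a list; the rest stays the same.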
I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log. When I click on the Security Log I don't see Audit Success or Audit Failure as an event type. It just has Error, Warning and Information. If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change. Am I doing something wrong? How can I see Audit Failure as an Event Type?
After installing the permanent license for Kiwi Syslog server the Syslog service will not start. It started without problems when running as the trial version. No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error:
The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure.
I can't find anything in the Kiwi Syslog documentation about having to login. The OS is Windows 2008 R2. I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator.
Just installed the licensed version based on the SNMP component to do some filtering/forwarding as a temporary workaround.
From the product description it looked like this should be possible.
I've searched around the product doco, KB and THWACK but I couldn't find anything specific to receive and forward on specific traps, not all. Is this possible?
There was a similar question part of another thread which went unanswered Re: SNMP forwarding
I do have NPM and know it's possible there; however, the amount of SNMP traps being sent is causing performance degradation on the <other vendors> alarming collector, so it was intended to use a Solarwinds/Kiwi tool for the SNMP Trap filtering to help the other servers' workload.
An NPM license to do just SNMP trap filtering is a bit of an overkill for a temporary solution whilst the customer modifies all their device configs over the next couple of months.
I turned to NTA today and found the front page couldn't show the graphs I usually see.
Then corporate Security asked me to check NPM's syslog for a few specific events and it timed out, unable to display anything.
A review of the database showed it was far bigger than expected. And it was 99% fragmented.
A short Support case later with Solarwinds, and after a review of the logs and database, I added to my learning about certain Cisco products, their syslog exports, and NPM's native syslog solution:
Cisco 5508 Wireless Controllers can send VAST amounts of syslog info. I knew this from a previous message of concern from a DBA, when he informed me that Orion's database was growing far too quickly. At that time I stopped our WLC's from sending their syslogs directly to Orion, and pointed them to our Splunk solution.
Cisco ASA's whose duty is isolating a Cisco 5508 Wireless Anchor Controller in a DMZ ALSO can send COPIOUS amounts of syslog data--apparently mostly about the 5508's traffic. I had NOT redirected the ASA's output to Splunk, and it was killing my Orion syslog solution.
NPM (according to Solarwinds Tech Support) had the syslog module added in as a nice feature, but not as a robust one. Tech Support recommended I purchase/install Kiwi Syslog and point my high volume Cisco syslog devices at it. It should safely handle up to 2 million messages per time period (per minute? per hour? I missed that part while mulling over the concept that Orion NPM syslog had limitations).
After my DBA set a scheduled job to re-index and defragment my Orion database, and after stopping the ASA's and WLC's from overloading my Orion syslog solution, things appear much better. I honestly didn't understand the amount of syslog data the ASA's and 5508's were sending to Orion Syslog.
On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server. If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.
Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204").
Change Source IP address to "Random Class C addresses"
Change Source Port to 1468 (or any other fixed port; don't use a random port)
Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again
For the syslogs that come from an ISE server, you must change the message length to 8192 on the device or the messages will be messed up.
Is there a setting on the KIWI server I need to adjust to accommodate this?
It appears that when viewing the logs coming in through the manager console they look ok, but if you send them to a log file the entries in the file are incomplete or truncated.
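Whether or not Kiwi is the stage at fault in the post above, the general mechanism behind "entries in the file are incomplete or truncated" is worth seeing once: a UDP datagram is delivered exactly once, and whatever part of it does not fit in the receiving read buffer is silently discarded by the OS, so a receiver (or any hop in between) that reads with a buffer smaller than an ISE-sized message loses the tail for good. The following is an added example for this page using Python's standard socket module; it is not Kiwi code, and the long message and the buffer sizes it compares are constructed for the demonstration. It sends one oversized message over loopback and reads it back twice, once with a 1024-byte buffer and once with the 8192-byte size mentioned in the post.

```python
import socket
from typing import Dict

# Constructed sample: a Cisco ISE style authentication record padded out to
# well over 1024 bytes so that a small receive buffer visibly cuts it short.
_HEADER = "<182>Jul 13 09:01:02 ise-psn1 CISE_Passed_Authentications 0000123456 3 0 2012-07-13 09:01:02.123 +00:00 "
_ATTRIBUTES = ", ".join(f"Attr{i:03d}=value{i:03d}" for i in range(160))
SAMPLE_LONG_MESSAGE = (_HEADER + _ATTRIBUTES).encode("utf-8")


def deliver_over_udp(payload: bytes, recv_bufsize: int) -> bytes:
    """Send one datagram to a loopback receiver and read it with recv_bufsize.

    For SOCK_DGRAM the kernel hands back at most recv_bufsize bytes and drops
    the remainder of that datagram; nothing is queued for a later read. This
    is the loss a too-small syslog receive buffer produces.
    """
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        receiver.settimeout(2.0)
        sender.sendto(payload, receiver.getsockname())
        data, _ = receiver.recvfrom(recv_bufsize)
        return data
    finally:
        sender.close()
        receiver.close()


def truncation_report(payload: bytes, recv_bufsize: int) -> Dict[str, object]:
    """Compare what was sent with what a receiver of the given buffer size sees."""
    received = deliver_over_udp(payload, recv_bufsize)
    return {
        "bufsize": recv_bufsize,
        "sent_bytes": len(payload),
        "received_bytes": len(received),
        "truncated": received != payload,
        "tail_preserved": received.endswith(payload[-16:]),
    }


def compare_buffer_sizes(payload: bytes = SAMPLE_LONG_MESSAGE) -> Dict[int, Dict[str, object]]:
    """Run the same message through a 1024-byte and an 8192-byte read buffer."""
    return {size: truncation_report(payload, size) for size in (1024, 8192)}


if __name__ == "__main__":
    for size, report in compare_buffer_sizes().items():
        print(f"buffer {size:5d}: sent={report['sent_bytes']} received={report['received_bytes']} "
              f"truncated={report['truncated']}")
```

The practical check on a real deployment is the same comparison: capture what the device puts on the wire and compare its length with what lands in the log file; if the file entries stop at a suspiciously round byte count, some reader along the path has a buffer below the device's configured message length.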
I'm slowly picking up Solarwinds Orion but I've run into a roadblock. Our shop has our devices now correctly showing up in the Orion syslog on the web. What I want to do is filter these by their function.
Ex. Firewall, Switches, Routers, etc.
What I have instead is a filter for "type of device". So I can filter Cisco 3750 or ASR1004. The problem is I have ASR1001 and ASR1004 which are separate because they are different types but I want them listed together as they are both firewalls.
After upgrading to v9.5.1, from v9.5.0, we started experiencing constant crashing on our console. Other than a few minor quirks and annoyances, the previous version had not really crashed too often after we applied the hotfix.
Windows Server 2012
Virtual
4 CPUs(2 Cores per Socket, 2 Sockets)
24 GB RAM
150 GB Hard Disk
Kiwi Syslog Server, Installed as a Service
I began to notice the message buffer would quickly drop down from 100%, shortly after starting up the console. Sometimes we would only reach 43K MPH before crashing, while other times we made it up around 350K+ MPH before crashing. And, every time it would crash, the message buffer would be far away from 100%. Previously, the message buffer rarely, if ever, dropped under 100% free.
After reading through various other user issues of the past, I found something that mentioned the "MsgBufferSize" settings in the registry. I went looking into the registry for those settings, however, "MsgBufferSize" was nowhere to be found. I added the "MsgBufferSize" with the value of "10000000", which is shown to be the max value. After adding the settings into the registry, and restarting everything, our system appears to be running fairly smooth, so far. Currently, we are roughly around 430K MPH, with a full 100% buffer free.
Previously posted thread regarding the "MsgBufferSize" registry entry:
So, did something change from 9.5.0 to 9.5.1 that would have removed those settings from the registry? If not, then what else would have removed the entry altogether? Or, has the "MsgBufferSize" registry entry been removed all along, and the documentation just not updated? If it has been removed, and is not used anymore, then why would adding the entry back into the registry make everything suddenly start working again?
My first post; I wish to share some tips I found.
My main goal was to have access to the Kiwi web site working with SSL...
But looking at Cassini Web Server, it wasn't possible.
After searching more on this forum I found a post about a Rewriting Module with Apache; so why don't we do it with IIS?
Here we go!
Setup
- Win 2008 R2, IIS 7 (with auth modules etc.), at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, cert installation etc. ... sorry).
- We will use the ARR 2.0 module x64 for IIS... See References at bottom for DL link, install it.
- A running Kiwi Syslog Server and the Web Access working on port 8088. Access via a browser works on this port.
Goal
- Enable the rewrite/proxy module in IIS
- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090
- Create a rule to rewrite requests from 8090 to 8088
Now you can access from an "admin desktop" to this new SSL web site ...
Configure your firewalls to forbid access on port 8088 to this server (or/and configure the internal Windows Firewall of this server to allow only Localhost connection on 8088).
I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service. Here is the hardware platform:
HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1
I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:
2012-03-15 09:32:52 Command line license key accepted.
2012-03-15 10:42:41 *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41 Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------
I have opened SolarWinds case #323438 regarding this.
Kiwi syslog service is getting stopped, and when restarting it, again after a few seconds it stops. Restarted the server but no luck. Does anyone have an idea what could be the cause of the issue?
I have not gone through any previous threads. Pardon me if this is a repeated query or clarification requested. Have started looking at trial version initially to make sure if this supports my requirements.
Have a couple of queries; request to clarify these with regard to the secure TCP syslog server.
a. Currently seeing that although the requested TLS version is set to v1.2 in the client hello, the Server negotiates back to v1.0. Is there a way to continue with the TLSv1.2 protocol?
b. Also have CA signed certificates imported both on the Syslog server running on Windows and on the corresponding router acting as a client. But the Server doesn't request a Client certificate (as it's optional) and I am unable to verify mutual authentication. Only the server certificate is validated by the Client and the connection is made. How to enforce mutual authentication, where the router's client certificate is also validated?
c. Is there any IPv6 address support for the Syslog server, or is it only available in the licensed version?
We are having problems getting EMET to allow the Kiwi syslog server service to run on a Windows 2012 R2 Server VM. We have case 999667 open and still haven't gotten it working. One of my partners working on this opened the case.