
Kiwi Syslog Service Keeps crashing


We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day.  We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network.  We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails.  We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based off of the service's recovery failure to restart the service, but this is happening way too often.

Has anyone else seen this problem and if so, what kinds of things did you try/do?  Is this box just getting pegged so hard that it's causing the service to malfunction and trip up?  I'm not a Windows guy but is this issue even Windows related?  The only other application we have running on this server is CatTools and it runs clean with no service issues.  The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself. 

Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.

 

Thank you in advance!


Log variable


Hello, I am trying to log the value of the variable Global01. I have tried different ways - however without success.

 

I have written a script which sets VarGlobal01 according to certain text components of an SNMP message. The following action "Run external program" calls a batch file and passes the variable. Everything fine so far.

 

Now I want to log the value of the variable in a separate log file. I tried a separate batch file: >> path\logfiletxt echo %1

 

It works well when the batch file is executed directly and also when clicking the test button in the syslog server console. However, no log file is created during the regular logging. All actions are being executed, so the filter can't be the reason.

 

Any ideas how to log the variable every time the script runs?

 

THANKS

Limiting Size of Log file


Hi,

 

We are using the Kiwi Syslog Web Access as a syslog for all the network and security devices. Due to this we are unable to fetch events for any specific filters applied on the Kiwi Syslog Web Access.

We alternatively go to the location: \Program Files (x86)\Syslogd\Logs and try to open the logs in text editor like notepad++.

 

The problem is:

1. That file size is too large (~700 MB) and we are unable to open via the text editor. Is there any way to limit the size.

2. On the Web Access, when a filter is applied, the software crashes with the error:

 

Exception of type 'System.Web.HttpUnhandledException' was thrown.

Status Code: 500

 

System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Web.HttpException: Maximum request length exceeded.
  at System.Web.HttpRequest.GetEntireRawContent()
  at System.Web.HttpRequest.FillInFormCollection()
  at System.Web.HttpRequest.get_Form()
  at System.Web.HttpRequest.get_HasForm()
  at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
  at System.Web.UI.Page.DeterminePostBackMode()
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  --- End of inner exception stack trace ---
  at System.Web.UI.Page.HandleError(Exception e)
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  at System.Web.UI.Page.ProcessRequest()
  at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
  at System.Web.UI.Page.ProcessRequest(HttpContext context)
  at ASP.events_aspx.ProcessRequest(HttpContext context)
  at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Resource: http://10.240.22.194:8088/Events.aspx
Referrer: http://10.240.22.194:8088/Events.aspx

 

Click here to return to the previous page    Click here to return to the login page

 

 

Please suggest.

Details: Kiwi Syslog Web Access ver 1.5.1

 

Thanks,

Richard

How to Split Log Files by IP Address and Date in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server.  Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders.  (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

 

 

External link to Jing: autosplit - justinfinley's library

 

Video Guide:

  • 0:00 Opening Kiwi Syslog's configuration dialog
  • 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
  • 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

Event Log Forwarder - Where is the Audit Failure Type?


Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

Can't start Kiwi Syslog Service - Logon Failure


After installing the permanent license for Kiwi Syslog server the Syslog service will not start.  It started without problems when running as the trial version.  No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error:

The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure.

I can't find anything in the Kiwi Syslog documentation about having to login.  The OS is Windows 2008 R2.  I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator.

Is this a known problem?

Thanks, Glenn

Procurve switches not sending syslog messages in KIWI syslog


Hi all,

 

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

 

show debug

 

Debug Logging

  Source IP Selection: Outgoing Interface
  Destination:
   Logging --
     'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

 

tried facility 'syslog' still nothing.

 

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

 

Does anyone have ideas to solve this?

 

TIA Jaap

Receive / Filter SNMP traps and forward only traps of interest


Just installed the licensed version based on the SNMP component to do some filtering/forwarding as a temporary work around.

From the product description it looked like this should be possible.

I've searched around the product doco, KB and THWACK but I couldn't find anything specific to receive and forward on specific traps, not all. Is this possible?

There was a similar question part of another thread which went unanswered Re: SNMP forwarding


I do have NPM and know it's possible there, however the amount of SNMP traps being sent is causing performance degradation on the <other vendors> alarming collector so it was intended to use a Solarwinds/Kiwi tool for the SNMP Trap filtering to help the other servers workload.

An NPM license to do just SNMP trap filtering is a bit of an overkill for a temporary solution whilst the customer modifies all their device configs over the next couple of months.

 

Thanks


A few things I've learned about NPM's database, syslogs, and Cisco products


I turned to NTA today and found the front page couldn't show the graphs I usually see.

 

Then corporate Security asked me to check NPM's syslog for a few specific events and it timed out, unable to display anything.

 

A review of the database showed it was far bigger than expected.  And it was 99% fragmented.

 

A short Support case later with Solarwinds, and after a review of the logs and database, I added to my learning about certain Cisco products, their syslog exports, and NPM's native syslog solution:

 

  • Cisco 5508 Wireless Controllers can send VAST amounts of syslog info.  I knew this from a previous message of concern from a DBA, when he informed me that Orion's database was growing far too quickly.  At that time I stopped our WLC's from sending their syslogs directly to Orion, and pointed them to our Splunk solution.
  • Cisco ASA's whose duty is isolating a Cisco 5508 Wireless Anchor Controller in a DMZ ALSO can send COPIOUS amounts of syslog data--apparently mostly about the 5508's traffic.  I had NOT redirected the ASA's output to Splunk, and it was killing my Orion syslog solution.
  • NPM (according to Solarwinds Tech Support) had the syslog module added in as a nice feature, but not as a robust one.  Tech Support recommended I purchase/install Kiwi Syslog and point my high volume Cisco syslog devices at it.  It should safely handle up to 2 million messages per time period (per minute?  per hour?  I missed that part while mulling over the concept that Orion NPM syslog had limitations).

 

After my DBA set a scheduled job to re-index and defragment my Orion database, and after stopping the ASA's and WLC's from overloading my Orion syslog solution, things appear much better.  I honestly didn't understand the amount of syslog data the ASA's and 5508's were sending to Orion Syslog.

 

Learn from my learning.

 

And swift packets to you and your clients!

 

Rick Schroeder

Kiwi Syslog Display Showing Kernel.Error


Dear all,

 

Recently we deployed a Kiwi Syslog; after a couple of days it started to show Kernel.Error in the Priority column.

 

Has anybody faced a similar issue? If so, how did you solve it?

Kiwi-Error.jpg

Using Kiwi SyslogGen and Kiwi Syslog Server on the Same Machine (localhost)


On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server.  If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.

 

  1. Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204"). 
  2. Change Source IP address to "Random Class C addresses"
  3. Change Source Port to 1468 (or another fixed port; don't use a random port)
  4. Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
  5. If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again

 

Kiwi_SysMsgGen_Config.png

You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page

Cisco ISE Logs


In order for the syslogs that come from an ISE server you must change the message length to 8192 on the device or the messages will be messed up.

Is there a setting on the KIWI server I need to adjust to accommodate this?

It appears when viewing the logs coming in thru the manager console they look ok, but if you send that to a log file the entries in the file are incomplete or truncated.

Syslog filter by device type but no filter by group?


I'm slowly picking up Solarwinds Orion but I've run into a roadblock.  Our shop has our devices now correctly showing up in the Orion syslog on the web.  What I want to do is filter these by their function. 

 

Ex. Firewall, Switches, Routers, etc.

 

What I have instead is a filter for "type of device".  So I can filter Cisco 3750 or ASR1004.  The problem is I have ASR1001 and ASR1004 which are separate because they are different types but I want them listed together as they are both firewalls.

 

Can anyone point me in the right direction?

Kiwi Syslog Console Crashing Constantly After Upgrading 9.5.0 To 9.5.1


After upgrading to v9.5.1, from v9.5.0, we started experiencing constant crashing on our console. Other than a few minor quirks and annoyances, the previous version had not really crashed too often after we applied the hotfix.

 

Windows Server 2012

Virtual

4 CPUs(2 Cores per Socket, 2 Sockets)

24 GB RAM

150 GB Hard Disk

Kiwi Syslog Server, Installed as a Service

 

I began to notice the message buffer would quickly drop down from 100%, shortly after starting up the console. Sometimes we would only reach 43K MPH before crashing, while other times we made it up around 350K+ MPH before crashing. And, every time it would crash, the message buffer would be far away from 100%. Previously, the message buffer rarely, if ever, dropped under 100% free.


After reading through various other user issues of the past, I found something that mentioned the "MsgBufferSize" settings in the registry. I went looking into the registry for those settings, however, "MsgBufferSize" was nowhere to be found. I added the "MsgBufferSize" with the value of "10000000", which is shown to be the max value. After adding the settings into the registry, and restarting everything, our system appears to be running fairly smooth, so far. Currently, we are roughly around 430K MPH, with a full 100% buffer free.

 

Previously posted thread regarding the "MsgBufferSize" registry entry:

Does the Kiwi Syslog buffer with SQL Server

 

Registry values documentation:

Kiwi Syslog Server

 

Section: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties

 

Value (STRING): MsgBufferSize

 

 

Registered mode:

Min value:        100

Max value:        10000000 (10 million)

Default value:        500000

Type:                Maximum number of message buffer entries

 

 

 

So, did something change from 9.5.0 to 9.5.1 that would have removed those settings from the registry? If not, then what else would have removed the entry altogether? Or, has the "MsgBufferSize" registry entry been removed all along, and the documentation just not updated? If it has been removed, and is not used anymore, then why would adding the entry back into the registry make everything suddenly start working again?

 

Thank you,

 

-Will

TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7


Hi all,

 

My first post; I wish to share with you some tips I found.

 

My main goal was to have access to the kiwi web site working with SSL...

But looking at the Cassini Web Server, it wasn't possible.

 

After searching more on this forum I found a post about a Rewriting Module with Apache; so why don't we do it with IIS?

Here we go !

 

Setup

- Win 2008 R2 , IIS 7 (with auth modules etc ...) , at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, certs installation etc .... sorry).

- We will use the ARR 2.0 module x64 for IIS... See References at bottom for DL link, install it.

- A running Kiwi Syslog Server and the Web Access working on port 8088. Access via a browser works on this port.

 

Goal

- Enable the rewrite/proxy module in IIS

- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090

- Create a rule to rewrite requests from 8090 to 8088

- When connecting on https://server:8090 , we would see Kiwi Web page.

 

HOW TO

1. Enabling the rewrite module

"C:\Windows\System32\inetsrv\appcmd.exe" set config  -section:system.webServer/proxy /enabled:"True"  /commit:apphost

 

2. New Site creation

set syslogwebdir=c:\inetpub\syslog

set syslogsitename=SYSLOG

"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"

 

3. Attach the SSL Certificate to the Binding 8090

3.1 With batch/cmd line (copy/paste to a BAT file)

set CERTHASH=EnterYourHashHere

netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}

 

3.2 With IIS Manager (if you don't know where to read Hash Certificate).

-Right Click on SYSLOG site, modify Bindings.

-Select https 8090 * Listener > Modify.

-On the "box" SSL Certificate, choose your certificate for the server.

-"OK"

 

4. Create the rule (copy/paste to a BAT file)

set syslogsitename=SYSLOG

set syslogrulename="Rewrite to Kiwi localhost 8088"

:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']

:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"

5. End

 

Test with your browser https://localhost:8090/

Now you can access from an "admin desktop" to this new SSL web site ...

Configure your firewalls to forbid access on port 8088 to this server (or/and configure the internal Windows Firewall of this server to allow only Localhost connection on 8088).

 

 

6. Refs Used

 

http://learn.iis.net/page.aspx/659/reverse-proxy-with-url-rewrite-v2-and-application-request-routing/

http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/

 

---

 

At the beginning I was thinking of using http://mysite/syslog/ as a virtual directory, but I got some trouble with events.aspx and the rewrite module.

Inbound Rules were OK, but Outbound Rules to rewrite URLs were not working as expected, and filters in Kiwi were not working anymore.

That's why I decided to create a new site on another binding, with a root site, so there is no need to create Outbound Rules ...

 

 

---

 

Sorry for my English ...  I'm French :)
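
A check for the end state this how-to aims at (HTTPS answering on 8090, plain-HTTP 8088 closed to remote hosts), written here as an added example and not part of the original post. Run it from another machine on the network, not on the server itself; the hostname `syslog.example.internal` is a placeholder.

```python
"""Added example: verify the IIS/ARR front end from a remote admin desktop."""
import socket
import ssl
import sys

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host, port, timeout=3.0):
    """Handshake with normal certificate and hostname validation.

    Returns (True, negotiated_protocol) on success,
    or (False, reason) when the listener or its certificate is unusable.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "handshake failed: " + str(exc)


def assess(https_ok, https_detail, backend_open):
    """Turn the raw probe results into a list of findings (empty = good)."""
    findings = []
    if not https_ok:
        findings.append("HTTPS listener problem: " + https_detail)
    elif https_detail in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: " + https_detail)
    if backend_open:
        # The proxy only protects the session if clients cannot
        # reach the unencrypted Web Access port directly.
        findings.append("backend port reachable remotely; "
                        "restrict it to localhost on the server")
    return findings


def check(host, https_port=8090, backend_port=8088):
    """Probe both ports (defaults are the ones used in the post)."""
    ok, detail = tls_probe(host, https_port)
    return assess(ok, detail, tcp_open(host, backend_port))


if __name__ == "__main__":
    # Placeholder hostname; pass the real server name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "syslog.example.internal"
    problems = check(target)
    for line in problems or ["OK: 8090 serves TLS, 8088 is closed remotely"]:
        print(line)
    sys.exit(1 if problems else 0)
```

Use the name that appears in the certificate as the target, otherwise hostname validation reports the certificate as not trusted.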


Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

Kiwi Syslog Service Getting Stopped automatically.


The Kiwi Syslog service keeps stopping, and when it is restarted it stops again after a few seconds. We restarted the server but no luck. Does anyone have an idea what the cause of the issue could be?

Syslog server support for TLS v1.2, Mutual authentication and IPv6 address


Hi folks,

I have not gone through any previous threads. Pardon me if this is a repeated query or clarification requested. Have started looking at trial version initially to make sure if this supports my requirements.

 

Have couple of queries, request to clarify these with request to secure tcp syslog server.

 

a. Currently seeing that although requested TLS version is set to v1.2 in client hello, Server negotiates back to v1.0. Is there a way to continue with TLSv1.2 protocol.

 

b. Also have CA signed certificates imported on both the Syslog server running on Windows and on the corresponding router acting as a client. But the server doesn't request a client certificate (as it's optional), so I am unable to verify mutual authentication. Only the server certificate is validated by the client and the connection is made. How to enforce mutual authentication where router to validates the client certificate.

 

c. Is there any IPv6 address support for Syslog server, or is it only available in the licensed version?

 

Thanks in advance.

 

-Gopal

Anyone have trouble with EMET not allowing kiwi syslog server to run on Windows 2012 R2?


We are having problems getting EMET to allow the kiwi syslog server service to run on a Windows 2012 R2 Server VM.  We have case 999667 open and still haven't gotten it working.  One of my partners working on this opened the case.
