I need to forward all of our DHCP audits to the syslog server, but I cannot figure out how to do that with the Log Forwarder. Which source do I use in the Event Viewer? The audit is logged to a file. Is there any way to forward changes to files?
Log Forwarder and DHCP auditing?
How to Split Log Files by IP Address and Date in Kiwi Syslog Server
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")
External link to Jing: autosplit - justinfinley's library
Video Guide:
- 0:00 Opening Kiwi Syslog's configuration dialog
- 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
- 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date
Remember to "LIKE" this if you find it useful - that helps others find it too!
Log variable
Hello, I am trying to log the value of the variable Global01. I have tried different ways - however without success.
I have written a script which sets VarGlobal01 according to certain text components of an SNMP message. The following action "Run external Program" calls a batch file and passes the variable. Everything is fine so far.
Now I want to log the value of the variable in a separate log file. I tried a separate batch file: >> path\logfiletxt echo %1
It works well when the batch file is executed directly and also when clicking the test button in the syslog server console. However, no log file is created during regular logging. All actions are being executed - so the filter can't be the reason.
Any ideas how to log the variable every time the script runs?
THANKS
Kiwi Syslog 9.5 Release Candidate is now Available!
The Release Candidate for Kiwi Syslog Server 9.5 is now ready! The new Kiwi Syslog version is packed with great new features and improvements. RC is the last step before general availability, and it is a chance for existing customers to get the newest functionality before it is available to everyone else. You can download it from the LATEST DOWNLOADS FOR YOUR PRODUCTS section of the customer portal. Change the filter to "Release Candidate" and click the download button next to the Kiwi Syslog RC version.
This release contains various improvements such as
- SNMP v3 Trap support
- SNMP Trap Forwarding
- Trap fields to VarBinds Elements in Output
- Logging to Papertrail cloud
- IPv6 Support
- Statistics email reports based on different intervals
- Ability to create more than five web console users
RC builds are made available to existing customers prior to the formal release. These are used to get customer feedback in production environments and are fully supported. If you have any questions I encourage you to leverage the KSS forum on thwack.
Now go and download the new version!
Kiwi Syslog not displaying Cisco ASA 5505 syslogs
I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.
I have Kiwi Syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server is also my CiscoWorks v3.2 server.
I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.
I have googled, read the user guide, and searched the forum and cannot find any procedure for tweaking Kiwi to log the syslog messages from my ASA, which is being used as a VPN concentrator.
Any ideas?
Need Help Troubleshooting - Not Receiving/Displaying Messages
Server 2008 R2 Std
Kiwi Syslog Server 9.4.1
I have an older version of Kiwi installed on an old server that is being retired. I've installed it on the new server, but I cannot get it to display anything. I exported settings from the other server and imported on this one, then went to Inputs-UDP and set the correct IP to bind it to.
- I've gone through ALL the steps in the SolarWinds Knowledge Base article "Kiwi Syslog Daemon is not receiving messages" (Kiwi Syslog Server) but had no luck getting it to work.
- I know for a fact that messages are being received -- when I run WireShark with the filter, "udp port 514", I see PLENTY of traffic from my firewall. Both my firewall and VPN device are sending syslog messages to the old server and the new one. The old server is still working just fine.
- Windows Firewall on the new server is completely disabled.
- I loaded the default rules and settings but still had no luck.
- I disabled all DNS resolution - no luck.
- There is no Errorlog.txt in C:\Program Files (x86)\Syslogd.
- Test messages from within Kiwi work just fine.
- I finally uninstalled Kiwi, rebooted the server, then reinstalled, and have the same problem.
Kiwi is running as LocalService -- I wondered if that might be the problem, but that's how it's running on the old server as well.
I'm at a loss as to what to do now. I tried contacting support, but since I'm using the free version I was directed here.
Sending events from Cisco 3750 switch
Hello,
I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.
Should the following work:
Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error
This command will send severity 0-3 (errors and above) events to the Kiwi server via UDP 514. Is this the supported method of transfer?
Should this work or is there a "Supported" switch configuration that I should be using.
Thank you,
Chris
Syslogd_Service.exe crash - out of stack space
I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service. Here is the hardware platform:
HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1
I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:
Log Name: Application
Source: Application Error
Date: 3/15/2012 10:42:42 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
<EventRecordID>2945</EventRecordID>
<Channel>Application</Channel>
<Computer>************</Computer>
<Security />
</System>
<EventData>
<Data>Syslogd_Service.exe</Data>
<Data>9.2.0.1</Data>
<Data>4d069c0f</Data>
<Data>unknown</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>c0000005</Data>
<Data>0000000a</Data>
<Data>91d0</Data>
<Data>01cd02c944ab6d53</Data>
<Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
<Data>unknown</Data>
<Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
</EventData>
</Event>
---------------------------
The following was in the Syslogd Errorlog.txt:
2012-03-15 09:32:52 Command line license key accepted.
2012-03-15 10:42:41 *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41 Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------
I have opened SolarWinds case #323438 regarding this.
Kiwi Syslog Server 9.4.1 - Active Directory Settings
Has anyone configured Active Directory Settings in Kiwi Syslog Server 9.4.1? Below are the Active Directory Settings available in the Web Access interface under the Admin tab.
- Domain URL: <Free Form Box> My domain prepopulated correctly.
- Authentication Type: <Free Form Box>. Is this supposed to be NTLM, Kerberos, etc?
- User Groups: <Free Form Box> Does the format need to be LDAP based?
Display original source of message when logs are aggregated through rsyslog server
I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server, which then forwards these messages to a Kiwi Syslog server. Unfortunately, when this happens all of the messages received by Kiwi are labelled with the hostname/IP of the rsyslog server and not their original source. I am unable to enable UDP spoofing on the rsyslog server as the firewall will only allow traffic from this server's IP and not the spoofed addresses.
Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.
DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer
I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:
"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddress value would be 192.168.1.1."
So would a script similar to the following work? Anyone have any experience with this?
"Function Main()
' Replace DMZServerIP with ActualSourceIP within the message hostname
Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
' Return OK to tell syslog that the script ran correctly.
Main = "OK"
End Function"
Thanks,
Ryan
Changing the userid for Syslog Web Access
During installation of Syslog Web Access, you are prompted for a userid and password. The password can be changed at any time easily.
But how does one change the userid? Where is it stored?
We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again. But having already asked us once, it did not ask us again.
Thanks,
-Ken
Kiwi Syslog Service Keeps crashing
We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day. We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of the devices in our network. We have quite a bit of stuff logging to our syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails. We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based on the service's recovery-on-failure setting, but this is happening way too often.
Has anyone else seen this problem and if so, what kinds of things did you try/do? Is this box just getting pegged so hard that it's causing the service to malfunction and trip up? I'm not a Windows guy but is this issue even Windows related? The only other application we have running on this server is CatTools and it runs clean with no service issues. The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself.
Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.
Thank you in advance!
Problem with Syslog Message Delay and out of Order.
Has anyone experienced a problem where their Syslogs messages are delayed and out of order?
Note the time it was queued and then the time it was sent. Sent at 8:31, but the message came into the syslog server at 7:28.
2010-08-24 08:31:25 PI Message to: networkadmin@removed.net
2010-08-24 08:31:25 PI Message from: Ospf-Syslog
2010-08-24 08:31:25 PI Subject: 10.5.0.2: 3552813: Aug 24 07:28:31.274: %OSPF-5-ADJCHG: Process 1, Nbr 10.12.1.41 on Vlan600 from F
2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400
2010-08-24 08:31:25 PI Message to: networkadmin@removed.net
2010-08-24 08:31:25 PI Message from: Ospf-Syslog
2010-08-24 08:31:25 PI Subject: 10.128.254.230: 49512: 049509: Aug 24 07:28:31: %OSPF-5-ADJCHG: Process 1, Nbr 10.12.1.41 on Vlan60
2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400
2010-08-24 08:31:25 PI Message to: networkadmin@removed.net
2010-08-24 08:31:25 PI Message from: HSRP-Syslog
2010-08-24 08:31:25 PI Subject: HSRP message from 10.7.4.2
2010-08-24 08:31:25 PI Date: Tue, 24 Aug 2010 08:31:25 -0400
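The gap the post above points at (device stamp 07:28:31, received 08:31:25) can be measured rather than eyeballed. The following is an added Python example, not Kiwi's code: it parses the sequence-number and timestamp prefix that IOS puts at the front of the message body, reports how far each device clock is from the receive time, and flags messages that arrive out of order for the same source. The sample records are constructed from the message text in the thread, the one-minute tolerance is an assumption, and the year is taken from the receive time (which is wrong for a message stamped 31 Dec and received 1 Jan).

```python
"""Added example (not Kiwi code): compare the device's own timestamp with the
collector's receive time and flag delayed or out-of-order messages per source.
Sample records are constructed; the 60 s tolerance is an assumption."""
import re
from datetime import datetime

# IOS message body: "[seq: ]*[*|.]Mmm dd hh:mm:ss[.mmm]: %FAC-SEV-MNEMONIC: text"
# Several "nnn: " sequence prefixes can appear (origin-id plus syslog sequence).
CISCO_TS_RE = re.compile(
    r"^(?:\d+: )*[*.]?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hms>\d{2}:\d{2}:\d{2})(?:\.\d+)?: "
)


def device_time(msg, year):
    """Timestamp the device wrote into the message, or None if absent."""
    m = CISCO_TS_RE.match(msg)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                             "%Y %b %d %H:%M:%S")


def check_order(records, max_lag_s=60):
    """records: iterable of (received_at, source_ip, message).

    Returns findings as (source_ip, kind, detail):
      'lag'          |receive time - device time| exceeds max_lag_s (seconds);
                     positive = buffered/delayed, negative = device clock ahead
      'out_of_order' device time is earlier than an already-seen message
                     from the same source (seconds behind the newest)
      'unparsed'     no IOS timestamp at the front of the message
    """
    findings = []
    newest = {}  # source -> newest device timestamp seen so far
    for received_at, src, msg in records:
        stamped = device_time(msg, received_at.year)
        if stamped is None:
            findings.append((src, "unparsed", msg[:40]))
            continue
        lag = (received_at - stamped).total_seconds()
        if abs(lag) > max_lag_s:
            findings.append((src, "lag", round(lag)))
        prev = newest.get(src)
        if prev is not None and stamped < prev:
            findings.append((src, "out_of_order", round((prev - stamped).total_seconds())))
        newest[src] = stamped if prev is None else max(prev, stamped)
    return findings


def demo():
    """Constructed records modelled on the thread: all received at 08:31:25."""
    recv = datetime(2010, 8, 24, 8, 31, 25)
    sample = [
        (recv, "10.5.0.2", "3552813: Aug 24 07:28:31.274: %OSPF-5-ADJCHG: Process 1, "
                           "Nbr 10.12.1.41 on Vlan600 from FULL to DOWN"),
        (recv, "10.128.254.230", "49512: 049509: Aug 24 07:28:31: %OSPF-5-ADJCHG: Process 1, "
                                 "Nbr 10.12.1.41 on Vlan60 from FULL to DOWN"),
        (recv, "10.5.0.2", "3552814: Aug 24 08:31:20.001: %OSPF-5-ADJCHG: Process 1, "
                           "Nbr 10.12.1.41 on Vlan600 from DOWN to FULL"),
        # stamped earlier than the previous message but delivered after it
        (recv, "10.5.0.2", "3552812: Aug 24 08:31:10.000: %SYS-5-CONFIG_I: Configured from console"),
    ]
    return check_order(sample)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A one-hour positive lag on every message from a device, as in the thread, points at buffering or queueing somewhere between the device and the collector rather than at clock skew; a constant negative lag points at the device clock. Either way, correlating the event with anything else (firewall denies, authentication failures) needs the device timestamp, not the receive timestamp, so keep both.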
Forward syslog events to QRadar
I'm trying to forward events from Kiwi Syslog to QRadar SIEM.
In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.
The test event was the only event received by the QRadar. None of the events I'm forwarding have been received as incoming logs on QRadar.
I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.
Do I need to install a universal DSM on the Kiwi Syslog servers?
Using Kiwi SyslogGen and Kiwi Syslog Server on the Same Machine (localhost)
On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server. If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.
- Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204").
- Change Source IP address to "Random Class C addresses"
- Change Source Port to 1468 (or any other fixed port; don't use a random port)
- Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
- If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again
You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page.
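An end-to-end check that needs neither SyslogGen nor the Kiwi test button: the following is an added Python example, not SolarWinds code. It builds RFC 3164-style datagrams, sends a burst from a fixed source port (the SyslogGen advice above) to a receiver bound to an explicit address, and reports what arrived. The same pattern answers the "not receiving" thread earlier on this page: a packet that Wireshark shows on the wire is only delivered to a socket bound to the packet's destination address or to 0.0.0.0, so bind to the address the devices actually send to. The bind address, port, count and facility values are assumptions; port 0 asks the OS for a free port so the example runs unprivileged.

```python
"""Added example (not SolarWinds code): send a burst of syslog datagrams from a
fixed source port to a receiver bound to an explicit address, and report what
was delivered. All addresses, ports and message text are assumptions."""
import socket
import time


def syslog_datagram(facility, severity, hostname, tag, text):
    """RFC 3164 style line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility * 8 + severity."""
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {text}".encode()


def send_burst(target, count, source_port=0, delay_s=0.01, hostname="testhost"):
    """Send `count` messages to target=(ip, port) with `delay_s` between them.

    source_port=0 lets the OS pick; a fixed value such as 1468 keeps the
    stream on one 5-tuple so it is trivial to isolate in a capture
    ("udp.srcport == 1468"). Returns the source port actually used.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.bind(("0.0.0.0", source_port))
        for i in range(count):
            # facility 16 = local0, severity 6 = informational -> PRI 134
            tx.sendto(syslog_datagram(16, 6, hostname, "syslogtest", f"message {i}"), target)
            time.sleep(delay_s)
        return tx.getsockname()[1]


def self_test(bind_ip="127.0.0.1", count=5, source_port=0, timeout_s=2.0):
    """Bind a receiver to exactly `bind_ip`, fire a burst at it and collect.

    Returns (received count, sorted sender ports seen, sender port used,
    first decoded line). A receiver bound to a different local address than
    the one the sender targets would time out here with 0 received, which is
    the symptom of a wrong "Inputs -> UDP -> bind address" setting.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((bind_ip, 0))            # port 0: any free port, no root needed
        rx.settimeout(timeout_s)
        target = rx.getsockname()
        used_port = send_burst(target, count, source_port)
        received, ports = [], set()
        try:
            while len(received) < count:
                data, (_addr, port) = rx.recvfrom(2048)
                received.append(data.decode("utf-8", errors="replace"))
                ports.add(port)
        except socket.timeout:
            pass                          # report whatever made it through
    return len(received), sorted(ports), used_port, (received[0] if received else None)


if __name__ == "__main__":
    print(self_test())
```

To test a real collector, call send_burst(("10.230.230.204", 514), 100, source_port=1468) from another host and watch for the fixed source port in the collector's display or in a capture on the collector; if the capture shows the packets and the daemon shows nothing, the bind address is the first thing to check.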
Can SolarWinds Log Forwarder be used to parse and forward RADIUS logs?
Hi,
I have a Windows NPS server, and I need to be able to forward the logs to a syslog server. Would Solarwinds log forwarder be able to do this?
Thank you
Limiting Log Retention
Hello.
I've installed the free version of Kiwi Syslog (I'm a long-time user of CatTools), and am unable to find a setup preference which tells Kiwi how long to retain syslog messages. I don't have unlimited drive space, and only want to keep certain messages for a limited period.
More specifically, I need to keep the NAT translation messages from my firewall, so I can track down inappropriate use by students. These messages come at a rate of over 20,000/hr. I only want to keep them for a week.
Thanks
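Splitting by source and day, as in the AutoSplit tutorial earlier on this page, is also what makes time-bounded retention like the week of NAT logs asked for here cheap: each day is its own file, so pruning is a delete, not a rewrite. The following is an added Python example, not Kiwi's code. It reproduces the %IPAdd4 (zero-padded octets) and %DateISO layout, then deletes per-day files older than a retention window using the date in the file name rather than the file's mtime. The sample messages, the base directory and the seven-day window are constructed for the example.

```python
"""Added example (not Kiwi code): reproduce the %IPAdd4 / %DateISO AutoSplit
layout, D:\\logs\\192.168.000.001\\Log2012-07-13.txt, and prune per-day files
older than a retention window. The sample messages are constructed."""
import ipaddress
import re
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

LOG_FILE_RE = re.compile(r"^Log(\d{4}-\d{2}-\d{2})\.txt$")


def ip_4_octets(ip):
    """Zero-pad each octet the way %IPAdd4 does: 192.168.0.1 -> 192.168.000.001.
    ipaddress rejects anything that is not a dotted quad, so a peer address can
    never carry '..' or a path separator into the log path. A hostname-derived
    path component would need the same kind of validation."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on garbage
    return ".".join(f"{octet:03d}" for octet in addr.packed)


def autosplit_path(base, peer_ip, when):
    """<base>/<%IPAdd4>/Log<%DateISO>.txt"""
    return base / ip_4_octets(peer_ip) / f"Log{when.date().isoformat()}.txt"


def write_split(base, messages):
    """Append each (peer_ip, received_at, text) to its per-source, per-day file.
    Returns {relative path: lines written}."""
    counts = {}
    for peer_ip, received_at, text in messages:
        target = autosplit_path(base, peer_ip, received_at)
        target.parent.mkdir(parents=True, exist_ok=True)
        with target.open("a", encoding="utf-8") as fh:
            fh.write(f"{received_at.isoformat(sep=' ')} {peer_ip} {text}\n")
        rel = target.relative_to(base).as_posix()
        counts[rel] = counts.get(rel, 0) + 1
    return counts


def prune(base, keep_days, today):
    """Delete Log<date>.txt files whose embedded date is older than keep_days.
    The date is read from the file name, not from mtime: a restore, a copy or
    an intruder can reset mtime, but the name is what the split action wrote.
    Returns the sorted relative paths that were deleted."""
    cutoff = today - timedelta(days=keep_days)
    deleted = []
    for path in base.glob("*/Log*.txt"):
        m = LOG_FILE_RE.match(path.name)
        if m and date.fromisoformat(m.group(1)) < cutoff:
            path.unlink()
            deleted.append(path.relative_to(base).as_posix())
    return sorted(deleted)


def demo():
    """Write constructed NAT-style messages into a temp dir, prune with a
    seven-day window as of 2012-07-13, return (counts, deleted, remaining)."""
    sample = [  # constructed: (peer ip, receive time, message)
        ("10.1.1.5", datetime(2012, 7, 13, 8, 0), "%ASA-6-305011: Built dynamic TCP translation"),
        ("10.1.1.5", datetime(2012, 7, 13, 9, 0), "%ASA-6-305012: Teardown dynamic TCP translation"),
        ("10.1.1.5", datetime(2012, 7, 6, 9, 0), "%ASA-6-305011: Built dynamic TCP translation"),
        ("10.1.1.6", datetime(2012, 7, 1, 9, 0), "%ASA-6-305011: Built dynamic TCP translation"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        counts = write_split(base, sample)
        deleted = prune(base, keep_days=7, today=date(2012, 7, 13))
        remaining = sorted(p.relative_to(base).as_posix() for p in base.glob("*/Log*.txt"))
    return counts, deleted, remaining


if __name__ == "__main__":
    print(demo())
```

Run prune from a scheduled task under an account that can only write the log tree; at 20,000 messages an hour a week of NAT logs is a few million lines, and deleting whole day files keeps the job to a directory listing. If the firewall writes one file per day that is still open, prune never touches it because today's date is inside the window.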
Kiwi syslog - 2011-03-18 10:54:01 Licensed action was found in settings and disabled.
Kiwi Syslog stopped collecting information. The view error log button is red and blinking. When I click to view the log I see the below message repeating itself:
2011-03-18 10:54:01 Licensed action was found in settings and disabled.
2011-03-18 10:54:01 Licensed action was found in settings and disabled.
2011-03-18 13:37:56 Licensed action was found in settings and disabled.
2011-03-18 13:37:57 Licensed action was found in settings and disabled.
2011-03-18 13:37:57 Licensed action was found in settings and disabled.
Can not receive message from Cisco switch 3750
Hello guys,
I set up a Kiwi Syslog server and can receive messages from other devices, such as a Cisco 2960 switch, a 5510 and a Windows server, but I cannot get any messages from the 3750. I have enclosed the 3750 configuration below. Please take a look and tell me where I am wrong. Thank you.
logging trap notifications
logging facility local5
logging 192.168.0.51
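Both 3750 threads on this page turn on the same two numbers: "logging facility local5" sets the facility (21) and "logging trap <keyword>" sets the highest severity number the switch will send, and the two are packed into the <PRI> at the front of every datagram as facility * 8 + severity. The rsyslog relay thread earlier on the page turns on the field after that: rsyslog's default forwarding template writes the original sender's HOSTNAME into the header, so a collector can recover the true source if, and only if, the datagram really came from the relay. The following is an added Python example, not Kiwi's scripting API and not a substitute for the Fields.* script in the Kiwi help: it decodes the PRI, applies the IOS "logging trap" threshold, and takes the header hostname as the source only when the peer address is an allow-listed relay. The sample lines, the relay address 10.0.0.2 and the host names are constructed.

```python
"""Added example (not Kiwi code): decode the <PRI> header, apply the IOS
'logging trap <keyword>' threshold, and recover the original sender of a
message relayed by a trusted rsyslog host. Sample lines are constructed."""
import re

# IOS 'logging trap' keywords in severity order (0 = most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})   # local5 = 21

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# What rsyslog's default forward template emits after the PRI:
# "TIMESTAMP HOSTNAME TAG: MSG" with an RFC 3164 or RFC 3339 timestamp.
RELAYED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>[A-Za-z0-9.\-]{1,253}) (?P<rest>.*)$", re.S)


def passes_trap(severity, keyword):
    """True if 'logging trap <keyword>' would let a message of this severity out
    (errors keeps 0-3, notifications keeps 0-5)."""
    return severity <= SEVERITY_NAMES.index(keyword)


def parse(line, peer_ip, trusted_relays=frozenset()):
    """Decode one datagram received from peer_ip.

    'source' is the peer address unless the peer is a trusted relay and the
    body carries a relay-format header, in which case the HOSTNAME the relay
    wrote is used. The header hostname is attacker-controlled text from any
    other peer (anyone can put "corp-dc1" in a datagram), so it is never
    trusted for direct senders; the allow-list is what makes it meaningful.
    """
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"bad PRI header: {line[:20]!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    body = m.group(2)
    source = peer_ip
    if peer_ip in trusted_relays:
        r = RELAYED_RE.match(body)
        if r:
            source = r["host"]
            body = r["rest"]
    return {"facility": facility, "severity": severity,
            "facility_name": FACILITY_NAMES.get(facility, str(facility)),
            "severity_name": SEVERITY_NAMES[severity],
            "source": source, "body": body}


def demo():
    """Constructed datagrams: a 3750 with 'logging facility local5', a DMZ host
    relayed through rsyslog at 10.0.0.2, and a direct sender spoofing a hostname.
    Returns (source, facility, severity, passes 'errors', passes 'notifications')."""
    relays = frozenset({"10.0.0.2"})           # assumed DMZ rsyslog relay address
    sample = [
        ("192.168.0.52", "<173>45: *Aug 24 07:28:31.274: %SYS-5-CONFIG_I: Configured from console by vty0"),
        ("10.0.0.2", "<38>Aug 24 07:30:01 dmzserver1 sshd[4242]: Accepted publickey for deploy from 203.0.113.7 port 51234 ssh2"),
        ("203.0.113.9", "<38>Aug 24 07:30:02 corp-dc1 sshd[1]: Failed password for root from 203.0.113.9"),
        ("192.168.0.52", "<171>46: *Aug 24 07:31:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down"),
    ]
    out = []
    for peer, line in sample:
        p = parse(line, peer, relays)
        out.append((p["source"], p["facility_name"], p["severity_name"],
                    passes_trap(p["severity"], "errors"),
                    passes_trap(p["severity"], "notifications")))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two things fall out of running this against real traffic. First, a 3750 configured with "logging trap notifications" never emits severity 6 or 7, so a filter or display rule that expects informational link-state messages will stay empty even though the switch is sending; check the PRI on the wire before blaming the collector. Second, if the relay's firewall rule is the reason spoofing is off, that same rule is what makes the allow-list above safe: only datagrams from the relay's own address can set a source that differs from the peer.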