Channel: THWACK: Popular Discussions - Kiwi Syslog

Unable to Install KiwiSyslog Server after Uninstallation. "Unlicensed Version is Detected" prompt prevents further installation.


Hi guys,

I recently installed Kiwi Syslog on a Windows Server 2008 machine; however, I had to uninstall the program as the customer wants it to be on D:\. But now I am not able to install the program on D:\ or even back on C:\, as I get the error message "an unlicensed version is detected", hence the installation cannot proceed any longer.

 

Can anyone help? Where can I delete the old files so I am able to install the software again? I need to install this quite urgently. I have the license with me, but I did not activate the license in my previous installation since it was not installed on the right drive.

 

Please help.

 

Thanks.


What We're Working On - Kiwi Syslog


The SolarWinds Kiwi team are working on some enhancements and additional platform support for the product, such as...

 

  • Windows 8 and Windows Server 2012 Support for Kiwi Syslog, Log Viewer & Windows Event Log Forwarder
  • Migration to SolarWinds Licensing Framework
  • Internet Explorer 10 Support
  • Bug Fixes

PLEASE NOTE: We are working on these items based on this priority order, but this is NOT a commitment that all of these enhancements will make the next release.  We are working on a number of other smaller features in parallel.   If you have comments or questions on any of these items (e.g. how would it work?) or would like to be included in a preview demo, please let us know!

What is the best way to log Windows Event Logs with Kiwi Syslog Server?


What is the best way to log Windows Event Logs with Kiwi Syslog Server?

Kiwi syslog server external DB


Hello,

My Kiwi Web Access database is 4 GB in size, and I have some timeout errors executing filters.

I am trying to use an external MSSQL DB with Kiwi Syslog Server.

Is it possible for Web Access to use this external DB?

Thanks

Syslog Message Logging to MYSQL DB


I am new to Kiwi Syslog Server. I configured Kiwi Syslog Server with default fields to log messages to a MySQL DB and it is working fine.

But I wish to parse the message and log to the MySQL DB using custom fields. I don't have any knowledge about scripting.

 

Sample log is shown below. Each field is separated by a single space character. The message content is highlighted in red.

 

2012-09-01 10:37:14 Local6.Warning HQ-IPS-01 DefensePro: 01-04-2012 19:49:25 WARNING 300000 Intrusions "BO-WINXP" TCP ACCTS-C-PC1 1607 ACCTS-C-PC2 80 3 Regular "DMZ-Policy" occur 1 0 N/A 0 N/A low drop FFFFFFFF-FFFF-FFFF-0001-00004F7B1BE5

 

Only the following things need to be extracted and logged to the DB.

 

MsgDate:  2012-09-01

MsgTime:  10:37:14

MsgHostname: HQ-IPS-01

AttackId:   300000

AttackType: Intrusions

AttackDesc: BO-WINXP

AttackSrc: ACCTS-C-PC1

AttackDst: ACCTS-C-PC2


The number of such logs that need parsing by the script will be more.

Please provide me guidance in configuring this.

 

Any help on this would be greatly appreciated!

 

Thanks all...

Changing the userid for Syslog Web Access


During installation of Syslog Web Access, you are prompted for a userid and password.  The password can be changed at any time easily.

But how does one change the userid?  Where is it stored?

We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again.  But having already asked us once, it did not ask us again.

Thanks,

 

-Ken

Cassini web server accidentally deleted


The Cassini web server was accidentally uninstalled on our log server. Using the Kiwi Syslog Web Access repair fails with a "cannot find file" error. Is there a way to re-install Cassini without re-installing all of Kiwi?

 

.thanks

.rick..

Log Forwarder for Windows (available to all Kiwi customers on maint)


What it does:

Log Forwarder for Windows allows you to forward Windows events as Syslog to your Kiwi Syslog Server

  • Works on Windows XP, 2003, Vista, and 2008 (32-bit or 64-bit)
  • Provides .MSI version for silent installs, allowing use with remote software distribution systems (e.g., Microsoft SMS)
  • Enables definition of filters that describe which events are forwarded

How to get it:

If you download the Kiwi Syslog Server 9.0 from your customer portal, you will see there is an additional Log Forwarder executable included with your download.   The Log Forwarder for Windows was developed by the Kiwi Syslog team.  It is available at no cost to Kiwi Syslog customers current on maintenance.

Try it out and let us know what you think!


TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7


Hi all,

 

This is my first post; I wish to share with you some tips I found.

 

My main goal was to have access to the kiwi web site working with SSL...

But looking at the Cassini Web Server, it wasn't possible.

 

After searching more on this forum I found a post about a Rewriting Module with Apache; so why don't we do it with IIS?

Here we go !

 

Setup

- Win 2008 R2 , IIS 7 (with auth modules etc ...) , at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, certs installation etc .... sorry).

- We will use the ARR 2.0 module x64 for IIS... See References at bottom for DL link, install it.

- A running Kiwi Syslog Server and the Web Access working on port 8088. Access via a browser works on this port.

 

Goal

- Enable the rewrite/proxy module in IIS

- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090

- Create a rule to rewrite requests from 8090 to 8088

- When connecting on https://server:8090 , we would see Kiwi Web page.

 

HOW TO

1. Enabling the rewrite module

"C:\Windows\System32\inetsrv\appcmd.exe" set config  -section:system.webServer/proxy /enabled:"True"  /commit:apphost

 

2. New Site creation

set syslogwebdir=c:\inetpub\syslog

set syslogsitename=SYSLOG

"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"

 

3. Attach the SSL Certificate to the Binding 8090

3.1 With batch/cmd line (copy/paste to a BAT file)

set CERTHASH=EnterYourHashHere

netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}

 

3.2 With IIS Manager (if you don't know where to read Hash Certificate).

-Right Click on SYSLOG site, modify Bindings.

-Select https 8090 * Listener > Modify.

-On the "box" SSL Certificate, choose your certificate for the server.

-"OK"

 

4. Create the rule (copy/paste to a BAT file)

set syslogsitename=SYSLOG

set syslogrulename="Rewrite to Kiwi localhost 8088"

:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']

:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"

5. End

 

Test with your browser https://localhost:8090/

Now you can access from an "admin desktop" to this new SSL web site ...

Configure your firewalls to forbid access on port 8088 to this server (or/and configure the internal Windows Firewall of this server to allow only Localhost connection on 8088).

 

 

6. Refs Used

 

http://learn.iis.net/page.aspx/659/reverse-proxy-with-url-rewrite-v2-and-application-request-routing/

http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/

 

---

 

At the beginning I was thinking to use http://mysite/syslog/ as a virtual directory, but I got some troubles with events.aspx and the rewrite module.

Inbound Rules were OK, but Outbound Rules to rewrite URLs were not working as expected, and filters in Kiwi were not working anymore.

That's why I decided to create a new site on another binding, with a root site, so I don't need to create Outbound Rules ...

 

 

---

 

Sorry for my English ...  I'm French :)

KIWI action/correlations for PCI DSS 2 compliance


Got KIWI Syslog running and playing with action filters. Is anyone here in a similar situation, figuring out a working filter set or building one that attempts to meet PCI DSS 2 (credit card company) requirements for the 'review logs daily' portion? More expensive 'paid for LEM's' have pre-built correlations so you know you're parsing what's 'expected' by reqs.

Thanks, Doug

Kiwi Secure Tunnel listening ports


Hi,

 

For compliance purposes we must document all listening ports on certain systems, including network management stations.

 

We run Kiwi Secure Tunnel Server, and in addition to the user defined TCP ports, the application also listens on apparently random high UDP ports.

 

I need some sort of documentation from the vendor/developer about these listening ports and SolarWinds support suggested I post here.

 

Thanks!

Kiwi Syslog Complex Text Parsing


I am trying to quiet down my kiwi syslog server a bit. I have reporting working well for several functions.

 

I have it alerting on any service "entered the stopped state" but this is making my server noisy.

 

I want to exclude "The Application Experience service" from sending an alert, but can't seem to get the text to parse properly to do this.

 

I have made my rule like so, but it's not working properly.

 

[Image: kiwi.JPG]

 

Am I doing this right, or should I be doing this another way?

 

Does anyone else notify on services stopping?

 

Thanks.

Changing syslog message received


I'm getting a syslog from Cisco ACS and it reads like this on Kiwi:

Dec  1 18:44:56 10.16.162.129- sv-chof-acs01.na.bluecap123.net  CisACS_01_PassedAuth 1as18p83x 1 0 User-Name=pete,Access Device=SW-CHCL-EXC2

I would like to edit this message to omit some of the garbage I don't care about and display something like this: 

PassedAuth -  User-Name=pete,Access Device=SW-CHCL-EXC2

Does anyone know of a way to modify incoming syslog messages?

Any help would be appreciated. 

Pete

MS SQL server set up question


I'm trying to get logging to a MS SQL database working on the trial version of Kiwi Syslog, the current version.

 

I'm following this walkthrough  http://www.kiwisyslog.com/kb/how-to:-log-to-a-ms-sql-database-using-v8.3.2-and-above/ 

When choosing the data provider there is no option for SQL Native Client.  I have not been able to make it work with any of the other options present (mostly Microsoft OLE DB options).  Is the SQL Native Client option for the data provider only available in the paid version of the software?

Kiwi Syslog not displaying Cisco ASA 5505 syslogs


I have a Cisco ASA 5505 that is set up to send syslogs to a remote syslog server.

I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.

I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.

I have googled, read the user guide, and searched the forum and cannot find any procedure by which I can tweak Kiwi to log the syslog files from my ASA, which is being used as a VPN concentrator.

Any ideas?


Host reporting incorrect IP address of 127.0.0.1 in syslog


I'm using Kiwi Syslog free edition. I'm testing it to see if it does what I need, and I've already run into a snag.

 

I have two identical 2821 voice routers. They both are configured with the same logging setup.

 

logging trap debugging

logging facility local2

logging source-interface GigabitEthernet0/0

logging 10.2.100.235

 

On the syslog setup, I've specified the IP addresses of each router as "inputs"

 

The syslog messages are coming in as expected, but one of the 2 hosts always shows up as 127.0.0.1 in the hostname field.

 

I've double checked the source interfaces and they're correct.

 

Anyone have any idea why this is happening?

 

Thanks!

Kiwi Syslog Server not displaying messages


We have installed Kiwi Syslog Server on a workstation in the hopes of displaying syslog messages from our Cisco Catalyst 3560G switch. We entered the following commands into the 3560G switch to turn logging on and direct those messages to the Kiwi Syslog server. The Cisco IOS commands we entered were as follows:

Enable mode

config t

logging <IP Address of the workstation that Kiwi syslog server is installed on>

logging trap 7

End

Wr mem

Everything appears to be set up properly but there are no syslog messages displayed in the Kiwi Syslog Server. We are trying to capture all messages from the switch because we are trying to troubleshoot an issue with it. Does anyone have an idea as to why we aren't getting any messages in Syslog Server?

 

Thanks,

Ben

wrong message from logforwarder


The logforwarder v1.1 is installed on a German 2008R2 Server.

In the eventlog on the server I see ASP.NET warnings and errors with the following message:

/*

Ereigniscode: 3005
Ereignismeldung: Es ist eine unbehandelte Ausnahme aufgetreten.
Ereigniszeit: 16.12.2011 08:10:49
Ereigniszeit (UTC): 16.12.2011 07:10:49
Ereignis-ID: 00e80467722a4ddaa60928cab11be830
Ereignissequenz: 2
Vorkommen: 1
Ereignisdetailcode: 0
 
Anwendungsinformationen:
    Anwendungsdomäne: /LM/W3SVC/19/ROOT-****************
    Vertrauensebene: Full
    Virtueller Anwendungspfad: /
    Anwendungspfad: ******
    Computername: ******
 
Prozessinformationen:
    Prozess-ID: 9796
    Prozessname: w3wp.exe
    Kontoname: IIS APPPOOL\AppsService
 
Ausnahmeinformationen:
    Ausnahmetyp: NullReferenceException
    Ausnahmemeldung: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)

 
 
Anforderungsinformationen:
    Anforderungs-URL: http://127.0.0.1/*******
    Anforderungspfad: /********
    Benutzerhostadresse: 127.0.0.1
    Benutzer: 
    Ist authentifiziert: False
    Authentifizierungstyp: 
    Threadkontoname: IIS APPPOOL\AppsService
 
Threadinformationen:
    Thread-ID: 1
    Threadkontoname: IIS APPPOOL\AppsService
    Identitätswechsel für: False
    Stapelüberwachung:    bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
 
 
Details des benutzerdefinierten Ereignisses:

*/

But on the syslog server I see the following error message:

/*

12-16-2011    08:12:10    System4.Warning    192.168.6.**    Dez 16 08:10:49 ****** MSWinEventLog   4   Application   20   Fr Dez 16 08:10:49 2011   1309   ASP.NET 4.0.30319.0      N/A   Warning   *****   3   The description for Event ID 1309 from source ASP.NET 4.0.30319.0 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 3005. FormatMessage failed with error 1815, Die angegebene Sprachenkennung f³r die Ressourcen wurde nicht in der Image-Datei gefunden.

*/

I know that this is a problem with the language, but how can I solve this?

Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.
