Syslog Message Logging to MYSQL DB

September 14, 2012, 3:03 pm

≫ Next: Kiwi Syslog - Windows Server 2008 Compatibility

≪ Previous: Syslogd_Service.exe crash - out of stack space

I am new to kiwi syslog server. Configured kiwi syslog server with default fields to log messages to MYSQL DB and working fine.

But I wish to parse the message and log to MYSQL DB using custom fields. I dont have any knowledge about scripting.

Sample log is shown below. Each field is separated by a single space character. The message content is highlighted in red.

2012-09-01 10:37:14 Local6.Warning HQ-IPS-01 DefensePro: 01-04-2012 19:49:25 WARNING 300000 Intrusions "BO-WINXP" TCP ACCTS-C-PC1 1607 ACCTS-C-PC2 80 3 Regular "DMZ-Policy" occur 1 0 N/A 0 N/A low drop FFFFFFFF-FFFF-FFFF-0001-00004F7B1BE5

Only the following things needs to be extracted and logged to DB.

MsgDate: 2012-09-01

MsgTime: 10:37:14

MsgHostname: HQ-IPS-01

AttackId: 300000

AttackType: Intrusions

AttackDesc: BO-WINXP

AttackSrc: ACCTS-C-PC1

AttackDst: ACCTS-C-PC2

The number of such logs that needs parsing by the script will be more.

Request provide me guidance in configuring this.

Any help on this would be greatly appreciated!

Thanks all...

↧

Kiwi Syslog - Windows Server 2008 Compatibility

January 16, 2009, 2:42 am

≫ Next: Kiwi syslog server service can't start

≪ Previous: Syslog Message Logging to MYSQL DB

Does version 8.3.48 work on Windows Server 2008?

Kiwi Syslog installed in application mode with out error.

I am trying to get a test message, but the 'Test' button is greyed out even if I enter 127.0.01 as the IP address. I wonder is this my error or an incompatibility problem.

Guy Thomas.

↧

Kiwi syslog server service can't start

August 30, 2012, 3:37 am

≫ Next: Kiwi Secure Tunnel listening ports

≪ Previous: Kiwi Syslog - Windows Server 2008 Compatibility

Hi everyone,

I'm using Kiwi syslog server 9 on Windows 2008 R2 server (VMware virtual machine). On 17.8.2012. physical server has stopped responding and customer had to restart it manually. Since then Kiwi syslog server doesn't work. When I try to access it, server's CPU raises to 100%, it is stuck like that for few minutes and then it displays error message in Kiwi grid pop up window saying 'Run-time error '0''.

Kiwi syslog service also can't be started, when I try to start it, it says it couldn't be started in timely fashion.

I've tried to delete/rename files in c:\program files\solarwinds\kiwi web access\html\app_data but with no success. I've renamed event.sdf to Old_event.sdf and made a copy of Event-blank.sdf and then renamed it to event.sdf.

I've raised a support ticket but with no results till now.

Do you have any idea what's the problem here?

Regards, O

↧

Kiwi Secure Tunnel listening ports

April 25, 2013, 6:53 am

≫ Next: Kiwi Syslog 9.3.4 is Now Generally Available

≪ Previous: Kiwi syslog server service can't start

Hi,

For compliance purposes we must document all listening ports on certain systems, including network management stations.

We run Kiwi Secure Tunnel Server, and in addition to the user defined TCP ports, the application also listens on apparently random high UDP ports.

I need some sort of documentation from the vendor/developer about these listening ports and SolarWinds support suggested I post here.

Thanks!

↧

Kiwi Syslog 9.3.4 is Now Generally Available

November 8, 2012, 2:29 am

≫ Next: Changing syslog message received

≪ Previous: Kiwi Secure Tunnel listening ports

Kiwi Syslog v9.3.4 is now available for download in your customer portal, for those of you who have an active maintenance.

Below is a list of the changes in this version.

Fixes

Resolution for daily statistics and alarm emails in HTML format garbled
Resolution for changes in setup not effective until service restart

Note

Please note that due to technical reasons, the version that can be downloaded for evaluation purposes is still 9.3.3.

If you are evaluating Kiwi Syslog and need to have the above problems fixed, please let us know and we will provide you with v9.3.4.

↧

Changing syslog message received

December 1, 2010, 11:53 am

≫ Next: How to detect clients that stop sending Syslog messages to the server

≪ Previous: Kiwi Syslog 9.3.4 is Now Generally Available

I'm getting a syslog from Cisco ACS and it reads like this on Kiwi:

Dec 1 18:44:56 10.16.162.129- sv-chof-acs01.na.bluecap123.net CisACS_01_PassedAuth 1as18p83x 1 0 User-Name=pete,Access Device=SW-CHCL-EXC2

I would like to edit this message to omit some of the garbage I don't care about and display something like this:

PassedAuth - User-Name=pete,Access Device=SW-CHCL-EXC2

Does anyone know of a way to modify incoming syslog messages?

Any help would be appreciated.

Pete

↧

How to detect clients that stop sending Syslog messages to the server

January 29, 2013, 7:28 am

≫ Next: log forwarder and dhcp auditing?

≪ Previous: Changing syslog message received

How do you detect specific clients that have not sent syslog messages to the server in a specified amount of time?

↧

log forwarder and dhcp auditing?

October 15, 2011, 10:57 am

≫ Next: Kiwi Syslog failed to start - error code 1053 - System local account

≪ Previous: How to detect clients that stop sending Syslog messages to the server

I am needing to forward all of our DHCP audits to the syslog, however I cannot figure out how to do that with the Log Forwarder. Which source do I use in the Event Viewer? The audit is logged to a file. Is there any way to forward changes to files?

↧

Kiwi Syslog failed to start - error code 1053 - System local account

November 21, 2011, 10:22 am

≫ Next: Freeware Kiwi Syslog Server v9.3.1

≪ Previous: log forwarder and dhcp auditing?

Hi people !

I am testing Kiwi Syslog Server Service edition with Evaluation Version....

I am running Kiwi on a 2008r2 SP1 (R2 is x64).

I am trying to run the Kiwi daemon with the system local account ; but i have the error 1053 poping:

" The service did not respond to the start or control request in a timely fashion "

I tried to adjust the timeout Value in the Registry to 60 (30 by default) ; no way the kiwi syslog Service don't start.

I created the debugging value to see what happening on startup, but i have only :

2011-11-21 18:50:19    Start-up file Initialized.
2011-11-21 18:50:19    Performing NT Service setup for Kiwi Syslog Server
2011-11-21 18:50:19    Service Starting - NTServiceSetup

When i am using the administrator account of the server ; the service starts quickly ...here is the debug log :

2011-11-21 19:03:44    Start-up file Initialized.
2011-11-21 19:03:44    Performing NT Service setup for Kiwi Syslog Server
2011-11-21 19:03:44    Service Starting - NTServiceSetup
2011-11-21 19:03:44    Service startup triggered. Parameters:
2011-11-21 19:03:45    Startup entered
2011-11-21 19:03:45    About to initialise sockets
2011-11-21 19:03:45    Listening on InterApp TCP port 3300
2011-11-21 19:03:45    Listening on UDP port 514
2011-11-21 19:03:46    Message check timer started
2011-11-21 19:03:46    Startup completed

But for security reason i can't use an admin Account, i need to use the local system account.

I ran procmon to see what's wrong ; no errors about File/Registry denied access.

When using Local system account, the process stops here :

When using an Admin account , the process starts, and "hits" an .INI file (KRDP_Sessions.ini) :

Can you have any information on this ?

Regards,

↧

Freeware Kiwi Syslog Server v9.3.1

May 15, 2012, 7:40 pm

≫ Next: Kiwi Syslog Service slow to start, possibly causing install to fail

≪ Previous: Kiwi Syslog failed to start - error code 1053 - System local account

Hi,

How can I use Kiwi Syslog Server v9.3.1 Freeware version?

I've downloaded the Free Trial program and installed it by "Kiwi_Syslog_Server_9.3.1.Eval.setup.exe".

After the evaluation period, Kiwi Syslog Server turned to "Unlicensed version", not "Freeware version".

I remember the previous version turned to "Freeware version" after the expiration of the trial or when installed by the installer from our customer portal.

But I cannot use v9.3.1 Freeware mode...

If there's information about it, please let me know.

Thank you.

Chito

↧

Kiwi Syslog Service slow to start, possibly causing install to fail

April 15, 2013, 12:44 pm

≫ Next: Sending events from Cisco 3750 switch

≪ Previous: Freeware Kiwi Syslog Server v9.3.1

Hello, I ran the Kiwi Syslog trial previously with no problems at all on a virtual server running Windows Server 2008 R2 64 bit. When I came to upgrade it to a registered version, the install failed at the end, at the part where the Kiwi Syslog server gets started.

The error is: Kiwi Syslog Server Service Installation failed. The Kiwi Syslog Server Service could not be installed using account. Please run the installer again and try another user account (eg. LocalSystem or a member of the local Administrators group).

Sometimes the error is: Kiwi Syslog Server Service failed to start. Please try installing the service again using a member of the Administrators group.

I ran the setup application as administrator, using a domain user account which is in a security group in the local administrators group. I chose LocalSystem as the account to run it as.

I also tried using the local administrator, with the same results.

If I try to start the service manually, it eventually starts, but takes about 40 or so seconds. But it doesn't stay up for long.

The Windows Event Viewer doesn't seem to log anything when the service quits.

I had no such problems with the evaluation copy. Perhaps a clean install is required? How would I go about doing this? I've uninstalled, then deleted C:\Program Files (x86)\syslogd, then deleted c:\Program Data\solarwinds and also HKLM\Software\Wow6432Node\SolarWinds. Have I missed anything?

Thank you.

↧

Sending events from Cisco 3750 switch

January 19, 2011, 8:13 am

≫ Next: Kiwi Syslog not displaying Cisco ASA 5505 syslogs

≪ Previous: Kiwi Syslog Service slow to start, possibly causing install to fail

Hello,

I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.

Should the following work:

Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error

This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?

Should this work or is there a "Supported" switch configuration that I should be using.

Thank you,

Chris

↧

Kiwi Syslog not displaying Cisco ASA 5505 syslogs

April 2, 2011, 7:21 pm

≫ Next: Changing the userid for Syslog Web Access

≪ Previous: Sending events from Cisco 3750 switch

I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.

I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.

I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.

I have googled, read the user guide, and search the forum and cannot find any procedure that I can tweak Kiwi to log the syslog files from my ASA which is being used as a VPN concentrator.

Any ideas?

↧

Changing the userid for Syslog Web Access

October 13, 2009, 2:06 pm

≫ Next: Microsoft Active Directory monitoring using Solarwinds

≪ Previous: Kiwi Syslog not displaying Cisco ASA 5505 syslogs

During installation of Syslog Web Access, you are prompted for a userid and password. The password can be changed at any time easily.

But how does one change the userid? Where is it stored?

We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again. But having already asked us once, it did not ask us again.

Thanks,

-Ken

↧

Microsoft Active Directory monitoring using Solarwinds

October 22, 2009, 4:36 am

≫ Next: Kiwi Syslog not displaying Cisco ASA 5505 syslogs

≪ Previous: Changing the userid for Syslog Web Access

Has anyone deployed Solarwinds to monitor Microsoft AD, if yes than can you please share the list of attributes which we can monitor using Solarwinds. Please let me know.

Thanks in advance.

VMayank

↧