Channel: THWACK: Popular Discussions - Kiwi Syslog

KIWI syslog service manager vs. syslog webaccess


Hello group!

Is there a difference between what we see in the KIWI Syslog Service Manager and what we see in the KIWI Syslog Web Access? We currently have one of our appliances sending SNMP traps to KIWI, however I am trying to run a script that is looking for a particular attribute in the SNMP trap which is cldcClientIPAddress.0

What is strange is, I see this information in the KIWI Syslog Web Access monitor but I do not see it in the KIWI Syslog Service Manager. I have gone through all of the options within the service manager and cannot figure this one out.

 

Any assistance would be appreciated!

 

GMF


Monitor Cisco Firewall and Router "Bad Password" Attempt Failures


I am setting up Cisco routers and assorted firewalls with Kiwi to listen and alert on bad passwords, with little success.  I have also allowed SNMP.  Has anyone had success with doing this, and does anyone have any examples for the Cisco devices?  We are using an assorted number of Cisco routers, switches, ASA firewalls, and VPN 3000 series gear.

 

logging trap errors
logging source-interface Ethernet0/0
logging 172.16.7.57
snmp-server community readmib RO
snmp-server enable traps snmp
snmp-server enable traps syslog
snmp-server host 172.16.7.57 traps writemib
!

Archive schedule task failure


Using Syslog Service Manager Version 9.0.3, I am trying to archive the logs on an hourly basis.  When I test the schedule with "Run now", it errors with: Task engine aborted with error: Problem copying file [Syslogd_Taskengine.exe 2.5.148] (45600) Main () Win32 file rename failed [Line: 0]

Kiwi Secure Tunnel listening ports


Hi,

 

For compliance purposes we must document all listening ports on certain systems, including network management stations.

 

We run Kiwi Secure Tunnel Server, and in addition to the user defined TCP ports, the application also listens on apparently random high UDP ports.

 

I need some sort of documentation from the vendor/developer about these listening ports and SolarWinds support suggested I post here.

 

Thanks!

kiwi vs orion syslog


What is the difference between the two? Do I need both running?  Can I have both running on the same box?  Currently I have both installed on the same box.  The Orion syslog is running but the Kiwi gives error messages like "Unable to open UDP socket on port 514" or "Registered action was found in settings and disabled"

Kiwi Web Access authentication methods ?


Does anyone know if there are plans to be able to use external authentication for Kiwi Syslog Web Access?  Rather than be restricted to 5 accounts, wouldn't it be a good idea to be able to hand off the authentication to an external source like LDAP, AD etc.?

 

Cheers

 

Florrie

Cassini web server accidentally deleted


The Cassini web server was accidentally uninstalled on our log server. Using the Kiwi Syslog Web Access repair fails with a "cannot find file" error. Is there a way to re-install Cassini without re-installing all of Kiwi?

 

.thanks

.rick..

What are Your Favorite Kiwi Syslog Server Highlighting Rules? (Non-Web)


Many of us still use Kiwi Syslog Server's GUI "Service Manager" to watch logs rather than Kiwi's web interface.  Over time

 

My Favorite Highlighting Rules

 

This is my favorite set of Highlighting Rules in action:

 

KiwiSyslog_Final_NoIcons.png

 

Notice that I don't use Kiwi's icons.  If you don't use them either, you can turn off all icons by unchecking "View | Show/Hide Columns | Icons" from the main Service Manager menu. 

 

To implement this configuration on your Kiwi Syslog Server, make sure the following lines are in the INI file you import into Kiwi Syslog Server.  (See next section for instructions.)

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y

H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H003=MAkyCUNyaXQJMAk0NjI5NzQ4CTAJMAkwCTEJMQkxCTAJMAlrc2RfUHJpb3JpdHlJY29uMg==

H004=MAkyCUVycm9yCTAJMzIxMDQ5MgkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H005=MAkyCVdhcm4JMAk0Nzc5MjU2CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNA==

H006=MAkyCU5vdGljZQkxNjc3NzIxNQk3MDYxODU0CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

H007=MAkyCUluZm8JMTQzMjY4NDcJMTY3NzcyMTUJMAkwCTAJMQkxCTAJMAkwCWtzZF9CbGFuaw==

H008=MAkyCURlYnVnCTEyNjMyMjU2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

...

[Properties]

DisplayColumnsEnabled=223

 

How to Import/Export Service Manager Highlighting Rules

 

Although the Service Manager doesn't include a facility to import/export Highlighting Rules, it does include a facility to import/export the entire Kiwi Syslog Server configuration as an INI file.  To use this to import/export your Highlighting Rules:

  1. Stop the Kiwi Syslog Service.
  2. Select "File | Export settings to INI file" from the Service Manager's main menu.  Save the INI file.
  3. Make a copy of the exported INI file as a backup (in case the import of your modified file doesn't work).
  4. Open the INI file with notepad or an appropriate text editor.
  5. Find the [Highlighting] tag. Make the necessary changes, and double-check your value of "HighlightCount".
  6. Optionally, find the [Properties] tag and the "DisplayColumnsEnabled" property just below it.  Make changes.  (Or set/reset to "255" to turn everything back on.) 
  7. Save the INI file.
  8. Select "File | Import settings from INI file" and import your modified file. 
  9. Close and relaunch the Service Manager application.  (Optionally, select "View | Highlighting options" after relaunching to see if your INI file changes worked.) 
  10. Start the Kiwi Syslog Service. 

 

Remember also that Highlighting Rules only work in the Syslog Server Comparison | Kiwi Free vs Kiwi Commercial.  You can apply INI files to the Free Edition, but Highlighting Rules will be ignored.

 

Default Highlighting Rules

 

The default Highlighting Rules in action:

KiwiSyslog_Original.png

 

To implement (or reset) this configuration, make sure the following lines are in the INI file you import into Kiwi Syslog Server. 

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTY1NTM1CTI1NQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjA=

H002=MAkyCUFsZXJ0CTYyOTE0NTYJNTA0MzEJMAkwCTAJMQkxCTAJMAkwCWtzZF9Qcmlvcml0eUljb24x

H003=MAkyCUNyaXQJNjI5MTQ1Ngk2NTUzNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H004=MAkyCUVycm9yCTIxMwkxMjkxMDU5MQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjM=

H005=MAkyCVdhcm4JMAkxNTI2Mzk3NgkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H006=MAkyCU5vdGljZQk0MjEwNzUyCTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNQ==

H007=MAkyCUluZm8JODM4ODYwOAkxNjc3NzIxNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjY=

H008=MAkyCURlYnVnCTI0NTc2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNw==

...

[Properties]

DisplayColumnsEnabled=255

 

Discussion

 

What are YOUR favorite Kiwi Syslog Server highlighting rules?  Please paste a screenshot and the [Highlighting] section from your Kiwi INI export below. 
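
Added example (not from the original post, and not SolarWinds code): a pre-import check for step 5 of the procedure above that base64-decodes each Hnnn value so the rule can be read, and compares the keys present with HighlightCount. It assumes keys are numbered H001 upward as in the listings above; the meaning of the individual tab-separated fields is not documented on this page, and `read_section` and `check_highlighting` are hypothetical helper names.

```python
import base64

# Constructed sample: H001/H002 are copied from the custom rule set in the post,
# but the section is cut to two rules while HighlightCount still says 8.
SAMPLE_INI = """\
[Highlighting]
HighlightCount=8
H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y
H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=
[Properties]
DisplayColumnsEnabled=223
"""


def read_section(ini_text, wanted):
    """Collect key=value pairs of one INI section, splitting on the first '='."""
    pairs, current = {}, None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == wanted and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def check_highlighting(ini_text):
    """Return (rules, problems): decoded Hnnn records and consistency errors."""
    section = read_section(ini_text, "Highlighting")
    rules, problems = {}, []
    for key, value in section.items():
        if key == "HighlightCount":
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except ValueError as exc:  # malformed base64 or non-ASCII payload
            problems.append(f"{key}: cannot decode ({exc})")
            continue
        rules[key] = text.split("\t")  # the decoded rule is tab-separated
    try:
        declared = int(section.get("HighlightCount", ""))
    except ValueError:
        return rules, problems + ["HighlightCount missing or not a number"]
    # Assumption from the listings in the post: keys run H001..H<count>.
    expected = {f"H{i:03d}" for i in range(1, declared + 1)}
    present = set(section) - {"HighlightCount"}
    for key in sorted(expected - present):
        problems.append(f"{key}: counted by HighlightCount but missing")
    for key in sorted(present - expected):
        problems.append(f"{key}: present but not covered by HighlightCount")
    return rules, problems
```

For the two values taken from the post, the third decoded field is the priority name (Emerg, Alert) and the last is an icon name (ksd_PriorityIcon2).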


Using Kiwi SyslogGen and Kiwi Syslog Server on the Same Machine (localhost)


On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server.  If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.

 

  1. Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204"). 
  2. Change Source IP address to "Random Class C addresses"
  3. Change Source Port to 1468 (or another fixed port; don't use a random port)
  4. Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
  5. If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again

 

Kiwi_SysMsgGen_Config.png

You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page

When Launching Kiwi Syslog it starts minimized


I installed Kiwi on my 2003 server. When I open the console to configure syslog, it flashes on the screen for a sec then is gone. I know it is running because I can see the process in Task Manager.

 

I have uninstalled, installed as an app and a service, rebooted - still to no avail, does the same thing.

 

Any help would be awesome.

Losing messages


Hi,

 

We are having an issue with the Kiwi Syslog Server (ver. 8.3.7), and I would like you to help us.

 

We have a Kiwi Server, with only one rule: No filters, ... writes to a TXT file and Stop the message.

Using the "Kiwi_SyslogGen" utility ... and always using UDP - Port 514 - we did several tests:

 

Test 1. Send 2.000 messages to the Kiwi server, sending continuously ... with an inter-message delay of 10 ms.

Results: The Kiwi writes a TXT file with 2.000 lines.

All seems to be Ok.

 

Test 2. Send 2.000 messages, sending in 100 packet burst every 10 seconds.

Results: The Kiwi writes a TXT file with 2.000 lines.

All seems to be Ok.

 

Test 3. Send 2.000 messages, sending in 500 packet burst every 10 seconds.

Results: The kiwi writes a TXT file with 854 lines.

Where are the 1.146 messages that do not appear in the file?

 

Could it be a network problem? We installed the "Wireshark" utility (sniffer) ... and Wireshark tells us that the machine received 2.000 packets from that IP address.

So, the network seems to work fine.  Furthermore, we installed the KiwiSyslog Gen utility ... on the SAME machine as the Kiwi server.

The result is a TXT file with 935 lines.

 

We have done this test dozens of times, and the results seem to be random: 854, 935, 1.056, 1.132 ... It is always around 45-50% of the messages.

In all the tests, we checked the message queue overflow.  It is always 0.

 

What is happening? Could you, please, help us with this?

Thank you in advance.

Sending events from Cisco 3750 switch


Hello,

I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.

Should the following work:

Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error

This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?

Should this work or is there a "Supported" switch configuration that I should be using.

Thank you,

Chris

Kiwi syslog server external DB


Hello,

My Kiwi Web Access database is 4 GB in size, and I have some timeout errors executing filters.

I am trying to use an external MSSQL DB with Kiwi Syslog Server.

Is it possible for Web Access to use this external DB?

Thanks

Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

SYSLOG WEBACCESS PASSWORD RESET


Dear All,

 

Can someone help me in resetting the KIWI-SYSLOG WEB ACCESS PASSWORD? I forgot it ..

 

thanks


drop syslog messages before they are captured by the Syslog Statistics


Hi there.

I have made a rule to filter "access-list logging rate-limited" "list 100 permitted" and Actions "Stop Processing message". But it seems that the message still appears under Top 20 Hosts in the Syslog Statistics.

Is it possible to remove the messages completely before it is captured by the program?


Friendly greeting
Jens ASkage
Norway


PS

I am using Ver 9.2 of Kiwi Syslog

Kiwi Syslog Alert


Hi,

 

I am one of the users of Kiwi Syslog. In the log I am running the rules with a filter of IP Address Range, and in the action place I am using the email action, so whenever logs are coming this action is working.

I want to create an alert when the logs stop for my created rules. Does anyone have an idea how to do that?

sys.jpg

Once the log generation is stopped, I should get an email alert?

Windows event log forwarder for Windows NT


Hi

 

I have been looking for a user manual for Windows Event Log Forwarder, but no success so far. Basically I just want to find out if Windows Event Log Forwarder is compatible with Windows NT Server/Workstation.

 

 

Thanks

Filtering out certain messages in Kiwi Syslog...


Hello,

 

I am in a situation where I need to filter out a certain string. It is a little complicated however. The string(s) I am trying to filter out usually looks like this:

 

"port D10-High collision or drop rate."

 

D10 is a device bay in a chassis and that is what we are really interested in here. There are 16 device bays so it can be D1, D2, D3....D16.

 

The only problem is that there is no space between D10 and "-High"

 

And we WOULD like to keep getting messages that don't have the Dx part in them, so we can't just filter out "collision or drop rate."

 

Is the only way to do this by putting 16 separate filters like so: ...?

 

"D1-High"

"D2-High"

"D3-High"

...."D16-High"

 

or is there a wildcard we can put in place of the number? Catch is that sometimes it could be a single digit (1-9) or it could be a double digit (10-16).

 

Your input is appreciated. Thank you.

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)


PROBLEM - pfSense syslog output for a firewall event is split into two lines when it is sent to the Kiwi Syslog app.

 

Is there a way to edit the configuration or a parsing script to parse the pfSense event as one, similar to what the Splunk app can do (see link http://www.basementpctech.com/content/pfsense-log-analysis-splunk)?

 

I understand that this is a pfSense tcpdump issue, but I have already tried the changes in link http://redmine.pfsense.org/issues/1938 without any luck. It just doesn't work; I tried all combinations of changes without any luck.

 

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

 

I would really appreciate any help with this, as I have already exhausted searching for a working solution using Kiwi Syslog, and it is the only thing holding me back from purchasing this application.

 

Appreciate any help on this..........

 

 

Example from Kiwi Syslog

 

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]
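
Added example (not part of the original post, and not Kiwi Syslog or pfSense code): one way to re-join the split pf lines after they have been written to a file, assuming a single sending firewall and lines read in arrival order. The sample lines are constructed from the ones quoted above with documentation-range addresses; `merge_pf_events` and the regex names are hypothetical.

```python
import re

# Constructed sample in arrival order, modelled on the lines quoted in the post.
# Addresses and MACs are documentation-range values.
PREFIX = "02-06-2013 13:01:35 Local0.Info 192.0.2.1 Feb  6 13:01:37 pf: "
SAMPLE = [
    PREFIX + "00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, "
             "ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)",
    PREFIX + "    192.0.2.10.68 > 255.255.255.255.67: BOOTP/DHCP, Request from "
             "00:00:5e:00:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags [bcast]",
    PREFIX + "<009>  Client-Ethernet-Address 00:00:5e:00:53:fc [|bootp]",
    PREFIX + "00:00:01.000000 rule 1/0(match): block in on em0: (tos 0x0, "
             "ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)",
    PREFIX + "    198.51.100.7.40000 > 192.0.2.1.22: Flags [S], seq 1, length 0",
]

PF = re.compile(r"\bpf: (?P<body>.*)$")
# First line of an event: tcpdump time delta, then the rule that matched.
HEADER = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ rule (?P<rule>\S+)\((?P<why>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+):"
)
# Second line: "src.port > dst.port: ..." in tcpdump notation.
FLOW = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+?): ")


def merge_pf_events(lines):
    """Join each 'rule ...' header with the continuation lines that follow it."""
    events, orphans, current = [], [], None
    for line in lines:
        found = PF.search(line)
        if not found:
            continue  # not a pf message
        body = found.group("body").replace("<009>", " ").strip()
        head = HEADER.match(body)
        if head:
            current = dict(head.groupdict(), raw=body)
            events.append(current)
        elif current is None:
            orphans.append(body)  # continuation whose header was never seen
        else:
            flow = FLOW.match(body)
            if flow and "src" not in current:
                current.update(flow.groupdict())
            current["raw"] += " " + body
    return events, orphans


if __name__ == "__main__":
    for event in merge_pf_events(SAMPLE)[0]:
        print(event["raw"])
```

With several firewalls logging to the same server, keep one `current` event per sending host, since their lines can interleave.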
