Channel: THWACK: Popular Discussions - Kiwi Syslog

How to backup Kiwi Syslog Server?


Dear all,

 

I would like to know how to backup a Kiwi Syslog Server.  We are installing this in VM, but the environment only has NetBackup.

 

I know that I can export the data out as log file for backup, but how about backup when logs are still in the Kiwi Syslog Server database?

 

I am not able to find any reference in the Admin guide.

 

Best Regards,

Rayson Wong


SolarWinds.SyslogServer.Engine.log


Hi, I was hoping someone can explain the log files ('SolarWinds.SyslogServer.Engine.log') created in the Syslogd folder to me. What purpose do they serve? Are they safe to delete? Can I set them to be created in a different directory?

 

Thank you.

android app -> syslog


I downloaded the community version of kiwi.

I've got an app that I'm developing that will submit an event to a syslog server.  So, I need to find out how to quickly configure it to look for a udp message at a specific ip address.

 

Any suggestions?

Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

how to setup snort-log link to syslog server?


how to setup snort-log link to syslog server?

 

in snort.conf  (windows 7 32 bits)

output alert_syslog: host=127.0.0.1:8080, LOG_AUTH LOG_ALERT

 

command :

snort -i 1 -c c:\snort\etc\snort.conf -s

 

then get a file in c:\snort\log\snort.log.1493058792.

 

please tell me, how to send log to syslog server?

 

thank you

The list of Windows Update that conflicts with Kiwi Syslog Server


Hi,

I use Kiwi Syslog Server on Windows Server 2016.

 

I got an error on Kiwi Syslog Server due to conflict with Windows Update several times.

 

1) Performed on April 26, 2017

*Environment

- Windows Server 2016

- Kiwi Syslog Server version 9.5.2

 

The following patches were installed by Windows Update successfully.

KB4015217

KB890830

 

Then KSS is unable to load and presents the following error:

---------------------------

Syslogd

---------------------------

Component 'KiwiSocket.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

---------------------------

 

 

2) Performed on May 19, 2017

*Environment

- Windows Server 2016

- Kiwi Syslog Server version 9.6.1

 

The following patches were installed by Windows Update successfully.

KB3150513

KB4019472

KB890830

KB4013418

 

 

Then KSS is unable to load and presents the following error:

---------------------------

Syslogd

---------------------------

Component 'XceedZip.dll' or one of its dependencies not correctly registered: a file is missing or invalid.

---------------------------

 

 

[Resolution]

In both cases, I uninstalled and re-installed Kiwi Syslog Server.

 

Please refer:

https://support.solarwinds.com/Success_Center/Kiwi_Syslog_Server/KSS_error_Component_XceedZip_dll_or_one_of_its_dependencies_not_correctly_registered_a_file_is_missing_or_invalid

 

 

 

3) Performed on June 21, 2017

*Environment

- Windows Server 2016

- Kiwi Syslog Server version 9.6.1 

 

The following patches were installed by Windows Update successfully.

(KB3186568)

(KB4023834)

(KB4022715)

(KB890830)

(KB3150513)

 

Then KSS is unable to load and presents the following error:

---------------------------

Syslogd

---------------------------

Component 'XceedZip.dll' or one of its dependencies not correctly registered: a file is missing or invalid.

---------------------------

 

[Resolution]

I uninstalled and re-installed Kiwi Syslog Server.

 

 

Message edited by:

Date: June 28, 2017

JTC Osaka 

After Windows Update(2017-June-21), KSS can not start again.

Maximum number of TCP connections has been reached. Not accepting connection.


KiWi Syslogd error: Maximum number of TCP connections has been reached. Not accepting connection.

Why? Thanks..

What are Your Favorite Kiwi Syslog Server Highlighting Rules? (Non-Web)


Many of us still use Kiwi Syslog Server's GUI "Service Manager" to watch logs rather than Kiwi's web interface.  Over time

 

My Favorite Highlighting Rules

 

This is my favorite set of Highlighting Rules in action:

 

KiwiSyslog_Final_NoIcons.png

 

Notice that I don't use Kiwi's icons.  If you don't use them either, you can turn off all icons by unchecking "View | Show/Hide Columns | Icons" from the main Service Manager menu. 

 

To implement this configuration on your Kiwi Syslog Server, make sure the following lines are in the INI file you import into Kiwi Syslog Server.  (See next section for instructions.)

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y

H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H003=MAkyCUNyaXQJMAk0NjI5NzQ4CTAJMAkwCTEJMQkxCTAJMAlrc2RfUHJpb3JpdHlJY29uMg==

H004=MAkyCUVycm9yCTAJMzIxMDQ5MgkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H005=MAkyCVdhcm4JMAk0Nzc5MjU2CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNA==

H006=MAkyCU5vdGljZQkxNjc3NzIxNQk3MDYxODU0CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

H007=MAkyCUluZm8JMTQzMjY4NDcJMTY3NzcyMTUJMAkwCTAJMQkxCTAJMAkwCWtzZF9CbGFuaw==

H008=MAkyCURlYnVnCTEyNjMyMjU2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

...

[Properties]

DisplayColumnsEnabled=223

 

How to Import/Export Service Manager Highlighting Rules

 

Although the Service Manager doesn't include a facility to import/export Highlighting Rules, it does include a facility to import/export the entire Kiwi Syslog Server configuration as an INI file.  To use this to import/export your Highlighting Rules:

  1. Stop the Kiwi Syslog Service.
  2. Select "File | Export settings to INI file" from the Service Manager's main menu.  Save the INI file.
  3. Make a copy of the exported INI file as a backup (in case the import of your modified file doesn't work).
  4. Open the INI file with notepad or an appropriate text editor.
  5. Find the [Highlighting] tag. Make the necessary changes, and double-check your value of "HighlightCount".
  6. Optionally, find the [Properties] tag and the "DisplayColumnsEnabled" property just below it.  Make changes.  (Or set/reset to "255" to turn everything back on.) 
  7. Save the INI file.
  8. Select "File | Import settings from INI file" and import your modified file. 
  9. Close and relaunch the Service Manager application.  (Optionally, select "View | Highlighting options" after relaunching to see if your INI file changes worked.) 
  10. Start the Kiwi Syslog Service. 

 

Remember also that Highlighting Rules only work in the Syslog Server Comparison | Kiwi Free vs Kiwi Commercial.  You can apply INI files to the Free Edition, but Highlighting Rules will be ignored.

 

Default Highlighting Rules

 

The default Highlighting Rules in action:

KiwiSyslog_Original.png

 

To implement (or reset) this configuration, make sure the following lines are in the INI file you import into Kiwi Syslog Server. 

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTY1NTM1CTI1NQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjA=

H002=MAkyCUFsZXJ0CTYyOTE0NTYJNTA0MzEJMAkwCTAJMQkxCTAJMAkwCWtzZF9Qcmlvcml0eUljb24x

H003=MAkyCUNyaXQJNjI5MTQ1Ngk2NTUzNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H004=MAkyCUVycm9yCTIxMwkxMjkxMDU5MQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjM=

H005=MAkyCVdhcm4JMAkxNTI2Mzk3NgkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H006=MAkyCU5vdGljZQk0MjEwNzUyCTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNQ==

H007=MAkyCUluZm8JODM4ODYwOAkxNjc3NzIxNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjY=

H008=MAkyCURlYnVnCTI0NTc2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNw==

...

[Properties]

DisplayColumnsEnabled=255

 

Discussion

 

What are YOUR favorite Kiwi Syslog Server highlighting rules?  Please paste a screenshot and the [Highlighting] section from your Kiwi INI export below. 
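
The checks from steps 5 and 8 above can be scripted before an edited INI file is imported. The following is an added example, not part of the original post and not SolarWinds code: it confirms that "HighlightCount" matches the H001..Hnnn entries and decodes each rule for review. The tab-separated layout is only what decoding the post's own values shows; the meaning of the individual fields is not documented on this page, and the latin-1 text decoding is an assumption.

```python
import base64
import binascii
import configparser
import re

# Constructed sample: the first two rules from the post's "favorite" listing,
# with HighlightCount lowered to 2 so the section is self-consistent.
SAMPLE_INI = """\
[Highlighting]
HighlightCount=2
H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y
H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

[Properties]
DisplayColumnsEnabled=223
"""

RULE_KEY = re.compile(r"^H\d{3}$")


def audit_highlighting(ini_text):
    """Return (rules, problems) for the [Highlighting] section of an export.

    rules maps each Hnnn key to its decoded, tab-split fields; problems is a
    list of human-readable findings (empty when the section is consistent).
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.optionxform = str  # keep key case exactly as exported
    parser.read_string(ini_text)
    if not parser.has_section("Highlighting"):
        return {}, ["no [Highlighting] section found"]
    section = parser["Highlighting"]
    problems, rules = [], {}

    try:
        declared = int(section.get("HighlightCount", ""))
    except (TypeError, ValueError):
        declared = None
        problems.append("HighlightCount is missing or not an integer")

    for key, value in section.items():
        if not RULE_KEY.match(key) or value is None:
            continue
        try:
            raw = base64.b64decode(value.strip(), validate=True)
        except binascii.Error:
            problems.append(f"{key}: value is not valid base64")
            continue
        # Assumption: single-byte text; latin-1 never fails to decode.
        fields = raw.decode("latin-1").split("\t")
        if not all(f.isprintable() for f in fields):
            problems.append(f"{key}: decoded rule contains control characters")
        rules[key] = fields

    if declared is not None:
        expected = {f"H{n:03d}" for n in range(1, declared + 1)}
        for key in sorted(expected - set(rules)):
            problems.append(f"{key}: declared by HighlightCount but missing or invalid")
        for key in sorted(set(rules) - expected):
            problems.append(f"{key}: present but beyond HighlightCount={declared}")
    return rules, problems


if __name__ == "__main__":
    decoded, findings = audit_highlighting(SAMPLE_INI)
    for name, fields in sorted(decoded.items()):
        print(name, fields)
    for finding in findings:
        print("PROBLEM:", finding)
```
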


How to Split Logs to Multiple Displays in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.

 


External link to Jing: Multiple Displays - justinfinley's library

 

Video Guide:

  • 0:00 Unfiltered display (Display 00)
  • 0:10 Showing the rule that sends all messages to Display 00
  • 0:20 Changing the unfiltered display from Display 00 to Display 05
  • 0:25 Checking that the switch happened
  • 0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
  • 1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
  • 2:05 Checking that the new filters work
  • 2:25 Renaming "Display 05" to "All Messages"
  • 2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
  • 3:10 Checking that the display renaming worked

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

How to Split Log Files by IP Address and Date in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server.  Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders.  (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

 

 

External link to Jing: autosplit - justinfinley's library

 

Video Guide:

  • 0:00 Opening Kiwi Syslog's configuration dialog
  • 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
  • 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

Sending events from Cisco 3750 switch


Hello,

I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.

Should the following work:

Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error

This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?

Should this work or is there a "Supported" switch configuration that I should be using.

Thank you,

Chris

Infoblox device receiving error messages from Kiwi Syslog


An Infoblox device is reporting that Kiwi Syslog is receiving "connection failed" errors in its logs from the Kiwi server.  According to the engineer asking the question the interface sending the syslog messages is not behind a firewall.

I assume the syslog server does not randomly drop or refuse connections from a device sending it syslog messages. 

Any ideas as to what might be causing this?

 

2011-01-07 13:18:15 CST

syslog

ERROR

syslog-ng[1107]

Connection failed; error='Connection refused (111)', time_reopen='30'

2011-01-07 13:18:14 CST

syslog

INFO

syslog-ng[1107]

Log statistics; dropped='tcp(AF_INET(10.160.12.13:514))=11609', processed='center(queued)=118226', processed='center(received)=102521', processed='destination(d_internal_1)=15705', processed='destination(d_mesg)=102521', processed='source(s_syslogng)=86801', processed='source(s_internal)=15720'

 

2011-01-07 13:17:45 CST

syslog

ERROR

syslog-ng[1107]

Connection failed; error='Connection refused (111)', time_reopen='30'

Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

no log shows on Kiwi Syslog Web Access


I am having kiwi syslog 9.5 installed.

I choose to install as service and also installed the web access.

The syslog console opened fine and I see logs on displayed and also to file.

However, with the web access, it shows nothing (whatsoever).  I checked the Setup on Console Manager and see that under Rules I have 2 exact same options for "Log to Syslog Web Access".  Everything under those options is checked.

But I still see no log on web access.

 

1) I tried to uncheck all the "Log to Syslog Web Access".

2) Closed the Console Manager and reopened it

3) Checked mark one of the 2 options "Log to Syslog Web Access" and everything below it.

4) Opened and log in to web access -> Still see nothing.

 

any idea?


Display original source of message when logs are aggregated through rsyslog server


I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately when this happens all of the messages received by Kiwi are labelled with the hostname/ip of the rsyslog server and not their original source. I am unable to enable UDP Spoofing on the RSyslog server as the firewall will only allow traffic from this server's IP and not the spoofed addresses.


Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer


I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddress value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

"Function Main()
  ' Replace DMZServerIP with ActualSourceIP within the message hostname
Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
  ' Return OK to tell syslog that the script ran correctly.
Main = "OK"
  End Function"

Thanks,
Ryan


Can't setup syslog with a Cisco ASA 5505


I have never used Syslogs before but was asked to set up one.

I am having trouble setting it up with my Cisco ASA 5505 security Device.

I can ping FROM the server to the Cisco ASA

I can ping FROM the ASA to the Server.

 

 

 

Things I have done.

 

  1. I have downloaded the SolarWinds Kiwi Syslog server.
  2. I installed it as a service.
  3. I tested the Kiwi Syslog server using its built-in testing tool and I received messages. They came in on 127.0.0.1.
  4. In Kiwi Sys Log server I added the IP address of the Cisco ASA.
    1. File - Setup - Input - 192.168.200.1 (Server address)
  5. Inputs - UDP
    1. Made sure Port was set to 514
  6. Logged into the Cisco ASDM management.
  7. Went to:
    1. Configuration - Device Management - Logging
  8. Under Logging setup I selected "Enable"
  9. Logging filters
    1. I enabled Sys Log and selected "Severity:Warnings" for all event classes.
  10. Clicked on "Sys Log Server" from the menu. I added:
    1. Interface: Data (inside which the Sys Log is connected to)
    2. IP Address ( IP address of the Syslog server)
    3. UDP Port 514
    4. EMBLEM and Secure is set to "NO"
  11. Click on "Syslog Setup" on the ASA in the menu structure
    1. Include Timestamp in syslogs
  12. I applied the settings to the ASA and then committed the changes to flash.

 

Any ideas on why the syslog server isn't displaying the info?

 

Thanks so much in advance!

Syslog Manager fails to start on win 8.1


syslog_manager.exe 9.4.0.1 will not open correctly on Windows 8.1. The process starts and can be seen in Task Manager, but closes a few seconds later. No GUI is seen at all, not even the splash screen or the notification area icon.

 

there are no logs inside:

C:\Program Files (x86)\Syslogd\Dated logs

C:\Program Files (x86)\Syslogd\Logs

 

i tried calling (Service – Debug start-up: www.kiwisyslog.com/help/syslogd7/index.html?adv_reg_servicedebugstart_up.htm):

syslog_manager.exe DEBUGSTART

syslog_manager.exe /DEBUGSTART

syslog_manager.exe -DEBUGSTART

syslog_manager.exe --DEBUGSTART


but still no log or debug log files are created in the C:\Program Files (x86)\Syslogd directory or any of its sub directories.


I checked the Windows event log and found the same four errors reoccurring every time the syslog_manager.exe is started up

 

==============================

Error 1

==============================

 

Fault bucket -339880763, type 1

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Manager.exe

P2: 9.4.0.1

P3: 5256d7ac

P4: StackHash_4527

P5: 0.0.0.0

P6: 00000000

P7: c000041d

P8: PCH_1C_FROM_actskn43+0x00014197

P9:

P10:

 

Attached files:

C:\Users\user\AppData\Local\Temp\WER7A1F.tmp.WERInternalMetadata.xml

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._1c26be14be8bc7e884ee84c763454f0becaea_d6be21d2_0a3f7cfe

 

Analysis symbol:

Rechecking for solution: 0

Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a

Report Status: 0

Hashed bucket: ee82e4cf87c028d8fde4d29d457939f8

 

==============================

Error 2

==============================

 

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc000041d

Fault offset: 0x040705b8

Faulting process ID: 0xbe0

Faulting application start time: 0x01cedf304b48bb7b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a

Faulting package full name:

Faulting package-relative application ID:

 

==============================

Error 3

==============================

 

Fault bucket 50, type 5

Event Name: BEX

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Manager.exe

P2: 9.4.0.1

P3: 5256d7ac

P4: StackHash_f2c9

P5: 0.0.0.0

P6: 00000000

P7: PCH_3D_FROM_ntdll+0x0003C1AC

P8: c0000005

P9: 00000008

P10:

 

Attached files:

C:\Users\user\AppData\Local\Temp\WER7676.tmp.WERInternalMetadata.xml

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._4bac366436d77f4150a9f635e3ff4264d568c57d_d6be21d2_070f7973

 

Analysis symbol:

Rechecking for solution: 0

Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a

Report Status: 0

Hashed bucket: 18c71da6583848b95798fbf0fc6b19c1

 

==============================

Error 4

==============================

 

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x040705b8

Faulting process ID: 0xbe0

Faulting application start time: 0x01cedf304b48bb7b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a

Faulting package full name:

Faulting package-relative application ID:

Does Kiwi syslog server support TLS 1.2? If so how to enable it?


I am trying to connect to kiwi syslog server in secure TCP mode. From my client side (c# code) I try to connect to kiwi syslog server using TLS 1.2 protocol. But SSL Handshake from server is set to TLS 1.0

I installed kiwi server in Windows 7 SP1 and enabled TLS 1.2 in the system by modifying the system registry.

 

SSL handshakes captured using Network monitor are given below

 

Client HandShake

 

Client HandShake.png

 

Server HandShake

server handshake.png

 

Client side code( c#)

 

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

var tcpClient = new TcpClient(hostname, port);

var tcpClientStream = tcpClient.GetStream();

var sslStream = new SslStream(tcpClientStream, false, ValidateServerCertificate)

{

        ReadTimeout = timeout,

        WriteTimeout = timeout

};

sslStream.AuthenticateAsClient(hostname, new X509CertificateCollection(), System.Security.Authentication.SslProtocols.Tls12, false);

Kiwi syslog "Service running, but Service/Manager comm link is not connecting" on a virtual machine


Hi everyone

 

I have a problem with my syslog server, it sends the following messages:

 

Service running, but Service/Manager comm link is not connecting.

Unable to connect to Service socket on TCP port 3300

 

The server is installed on a Windows 7 virtual machine in a VMware environment. I already verified the TCP port and it belongs to the syslog server; also the Windows firewall is down

 

Do you have any ideas?

 

Regards
