I'm using kiwi syslog ver 9.3. I'm getting the following syslog message that I'd like to modify before it displays on my screen.
Nov 19 16:17:38 opchmon0001 %OrionAlertEngine: .blu-c01-trd-csw02 is Down
All I care about is things after the colon, so essentially just blu-c01-trd-csw02 is Down
I created a regex filter to include ": .*" but this still doesn't work, but it seems like ti should. Does anyone have an suggestion to get this to work?
Thanks for looking,
Pete
Hello,
I just installed Syslog on a Windows 8 VM (ESXi 5.5).
However... I don't received any message from the router (Cisco RV042G) I want to log.
I tried the generic troubleshhoting :
• Check network connectivity by pinging from the sending device to the Syslog Server machine => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled
• Use a sniffer to check if messages from the routing are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)
Do you have any idea about the cause of this issue ?
Thanks in advance for your help.
We are having problems getting EMET to allow the kiwi syslog server service to run on an Windows 2012 R2 Server VM. We have case 999667 open and still haven't gotten it working. One of my partners working on this opened the case.
Dear All,
I want to create filter in syslog server to view the windows logon and logoff (event logs).
Please help me to create the filter.
We are using windows Server 2012 Standard version for Windows log forwarder but logs are not coming on Kiwi Syslog Server 9.6
We are running Kiwi Syslog Server v. 9.3.0.
We are sending syslogs from about 45 Cisco devices to this server. We have a filter setup to identify any Emerg, Alert, Crit, Error, Warn, or Notice logs. We then setup an action for it to email the network administrators anytime any of these are received by Kiwi.
The problem we are having is as follows:
We've logged into the cisco device in question and have done a "show clock" and confirmed that date and time are accurate.
We've confirmed the time is accurate on the server we have Kiwi installed on (Windows Server 2003 Stanadard x64 Edition w/ SP2, 2.04GB ram).
Looking in the bottom right corner of Kiwi Syslog Service Manager, we can see the time and date are accurate.
In addition, all Cisco devices and Windows servers point to our NTP server to ensure clocks stay sync'd.
Why are we having such a huge delay from the time Kiwi receives a log record to the time it sends us an email notification?
I mistakenly put in more than one email address in the return address for an email notification. I realized what I had done and then corrected it yet Kiwi still is saying
Mail error: 501 5.4.4 Invalid address
Requeing 48 e-mail messages. Will try again in 1 minute.
I have cleared everything I could and cycled services and yet it still shows this error over and over.
Where is the stupid mail queue so I can either correct it or delete them?
Hi
i am installing syslog in my server room to monitor the log in/log out operations on serers... i installed log forwarder on some windows server 2003 servers and everithig is ok but now i installed it on some windows server 2012 and all the messages that i receive from these servers are like this :''06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog 6 Application 127 lun giu 08 17.03.41 2015 1003 Microsoft-Windows-Security-SPP N/A Information srv-av.astergenova.it 0 The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."
do you have idea of how to fix this? syslogger is installed on a xp machine but i also tried to install it on a windows 2012 server machine and nothing changed
Hello Everyone,
First time poster here. I am trying to track event log service status and power downs. I cannot get the windows machines to forward event logs 6005, 6006, 6008, 6009 and 1074.
I have event log forwarder configured correctly, at least the log preview shows the correct logs being forwarded. I do have a custom filter built just for these event IDs but I also have a catch all file that is not filtered. I am checking in both the web access and the syslog server itself. Neither of them receive these event logs from the windows machines. I haven't noticed any other events not being forwarded. All of my other filters are producing the information correctly.
Any tips on how to collect these logs?
Windows 2012R2 and Windows 7 Enviorment
Using Kiwi Syslog Server 9.6 and Event log Forwarder
Hi,
i never used syslog servers and i would like to setup a logging system for my meraki mr32 devices.
I tried to setup myself Kiwi with the mr32 but with no success.
Can someone help?
Hello All,
I am planning to Deploy a Kiwi Syslog server to my NPM Environment.
We are planning to enable snmp traps and syslog messages to be sent from other tools to SolarWinds NPM hoping to have one alert dashboard focused on SolarWinds NPM.
I don't want to flood the polling engine and peg the processing power dealing will all the additional noise.
Instead the Kiwi Syslog server will process the items and forward the actionable items to the SolarWinds Server to be alerted and ticketed.
Any thoughts, concerns , or tips are appreciated.
Thank you,
Raymond
We are running Kiwi Syslog Server v. 9.3.0.
We are sending syslogs from about 45 Cisco devices to this server. We have a filter setup to identify any Emerg, Alert, Crit, Error, Warn, or Notice logs. We then setup an action for it to email the network administrators anytime any of these are received by Kiwi.
The problem we are having is as follows:
We've logged into the cisco device in question and have done a "show clock" and confirmed that date and time are accurate.
We've confirmed the time is accurate on the server we have Kiwi installed on (Windows Server 2003 Stanadard x64 Edition w/ SP2, 2.04GB ram).
Looking in the bottom right corner of Kiwi Syslog Service Manager, we can see the time and date are accurate.
In addition, all Cisco devices and Windows servers point to our NTP server to ensure clocks stay sync'd.
Why are we having such a huge delay from the time Kiwi receives a log record to the time it sends us an email notification?
Hi all,
New here, searched for discussions but found no entry on procurve switch(es).
The Procurve switches will not send any syslog messages (wiresharked the server)
Turned on logging on the switch: logging 'ip-address'
show debug
Debug Logging
Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server
Protocol = UDP
Port = 514
Facility = user
Severity = info
System Module = all-pass
Priority Desc =
tried facility 'syslog' still nothing.
Only the Procurve switches will not send any syslog messages.
Other devices such as Cisco ASA's work fine.
Anyone ideas to solve this?
TIA Jaap
My Kiwi Syslog server is receiving syslog messages from my vCSA. I have not filtered the level of messages being sent.
Kiwi is reporting Emerg level messages being sent by vCSA, but looking inside the messages, they are all at INFO level. This is causing concern.
Is there some configurations/settings, either on Kiwi or vCSA, that needs to be checked/changed/fixed?
Much appreciated.
J J
I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately when this happens all of the messages received by Kiwi are labelled with the hostname/ip of the rsyslog server and not their original source. I am unable to enable UDP Spoofing on the RSyslog server as the firewall will only allow traffic from this servers IP and not the spoofed addresses.
Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.
DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer
I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:
"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddres value would be 192.168.1.1."
So would a script similar to the following work? Anyone have any experience with this?
"Function Main()
' Replace DMZServerIP with ActualSourceIP within the message hostname
Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
' Return OK to tell syslog that the script ran correctly.
Main = "OK"
End Function"
Thanks,
Ryan
Hi guys, my boss has asked me to consider moving our syslogging services to PRTG syslog. I am very happy with Kiwi Syslog and don't want to migrate.
I want to come up with a list of reasons why this is not a good idea i.e. what things KiwiSyslog does better.
Can someone who is familiar with both of these packages assist me.
Thanks kindly for any help.
I am having kiwi syslog 9.5 installed.
I choose to install as service and also installed the web access.
The syslog console opened fine and I see logs on displayed and also to file.
However, with the web access, it shows nothing (what so ever). I checked the Setup on Console Manager and see that under Rules i have 2 exact same option for "Log to Syslog Web Access". Everything under that options checked.
But I still see no log on web access.
1) I tried to uncheck all the "Log to Syslog Web Access".
2) Closed the Console Manager and reopened it
3) Checked mark one of the 2 optioins "Log to Syslog Web Access" and everything below it.
4) Opened and log in to web access -> Still see nothing.
any idea?
I'm having trouble configuring email alerts. I'm trying to send alerts to my Office 365 email address. Can someone see if I've input one of these settings incorrectly? I'm using my full Office 365 email for each of the blacked out sections in the screen shot below. For "SMTP Password," I'm using my Office 365 password.
Hi all,
New here, searched for discussions but found no entry on procurve switch(es).
The Procurve switches will not send any syslog messages (wiresharked the server)
Turned on logging on the switch: logging 'ip-address'
show debug
Debug Logging
Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server
Protocol = UDP
Port = 514
Facility = user
Severity = info
System Module = all-pass
Priority Desc =
tried facility 'syslog' still nothing.
Only the Procurve switches will not send any syslog messages.
Other devices such as Cisco ASA's work fine.
Anyone ideas to solve this?
TIA Jaap
Hi everyone,
I wonder if Kiwi Syslog Server has any limitation on how many servers that it can collect the logs from or how many servers can send the logs to the syslog server?
I know the Web Access has 4GB db limitation. What is the best practice for this limitation when you have more than 10 servers sending the logs to syslog server? I don't want to see only 1 or 2 day logs every day from Web Access. I hope at least 4GB db limitation can store like a month logs of all 10+ servers. I am trying first with the windows event logs (using the free tool Solwarwinds Event Log Forwarder)
Is there any limitation that i should be aware with Kiwi Syslog Server and Event Forwarder tool?
Another question:
Does Solarwinds Event Log Forwarder can work with other vendor syslog server? If so, which vendor and which syslog server product is that?
Thanks in advance!