Channel: THWACK: Popular Discussions - Kiwi Syslog

Kiwi Syslog Server Log Location won't change.


Hey all,

 

I have recently taken over a sys admin position, and am required to move the location of the Kiwi Syslog Server logs to another file location. I have never used it prior.  However, I can't seem to move the file.

 

Kiwi Syslog Server 9.2.1 (Free version.)

Windows Server 2003 SP2 (WORKGROUP)(VM)

 

Current configuration:

Log to Log File

Path and file name:  C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt

 

If I test the configuration, I can see the test messages in the location noted above.  However, after I apply the settings, the older location (a CIFS share) continues to receive the actual syslogs of the devices we monitor.

 

There are three local users, all of which show the same configuration.

 

I have tried deleting and recreating the Log to Log File rule.  No change.

I have tried starting and stopping the service.  No change.

I have tried exporting the system settings, and then reimporting them.  No change.

I have tried searching the registry for the old location.  Nothing found.

 

I have two theories.

1.  The settings are locked for some reason.

2.  The settings are stored somewhere else.

 

Any help would be great.

 

Thanks,

 

Aaron

Solarwinds Padawan


Collect DHCP events from Windows DHCP server


Hello,

 

Could you please tell me how to transfer all DHCP events (from a standard Windows 2012 DHCP server) to syslog ?

 

Thanks in advance for your help

Encoding for Syslog Server Console?


Hello,

I've set up my Kiwi Syslog Server to log to an Oracle Database. That worked, except that German umlauts (like ä, ö, ü) were not written to the DB correctly. (However, they showed up fine in the Server Console.)

Therefore I changed the encoding for the UDP Input to UTF-8, which results in fine database logs, but now umlauts in the server console as well as logfiles were displayed incorrectly. I could get the logfile problem resolved by setting the LogFileEncodingFormat registry key to UTF-8 (65001). But the problem in the Server Console persists.

 

The weird thing is, changing the UDP input back to "System" encoding doesn't resolve the issue for the console.

LOG FORWARDER 2012 server DOES NOT FORWARD EVENTS


We are using Windows Server 2012 Standard version for Windows log forwarder, but logs are not coming in on Kiwi Syslog Server 9.6.

Kiwi Syslog Server


Is anyone familiar with Kiwi Syslog Server? I understand that it comes with SQL CE. If my requirement is to keep historical logs for a year, do I need to buy a full MS SQL Server database for that? How big would the size of the HDD be for that?

Forward Event Viewer subscriptions with Event Log Forwarder for Windows


Has anyone been able to forward subscribed events (from other machines) to Kiwi Syslog Server using Event Log Forwarder for Windows? I am trying to set up a single point to collect events to be forwarded to our syslog server.

I set up a test and subscribed to events from another machine to be placed in the Windows Logs -> Application. I see the forwarded events in Windows Event Viewer, but when viewing the "preview of matching event records" (Event Log Forwarder for Windows) I only see the events sources from the computer running the event log forwarder. (See the attached screenshot.)

 

Thanks!

 

Jeremy

Kiwi Syslog Server service starts then stops


When attempting to start the Kiwi Syslog Server service (on Windows 2008 R2), I get the message "The Kiwi Syslog Server service on [my server name] started and then stopped.  Some services stop automatically if they are not in use by other services or programs."  Any ideas what could be causing this?

wrong host name in Syslog


We have a syslog server collecting logs from other servers using Kiwi log forwarder.  The host names from my DMZ machines often show up wrong.  I have updated the Host file for the syslog server but the problem is still there.


[Log to file Action Error] Merging 2 or more hostnames in one file


Hello folks.

 

My Kiwi Syslog is merging 2 or more hostnames (devices) in the same file when: "Log to file Action".

 

For example, I have 3 devices:

  1. 10.168.1.20
  2. 10.168.1.201
  3. 10.168.1.202

 

In the root folder of files, I had 3 folders, one for each hostname.

The 10.168.1.201 and 10.168.1.202 are logging correctly. But where I should have the 10.168.1.20 logs, I have a merge of 10.168.1.201 and 10.168.202 (without the 10.168.1.20).

I checked another scenario (that I consider worse)...

I had a log file from 10.120.1.2. But this device doesn't exist.

In this file, 6 devices are logged: 10.120.1.20, 10.120.1.25, 10.120.1.26, 10.120.1.27, 10.120.1.28 and 10.120.1.29.

The logs below are in the same file:

2015-02-10 00:10:19Local4.Warning10.120.1.2Feb 10 2015 02:10:19 HQ-BL1-HW9306-A1 %%01LLDP/4/BAD_PACKET(l)[2159934]:8 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/14.
2015-02-10 00:11:26Local4.Warning10.120.1.2Feb 10 2015 02:11:26 HQ-BL1-HW9306-A3 %%01LLDP/4/BAD_PACKET(l)[3194428]:6 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/19.
2015-02-10 00:11:45Local4.Warning10.120.1.2Feb 10 2015 02:11:45 HQ-BL1-HW9306-A2 %%01LLDP/4/BAD_PACKET(l)[6928978]:7 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/4.
2015-02-10 00:11:46Local4.Info10.120.1.2Feb 10 2015 02:11:46 HQ-BL1-HW9306-A5 %%01MSTP/6/SET_PORT_LEARNING(l)[2711307]:In process 0 instance 0, MSTP set port GigabitEthernet2/0/29 state as learning.

 

Is it a bug, or some misconfiguration on my part?

Looking forward to your help,

 

Regards Fold

Uninstall Syslog service.


Hi,

 

I'm trying to uninstall the 14 day trial of syslog server (9.4.1) eval. installed on Windows Server 2003.

 

There is no uninstall service option on the management menu drop down, as per the instructions.

 

"Using the Service Manager, uninstall the service

Use the Manage | Uninstall the Syslogd service menu."

 

Some help required please.

 

Simon.

Mail error: SMTP protocol error. 504 5.7.4 Unrecognized authentication type


I'm having trouble configuring email alerts. I'm trying to send alerts to my Office 365 email address. Can someone see if I've input one of these settings incorrectly? I'm using my full Office 365 email for each of the blacked out sections in the screen shot below. For "SMTP Password," I'm using my Office 365 password.

KiwiError1.PNG

Kiwi Syslog 9.5 Release Candidate is now Available!


The Release Candidate for Kiwi Syslog Server 9.5 is now ready! The new Kiwi Syslog version is packed with great new features and improvements. RC is the last step before general availability, and it is a chance for existing customers to get the newest functionality before it is available to everyone else. You can download it from the LATEST DOWNLOADS FOR YOUR PRODUCTS section of the customer portal. Change filter to "Release Candidate" and click on download button next to Kiwi Syslog RC version.

 

This release contains various improvements such as

 

  • SNMP v3 Trap support
  • SNMP Trap Forwarding
  • Trap fields to VarBinds Elements in Output
  • Logging to Papertrail cloud
  • IPv6 Support
  • Statistics email reports based on different interval
  • Ability to create more than five web console users

 

RC builds are made available to existing customers prior to the formal release. These are used to get customer feedback in production environments and are fully supported. If you have any questions I encourage you to leverage the KSS forum on thwack.

 

Now go and download the new version!

Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

Kiwi SyslogServer 9.2.0 (Eval) and WebAccess Error


Hi,

WebAccess does not work for me in the trial version. I get the following error message.

"An error occurred while initializing this session.
The session has been abandoned.

Kiwi Syslog WebAccess requires Kiwi Syslog Server to be online, but it is offline."

The services have been checked and are started.

Can you provide this update (9.2.1) for the trial version is available, otherwise I cannot test WebAccess. This is our decision to buy but very important.

Regards
Jochen

How to Split Logs to Multiple Displays in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.

 


External link to Jing: Multiple Displays - justinfinley's library

 

Video Guide:

  • 0:00 Unfiltered display (Display 00)
  • 0:10 Showing the rule that sends all messages to Display 00
  • 0:20 Changing the unfiltered display from Display 00 to Display 05
  • 0:25 Checking that the switch happened
  • 0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
  • 1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
  • 2:05 Checking that the new filters work
  • 2:25 Renaming "Display 05" to "All Messages"
  • 2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
  • 3:10 Checking that the display renaming worked

 

Remember to "LIKE" this if you find it useful - that helps others find it too!


How to set up snort-log link to syslog server?


How to set up snort-log link to syslog server?

 

in snort.conf  (windows 7 32 bits)

output alert_syslog: host=127.0.0.1:8080, LOG_AUTH LOG_ALERT

 

command :

snort -i 1 -c c:\snort\etc\snort.conf -s

 

then get a file in c:\snort\log\snort.log.1493058792.

 

please tell me, how to send log to syslog server?

 

thank you

Need a Kiwi Syslog Server GUI Log searching utility.


Is there anything out there that will index Kiwi syslog and let me search through the log files like the Splunk product will do, without paying $40,000 for Splunk?  The Kiwi log viewer is not an option either, that only opens log files up to 700 MB.  My log files are 1.5 gig plus.  Kiwi is starting to get slow and message times are off.

SolarWinds LogForwarder 1.2 NOT WORKING


I have installed the kiwi syslog server 9.5 and I am using the SolarWinds LogForwarder 1.2 on all the other servers and endpoints to send the logs to the kiwi syslog server.

 

 

I noticed that I am not receiving any logs from the servers, only network devices (switches, routers, etc.). I checked to see if the Log Forwarder for Windows is running, and I noticed that it was not. I manually started the service, and then sometime after that the service stopped. I checked the event viewer application log and saw the following, each in a separate entry:

 

 

  1. Service started successfully.
  2. Server Initialization Failed.  See previous event messages for reason.
  3. SolarWinds Event Log Forwarder for Windows; Service Stopped.

 

I have the SolarWinds LogForwarder 1.2 installed on w2k8r2 and w2k12r2 servers.  I opened the log forwarder service log and I saw this

 

1/26/2017 4:57:57 PM - SolarWinds Event Log Forwarder for Windows; Service Started.

1/26/2017 4:58:58 PM - Configuration File Reloaded at 1/26/2017 4:58:58 PM

1/26/2017 5:30:10 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 5:30:10 PM - Configuration File Reloaded Failed at 1/26/2017 5:30:10 PM

1/26/2017 9:24:23 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:24:23 PM - Configuration File Reloaded Failed at 1/26/2017 9:24:23 PM

1/26/2017 9:27:29 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:29 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:29 PM

1/26/2017 9:27:33 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:33 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:33 PM

1/26/2017 9:27:41 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:41 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:41 PM

Can anyone help?

Log Forwarder - service won't start - Error 15007


I am getting error 15007, info about this error is in my language (Czech), but here it is:

25.4.2017 8:42:52 - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15007, Zadaný kanál nebyl nalezen. Zkontrolujte konfiguraci kanálu.

25.4.2017 8:42:52 - Server Initialization Failed.  See previous event messages for reason.

25.4.2017 8:42:52 - SolarWinds Event Log Forwarder for Windows; Service Stopped.

Windows Events 6005, 6006, 6008, 6009 and 1074 not logging in kiwi syslog server


Hello Everyone,

First time poster here. I am trying to track event log service status and power downs. I cannot get the windows machines to forward event logs  6005, 6006, 6008, 6009 and 1074.

 

I have event log forwarder configured correctly, at least the log preview shows the correct logs being forwarded. I do have a custom filter built just for these event IDs but I also have a catch all file that is not filtered. I am checking in both the web access and the syslog server itself. Neither of them receive these event logs from the windows machines. I haven't noticed any other events not being forwarded. All of my other filters are producing the information correctly.

 

Any tips on how to collect these logs?

 

Windows 2012R2 and Windows 7 Environment

Using Kiwi Syslog Server 9.6 and Event log Forwarder
