SYSLOG error with windows server 2012

June 9, 2015, 12:24 am

≫ Next: Kiwi Syslog Console Crashing Constantly After Upgrading 9.5.0 To 9.5.1

≪ Previous: Need help - New to Kiwi Syslog!

i am installing syslog in my server room to monitor the log in/log out operations on serers... i installed log forwarder on some windows server 2003 servers and everithig is ok but now i installed it on some windows server 2012 and all the messages that i receive from these servers are like this :''06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog 6 Application 127 lun giu 08 17.03.41 2015 1003 Microsoft-Windows-Security-SPP N/A Information srv-av.astergenova.it 0 The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."

do you have idea of how to fix this? syslogger is installed on a xp machine but i also tried to install it on a windows 2012 server machine and nothing changed

↧

Kiwi Syslog Console Crashing Constantly After Upgrading 9.5.0 To 9.5.1

April 21, 2016, 10:54 am

≫ Next: Mail error: SMTP protocol error. 504 5.7.4 Unrecognized authentication type

≪ Previous: SYSLOG error with windows server 2012

After upgrading to v9.5.1, from v9.5.0, we started experiencing constant crashing on our console. Other than a few minor quirks and annoyances, the previous version had not really crashed too often after we applied the hotfix.

Windows Server 2012

Virtual

4 CPUs(2 Cores per Socket, 2 Sockets)

24 GB RAM

150 GB Hard Disk

Kiwi Syslog Server, Installed as a Service

I began to notice the message buffer would quickly drop down from 100%, shortly after starting up the console. Sometimes we would only reach 43K MPH before crashing, while other times we made it up around 350K+ MPH before crashing. And, every time it would crash, the message buffer would be far away from 100%. Previously, the message buffer rarely, if ever, dropped under 100% free.

After reading through various other user issues of the past, I found something that mentioned the "MsgBufferSize" settings in the registry. I went looking into the registry for those settings, however, "MsgBufferSize" was nowhere to be found. I added the "MsgBufferSize" with the value of "10000000", which is shown to be the max value. After adding the settings into the registry, and restarting everything, our system appears to be running fairly smooth, so far. Currently, we are roughly around 430K MPH, with a full 100% buffer free.

Previously posted thread regarding the "MsgBufferSize" registry entry:

Does the Kiwi Syslog buffer with SQL Server

Registry values documentation:

Kiwi Syslog Server

Section: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties

Value (STRING): MsgBufferSize

Registered mode:
Min value:        100
Max value:        10000000 (10 million)
Default value:        500000
Type:                Maximum number of message buffer entries

So, did something change from 9.5.0 to 9.5.1 that would have removed those settings from the registry? If not, then what else would have removed the entry altogether? Or, has the "MsgBufferSize" registry entry been removed all along, and the documentation just not updated? If it has been removed, and is not used anymore, then why would adding the entry back into the registry make everything suddenly start working again?

Thank you,

-Will

↧

Mail error: SMTP protocol error. 504 5.7.4 Unrecognized authentication type

December 21, 2016, 10:11 am

≫ Next: Kiwi Syslog Server Log Location won't change.

≪ Previous: Kiwi Syslog Console Crashing Constantly After Upgrading 9.5.0 To 9.5.1

I'm having trouble configuring email alerts. I'm trying to send alerts to my Office 365 email address. Can someone see if I've input one of these settings incorrectly? I'm using my full Office 365 email for each of the blacked out sections in the screen shot below. For "SMTP Password," I'm using my Office 365 password.

↧

Kiwi Syslog Server Log Location won't change.

September 17, 2012, 10:44 am

≫ Next: How to encrypt syslog from cisco switch or router into Kiwi syslog?

≪ Previous: Mail error: SMTP protocol error. 504 5.7.4 Unrecognized authentication type

Hey all,

I have recently taken over a sys admin position, and am required to move the location of the Kiwi Syslog Server logs to another file location. I have never used it prior. However, I can't seem to move the file.

Kiwi Syslog Server 9.2.1 (Free version.)

Windows Server 2003 SP2 (WORKGROUP)(VM)

Current configuration:

Log to Log File

Path and file name: C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt

If I test the configuration, I can see the test messages in the location noted about. However, after I apply the settings, the older location (a CIFS share) continues to receive the actual syslogs of the devices we monitor.

There are three local users, all of which show the same configuration.

I have tried deleting and recreating the Log to Log File rule. No change.

I have tried starting and stopping the service. No change.

I have tried exporting the system settings, and then reimporting them. No change.

I have tried searching the registery for the old location. Nothing found.

I have two theories.

1. The settings are locked for some reason.

2. The settings are stored somewhere else.

Any help would be great.

Thanks,

Aaron

Solarwinds Padawan

↧

How to encrypt syslog from cisco switch or router into Kiwi syslog?

June 16, 2014, 4:01 am

≫ Next: How to export Kiwi syslogs

≪ Previous: Kiwi Syslog Server Log Location won't change.

I want to encrypt syslog from Cisco swirtch or router into Kiwi Syslog.

I read somewhere I can use syslog tls or snmp trap v3

Is that possible using Kiwi Syslog

thanks

↧

How to export Kiwi syslogs

November 1, 2012, 12:40 pm

≫ Next: LOG FORWARDER 2012 server DOES NOT FORWARD EVENTS

≪ Previous: How to encrypt syslog from cisco switch or router into Kiwi syslog?

Is there any way for me to export Kiwi Syslogs. I want to be able to export the syslogs from a licensed Kiwi server into another database for viewing. Specifically the NPM database. I would think that there would have been something to do this already since both are SolarWinds products, but I am unable to find it.
I want to be able to take the logs off the Kiwi server and view them elsewhere, without viewing through Kiwi. I want to view them through NPM, but I guess I can get by viewing them through something like Access. Is there a way (even if it isn't easy) to do this?

↧

LOG FORWARDER 2012 server DOES NOT FORWARD EVENTS

June 29, 2017, 4:06 am

≫ Next: Log Forwarder .net error

≪ Previous: How to export Kiwi syslogs

We are using windows Server 2012 Standard version for Windows log forwarder but logs are not coming on Kiwi Syslog Server 9.6

↧

Log Forwarder .net error

October 26, 2017, 9:03 am

≫ Next: Can not receive message from Cisco switch 3750

≪ Previous: LOG FORWARDER 2012 server DOES NOT FORWARD EVENTS

We are testing LF and it's working so far on all our 2012 and 2016 servers.

Multiple 2008 servers with .net 1.1, 3.5 sp1, and 4.5.2, produce this error over and over:

Application: LogForwarder.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.NullReferenceException

Stack:

at LogForwarder.LogForwarderService.LoadConfigFile()

at LogForwarder.LogForwarderService.InitService()

at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)

at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)

at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)

at System.Threading.ThreadHelper.ThreadStart()

As I understood it, 4.5 was an inplace replacement for 4.0. Is this not correct? Or do I have to troubleshoot something else? Running the .net 4 installer says a higher version is installed.

Thanks!

↧

Can not receive message from Cisco switch 3750

July 28, 2013, 11:37 pm

≫ Next: Kiwi Syslog Server limitations

≪ Previous: Log Forwarder .net error

Hello guys,

I setup kiwi syslog server and could receive message from other devices, such cisco switch 2960, 5510, and windows server. But can not get any message from 3750. I enclosed 3750 configuration as below. Please help to take a look and where am I wrong. Thank you.

logging trap notifications

logging facility local5

logging 192.168.0.51

↧

Kiwi Syslog Server limitations

July 28, 2017, 9:00 am

≫ Next: Syslog Server is Unable to Capture Logs

≪ Previous: Can not receive message from Cisco switch 3750

Hi everyone,

I wonder if Kiwi Syslog Server has any limitation on how many servers that it can collect the logs from or how many servers can send the logs to the syslog server?

I know the Web Access has 4GB db limitation. What is the best practice for this limitation when you have more than 10 servers sending the logs to syslog server? I don't want to see only 1 or 2 day logs every day from Web Access. I hope at least 4GB db limitation can store like a month logs of all 10+ servers. I am trying first with the windows event logs (using the free tool Solwarwinds Event Log Forwarder)

Is there any limitation that i should be aware with Kiwi Syslog Server and Event Forwarder tool?

Another question:

Does Solarwinds Event Log Forwarder can work with other vendor syslog server? If so, which vendor and which syslog server product is that?

Thanks in advance!

↧

Syslog Server is Unable to Capture Logs

August 28, 2017, 1:08 am

≫ Next: Display original source of message when logs are aggregated through rsyslog server

≪ Previous: Kiwi Syslog Server limitations

Hi Team,

We have newly installed Kiwi Syslog Server (Version 9.6) on or environment.
Earlier it was working properly but now after some days, no logs are reported on that.
I have reinstalled it but still not working.
Need urgent help regarding this.

Thank You,
Ankur Gadwal

↧

Display original source of message when logs are aggregated through rsyslog server

December 6, 2015, 3:58 pm

≫ Next: Windows Events 6005, 6006, 6008, 6009 and 1074 not logging in kiwi syslog server

≪ Previous: Syslog Server is Unable to Capture Logs

I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately when this happens all of the messages received by Kiwi are labelled with the hostname/ip of the rsyslog server and not their original source. I am unable to enable UDP Spoofing on the RSyslog server as the firewall will only allow traffic from this servers IP and not the spoofed addresses.

Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer

I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddres value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

"Function Main()
' Replace DMZServerIP with ActualSourceIP within the message hostname
Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
' Return OK to tell syslog that the script ran correctly.
Main = "OK"
End Function"

Thanks,
Ryan

↧

Windows Events 6005, 6006, 6008, 6009 and 1074 not logging in kiwi syslog server

September 27, 2017, 4:21 am

≫ Next: SNMP polling utility?

≪ Previous: Display original source of message when logs are aggregated through rsyslog server

Hello Everyone,

First time poster here. I am trying to track event log service status and power downs. I cannot get the windows machines to forward event logs 6005, 6006, 6008, 6009 and 1074.

I have event log forwarder configured correctly, at least the log preview shows the correct logs being forwarded. I do have a custom filter built just for these event IDs but I also have a catch all file that is not filtered. I am checking in both the web access and the syslog server itself. Neither of them receive these event logs from the windows machines. I haven't noticed any other events not being forwarded. All of my other filters are producing the information correctly.

Any tips on how to collect these logs?

Windows 2012R2 and Windows 7 Enviorment

Using Kiwi Syslog Server 9.6 and Event log Forwarder

↧

SNMP polling utility?

March 26, 2017, 12:27 pm

≫ Next: Kiwi Syslog Server v9.6.0/9.6.1 need ".NET Framework 4.0" ?

≪ Previous: Windows Events 6005, 6006, 6008, 6009 and 1074 not logging in kiwi syslog server

I've got devices at various sites that can't send syslogs or traps but the data I want can be queried. Are there any suggestions for a simple utility that can perform a local SNMP query every couple minutes and send it to my Kiwi. Thank you.

↧

Kiwi Syslog Server v9.6.0/9.6.1 need ".NET Framework 4.0" ?

June 14, 2017, 10:04 pm

≫ Next: Log Forwarder - service won't start - Error 15007

≪ Previous: SNMP polling utility?

I tried to install v9.6.1 on Windows Server 2008 R2.

I had already installed ".NET Framework 3.5 SP1" on this system.

When I executed v9.6.1 installer, I got the following message.

----------------------

Kiwi Syslog Server 9.6.1 Installer

Microsoft .Net Framework 4.0 is not installed on this system

[OK]

----------------------

I can not install v9.6.1.

I got the same message, when I tried to install v9.6.0.

SolarWinds discribed the System Requirements as below:

NET Framework: .NET Framework 3.5 SP1

http://www.kiwisyslog.com/kiwi-syslog-server

https://support.solarwinds.com/Success_Center/Kiwi_Syslog_Server/Kiwi_Syslog_Server_Installation_Guide/020_System_requirements_for_Kiwi_Syslog_Server

http://www.solarwinds.com/ja/kiwi-syslog-server#requirements

Question:

Do Kiwi Syslog Server v9.6.0/9.6.1 need ".NET Framework 4.0" or Higher?

Best Regards,

↧

Log Forwarder - service won't start - Error 15007

April 25, 2017, 12:55 am

≫ Next: Log Forwarder for Windows (available to all Kiwi customers on maint)

≪ Previous: Kiwi Syslog Server v9.6.0/9.6.1 need ".NET Framework 4.0" ?

I am getting error 15007, info about this error is in my language (czech), but here it is:

25.4.2017 8:42:52 - Unable to setup Windows Event Log subscribers. Subscribe failed with error 15007, Zadan? kan?l nebyl nalezen. Zkontrolujte konfiguraci kan?lu.

25.4.2017 8:42:52 - Server Initialization Failed. See previous event messages for reason.

25.4.2017 8:42:52 - SolarWinds Event Log Forwarder for Windows; Service Stopped.

↧

Log Forwarder for Windows (available to all Kiwi customers on maint)

October 19, 2009, 10:39 am

≫ Next: Need Help Troubleshooting - Not Receiving/Displaying Messages

≪ Previous: Log Forwarder - service won't start - Error 15007

What it does:

Log Forwarder for Windows allows you to forward Windows events as Syslog to your Kiwi Syslog Server

Works on Windows XP, 2003, Vista, and 2008 (32-bit or 64-bit)
Provides .MSI version for silent installs, allowing use with remote software distribution systems (e.g., Microsoft SMS)
Enables definition of filters that describe which events are forwarded

How to get it:

If you download the Kiwi Syslog Server 9.0 from your customer portal, you will see there is an additional Log Forwarder executable included with your download. The Log Forwarder for Windows was developed by the Kiwi Syslog team. It is available at no cost to Kiwi Syslog customers current on maintenance.

Try it out and let us know what you think!

↧

Need Help Troubleshooting - Not Receiving/Displaying Messages

January 13, 2014, 11:00 am

≫ Next: SolarWinds.SyslogServer.Engine.log

≪ Previous: Log Forwarder for Windows (available to all Kiwi customers on maint)

Server 2008 R2 Std

Kiwi Syslog Server 9.4.1

I have an older version of Kiwi installed on an old server that is being retired. I've installed it on the new server, but I cannot get it to display anything. I exported settings from the other server and imported on this one, then went to Inputs-UDP and set the correct IP to bind it to.

I've gone through ALL the steps at SolarWinds Knowledge Base :: Kiwi Syslog Daemon is not receiving messages and Kiwi Syslog Server but had no luck getting it to work.
I know for a fact that messages are being received -- when I run WireShark with the filter, "udp port 514", I see PLENTY of traffic from my firewall. Both my firewall and VPN device are sending syslog messages to the old server and the new one. The old server is still working just fine.
Windows Firewall on the new server is completely disabled.
I loaded the default rules and settings but still had no luck.
I disabled all DNS resolution - no luck.
There is no Errorlog.txt in C:\Program Files (x86)\Syslogd.
Test messages from within Kiwi work just fine.
I finally uninstalled Kiwi, rebooted the server, then reinstalled, and have the same problem.

Kiwi is running as LocalService -- I wondered if that might be the problem, but that's how it's running on the old server as well.

I'm at a loss as to what to do now. I tried contacting support, but since I'm using the free version I was directed here.

↧

SolarWinds.SyslogServer.Engine.log

April 6, 2017, 11:52 am

≫ Next: How to encrypt syslog from cisco switch or router into Kiwi syslog?

≪ Previous: Need Help Troubleshooting - Not Receiving/Displaying Messages

Hi, I was hoping someone can explain the log files ('SolarWinds.SyslogServer.Engine.log') created in the Syslogd folder to me. What purpose do they serve? Are they safe to delete? Can I set them to be created in a different directory?

Thank you.

↧