Channel: THWACK: Popular Discussions - Kiwi Syslog

Using Kiwi SyslogGen and Kiwi Syslog Server on the Same Machine (localhost)


On faster Windows 7 machines it has been reported that the Kiwi SyslogGen (Syslog Message Generator) test utility sometimes does not actually send messages to a locally installed Kiwi Syslog Server.  If SyslogGen does not send messages to your syslog server through localhost, please try the following suggestions in your Kiwi Syslog Message Generator configuration.

 

  1. Change Target IP Address from "127.0.0.1" to your machine's LAN IP address (e.g., "10.230.230.204"). 
  2. Change Source IP address to "Random Class C addresses"
  3. Change Source Port to 1468 (or another fixed port; don't use a random port)
  4. Use the "Send continuously" option with a very low "Inter-message delay" (e.g., 10ms)
  5. If clicking "Send" doesn't work the first time, click "Stop" and try "Send" again

 

Kiwi_SysMsgGen_Config.png

You can download a free copy of Kiwi SyslogGen from the Kiwi Downloads page


What are Your Favorite Kiwi Syslog Server Highlighting Rules? (Non-Web)


Many of us still use Kiwi Syslog Server's GUI "Service Manager" to watch logs rather than Kiwi's web interface.  Over time

 

My Favorite Highlighting Rules

 

This is my favorite set of Highlighting Rules in action:

 

KiwiSyslog_Final_NoIcons.png

 

Notice that I don't use Kiwi's icons.  If you don't use them either, you can turn off all icons by unchecking "View | Show/Hide Columns | Icons" from the main Service Manager menu. 

 

To implement this configuration on your Kiwi Syslog Server, make sure the following lines are in the INI file you import into Kiwi Syslog Server.  (See next section for instructions.)

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y

H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H003=MAkyCUNyaXQJMAk0NjI5NzQ4CTAJMAkwCTEJMQkxCTAJMAlrc2RfUHJpb3JpdHlJY29uMg==

H004=MAkyCUVycm9yCTAJMzIxMDQ5MgkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H005=MAkyCVdhcm4JMAk0Nzc5MjU2CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNA==

H006=MAkyCU5vdGljZQkxNjc3NzIxNQk3MDYxODU0CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

H007=MAkyCUluZm8JMTQzMjY4NDcJMTY3NzcyMTUJMAkwCTAJMQkxCTAJMAkwCWtzZF9CbGFuaw==

H008=MAkyCURlYnVnCTEyNjMyMjU2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

...

[Properties]

DisplayColumnsEnabled=223

 

How to Import/Export Service Manager Highlighting Rules

 

Although the Service Manager doesn't include a facility to import/export Highlighting Rules, it does include a facility to import/export the entire Kiwi Syslog Server configuration as an INI file.  To use this to import/export your Highlighting Rules:

  1. Stop the Kiwi Syslog Service.
  2. Select "File | Export settings to INI file" from the Service Manager's main menu.  Save the INI file.
  3. Make a copy of the exported INI file as a backup (in case the import of your modified file doesn't work).
  4. Open the INI file with notepad or an appropriate text editor.
  5. Find the [Highlighting] tag. Make the necessary changes, and double-check your value of "HighlightCount".
  6. Optionally, find the [Properties] tag and the "DisplayColumnsEnabled" property just below it.  Make changes.  (Or set/reset to "255" to turn everything back on.) 
  7. Save the INI file.
  8. Select "File | Import settings from INI file" and import your modified file. 
  9. Close and relaunch the Service Manager application.  (Optionally, select "View | Highlighting options" after relaunching to see if your INI file changes worked.) 
  10. Start the Kiwi Syslog Service. 

 

Remember also that Highlighting Rules only work in the Syslog Server Comparison | Kiwi Free vs Kiwi Commercial.  You can apply INI files to the Free Edition, but Highlighting Rules will be ignored.

 

Default Highlighting Rules

 

The default Highlighting Rules in action:

KiwiSyslog_Original.png

 

To implement (or reset) this configuration, make sure the following lines are in the INI file you import into Kiwi Syslog Server. 

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTY1NTM1CTI1NQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjA=

H002=MAkyCUFsZXJ0CTYyOTE0NTYJNTA0MzEJMAkwCTAJMQkxCTAJMAkwCWtzZF9Qcmlvcml0eUljb24x

H003=MAkyCUNyaXQJNjI5MTQ1Ngk2NTUzNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H004=MAkyCUVycm9yCTIxMwkxMjkxMDU5MQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjM=

H005=MAkyCVdhcm4JMAkxNTI2Mzk3NgkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H006=MAkyCU5vdGljZQk0MjEwNzUyCTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNQ==

H007=MAkyCUluZm8JODM4ODYwOAkxNjc3NzIxNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjY=

H008=MAkyCURlYnVnCTI0NTc2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNw==

...

[Properties]

DisplayColumnsEnabled=255

 

Discussion

 

What are YOUR favorite Kiwi Syslog Server highlighting rules?  Please paste a screenshot and the [Highlighting] section from your Kiwi INI export below. 
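
A pre-import check for the export/edit/import procedure in the post above, as an added example (not code from the post or from SolarWinds). It assumes each Hnnn value is Base64 of tab-separated text, which is what the values on this page decode to; the meaning of the individual fields and of the DisplayColumnsEnabled bits is not documented here, so the script only reports them. The sample INI is constructed from two lines of the post with HighlightCount deliberately left wrong.

```python
import base64
import binascii

# Constructed sample: two H-lines copied from the post above, with
# HighlightCount left at 8 to show the mismatch step 5 warns about.
SAMPLE_INI = """\
[Highlighting]
HighlightCount=8
H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y
H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=
...
[Properties]
DisplayColumnsEnabled=223
"""


def read_sections(text):
    """Minimal INI reader that tolerates blank lines and '...' elisions."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def decode_rule(value):
    """Return the tab-separated fields of one Hnnn value, or None if it
    is not valid Base64-encoded ASCII (e.g. damaged while editing)."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("ascii").split("\t")
    except (binascii.Error, UnicodeDecodeError):
        return None


def audit(text):
    """Summarise the [Highlighting] and [Properties] sections of an export."""
    sections = read_sections(text)
    hl = sections.get("Highlighting", {})
    rules = {k: decode_rule(v) for k, v in hl.items()
             if k[:1] == "H" and k[1:].isdigit()}
    declared = int(hl.get("HighlightCount", "0"))
    props = sections.get("Properties", {})
    columns = int(props.get("DisplayColumnsEnabled", "255"))
    return {
        "declared": declared,
        "found": len(rules),
        "count_ok": declared == len(rules),
        "undecodable": sorted(k for k, f in rules.items() if f is None),
        "rules": rules,
        # Bit positions (0-7) that are cleared relative to 255 ("everything on").
        "columns_off": [bit for bit in range(8) if not (columns >> bit) & 1],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INI)
    print("HighlightCount matches rules:", report["count_ok"])
    for name, fields in sorted(report["rules"].items()):
        print(name, fields)
    print("Cleared column bits:", report["columns_off"])
```

Run it against the edited file before step 8 so that a miscounted HighlightCount or a rule line damaged in the text editor is caught before the import.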

Windows event log forwarder for Windows NT


Hi

 

I have been looking for a user manual for Windows Event Log Forwarder, but no success so far. Basically I just want to find out if Windows Event Log Forwarder is compatible with Windows NT Server/Workstation.

 

 

Thanks

web access with kiwi syslog daemon


Hi, I have installed the Kiwi Syslog Daemon service on Windows XP. I have installed it to read logs from my MikroTik router.

I can't get a good analytical view of the logs, and I thought it could be better if I access Kiwi Syslog with Kiwi Web Access. Is Web Access integrated with the syslog daemon service, or should I download it from the SolarWinds homepage?

 

thanks

How to Split Log Files by IP Address and Date in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server.  Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders.  (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

 

 

External link to Jing: autosplit - justinfinley's library

 

Video Guide:

  • 0:00 Opening Kiwi Syslog's configuration dialog
  • 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
  • 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

How to Resolve IP Addresses into Hostnames in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.

 


External link to Jing: DNS Resolution - justinfinley's library

 

Video Guide:

  • 0:00 Watching traffic come in with unresolved IP addresses
  • 0:10 Turning on IP address resolution (this affects what appears in the "Hostname" column)
  • 0:20 Turning on in-message IP address resolution (this is optional, can be slow, and affects what appears in the "Message" column)
  • 0:27 A quick glance at the DNS server settings (which DNS server to use, whether NetBIOS is to be used, etc.)
  • 0:29 A quick glance at the DNS cache settings
  • 0:30 Turning on resolution of frequently-used IPs from a local hosts file (this is very fast, but ignores changes to DNS servers)
  • 0:35 How to edit the hosts file
  • 1:30 Watching traffic come in with properly resolved IP addresses

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

Kiwi Syslog Service Keeps crashing


We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day.  We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network.  We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting emails.  We upped that and seem to be doing better; however, the syslog service continues to fail and will at times restart itself based off of the service's recovery failure to restart the service, but this is happening way too often.

Has anyone else seen this problem and if so, what kinds of things did you try/do?  Is this box just getting pegged so hard that it's causing the service to malfunction and trip up?  I'm not a Windows guy but is this issue even Windows related?  The only other application we have running on this server is CatTools and it runs clean with no service issues.  The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself. 

Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.

 

Thank you in advance!

Kiwi Syslog Server High CPU Utilization - Messages Seem to be behind


The CPU on my Kiwi Syslog Server is Pegged.  Here is the Diagnostic info file from the server.

 

Kiwi Syslog Server [Registered] Version 9.0.3


///       Kiwi Syslog Server Statistics         ///
---------------------------------------------------
24 hour period ending on: Wed, 08 Sep 2010 14:44:34
Syslog Server started on: Wed, 08 Sep 2010 13:37:39
Syslog Server uptime:     1 hour, 7 minutes
---------------------------------------------------

+ Messages received - Total:          1098753
+ Messages received - Last 24 hours:  1098753
+ Messages received - Since Midnight: 1098753
+ Messages received - Last hour:      996804
+ Message queue overflow - Last hour: 416654
+ Messages received - This hour:      101949
+ Message queue overflow - This hour: 12336
+ Messages per hour - Average:        996804

+ Messages forwarded:                 769810
+ Messages logged to disk:            1194581

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           2
+ Errors - Oversize message:          309

+ Disk space remaining on drive E:    41554 MB

    Breakdown of Syslog messages by severity  
+--------------------+------------+------------+
| Message Level      |  Messages  | Percentage |
+--------------------+------------+------------+
| 0 - Emerg          |         0  |      0.00% |
| 1 - Alert          |      2753  |      0.25% |
| 2 - Critical       |       496  |      0.05% |
| 3 - Error          |      5745  |      0.52% |
| 4 - Warning        |    103603  |      9.43% |
| 5 - Notice         |     42938  |      3.91% |
| 6 - Info           |    775902  |     70.62% |
| 7 - Debug          |    167316  |     15.23% |
+--------------------+------------+------------+

Custom statistics
-----------------
CustomStats01: 0
CustomStats02: 0
CustomStats03: 0
CustomStats04: 0
CustomStats05: 0
CustomStats06: 0
CustomStats07: 0
CustomStats08: 0
CustomStats09: 0
CustomStats10: 0
CustomStats11: 0
CustomStats12: 0
CustomStats13: 0
CustomStats14: 0
CustomStats15: 0
CustomStats16: 0

End of Report.


DNS Cache size  20000
DNS Cache entries 2
Entries in queue 0
DNS Cache hits  0
DNS Cache misses 0
DNS Cache TTL  1440 minutes
Total DNS Lookups 0
Successful cache hits 0%


IP Address Hostname TTL (minutes)
127.0.0.1       localhost Static
::1             localhost Static


Message Buffer Information
==========================
Message Queue Max Size: 20000
Message Queue overflow: 428990
Message Count:          19932
Message Count Max:      20000
Percentage free:        1

 

E-mail Buffer Information
==========================
Message Queue Max Size: 1000
Message Queue overflow: 0
Message Count:          0
Message Count Max:      13
Percentage free:        100


Can't start Kiwi Syslog Service - Logon Failure


After installing the permanent license for Kiwi Syslog server the Syslog service will not start.  It started without problems when running as the trial version.  No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error:

The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure.

I can't find anything in the Kiwi Syslog documentation about having to login.  The OS is Windows 2008 R2.  I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator.

Is this a known problem?

Thanks, Glenn

Kiwi Web on an Orion Box


I have searched, and don't see this one anywhere obvious... Does the KIWI web access function on the same box if Orion NPM (and other tools) are also installed?  KIWI is working (I have Orion SYSLOG off...  it was getting overwhelmed at times and sinking everything); however, my web access is not working on KIWI (the port 5480 or whatever it is).  It is Windows Server 2008 R2... I tried to reinstall the web service, but it failed with some neutral message.  It would make sense to me if they were not compatible, with the Orion IIS running already.

 

However, if folks have them on the same server, I'll have to look elsewhere, but thought I would ask.

 

Thanks!

 

-Mike

Wrong IP showing as from 127.0.0.1 ?


Folks, I have three Ciscos that are added as devices in Kiwi. Each sends the correct info to the syslog server as tested with WireShark. Kiwi shows the correct source IP from two machines but shows the other as 127.0.0.1. Thing is, it is random. If I delete the working device and restart Kiwi, the non-working one from before the delete/restart now shows correct? I am on the 5 licence latest version on WinXP SP3 Pro server, all ports default. If I shut down Kiwi and run The Dude, syslog shows in its syslog page the correct IP from all the remote Cisco devices (10.1.0.50). Any ideas?

How to uninstall Kiwi Syslog Web Access and the related components


What programs should I uninstall when I would like to remove Kiwi Syslog Web Access and the related components?

Our customer had installed Kiwi Syslog Web Access, but they would like to remove it because they do not use it.

Should we uninstall the following programs from Add/Remove programs?

  • Kiwi Syslog Web Access
  • UltiDev Cassini Web Server Explorer
  • UltiDev Cassini Web Server for ASP.NET 2.0
  • Microsoft SQL Server Compact 3.5

Could you please advise me?

syslog weekly report


Hey all,

I'm new in the forum. I need to know how I can make weekly Syslog reports and send them automatically (schedule) to a specific email address.

 

thanks,

Doc, KB and Getting Started

Kiwi Syslog Server service starts then stops


When attempting to start the Kiwi Syslog Server service (on Windows 2008 R2), I get the message "The Kiwi Syslog Server service on [my server name] started and then stopped.  Some services stop automatically if they are not in use by other services or programs."  Any ideas what could be causing this?


Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

Unable to Install KiwiSyslog Server after Uninstallation. "Unlicensed Version is Detected" prompts prevents further installation.


Hi guys,

I recently installed Kiwi Syslog on a Windows Server 2008 machine; however, I had to uninstall the program as the customer wants it to be on D:\ . But now I am not able to install the program on D:\ or even back on C:\ as I get the error message "an unlicensed version is detected", hence the installation cannot proceed any longer.

 

Can anyone help? Where can I delete the old files so I am able to install the software again? I need to install this quite urgently. I have the license with me but I did not activate the license in my previous installation since it was not installed on the right drive.

 

Please help.

 

Thanks.

How to Split Logs to Multiple Displays in Kiwi Syslog Server


SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.

 


External link to Jing: Multiple Displays - justinfinley's library

 

Video Guide:

  • 0:00 Unfiltered display (Display 00)
  • 0:10 Showing the rule that sends all messages to Display 00
  • 0:20 Changing the unfiltered display from Display 00 to Display 05
  • 0:25 Checking that the switch happened
  • 0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
  • 1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
  • 2:05 Checking that the new filters work
  • 2:25 Renaming "Display 05" to "All Messages"
  • 2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
  • 3:10 Checking that the display renaming worked

 

Remember to "LIKE" this if you find it useful - that helps others find it too!

Syslog server crashed - now logging not functioning as we need it to.


Good morning


The server that our Syslog application (V8.3.15) runs on crashed a few days ago and once we got it back up and running it (the Syslog application) stopped sending us email notifications of notices and anything other than “info” level messages from our Cisco routers. The application was installed and configured by a colleague who is no longer with us and after having spent some time trying to get our logging back to how it was I have been unsuccessful. What we used to receive were messages such as this:


2013-06-27 15:42:17 Local7.Notice ROUTER_NAM_8.3 734945: 15961040: *Jun 27 14:20:07.054 GMT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer x.x.x.x.dsl.zen.co.uk:500 Id: x.x.x.x.dsl.zen.co.uk

Try as I might I cannot get this type of logging switched back on. In the “priority” filtering I have all but “info” ticked – if I tick “info” then we get hundreds of messages logged (and emailed to us) – but it is only those ones we don’t need.


Any help you could offer would be very gratefully received.


Many thanks.

Kiwi Syslog Web Access Problem


Hello,

I've got a registered version of Kiwi Syslog Server.

I've got the "Log To Syslog Web Access" Filters set up.

But I don't have any log in the web access.

The only little clue I have is when I do a Syslog_Diagnostics I've got this :

 

SolarWinds.KiwiSyslog.WebAccess.Data

====================================
Component not started.

And this error :

2010-06-01 20:26:46    SolarWinds.KiwiSyslog.WebAccess.Data error: Unable to start component, SQL exception. System.Data.SqlServerCe.SqlCeError: The database file is larger than the configured maximum database size. This setting takes effect on the first concurrent database connection only. [ Required Max Database Size (in MB; 0 if unknown) = 0 ]

Any Ideas ?
