Channel: THWACK: Popular Discussions - Kiwi Syslog

SolarWinds Event Log Forwarder for Windows


I do not know if this is the correct place to post this question.

I am using Kiwi Syslog Server, and I have SolarWinds Event Log Forwarder for Windows installed on a computer. The forwarder will send test messages, but it is not sending the logs to the log server. Any suggestions?

 

Dejacpp...


Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

SolarWinds.SyslogServer.Engine.log


Hi, I was hoping someone can explain the log files ('SolarWinds.SyslogServer.Engine.log') created in the Syslogd folder to me. What purpose do they serve? Are they safe to delete? Can I set them to be created in a different directory?

 

Thank you.

Kiwi Syslog Server: Rule Action: Log to NT Event Log


Is there no way to create a custom event log and log items to it? Can you not change the event IDs of any of your rules? Can you at least parse any of the syslog message into the event in order to change the hostname it's coming from, or the source? Can you not modify the message as it is logged, maybe to strip out the date and time (in order to set up consolidation of alerting in the other programs that are catching these alerts)? All I am able to do is change the message type (event level).

 

This is a HUGE win for us if ANY of these ideas can be added.

 

Currently we are sending SAN array alerts through syslog and catching them with Kiwi. Kiwi is logging to the event log and SCOM is picking it up and notifying the correct party. However, there is not much we can do at the moment in Kiwi to have the event logged in a way that lets us use several different actions in SCOM, since your choices are only Warning, Error, or Informational.

 

Please let me know if you are having any of these same problems or if you know another way around this. There are free syslog servers that aren't nearly as good as syslog for filtering and rules, but you have the option to send alerts to several different custom event logs.

[Log to file Action Error] Merging 2 or more hostnames in one file


Hello folks.

 

My Kiwi Syslog is merging 2 or more hostnames (devices) in the same file with the "Log to file" action.

 

For example, I have 3 devices:

  1. 10.168.1.20
  2. 10.168.1.201
  3. 10.168.1.202

 

In the root folder of files, I had 3 folders, one for each hostname.

10.168.1.201 and 10.168.1.202 are logging correctly. But where I should have the 10.168.1.20 logs, I have a merge of 10.168.1.201 and 10.168.1.202 (without 10.168.1.20).

 

I checked another scenario (that I consider worse)...

I had a log file from 10.120.1.2. But this device doesn't exist.

In this file, 6 devices are logged: 10.120.1.20, 10.120.1.25, 10.120.1.26, 10.120.1.27, 10.120.1.28 and 10.120.1.29.

 

The logs below are in the same file:

2015-02-10 00:10:19    Local4.Warning    10.120.1.2    Feb 10 2015 02:10:19 HQ-BL1-HW9306-A1 %%01LLDP/4/BAD_PACKET(l)[2159934]:8 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/14.
2015-02-10 00:11:26    Local4.Warning    10.120.1.2    Feb 10 2015 02:11:26 HQ-BL1-HW9306-A3 %%01LLDP/4/BAD_PACKET(l)[3194428]:6 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/19.
2015-02-10 00:11:45    Local4.Warning    10.120.1.2    Feb 10 2015 02:11:45 HQ-BL1-HW9306-A2 %%01LLDP/4/BAD_PACKET(l)[6928978]:7 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/4.
2015-02-10 00:11:46    Local4.Info    10.120.1.2    Feb 10 2015 02:11:46 HQ-BL1-HW9306-A5 %%01MSTP/6/SET_PORT_LEARNING(l)[2711307]:In process 0 instance 0, MSTP set port GigabitEthernet2/0/29 state as learning.

 

Is it a bug, or some misconfiguration on my part?

 

Looking forward to some help,

 

Regards, Fold
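One thing worth checking before calling this a bug is which field Kiwi actually keyed the file on. In the four lines quoted above, Kiwi's own source column is 10.120.1.2 on every line, while the message body names four different switches (HQ-BL1-HW9306-A1, A2, A3, A5). The script below is an added example, not part of the post or of Kiwi Syslog: it reads a "Log to file" output and tabulates, per Kiwi source field, the hostnames found inside the message bodies, so a merged file can be traced to either the source address Kiwi received or the split logic. It assumes Kiwi's default tab-delimited layout ("date time", "facility.level", source, message), restores the tabs the forum copy collapsed, and matches the body hostname with a pattern written only for the Huawei-style body format quoted in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the four lines quoted in the post above, with the tab
# delimiters of Kiwi's "Log to file" output restored (the forum copy collapsed
# them). Field layout assumed here: "<date> <time>\t<facility.level>\t<source>\t<message>".
SAMPLE_LOG = (
    "2015-02-10 00:10:19\tLocal4.Warning\t10.120.1.2\tFeb 10 2015 02:10:19 HQ-BL1-HW9306-A1 "
    "%%01LLDP/4/BAD_PACKET(l)[2159934]:8 invalid packets were received after latest notification. "
    "The last invalid packet came from interface GigabitEthernet1/0/14.\n"
    "2015-02-10 00:11:26\tLocal4.Warning\t10.120.1.2\tFeb 10 2015 02:11:26 HQ-BL1-HW9306-A3 "
    "%%01LLDP/4/BAD_PACKET(l)[3194428]:6 invalid packets were received after latest notification. "
    "The last invalid packet came from interface GigabitEthernet1/0/19.\n"
    "2015-02-10 00:11:45\tLocal4.Warning\t10.120.1.2\tFeb 10 2015 02:11:45 HQ-BL1-HW9306-A2 "
    "%%01LLDP/4/BAD_PACKET(l)[6928978]:7 invalid packets were received after latest notification. "
    "The last invalid packet came from interface GigabitEthernet1/0/4.\n"
    "2015-02-10 00:11:46\tLocal4.Info\t10.120.1.2\tFeb 10 2015 02:11:46 HQ-BL1-HW9306-A5 "
    "%%01MSTP/6/SET_PORT_LEARNING(l)[2711307]:In process 0 instance 0, MSTP set port "
    "GigabitEthernet2/0/29 state as learning.\n"
)

# One Kiwi log line: ISO date, time, Facility.Level, the source Kiwi recorded, free text.
KIWI_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\t"
    r"(?P<facility>[A-Za-z0-9]+)\.(?P<level>[A-Za-z]+)\t"
    r"(?P<source>\S+)\t(?P<message>.*)$"
)

# Hostname inside the Huawei-style body quoted in the post:
# "<Mon> <d> <yyyy> <hh:mm:ss> <sysname> %%01..." (pattern written for that format only).
BODY_HOST = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")


def parse_kiwi_line(line):
    """Return the fields of one Kiwi log line plus the body hostname, or None if unparseable."""
    m = KIWI_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    b = BODY_HOST.match(rec["message"])
    rec["body_host"] = b.group("host") if b else None
    return rec


def audit_sources(text):
    """Map each source Kiwi recorded to a count of hostnames found in the message bodies."""
    by_source = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_kiwi_line(line)
        if rec is not None:
            by_source[rec["source"]][rec["body_host"]] += 1
    return {src: dict(hosts) for src, hosts in by_source.items()}


def mismatches(text):
    """Sources whose file mixes more than one distinct body hostname (the merged-file symptom)."""
    return {src: hosts for src, hosts in audit_sources(text).items() if len(hosts) > 1}


def audit_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return mismatches(fh.read())


if __name__ == "__main__":
    for src, hosts in mismatches(SAMPLE_LOG).items():
        print(f"{src}: {len(hosts)} devices in one file: {sorted(hosts)}")
```

Run it over the real file with audit_file(path). If the source column is the same address for every merged line, as it is in the quoted sample, Kiwi split the file on what it received and the question moves to where those datagrams came from; if the source column differs per line while the files are still merged, the split setting of the "Log to file" action is what to look at.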

Log Forwarder - display information had to be saved with the event - The specified resource language ID cannot be found in the image file.


I'm evaluating Kiwi Syslog Server and using the Event Log Forwarder on my servers.

 

The message I receive in the Syslog server looks like this

 

dec 01 11:00:36 SERVERNAME.CHANGED.TOTHISTEXT MSWinEventLog 6 TaskView 3 fre dec 01 11:00:34 2017 0 SolarWinds Event Log Forwarder for Windows (TaskView) N/A Information SERVERNAME.CHANGED.TOTHISTEXT 0 The description for Event ID 0 from source SolarWinds Event Log Forwarder for Windows (TaskView) cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: Test Message from Log Forwarder to the 'TaskView' event log.. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

 

Why?

 

Server version is Windows Server 2012 R2 Standard.

The server uses the Swedish location (Sweden), but the language is English.

 

(Attached are pictures of the language settings.)

 

Regards

Roland

SYSLOG error with windows server 2012


Hi

 

I am installing syslog in my server room to monitor the log in/log out operations on servers. I installed the log forwarder on some Windows Server 2003 servers and everything is OK, but now I installed it on some Windows Server 2012 servers and all the messages that I receive from these servers are like this:

06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog   6   Application   127   lun giu 08 17.03.41 2015   1003   Microsoft-Windows-Security-SPP      N/A   Information   srv-av.astergenova.it   0   The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file.

Do you have any idea how to fix this? The syslogger is installed on an XP machine, but I also tried installing it on a Windows 2012 server machine and nothing changed.

sys log server errors "FormatMessage failed with 1815" help please!!


Good day Community,

 

I am experiencing an urgent issue. The syslog server forwarder is forwarding the following message to the Kiwi syslog server. The actual security logs are showing the correct information; however, the message below is being shown. I thought it was the server, but when I added another server to forward security logs, I am getting the same message as shown below.

 

Has anyone encountered this message, or does anyone know how to resolve this issue? The security logs are on the server, I can view them properly using Event Viewer, and the audit logs are reflecting fine.

 

I would really appreciate your humble assistance or comments.

 

 

 

Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog 5 Security 495 Wed Apr 08 14:36:33 2015 4624 Microsoft-Windows-Security-Auditing N/A Audit Success CASSIOPEIA1.carimed.local 12544
The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: S-1-0-0. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.
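The three posts above (the TaskView test message, the Security-SPP events from Windows Server 2012, and the 4624 logon events) show the same symptom with two Win32 error codes: 1815 is ERROR_RESOURCE_LANG_NOT_FOUND and 15100 is ERROR_MUI_FILE_NOT_FOUND. Both come from FormatMessage, which the forwarder calls on the sending host to turn the provider's message template plus the event's inserted strings into the description text; when the template resources for the language it asks for are not present in the provider's message DLL or its .mui file, rendering fails and only the inserted strings (the SID S-1-0-0, the activation GUID, the test text) are forwarded. The two posters who mention a locale are on Swedish and Italian systems with an English UI language, which fits that picture. The parser below is an added example, not SolarWinds or Kiwi code: it takes forwarded lines as Kiwi receives them, splits the MSWinEventLog record, flags unrendered events, and recovers the inserted data and error code so a Kiwi rule or a SIEM can still key on them. It assumes the forwarder's record is tab-delimited with the field order inferred from the three samples on this page (tag, criticality, log, count, timestamp, event ID, source, user, type, computer, category, message); the sample lines are the page's own, with the tabs the forum rendering collapsed put back, plus one constructed rendered line for contrast.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Win32 codes FormatMessage reports in the forwarded text.
FORMATMESSAGE_ERRORS = {
    1815: "ERROR_RESOURCE_LANG_NOT_FOUND (message DLL has no resource for the requested language)",
    15100: "ERROR_MUI_FILE_NOT_FOUND (the .mui file for that language is not installed)",
}

# Field order assumed from the samples on this page; the record is tab-delimited.
FIELDS = ("tag", "criticality", "log", "count", "timestamp", "event_id",
          "source", "user", "type", "computer", "category", "message")

# Windows' fallback text when the description could not be rendered.
UNRENDERED = re.compile(
    r"The description for Event ID (?P<id>\d+) from source (?P<src>.+?) cannot be found\."
    r".*?The following information was included with the event: (?P<data>.*?)\.?\s*"
    r"FormatMessage failed with error (?P<err>\d+)",
    re.S,
)

# Constructed samples: the three lines quoted in the posts above with tabs restored,
# and one made-up normally rendered 4634 line.
SAMPLES = [
    "Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog\t5\tSecurity\t495\tWed Apr 08 14:36:33 2015\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tAudit Success\tCASSIOPEIA1.carimed.local\t12544\tThe description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: S-1-0-0. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.",
    "giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog\t6\tApplication\t127\tlun giu 08 17.03.41 2015\t1003\tMicrosoft-Windows-Security-SPP\tN/A\tInformation\tsrv-av.astergenova.it\t0\tThe description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file.",
    "dec 01 11:00:36 SERVERNAME.CHANGED.TOTHISTEXT MSWinEventLog\t6\tTaskView\t3\tfre dec 01 11:00:34 2017\t0\tSolarWinds Event Log Forwarder for Windows (TaskView)\tN/A\tInformation\tSERVERNAME.CHANGED.TOTHISTEXT\t0\tThe description for Event ID 0 from source SolarWinds Event Log Forwarder for Windows (TaskView) cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: Test Message from Log Forwarder to the 'TaskView' event log.. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.",
    "Apr 08 14:40:00 CASSIOPEIA1.carimed.local MSWinEventLog\t5\tSecurity\t496\tWed Apr 08 14:39:59 2015\t4634\tMicrosoft-Windows-Security-Auditing\tN/A\tAudit Success\tCASSIOPEIA1.carimed.local\t12545\tAn account was logged off.",
]


@dataclass
class ForwardedEvent:
    log: str
    event_id: int
    source: str
    type: str
    computer: str
    category: str
    message: str
    rendered: bool
    event_data: Optional[str] = None      # inserted strings Windows still attached
    formatmessage_error: Optional[int] = None


def parse_mswineventlog(line: str) -> ForwardedEvent:
    """Parse one forwarded line; the text before the MSWinEventLog tag is the syslog header."""
    start = line.find("MSWinEventLog")
    if start < 0:
        raise ValueError("not an MSWinEventLog line")
    parts = line[start:].split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} tab-delimited fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    ev = ForwardedEvent(log=rec["log"], event_id=int(rec["event_id"]), source=rec["source"],
                        type=rec["type"], computer=rec["computer"], category=rec["category"],
                        message=rec["message"].strip(), rendered=True)
    m = UNRENDERED.search(ev.message)
    if m:
        ev.rendered = False
        ev.event_data = m.group("data")
        ev.formatmessage_error = int(m.group("err"))
    return ev


def explain(ev: ForwardedEvent) -> str:
    if ev.rendered:
        return "rendered"
    name = FORMATMESSAGE_ERRORS.get(ev.formatmessage_error, "unknown Win32 error")
    return f"unrendered: {ev.formatmessage_error} {name}; raw event data still present: {ev.event_data!r}"


def triage(lines):
    """Count unrendered events per (computer, error code) to see which hosts are affected."""
    counts = Counter()
    for line in lines:
        ev = parse_mswineventlog(line)
        if not ev.rendered:
            counts[(ev.computer, ev.formatmessage_error)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_mswineventlog(line)
        print(ev.computer, ev.log, ev.event_id, ev.type, "->", explain(ev))
    print(triage(SAMPLES))
```

The point for the security log in particular: the 4624 event is not lost, its inserted strings still arrive, so filtering in Kiwi on the event ID, type and computer fields keeps working; what is missing is the rendered description, and that is a property of the message resources on the forwarding host, not of Kiwi or the network path.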


Can't start Kiwi Syslog Service - Logon Failure


After installing the permanent license for Kiwi Syslog server the Syslog service will not start.  It started without problems when running as the trial version.  No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error:

The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure.

I can't find anything in the Kiwi Syslog documentation about having to login.  The OS is Windows 2008 R2.  I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator.

Is this a known problem?

Thanks, Glenn

LogForwarderClient and EnforceFIPSPolicy


We have noticed that

enforceFIPSPolicy enabled=false under windows\logforwarderclient.exe.config

This may be problematic on our system - can this section be removed or be set to true ?

Thanks,

Tal

Event Log Forwarder - Where is the Audit Failure Type?


Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

When is Kiwi Syslog v10 coming out?


As you all may recall, it's been 7 months since Kiwi Syslog v9.5 was posted (see Kiwi Syslog 9.5 is now Available! ).  I am very much looking forward to a major release (i.e. v10).  What would this new version contain?  I have a few things in my wish-list...

 

  • Increase the number of syslog messages and SNMP traps that Kiwi can handle. According to a posting on Geek Speak (How many messages can Kiwi Syslog manage?), Kiwi can handle between 400 and 600 messages per second.  I'd like to see that go all the way up to 2,000 messages (or more).
  • Rules Wizard (for the novice and those of us with diminished brain-cells due to age).
  • Full web-based management option.  I don't know about other Thwackers, but I prefer not to use Win32 (via RDP) whenever possible.
  • Additional Polling Engine option for Kiwi.  This, so we can have multiple servers handle syslog messages and snmp traps.

 

I am sure that other Thwackers have many other items in their respective wish-list for Kiwi.  I'd like to hear from you.  And, of course, I'd like to hear from the Kiwi PM, to tell us what's in the Roadmap for the next Kiwi release.  Have a great day, everyone!!! 

no log shows on Kiwi Syslog Web Access


I have Kiwi Syslog 9.5 installed.

I chose to install it as a service and also installed the web access.

The syslog console opened fine and I see logs displayed and also logged to file.

However, the web access shows nothing (whatsoever).  I checked the Setup in Console Manager and see that under Rules I have 2 of the exact same option, "Log to Syslog Web Access".  Everything under those options is checked.

But I still see no log in web access.

 

1) I tried to uncheck all the "Log to Syslog Web Access" options.

2) Closed the Console Manager and reopened it.

3) Check-marked one of the 2 options "Log to Syslog Web Access" and everything below it.

4) Opened and logged in to web access -> still see nothing.

 

any idea?

kiwi syslog 9.5 database


I just installed Kiwi Syslog 9.5, and I would like to have log actions to a SQL database. I have created the table, but the syslog server won't log the traffic to the database; when I click the Test button the syslogd service stops. It does this every time. How do I make this syslog server log to the database?


Kiwi syslog web access export all filters


Hello,

 

We have an old Kiwi Syslog Web Access server with a lot of different filters that need to be exported.

The problem is that we can only export one at a time... is there a way to export all at once?

how to set up snort-log link to syslog server?


How do I set up the snort-log link to the syslog server?

 

in snort.conf  (windows 7 32 bits)

output alert_syslog: host=127.0.0.1:8080, LOG_AUTH LOG_ALERT

 

command :

snort -i 1 -c c:\snort\etc\snort.conf -s

 

then get a file in c:\snort\log\snort.log.1493058792.

 

please tell me, how to send log to syslog server?

 

thank you

syslog missing packets


I am running the Kiwi Syslog Server (free version 9.4) and it is not showing or recording any syslog info.

1. It does get localhost test messages

2. under file | setup | inputs | UDP, it is set to listen, port 514, nothing for the "bind to" address.

3. There are no filters and the action is display and log to file (default install).

4. I've rebooted the windows (Win 7) machine.

5. The packets are being sent from a local linux machine using socket() and sendto()

6. wireshark running on the same machine as kiwi syslog does see the packets and identify them as syslog packets

7. The behavior is the same whether the win7 firewall is on with the Kiwi input rule exceptions on, or if the firewall is off

8. Kiwi is not logging any errors

9. outbound ping from the Windows machine running Kiwi syslog works.

10. If the win7 firewall is off, inbound ping from the local linux machine to the Windows machine works.

11. I'm running it as an application, not as a service / daemon.

 

Any suggestions?

 

-Marty
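Both the snort question above (alert_syslog pointed at host=127.0.0.1:8080 with LOG_AUTH LOG_ALERT) and this one (a Linux sender using socket()/sendto(), packets visible in Wireshark but not in Kiwi) come down to what a syslog datagram has to look like and where it has to land. Kiwi's default UDP input listens on port 514, as item 2 above states, and a datagram is a syslog message only if it starts with a <PRI> field where PRI = facility * 8 + severity; LOG_AUTH (4) with LOG_ALERT (1) gives PRI 33. The script below is an added example, not code from either post, snort or Kiwi: it builds an RFC 3164 style message, decodes the PRI of whatever is received, and can send to an arbitrary host and port or round-trip through a throwaway listener on 127.0.0.1 so the encoder can be checked without Kiwi in the path. The hostname "sensor1", tag "snort" and the alert text are constructed for the example.

```python
import socket
from datetime import datetime

# Facility and severity numbers from RFC 3164 / RFC 5424; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SYSLOG_UDP_PORT = 514  # Kiwi's default UDP input


def pri(facility: str, severity: str) -> int:
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_message(facility, severity, hostname, tag, text, when=None) -> str:
    """RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: text.
    A single-digit day is space-padded, as the RFC requires."""
    when = when or datetime.now()
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def parse_pri(msg: str):
    """Decode the <PRI> field of a received datagram into (facility, severity, remainder)."""
    end = msg.find(">")
    if not msg.startswith("<") or end < 2 or not msg[1:end].isdigit():
        raise ValueError("datagram does not start with a <PRI> field")
    value = int(msg[1:end])
    if value > 191:
        raise ValueError(f"PRI {value} out of range")
    fac, sev = divmod(value, 8)
    return FACILITIES[fac], SEVERITIES[sev], msg[end + 1:]


def send_udp(msg: str, host: str = "127.0.0.1", port: int = SYSLOG_UDP_PORT) -> None:
    """Send one datagram: the socket()/sendto() pair the post describes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg.encode("utf-8"), (host, port))


def loopback_roundtrip(msg: str):
    """Deliver msg to a throwaway UDP listener on 127.0.0.1 and decode what arrived,
    so the sender can be checked without a syslog server in the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_udp(msg, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return parse_pri(data.decode("utf-8"))


if __name__ == "__main__":
    # snort's "LOG_AUTH LOG_ALERT" is facility auth, severity alert: PRI 33.
    m = build_message("auth", "alert", "sensor1", "snort", "[1:1000001:0] constructed test alert")
    print(m)
    print(loopback_roundtrip(m))
```

To test delivery to a real Kiwi host, call send_udp(m, "<kiwi address>") with the default port and watch the Kiwi display; if Wireshark on the Kiwi machine shows the datagram arriving on 514 and the display stays empty, compare what parse_pri makes of the captured payload with what Kiwi's input expects, since a payload without a leading <PRI> is the first thing this check exposes.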

Windows Events 6005, 6006, 6008, 6009 and 1074 not logging in kiwi syslog server


Hello Everyone,

First time poster here. I am trying to track event log service status and power-downs. I cannot get the Windows machines to forward events 6005, 6006, 6008, 6009 and 1074.

 

I have event log forwarder configured correctly, at least the log preview shows the correct logs being forwarded. I do have a custom filter built just for these event IDs but I also have a catch all file that is not filtered. I am checking in both the web access and the syslog server itself. Neither of them receive these event logs from the windows machines. I haven't noticed any other events not being forwarded. All of my other filters are producing the information correctly.

 

Any tips on how to collect these logs?

 

Windows 2012 R2 and Windows 7 environment

Using Kiwi Syslog Server 9.6 and Event log Forwarder

