Quantcast
Channel: THWACK: Popular Discussions - Kiwi Syslog
Viewing all 15803 articles
Browse latest View live

Forward syslog events to QRadar

January 13, 2016, 11:55 am
$
0
0

I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a gree checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

Search

Event Log Forwarder - Where is the Audit Failure Type?

March 18, 2015, 5:40 pm
$
0
0

Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

Integrating IPAM Reports with Syslog Messages question

April 16, 2015, 7:07 am
$
0
0

I have installed the Syslog Server on server A with it's own SQL.

I installed IPAM on its own server with SQL.

 

When I go to create a Syslog Report in the IPAM, it gives me an error and says "Datasource for resource Syslog Summary should be defined" (I can't get past the first tab). I've looked everywhere on the IPAM server and the Syslog server, but cannot find out how or where to set it up or link the 2 together. The closest I've seen is creating a new Report using the Orion Report Writer on the IPAM machine and selecting the Syslog fields. Of course the report comes back with no data....

 

Is it possible to link the 2 software products together when they are installed on 2 different servers? At a loss here...

 

Thanks,

 

Scott

Forward Event Viewer subscriptions with Event Log Forwarder for Windows

March 8, 2017, 1:45 pm
$
0
0

Has anyone been able to forward subscribed events (from other machines) to Kiwi Syslog server using Event Log Forwarder for Windows? I am trying to setup a single point to collect events to be forwarded to our syslog server.

 

I setup a test and subscribed to events from another machine to be placed in the Windows Logs -> Application. I see the forwarded events in Windows Event Viewer, but when viewing the "preview of matching event records" (Event Log Forwarder for Windows) I only see the events sources from the computer running the event log forwarder. (see the attached screenshot)

 

Thanks!

 

Jeremy

Kiwi Syslog Service hanging

May 26, 2017, 11:45 am
$
0
0

1st time starting a discussion.

1st time working with Kiwi Syslog.

Let me know if I'm in the wrong place.

 

I am very new to Syslog Servers.

I'm a Route/Switch type guy.

 

We are using Kiwi Syslog to get Call Manager Call Traces for troubleshooting.

This Instance of Kiwi Syslog was working fine as a Guest VMware Server on a Host Server.

We used the app Veeam to move the Kiwi Syslog VMware Guest Server to another Host.

This issue started after the copy/move of the Kiwi Syslog

 

No IP addresses were changed, it's on the same network as before.

It starts up, logs are being received, and then they stop.

If you try to start the service, it tells you it's already running.

 

At the bottom of the Kiwi Syslog Service Manager, you can see the MPH indicator has stopped.

Looking at the correct folder I can see the logs are no longer being  received.

If I stop the service and start the service it starts.

There is a script that tells it to restart every morning at 4am, and it will do this.

 

Below is the error event seen when it stopped last time.

 

Windows Server 2012 R2

64 -bit OS

 

Has anyone seen this type of issue before?

 

Any help would be greatly appreciated,

 

Mhaley

User Account Control Options To Control What Syslog Messages A Specific Web User Has The Right To View

June 30, 2017, 1:55 am
$
0
0

Dear,

Is there a way to to control what Syslog messages a specific Kiwi Web Server user account can view?

User case:

3 different admin groups, each managing a group of devices.

-All devices send logs to one syslog server.

-Each admin group is allowed to see only logs coming from devices that are assigned to him.

 

Thanks!

Aziz

Kiwi Syslog not displaying Cisco ASA 5505 syslogs

April 2, 2011, 7:21 pm
$
0
0

I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.

I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.

I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.

I have googled, read the user guide, and search the forum and cannot find any procedure that I can tweak Kiwi to log the syslog files from my ASA which is being used as a VPN concentrator.

Any ideas?

How to backup Kiwi Syslog Server?

March 18, 2016, 2:03 am
$
0
0

Dear all,

 

I would like to know how to backup a Kiwi Syslog Server.  We are installing this in VM, but the environment only has NetBackup.

 

I know that I can export the data out as log file for backup, but how about backup when log are still in the Kiwi Syslog Server database?

 

I am not able to find any reference in the Admin guide.

 

Best Regards,

Rayson Wong

Search

Kiwi Syslog Server limitations

July 28, 2017, 9:00 am
$
0
0

Hi everyone,

 

I wonder if Kiwi Syslog Server has any limitation on how many servers that it can collect the logs from or how many servers can send the logs to the syslog server?

 

I know the Web Access has 4GB db limitation.  What is the best practice for this limitation when you have more than 10 servers sending the logs to syslog server? I don't want to see only 1 or 2 day logs every day from Web Access.  I hope at least 4GB db limitation can store like a month logs of all 10+ servers.  I am trying first with the windows event logs (using the free tool Solwarwinds Event Log Forwarder)

 

Is there any limitation that i should be aware with Kiwi Syslog Server and Event Forwarder tool?

 

Another question:

Does Solarwinds Event Log Forwarder can work with other vendor syslog server? If so, which vendor and which syslog server product is that?

 

Thanks in advance!

Procurve switches not sending syslog messages in KIWI syslog

July 25, 2013, 6:58 am
$
0
0

Hi all,

 

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

 

show debug

 

Debug Logging

  Source IP Selection: Outgoing Interface
  Destination:
   Logging --
     'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

 

tried facility 'syslog' still nothing.

 

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

 

Anyone ideas to solve this?

 

TIA Jaap

Windows failed logins tracking

January 6, 2017, 11:19 am
$
0
0

Hi folks,

 

We currently have v9.5 running on a Windows 2012 R2 VM which is the loghost for our environment of approx. 60 systems. We use AD for authentication and I'm attempting to configure the logger to alert on multiple failed logins, however, nothing appears to be getting to the loghost from the DC, other than the previously configured items. I have been able to configure this successfully for our Linux VM's but no luck on the Windows side. My assumption is, the problem is between the keyboard and monitor

I've configured the Event Log Forwarder to send all things Microsoft Security to the loghost but having no luck. Has anyone done this successfully? What have I missed?

 

Thanks in advance.

 

Buddy

Kiwi Syslog and Ngnix -- How to config

September 24, 2013, 10:39 am
$
0
0

Hello everyone,

 

I am rather new to Kiwi Syslog and I am trying to figure out how to configure Ngnix so that it can send logs to the Kiwi Syslog server.  I believe I may need a patch for Ngnix.  However, I am not sure.  If anyone has set up logging for Ngnix to Kiwi Syslog and wouldn't mind sharing your process.  I would really appreciate the help. 

 

Thanks. 

 

-David Mulligan.

Kiwi Syslog Viewe Message Pattern Syntax

November 19, 2013, 11:07 am
$
0
0

Hello Thwackers!!!

 

Quick question... I want to filter using excludes in the Syslog Viewer.  To be clear, I don't want to eliminate the messages from Syslog - I just want to filter inside the viewer for them.

 

For example, I can include only messages with this IP by putting %192.1.3.4% in the "Message Pattern" box.

 

I can EXCLUDE messages with this IP by putting !%192.1.3.4% in the "Message Pattern" box.

 

What I want to do is exclude an IP AND exclude a partial user name.  So in english:  I want only messages that do NOT include the IP address of 192.1.3.4 and also do NOT include any user with 'anon' in the name.

 

Can this be done?

 

I have tried to no avail:

 

!%192.1.3.4%.!%anon*%

!%192.1.3.4%.!%anon?%

!%192.1.3.4% & !%anon*%

!%192.1.3.4% && !%anon*%

 

..and other combinations of the above...

 

Thanks in advance!!!

Event Log Forwarder - Where is the Audit Failure Type?

March 18, 2015, 5:40 pm
$
0
0

Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

Display original source of message when logs are aggregated through rsyslog server

December 6, 2015, 3:58 pm
$
0
0

I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately when this happens all of the messages received by Kiwi are labelled with the hostname/ip of the rsyslog server and not their original source. I am unable to enable UDP Spoofing on the RSyslog server as the firewall will only allow traffic from this servers IP and not the spoofed addresses.


Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer


I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddres value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

"Function Main()
  ' Replace DMZServerIP with ActualSourceIP within the message hostname
Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
  ' Return OK to tell syslog that the script ran correctly.
Main = "OK"
  End Function"

Thanks,
Ryan

Search

Kiwi Syslog - Read text file/csv

October 2, 2016, 10:32 pm
$
0
0

Hi all,

 

Is there a way that I am able to have Kiwi Syslog read from or import from a text file or CSV file that may be generated by a program that does not support Syslog?

 

Thanks.

log forwarder and dhcp auditing?

October 15, 2011, 10:57 am
$
0
0

I am needing to forward all of our DHCP audits to the syslog, however I cannot figure out how to do that with the Log Forwarder.  Which source do I use in the Event Viewer?  The audit is logged to a file.  Is there any way to forward changes to files?

Does Kiwi syslog server support TLS 1.2? If so how to enable it?

August 21, 2015, 6:46 am
$
0
0

I am trying to connect to kiwi syslog server in secure TCP mode. From my client side (c# code) I try to connect to kiwi syslog sever using TLS 1.2 protocol. But SSL Handshake from server is set to TLS 1.0

I installed kiwi server in Windows 7 SP1 and enabled TLS 1.2 in the system by modifying the system registry.

 

SSL handshakes captured using Network monitor are given below

 

Client HandShake

 

Client HandShake.png

 

Server HandShake

server handshake.png

 

Client side code( c#)

 

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

var tcpClient = new TcpClient(hostname, port);

var tcpClientStream = tcpClient.GetStream();

var sslStream = new SslStream(tcpClientStream, false, ValidateServerCertificate)

{

        ReadTimeout = timeout,

        WriteTimeout = timeout

};

sslStream.AuthenticateAsClient(hostname, new X509CertificateCollection(), System.Security.Authentication.SslProtocols.Tls12, false);

When is Kiwi Syslog v10 coming out?

March 11, 2016, 6:15 am
$
0
0

As you all may recall, it's been 7 months since Kiwi Syslog v9.5 was posted (see Kiwi Syslog 9.5 is now Available! ).  I am very much looking forward to a major release (i.e. v10).  What would this new version contain?  I have a few things in my wish-list...

 

  • Increased the of number of syslog messages and snmp traps that can Kiwi can handle. According to a posting on Geek Speak (How many messages can Kiwi Syslog manage?), Kiwi can handle between 400 and 600 messages per second.  I'd like to see that go all the way up to 2,000 messages (or more).
  • Rules Wizard (for the novice and those of us with diminished brain-cells due to age. 
  • Full web-based management option.  I don't know about other Thwackers, but I prefer not to use Win32 (via RDP) whenever possible.
  • Additional Polling Engine option for Kiwi.  This, so we can have multiple servers handle syslog messages and snmp traps.

 

I am sure that other Thwackers have many other items in their respective wish-list for Kiwi.  I'd like to hear from you.  And, of course, I'd like to hear from the Kiwi PM, to tell us what's in the Roadmap for the next Kiwi release.  Have a great day, everyone!!! 

how to setup snort-log link to syslog server?

April 24, 2017, 12:31 pm
$
0
0

how to setup snort-log link to syslog server?

 

in snort.conf  (windows 7 32 bits)

output alert_syslog: host=127.0.0.1:8080, LOG_AUTH LOG_ALERT

 

command :

snort -i 1 -c c:\snort\etc\snort.conf -s

 

then get a file in c:\snort\log\snort.log.1493058792.

 

please tell me, how to send log to syslog server?

 

thank you

Viewing all 15803 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>