Hello,

Could you please tell me how to transfer all DHCP events (from a standard Windows 2012 DHCP server) to syslog ?

Thanks in advance for your help

Hello,

I have installed kiwi syslog server 9.6.3.3 eval version and trying to configure syslog in TCP SSL mode.

First, these are the steps I following to configure the server:

     a) created a self signed certificate using java keytool.

     b) imported into windows certificates personal and trusted roots folder.

     c) selected the imported certificate in kiwi setup configuration.

After following the above steps , I got below error in Event log file.

2017-11-29 16:40:06 Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided.

After googling for this error, I got below link and used IIS server to create a self-signed certificate

Re: Kiwi Syslog Server does not display secure ASA syslogs

After configuring certificate  which is generated from IIS, I started getting below error.

2017-11-30 12:37:30 Source: C:\Windows\SysWow64\mswinsck.ocx Error: Socket is non-blocking and the specified operation will block

But , I was able to receive messages in SSL mode using java code running in same box where syslog server is installed. If I try to run same java code from any  box other than kiwi server, it is not receiving messages.

Observed similar behavior for TCP mode as well. 

How to check syslog server is configured correctly or not? Is there any way to do that?.

Thanks in Advance!!

Hi all,

I am currently using kiwi syslog 9.1 in win2008 which i have been using for a few months.

Since yesterday i can see that for every minute a file name "192.168.x.x-515-connectionxxxx.bin" is generated under C:\program files (x86)\syslogd \cache

Each file has a size of 1MB.

I tried deleting the cache folder but after sometime this file generation thing comes back again.

Pls advise how this can be solved? Thks in advance.

Hi all.

I have just installed Kiwi Syslog Server 9.5 on a test machine to evaluate its suitability for a project I'm working on. It's currently still running in 14-day Evaluation mode.

We can't seem to get it to receive SNMP traps at all. No matter what we do, netstat shows nothing listening on UDP port 162. SNMPv1 traps are being sent to the server, and we can see them in Wireshark arriving at the server, but Kiwi isn't listening for them.

In desparation, we tried enabling the Windows SNMP Trap service (although we understand this isn't required?) and this 'absorbed' the traps, but nothing appeared in Kiwi.

The test machine is running Windows 7 (32-bit) with the Windows Firewall switched off.

Should the 14-day Evaluation be able to receive SNMP traps?

Thanks in advance for any advice!

Hi There,

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

Thanks,

I am setting up a kiwi syslog server.  Running into a problem with the filtering not working the way I would expect.  I have used Kiwi but that was several years ago.  I have setup a display for a specific switch and have tried several different filter possibilities but still getting syslog messages on the display that dont belong to the switch I am trying to watch. 

I have tried a ip address - simple filter with the ip address of the switch "10.1.1.2".  On the cisco switch, I have used the command logging source-interface vlan 254 which should send out the syslog messages using the ip address in the simple filter I setup.  I have also tried the hostname option with the hostname of the switch "Switch1" but same problem.

It has got to be something simple but so far I havent found the problem.  Since this is the free version, I know I cant call Solar Winds support.

Any suggestions are appreciated.

Ron

Hello,

    I'm currently trying to get the logs of where (what IP) and when (date and time) the Domain Administrator account information is used to log into one of three specific machines (2 DC's, and a Finance server). I'm having some trouble defining the subscription in the Kiwi Log Forwarder - Specifically, what boxes do I need to tick off and what event ID number do I need to include? I have the IP's for the three servers that I want AD to send the Admin login logs from. Thanks!

Has anyone configured Active Directory Settings in Kiwi Syslog Server 9.4.1?  Below are the available Active Directory Settings available in the Web Access interface under the Admin Tab.

• Domain URL: <Free Form Box>  My domain prepopulated correctly.
• Authentication Type: <Free Form Box>.  Is this supposed to be NTLM, Kerberos, etc?
• User Groups: <Free Form Box>  Does the format need to be LDAP based?

We have been experiencing an issue with our Kiwi Syslog Service crashing about every other day.  We are running version 9 and have a pretty standard setup where we are pushing syslogs from all of our devices in our network.  We have quite a bit of stuff logging to our Syslog server and are easily breaching the 200000 maximum message count throughout the day and getting email's.  We up'ed that and seem to be doing better however the syslog service continues to fail and will at times restart itself based off of the services recovery failure to restart the service but this is happening way to often. 

Has anyone else seen this problem and if so, what kinds of things did you try/do?  Is this box just getting pegged so hard that it's causing the service to malfunction and trip up?  I'm not a Windows guy but is this issue even Windows related?  The only other application we have running on this server is CatTools and it runs clean with no service issues.  The systems team has taken a look at the server and believe this to be related only to the Kiwi application itself. 

Next Steps: I'm thinking of removing and rebuilding the Kiwi 9 application from scratch to see if this corrects the issue but wanted some direction from the forum if anyone has any good ideas/suggestions.

Thankyou in advance!

Hello folks.

My Kiwi Syslog is merging 2 or more hostnames (devices) in the same file when: "Log to file Action".

For example, i have 3 devices:

1. 10.168.1.20
2. 10.168.1.201
3. 10.168.1.202

In the root folder of files, i had 3 folders, one for each hostname.

The 10.168.1.201 and 10.168.1.202 are logging correctly. But when i should have the 10.168.1.20 logs, i have a merge of 10.168.1.201 and 10.168.202 (without the 10.168.1.20).

I check another scenario (that i consider worse)...

I had a file log from 10.120.1.2. But this device don't exist.

IN this file, are logged 6 devices: 10.120.1.20, 10.120.1.25, 10.120.1.26, 10.120.1.27, 10.120.1.28 and 10.120.1.29.

The logs below, are in same file:

Is a bug, or some misconfigured of my part?

Looking forward for a help,

Regards Fold

I am new to Kiwi syslog and don't know much about using Jscript.  I'm reading that I need to create a script if I want a custom field added to my custom file format.  I wanted to do a simple task of appending a specific ID number at the end of each event that is written to the syslog file.  There is a repository that I send my syslog files to but the parser for that system needs the specific ID for my system to be at the end of each event message within the file.  This is not the correct syntax but I want to do something like the following for example:

original message would look like = 2018-Jan-4 19:37:17 host IP 10.1.1.1 event message

modified message would look like = 2018-Jan-4 19:37:17 host IP 10.1.1.1 event message SystemID:12345678987654321

Function Main()
    'Text to append to raw message
    appendID = "SystemID:12345678987654321"

    'get the raw message
    modifiedRawMessage = Fields.VarRawMessageText
  
    'Append text to message
    modifiedRawMessage = Append(modifiedRawMessage, appendID)

    'Overload message text with modified one.
    Fields.VarRawMessageText = modifiedRawMessage

    'Return success
    Main = "OK"
End Function

Can someone help me with getting the syntax correct?

Thank you in advance.

How do you detect specific clients that have not sent syslog messages to the server in a specified amount of time?

We are new to Kiwi Syslog and are just getting things configured.  We are on version 9.6.1.6.  One thing I immediately noticed is that running the "Check for update..." results in the following error: "An error occurred while checking for available software updates.  Check internet connectivity or proxy server settings.". 

We have no proxy server enabled.  From the server with Kiwi Syslog, I have Internet connectivity via a browser with no problems. 

From Kiwi's error log, I see the following line associated with the failed update: "Info: An error occurred while checking for available software updates.  Moved Temporarily [20152] - Resource: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/currentkiwisyslogversion.xml".  If I paste that URL into a browser, it returns the following:

<?xml version="1.0"?>

-<KiwiSyslogServerVersionManifest Version="1">

<CurrentVersion Version="9.6.1" Link="http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1.zip" DateReleased="2017-05-01"> New in 9.6.1 update ------------------------------ * Kiwi Syslog Server no longer creates large SolarWinds.SyslogServer.Engine.log fileswhich consume significant disk space. * Kiwi Syslog Server diagnostic information shows the correct buffer usage for all types of messages * If you do not see a "Download Update" button below, copy and paste the following link into your browser to download: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1.zip</CurrentVersion>

</KiwiSyslogServerVersionManifest>

I can then paste the .zip link it references into a browser and get the zip file to download (although it appears to be the same version we already have). 

Has anyone experienced the same issue or know how to fix it?

Thanks!

hello,

i am seeing a lot of post where kiwi syslog forwarding to QRadar is not working .

in kiwi site it seems straight forward but I need your help to document all the steps properly.

please post here snapshot of your configuration and steps if you are successful sending kiwi log to QRadar.

thank you

I discovered this morning (only because I didn't receive the nightly report) that two of our Syslog servers stopped logging yesterday afternoon. The nightly archiving and cleanup jobs did not run. The service did not crash. The drive has 63 GB of free space. There are no entries under the Application or System logs in Windows. Under the Errorlog I see this for all of the reporting nodes ("ip.address.#" is placeholder for the actual values in the logs):

2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address1.txt

2015-05-28 15:39:00    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1..txt

2015-05-28 15:39:02    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.2.txt

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.3.txt

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:06    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:07    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.4.txt

2015-05-28 15:39:08    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:11    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.5.txt

     The log stops there. When I restart the service I see these additional entries in the Error log:

2015-05-29 07:17:16    Unable to open InterApp listening socket on TCP port 3300

2015-05-29 07:17:16    Unable to open UDP socket on port 514

2015-05-29 07:19:08    Service running, but Service/Manager comm link is not connecting.

2015-05-29 07:19:28    Unable to connect to Service socket on TCP port 3300

2015-05-29 07:19:38    Service running, but Service/Manager comm link is not connecting.

Any ideas?

I am new to Kiwi syslog and don't know much about using Jscript.  I'm reading that I need to create a script if I want a custom field added to my custom file format.  I wanted to do a simple task of appending a specific ID number at the end of each event that is written to the syslog file.  There is a repository that I send my syslog files to but the parser for that system needs the specific ID for my system to be at the end of each event message within the file.  This is not the correct syntax but I want to do something like the following for example:

original message would look like = 2018-Jan-4 19:37:17 host IP 10.1.1.1 event message

modified message would look like = 2018-Jan-4 19:37:17 host IP 10.1.1.1 event message SystemID:12345678987654321

Function Main()
    'Text to append to raw message
    appendID = "SystemID:12345678987654321"

    'get the raw message
    modifiedRawMessage = Fields.VarRawMessageText
  
    'Append text to message
    modifiedRawMessage = Append(modifiedRawMessage, appendID)

    'Overload message text with modified one.
    Fields.VarRawMessageText = modifiedRawMessage

    'Return success
    Main = "OK"
End Function

Can someone help me with getting the syntax correct?

Thank you in advance.

I want to encrypt syslog from Cisco swirtch or router into Kiwi Syslog.

I read somewhere I can use syslog tls or snmp trap v3

Is that possible using Kiwi Syslog

thanks

Hello,

    I'm currently trying to get the logs of where (what IP) and when (date and time) the Domain Administrator account information is used to log into one of three specific machines (2 DC's, and a Finance server). I'm having some trouble defining the subscription in the Kiwi Log Forwarder - Specifically, what boxes do I need to tick off and what event ID number do I need to include? I have the IP's for the three servers that I want AD to send the Admin login logs from. Thanks!

My syslog server archives the data into text files. How do I create reports from or view that data without using a text editor? Can I open the archived syslog data using the Syslog Web Access?

Hi all,

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

show debug

Debug Logging

  Source IP Selection: Outgoing Interface
  Destination:
   Logging --
     'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

tried facility 'syslog' still nothing.

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

Anyone ideas to solve this?

TIA Jaap