The engineering effort on Kiwi Syslog Server (KSS) v9.4 Release Candidate has been completed. RC is the last step before general availability and is a chance for existing customers to get the newest functionality before it is available to everyone else.

You will find the latest version on your customer portal in the Release Candidate section.

Here is the content of this RC version:

• Moving to a new web server
  This change brings a lot of new functionality "for free". Examples:
  • SSL (https) support for Web Access
  • Process health monitoring
  • TCP port sharing
  • And much more! (See UltiDev Web Server Pro pages for details.)
• Active Directory authentication for web access
• Alerting for Message Queue Monitor
  Be notified when the number of messages in the message queue crosses certain threshold. This indicates there might be performance problems and gives you chance to take an action before messages get dropped.
• Bug Fixes / resolved cases:

RC builds are made available to existing customers prior to the formal release. These are used to get customer feedback in production environments and are fully supported.

Good day Community,

I am experiencing an urgent issue. The sys log server forwarder is forwarding the following message to the KIWI sys log server. The actual security logs are showing the correct information, however the message below is being showed. I thought it was the server, but wen I added another sever to forward security logs, I am getting the same message as shown below.

Can anyone who have encountered this message or know how to resolve this issue. The security logs are on the server and I can view them using event viewer properly and audit logs are reflecting fine.

I would really appreciate your humble assistance or comments.

Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog 5 Security 495 Wed Apr 08 14:36:33 2015

4624 Microsoft-Windows-Security-Auditing N/A Audit Success CASSIOPEIA1.carimed.local 12544

The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be

found. Either the component that raises this event is not installed on your local computer or

the installation is corrupted. You can install or repair the component on the local computer.If

the event originated on another computer, the display information had to be saved with the

event.The following information was included with the event: S-1-0-0. FormatMessage failed with

error 1815, The specified resource language ID cannot be found in the image file.

Hello,

Could you please tell me how to transfer all DHCP events (from a standard Windows 2012 DHCP server) to syslog ?

Thanks in advance for your help

I'm evaluation Kiwi Syslog server and using the Event Log Forwarder from my servers

The message I receive in the Syslog server looks like this

dec 01 11:00:36 SERVERNAME.CHANGED.TOTHISTEXT MSWinEventLog 6 TaskView 3 fre dec 01 11:00:34 2017 0 SolarWinds Event Log Forwarder for Windows (TaskView) N/A Information SERVERNAME.CHANGED.TOTHISTEXT 0 The description for Event ID 0 from source SolarWinds Event Log Forwarder for Windows (TaskView) cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: Test Message from Log Forwarder to the 'TaskView' event log.. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

Why?

Server versions is Windows server 2012 R2 Standard

The server use Swedish location Sweden, but language English

(Attached is pictures of langue settings)

Regards

Roland

Hi

i am installing syslog in my server room to monitor the log in/log out operations on serers... i installed log forwarder on some windows server 2003 servers and everithig is ok but now i installed it on some windows server 2012 and all the messages that i receive from these servers are like this :''06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog   6   Application   127   lun giu 08 17.03.41 2015   1003   Microsoft-Windows-Security-SPP      N/A   Information   srv-av.astergenova.it   0   The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."

do you have idea of how to fix this? syslogger is installed on a xp machine but i also tried to install it on a windows 2012 server machine and nothing changed

An Infoblox device is reporting that Kiwi Syslog is receiving "connection failed" errors in its logs from the Kiwi server.  According to the engineer asking the question the interface sending the syslog messages is not behind a firewall.

I assume the syslog server does not randomly drop or refuse connections from a device sending it syslog messages. 

Any ideas as to what might be causing this?

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.

External link to Jing: DNS Resolution - justinfinley's library

Video Guide:

• 0:00 Watching traffic come in with unresolved IP addresses
• 0:10 Turning on IP address resolution (this affects what appears in the "Hostname" column)
• 0:20 Turning on in-message IP address resolution (this is optional, can be slow, and affects what appears in the "Message" column)
• 0:27 A quick glance at the DNS server settings (which DNS server to use, whether NetBIOS is to be used, etc.)
• 0:29 A quick glance at the DNS cache settings
• 0:30 Turning on resolution of frequently-uses IPs from a local hosts file (this is very fast, but ignores changes to DNS servers)
• 0:35 How to edit the hosts file
• 1:30 Watching traffic come in with properly resolved IP addresses

Remember to "LIKE" this if you find it useful - that helps others find it too!

Trying to send failed login attempts to the syslog and getting error as follows XXXXXXX.domain.gov.uk MSWinEventLog 2 Security 128 Tue Jan 30 16:32:42 2018 4771 Microsoft-Windows-Security-Auditing N/A Audit Failure XXXXXX.domain.gov.uk 14339 The description for Event ID 4771 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4258. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file. Using Version 1.2.0.114 on server Windows 2012 R2 Datacenter

completed the hack to actually get the failed logins  <string>0x10000000000000</string>

Can anyone solve this - using SolarWinds-LogForwarder-FreeTool-v1.2.0

I have a Cisco ASA 5505 that is setup to send syslogs to a remote syslog server.

I have kiwi syslog (free) installed on a Windows 2003 R2 Server and it is listening on UDP port 514. The syslog server also is my Ciscoworks v3.2 server.

I can ONLY see the Ciscoworks log files and not the ASA. I only want to display the ASA log files.

I have googled, read the user guide, and search the forum and cannot find any procedure that I can tweak Kiwi to log the syslog files from my ASA which is being used as a VPN concentrator.

Any ideas?

Hello,

I am in a situation where I need to filter out a certain string. It is a little complicated however. The string(s) I am trying to filter out usually looks like this:

"port D10-High collision or drop rate."

D10 is a device bay in a chassis and that is what we are really interested in here. There are 16 device bays so it can be D1, D2, D3....D16.

The only problem is that there is no space between D10 and "-High"

And we WOULD like to keep getting messaged that dont have the Dx part in it so we cant just filter out "collision or drop rate."

Is the only way to do this by putting 16 separate filters like so: ...?

"D1-High"

"D2-High"

"D3-High"

...."D16-High"

or is there a wildcard we can put in place of the number? Catch is that sometimes it could be a single digit (1-9) or it could be a double digit (10-16).

You input is appreciated. Thank you.

Hello,

I am having some difficulties opening KIWI Syslog webpage as a 'read only' public user. We have TV monitors in the IT department and we would like to dedicate one to show errors on the Syslog page with a refresher. I have marked the filters as public and tried the direct link option, but it takes me to the login screen. What am I doing wrong?

regards

I'm evaluation Kiwi Syslog server and using the Event Log Forwarder from my servers

The message I receive in the Syslog server looks like this

dec 01 11:00:36 SERVERNAME.CHANGED.TOTHISTEXT MSWinEventLog 6 TaskView 3 fre dec 01 11:00:34 2017 0 SolarWinds Event Log Forwarder for Windows (TaskView) N/A Information SERVERNAME.CHANGED.TOTHISTEXT 0 The description for Event ID 0 from source SolarWinds Event Log Forwarder for Windows (TaskView) cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: Test Message from Log Forwarder to the 'TaskView' event log.. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

Why?

Server versions is Windows server 2012 R2 Standard

The server use Swedish location Sweden, but language English

(Attached is pictures of langue settings)

Regards

Roland

Hello.

I've installed the free version of Kiwi Syslog (I'm a long-time user of CatTools), and am unable to find a setup preference which tells Kiwi how long to retain syslog messages.  I don't have unlimited drive space, and only want to keep certain messages for a limited period.

More specifically, need to keep the NAT translation messages from my firewall, so I can track down inappropriate use by students.  These messages come at a rate of over 20,000/hr.  I only want to keep them for a week.

Thanks

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.

External link to Jing: DNS Resolution - justinfinley's library

Video Guide:

• 0:00 Watching traffic come in with unresolved IP addresses
• 0:10 Turning on IP address resolution (this affects what appears in the "Hostname" column)
• 0:20 Turning on in-message IP address resolution (this is optional, can be slow, and affects what appears in the "Message" column)
• 0:27 A quick glance at the DNS server settings (which DNS server to use, whether NetBIOS is to be used, etc.)
• 0:29 A quick glance at the DNS cache settings
• 0:30 Turning on resolution of frequently-uses IPs from a local hosts file (this is very fast, but ignores changes to DNS servers)
• 0:35 How to edit the hosts file
• 1:30 Watching traffic come in with properly resolved IP addresses

Remember to "LIKE" this if you find it useful - that helps others find it too!

1st time starting a discussion.

1st time working with Kiwi Syslog.

Let me know if I'm in the wrong place.

I am very new to Syslog Servers.

I'm a Route/Switch type guy.

We are using Kiwi Syslog to get Call Manager Call Traces for troubleshooting.

This Instance of Kiwi Syslog was working fine as a Guest VMware Server on a Host Server.

We used the app Veeam to move the Kiwi Syslog VMware Guest Server to another Host.

This issue started after the copy/move of the Kiwi Syslog

No IP addresses were changed, it's on the same network as before.

It starts up, logs are being received, and then they stop.

If you try to start the service, it tells you it's already running.

At the bottom of the Kiwi Syslog Service Manager, you can see the MPH indicator has stopped.

Looking at the correct folder I can see the logs are no longer being  received.

If I stop the service and start the service it starts.

There is a script that tells it to restart every morning at 4am, and it will do this.

Below is the error event seen when it stopped last time.

Windows Server 2012 R2

64 -bit OS

Has anyone seen this type of issue before?

Any help would be greatly appreciated,

Mhaley

Kiwi syslog stopped collecting information. The view error log button is red and blinking. When i click to view the log

is see  the below message repeating itself:

2011-03-18 10:54:01     Licensed action was found in settings and disabled.

2011-03-18 10:54:01     Licensed action was found in settings and disabled.

2011-03-18 13:37:56     Licensed action was found in settings and disabled.

2011-03-18 13:37:57     Licensed action was found in settings and disabled.

2011-03-18 13:37:57     Licensed action was found in settings and disabled.

Installed Kiwi Syslog Free version 9.3.4 on Windows Server 2008 R2.  Trying to capture syslog from a Cisco ASA 5510.  I have confirmed that the syslog events are hitting the server with Wireshark.  Nothing is coming through to Kiwi Syslog.  Current settings are all default.  No filters in place.  Not sure what is wrong as I can see the syslog messages coming through Wireshark. Any ideas as to why the syslog messages are not being seen by Kiwi?

I am new to Kiwi syslog and don't know much about using Jscript.  I'm reading that I need to create a script if I want a custom field added to my custom file format.  I wanted to do a simple task of appending a specific ID number at the end of each event that is written to the syslog file.  There is a repository that I send my syslog files to but the parser for that system needs the specific ID for my system to be at the end of each event message within the file.  This is not the correct syntax but I want to do something like the following for example:

original message would look like = 2018-Jan-4 19:37:17 host IP 10.1.1.1 event message

modified message would look like = 2018-Jan-4 19:37:17 host IP 10.1.1.1 event message SystemID:12345678987654321

Function Main()
    'Text to append to raw message
    appendID = "SystemID:12345678987654321"

    'get the raw message
    modifiedRawMessage = Fields.VarRawMessageText
  
    'Append text to message
    modifiedRawMessage = Append(modifiedRawMessage, appendID)

    'Overload message text with modified one.
    Fields.VarRawMessageText = modifiedRawMessage

    'Return success
    Main = "OK"
End Function

Can someone help me with getting the syntax correct?

Thank you in advance.

Trying to send failed login attempts to the syslog and getting error as follows XXXXXXX.domain.gov.uk MSWinEventLog 2 Security 128 Tue Jan 30 16:32:42 2018 4771 Microsoft-Windows-Security-Auditing N/A Audit Failure XXXXXX.domain.gov.uk 14339 The description for Event ID 4771 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4258. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file. Using Version 1.2.0.114 on server Windows 2012 R2 Datacenter

completed the hack to actually get the failed logins  <string>0x10000000000000</string>

Can anyone solve this - using SolarWinds-LogForwarder-FreeTool-v1.2.0

Good day Community,

I am experiencing an urgent issue. The sys log server forwarder is forwarding the following message to the KIWI sys log server. The actual security logs are showing the correct information, however the message below is being showed. I thought it was the server, but wen I added another sever to forward security logs, I am getting the same message as shown below.

Can anyone who have encountered this message or know how to resolve this issue. The security logs are on the server and I can view them using event viewer properly and audit logs are reflecting fine.

I would really appreciate your humble assistance or comments.

Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog 5 Security 495 Wed Apr 08 14:36:33 2015

4624 Microsoft-Windows-Security-Auditing N/A Audit Success CASSIOPEIA1.carimed.local 12544

The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be

found. Either the component that raises this event is not installed on your local computer or

the installation is corrupted. You can install or repair the component on the local computer.If

the event originated on another computer, the display information had to be saved with the

event.The following information was included with the event: S-1-0-0. FormatMessage failed with

error 1815, The specified resource language ID cannot be found in the image file.