Quantcast
Channel: THWACK: Popular Discussions - Kiwi Syslog
Viewing all 15803 articles
Browse latest View live

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

February 6, 2013, 5:04 am
$
0
0

PROBLEM - pfSense syslogs for firewall event is split into two lines when it is sent to Kiwi syslog app.

 

Is there a way to edit configuration or parsing script to parse the pfSense event as one similar to what the Splunk app can do see link http://www.basementpctech.com/content/pfsense-log-analysis-splunk

 

I understand that this is a PFsense tcpdump/issue, but I have already tried changing link http://redmine.pfsense.org/issues/1938 without any luck, it just don't work, tried all combinations of changes without any luck.

 

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

 

I would really appreciate any help with this, as I have already exhasted searching for a working soloution using Kiwi Syslog, and the only thing holding me back from purchasing this application.

 

Appreciate any help on this..........

 

 

Example from Kiwi Syslog

 

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]

Search

how to setup snort-log link to syslog server?

April 24, 2017, 12:31 pm
$
0
0

how to setup snort-log link to syslog server?

 

in snort.conf  (windows 7 32 bits)

output alert_syslog: host=127.0.0.1:8080, LOG_AUTH LOG_ALERT

 

command :

snort -i 1 -c c:\snort\etc\snort.conf -s

 

then get a file in c:\snort\log\snort.log.1493058792.

 

please tell me, how to send log to syslog server?

 

thank you

When is Kiwi Syslog v10 coming out?

March 11, 2016, 6:15 am
$
0
0

As you all may recall, it's been 7 months since Kiwi Syslog v9.5 was posted (see Kiwi Syslog 9.5 is now Available! ).  I am very much looking forward to a major release (i.e. v10).  What would this new version contain?  I have a few things in my wish-list...

 

  • Increased the of number of syslog messages and snmp traps that can Kiwi can handle. According to a posting on Geek Speak (How many messages can Kiwi Syslog manage?), Kiwi can handle between 400 and 600 messages per second.  I'd like to see that go all the way up to 2,000 messages (or more).
  • Rules Wizard (for the novice and those of us with diminished brain-cells due to age. 
  • Full web-based management option.  I don't know about other Thwackers, but I prefer not to use Win32 (via RDP) whenever possible.
  • Additional Polling Engine option for Kiwi.  This, so we can have multiple servers handle syslog messages and snmp traps.

 

I am sure that other Thwackers have many other items in their respective wish-list for Kiwi.  I'd like to hear from you.  And, of course, I'd like to hear from the Kiwi PM, to tell us what's in the Roadmap for the next Kiwi release.  Have a great day, everyone!!! 

Kiwi C: drive space

October 11, 2016, 5:27 am
$
0
0

One of our Kiwi instances is running out of room on the C: drive. When I check for large files, I see two logs from uws.apphost.clr2.x86.trace.log, using up almost 30gb. I understand this is Ultidev web server application process, which appears integral with Kiwi.  Is this log safe to delete to free up space? When attempting to open it to view log history, it's locked indicating it's

in use by another process and can't be openend. Kiwi UWS-apphost-clr2-x86-trace-log-using-up-c-drive.PNG

SolarWinds.SyslogServer.Engine.log

April 6, 2017, 11:52 am
$
0
0

Hi, I was hoping someone can explain the log files ('SolarWinds.SyslogServer.Engine.log') created in the Syslogd folder to me. What purpose do they serve? Are they safe to delete? Can I set them to be created in a different directory?

 

Thank you.

Log to Database not working

September 24, 2009, 7:15 am
$
0
0

I am having trouble getting the Log to Database action to work. I am using SQL 2005 Enterprise and is seems to be an issue with the authentication but I can't figure out what I am doing wrong. I was able to get the database table created but no events are being logged. When I test the action I get "Database connection error: Login failed for user 'NT Authority\Snonymous...'. I am speciying a SQL account in the connection string and ODBC control panel. The user has dbo rights to the database.

 

Any ideas?

How to load-balance Kiwi Syslog servers

December 23, 2013, 12:31 pm
$
0
0

I've got a set of 3 Kiwi servers sitting behind an F5, which I *thought* would effectively load balance the incoming syslog volume (I'm seeing around 5-8million messages per hour, and we haven't really turned everything on yet).

 

The problem, I just discovered, is that F5 load balances based on connections, not messages/packets. So round robin isn't round robin since most of my sending systems are passing new messages (and therefore creating a connection) more than even the lowest "disconnect after" option on the F5 (which is 1 second).

 

So my first server is maxing out at about 5million MPH and 0% buffer, while server 02 gets 2million messages and 80% buffer, and server 03 gets barely anything at all.

 

Has anyone else tried this, and have you found a work around (it doesn't have to be an F5. I just need the ability to create a pool of Kiwi servers and have all the systems in my enterprise sending to ONE ip address.

 

Thanks!

- Leon

How to create filter in kiwi syslog web access to filter only windows logon events

April 21, 2015, 9:23 pm
$
0
0

Dear All,

I want to create filter in syslog server to view the windows logon and logoff (event logs).

 

Please help me to create the filter.

Search

Sizing of syslog storage

November 25, 2016, 11:05 am
$
0
0

Hello,

 

We need to implement a syslog containing a trace of all web access of 15 users.

But we don't have any idea of the volume required.

 

Do you have any estimation (a rough range is enough) of the daily syslog volume for an average web use (webmail + surf) ?

 

We will only register :

- origin MAC address

- origin IP address

- network port

- destination IP address

- timestamp

 

Thanks in advance for your help.

Maximum number of TCP connections has been reached. Not accepting connection.

July 9, 2014, 7:38 am
$
0
0

KiWi Syslogd error: Maximum number of TCP connections has been reached. Not accepting connection.

Why? Thanks..

SYSLOG error with windows server 2012

June 9, 2015, 12:24 am
$
0
0

Hi

 

i am installing syslog in my server room to monitor the log in/log out operations on serers... i installed log forwarder on some windows server 2003 servers and everithig is ok but now i installed it on some windows server 2012 and all the messages that i receive from these servers are like this :''06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog   6   Application   127   lun giu 08 17.03.41 2015   1003   Microsoft-Windows-Security-SPP      N/A   Information   srv-av.astergenova.it   0   The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."

do you have idea of how to fix this? syslogger is installed on a xp machine but i also tried to install it on a windows 2012 server machine and nothing changed

Cisco ISE Logs

April 6, 2016, 7:51 am
$
0
0

In order for the syslogs that come from an ISE server you must change the message length to 8192 on the device or the messages will be messed up.

Is there a setting on the KIWI server I need to adjust to accommodate this?

It appears when viewing the logs coming in thru the manager console they look ok, but if you send that to a log file the entries in the file are incomplete or truncated.

Setting up Kiwi Syslog with Meraki mr32

November 29, 2016, 12:06 pm
$
0
0

Hi,

i never used syslog servers and i would like to setup a logging system for my meraki mr32 devices.

I tried to setup myself Kiwi with the mr32 but with no success.

Can someone help?

Collect DHCP events from Windows DHCP server

November 26, 2016, 2:39 am
$
0
0

Hello,

 

Could you please tell me how to transfer all DHCP events (from a standard Windows 2012 DHCP server) to syslog ?

 

Thanks in advance for your help

Syslog 9.1 log to sql database error

October 11, 2010, 2:10 pm
$
0
0

Hello all,

I keep getting the below errors when trying to send info to our SQL database.

2010-10-10 16:49:39     DBLogger.ClearQueue aborted with error: Incorrect syntax near '2222:43:netmgtd:10-Oct-2010 16:49:37.018014:rca_ocp.c:295:INFO:25.2.4:GUI: Account admin from 10.X.X.XX logged in to 10.X.X.X'. - SQL statement has been removed from the database cache. [Syslogd_TaskEngine.exe 2.5.151] (801) INSERT INTO Syslogd (MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText) VALUES ('2010-10-10','16:49:38','User.Info','10.X.X.XXX','2222:43:netmgtd:10-Oct-2010 16:49:37.018014:rca_ocp.c:295:INFO:25.2.4:GUI: Account admin from 10.X.X.XX logged in to 10.X.X.XXX. ') : C:\Program Files\Syslogd\DBCache\ca7ad33fa4e635d00d4106908427f600 [Line:0]

I have setup the the log to database using the built in sql file format as well as creating one from scratch.  What I don't get is that every time I use the debug command, the table gets updated properly without any errors.  But when I apply my settings the log file gets filled with errors.  I know it is complaining about quotes someplace, but in the view none of the statements have any quotes in them.  

 

Any help would be greatly appreciated.

 

Thank you,

Giuseppe

Search

Kiwi Syslog not capturing syslogs

May 14, 2013, 1:40 pm
$
0
0

Installed Kiwi Syslog Free version 9.3.4 on Windows Server 2008 R2.  Trying to capture syslog from a Cisco ASA 5510.  I have confirmed that the syslog events are hitting the server with Wireshark.  Nothing is coming through to Kiwi Syslog.  Current settings are all default.  No filters in place.  Not sure what is wrong as I can see the syslog messages coming through Wireshark. Any ideas as to why the syslog messages are not being seen by Kiwi?

no log shows on Kiwi Syslog Web Access

August 25, 2015, 11:44 am
$
0
0

I am having kiwi syslog 9.5 installed.

I choose to install as service and also installed the web access.

The syslog console opened fine and I see logs on displayed and also to file.

However, with the web access, it shows nothing (what so ever).  I checked the Setup on Console Manager and see that under Rules i have 2 exact same option for "Log to Syslog Web Access".  Everything under that options checked.

But I still see no log on web access.

 

1) I tried to uncheck all the "Log to Syslog Web Access".

2) Closed the Console Manager and reopened it

3) Checked mark one of the 2 optioins "Log to Syslog Web Access" and everything below it.

4) Opened and log in to web access -> Still see nothing.

 

any idea?

Forward syslog events to QRadar

January 13, 2016, 11:55 am
$
0
0

I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a gree checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

How to Split Logs to Multiple Displays in Kiwi Syslog Server

May 31, 2013, 8:56 am
$
0
0

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.

 


External link to Jing: Multiple Displays - justinfinley's library

 

Video Guide:

  • 0:00 Unfiltered display (Display 00)
  • 0:10 Showing the rule that sends all messages to Display 00
  • 0:20 Changing the unfiltered display from Display 00 to Display 05
  • 0:25 Checking that the switch happened
  • 0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
  • 1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
  • 2:05 Checking that the new filters work
  • 2:25 Renaming "Display 05" to "All Messages"
  • 2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
  • 3:10 Checking that the display renaming worked

 

Remember to "LIKE" this if you find it useful - that helps other find it too!

Can not receive message from Cisco switch 3750

July 28, 2013, 11:37 pm
$
0
0

Hello guys,

 

I setup kiwi syslog server and could receive message from other devices, such cisco switch 2960, 5510, and windows server. But can not get any message from 3750. I enclosed 3750 configuration as below. Please help to take a look and where am I wrong. Thank you.

 

logging trap notifications

logging facility local5

logging 192.168.0.51

Viewing all 15803 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>