Channel: THWACK: Popular Discussions - Kiwi Syslog

Need help - New to Kiwi Syslog!


Newbie to Kiwi Syslog! Took responsibility after previous co-worker...

 

During my initial discovery, the Syslog server is configured: "Kiwi Syslog server v9", "Engineer's Toolset V11.0 Desktop - ETS1", and "Network Performance Monitor - SL100".

I've located Syslog log files location, set up for 30 days.

 

Should I be looking at any dashboard? Log file viewer?

 

Looking for suggestions on a crash course to learn the system. Tech support only helps if I have a technical problem.

How did you start?  Learn?  Any suggestions are greatly appreciated.

 

lesu77


Administrator Password Missed; Other way to login


Hi,

 

I have recently been handed over Kiwi Syslog server to manage, which has both a Fat Client and a Web Server. The Fat Client is directly logged in; however, the Web console could not be logged in. When I checked regarding the password of "Administrator", I was informed that the resource handling it left long ago and there is no one to tell.

 

Is there a way we can reset the password of Administrator or create a new user from the Syslog Fat Client? I can't raise the request with Support as we do not have active maintenance.

 

Thanks,

Syed

Kiwi Syslog not capturing syslogs


Installed Kiwi Syslog Free version 9.3.4 on Windows Server 2008 R2.  Trying to capture syslog from a Cisco ASA 5510.  I have confirmed that the syslog events are hitting the server with Wireshark.  Nothing is coming through to Kiwi Syslog.  Current settings are all default.  No filters in place.  Not sure what is wrong as I can see the syslog messages coming through Wireshark. Any ideas as to why the syslog messages are not being seen by Kiwi?

Windows Events 6005, 6006, 6008, 6009 and 1074 not logging in kiwi syslog server


Hello Everyone,

First time poster here. I am trying to track event log service status and power downs. I cannot get the Windows machines to forward event logs 6005, 6006, 6008, 6009 and 1074.

 

I have event log forwarder configured correctly, at least the log preview shows the correct logs being forwarded. I do have a custom filter built just for these event IDs but I also have a catch all file that is not filtered. I am checking in both the web access and the syslog server itself. Neither of them receive these event logs from the windows machines. I haven't noticed any other events not being forwarded. All of my other filters are producing the information correctly.

 

Any tips on how to collect these logs?

 

Windows 2012R2 and Windows 7 Environment

Using Kiwi Syslog Server 9.6 and Event log Forwarder

Syslog report e-mail formatting


Are there any known issues with Server 2012 and Kiwi Syslog reports? We get a nightly report regarding top users, free space on the logging drive, etc. (the usual stuff). But on the only 2012 server we have, the report keeps coming through mangled (column formatting lost), like this:

 

///       Kiwi Syslog Server Statistics         ///<br/>---------------------------------------------------<br/>24 hour period ending on: Tue, 04 Feb 2014 00:00:00<br/>Syslog Server started on: Sun, 02 Feb 2014 20:09:16<br/>Syslog Server uptime:     1 day, 3 hours, 35 minutes<br/>---------------------------------------------------<br/><br/>+ Messages received - Total:          3074669<br/>+ Messages received - Last 24 hours:  2757881<br/>+ Messages received - Since Midnight: 2677931<br/>+ Messages received - Last hour:      105004<br/>+ Message queue overflow - Last hour: 0<br/>+ Messages received - This hour:      60751<br/>+ Message queue overflow - This hour: 0<br/>+ Messages per hour - Average:        112380<br/><br/>+ Messages forwarded:                 319<br/>+ Messages logged to disk:            2677947<br/><br/>+ Errors - Logging to disk:           0<br/>+ Errors - Invalid priority tag:      0<br/>+ Errors - No priority tag:           0<br/>+ Errors - Oversize message:          0<br/><br/>+ Disk space remaining on drive E:    19477 MB<br/><br/>---------------------------------------------------<br/><br/><br/>     Breakdown of Syslog messages by sending host  <br/>+--------------------------+------------+------------+<br/>| Top  25 Hosts             |  Messages  | Percentage |<br/>+--------------------------+------------+------------+<br/>| xx.xx.xx.51               |    931061  |     34.77% |<br/>| xx.xx.xx.50               |    815957  |     30.47% |<br/>| xx.xx.xx.53               |    407432  |     15.21% |<br/>| xx.xx.xx.54               |    375649  |     14.03% |<br/>| xx.xx.xx.245              |     10020  |      0.37% |<br/>| xx.xx.xx.115              |      6374  |      0.24% |<br/>| xx.xx.xx.110              |      3190  |      0.12% |<br/>| xx.xx.xx.112              |      3177  |      0.12% |<br/>| xx.xx.xx.33               |      3000  |      0.11% |<br/>| xx.xx.xx.120              |      2950  |      0.11% |<br/>| xx.xx.xx.95               |  
    2872  |      0.11% |<br/>| xx.xx.xx.69               |      2806  |      0.10% |<br/>| xx.xx.xx.144              |      2657  |      0.10% |<br/>| xx.xx.xx.143              |      2501  |      0.09% |<br/>| xx.xx.xx.60               |      2345  |      0.09% |<br/>| xx.xx.xx.125              |      2336  |      0.09% |<br/>| xx.xx.xx.3                |      2336  |      0.09% |<br/>| xx.xx.xx.127              |      2335  |      0.09% |<br/>| xx.xx.xx.117              |      2335  |      0.09% |<br/>| xx.xx.xx.61               |      2331  |      0.09% |<br/>| xx.xx.xx.126              |      2330  |      0.09% |<br/>| xx.xx.xx.7                |      2330  |      0.09% |<br/>| xx.xx.xx.250              |      2300  |      0.09% |<br/>| xx.xx.xx.1                |      2298  |      0.09% |<br/>| xx.xx.xx.56               |      2255  |      0.08% |<br/>| All others (96)          |     82754  |      3.09% |<br/>+--------------------------+------------+------------+<br/><br/><br/>    Breakdown of Syslog messages by severity   <br/>+--------------------+------------+------------+<br/>| Message Level      |  Messages  | Percentage |<br/>+--------------------+------------+------------+<br/>| 0 - Emerg          |         0  |      0.00% |<br/>| 1 - Alert          |         0  |      0.00% |<br/>| 2 - Critical       |       638  |      0.02% |<br/>| 3 - Error          |     27926  |      1.04% |<br/>| 4 - Warning        |     20075  |      0.75% |<br/>| 5 - Notice         |      7943  |      0.30% |<br/>| 6 - Info           |   2605942  |     97.31% |<br/>| 7 - Debug          |     15407  |      0.58% |<br/>+--------------------+------------+------------+<br/><br/>Custom statistics<br/>-----------------<br/>CustomStats01: 0<br/>CustomStats02: 0<br/>CustomStats03: 0<br/>CustomStats04: 0<br/>CustomStats05: 0<br/>CustomStats06: 0<br/>CustomStats07: 0<br/>CustomStats08: 0<br/>CustomStats09: 0<br/>CustomStats10: 0<br/>CustomStats11: 0<br/>CustomStats12: 
0<br/>CustomStats13: 0<br/>CustomStats14: 0<br/>CustomStats15: 0<br/>CustomStats16: 0<br/><br/>End of Report.<br/>

 

 

If I reinstall Syslog, the problem goes away for a while, then comes back.
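The mangled report above has only lost its line breaks (each one became a `<br/>` tag), so the figures are still recoverable. As an added example that is not from the post or from SolarWinds, this Python script splits a constructed excerpt in that shape back into lines, extracts the counters and the per-host table, and flags queue overflows, logging errors and low disk space, which is what an operator actually reads the nightly mail for.

```python
# Added example (not from the post or from SolarWinds): recover the numbers
# from a Kiwi Syslog Server statistics report whose line breaks were
# replaced by <br/> tags, then run the checks an operator wants from it.
import re

# Constructed excerpt in the same shape as the mangled report in the post.
MANGLED_REPORT = (
    "///       Kiwi Syslog Server Statistics         ///<br/>"
    "24 hour period ending on: Tue, 04 Feb 2014 00:00:00<br/>"
    "+ Messages received - Total:          3074669<br/>"
    "+ Message queue overflow - Last hour: 0<br/>"
    "+ Messages logged to disk:            2677947<br/>"
    "+ Errors - Oversize message:          0<br/>"
    "+ Disk space remaining on drive E:    19477 MB<br/><br/>"
    "+--------------------------+------------+------------+<br/>"
    "| Top  25 Hosts             |  Messages  | Percentage |<br/>"
    "+--------------------------+------------+------------+<br/>"
    "| xx.xx.xx.51               |    931061  |     34.77% |<br/>"
    "| xx.xx.xx.50               |    815957  |     30.47% |<br/>"
    "| All others (96)          |     82754  |      3.09% |<br/>"
    "+--------------------------+------------+------------+<br/>"
    "End of Report.<br/>"
)

# "+ <counter name>: <integer>[ MB]"  and  "| <host> | <count> | <pct>% |"
COUNTER_RE = re.compile(r"^\+\s*(.+?):\s+(\d+)(?:\s*MB)?\s*$")
ROW_RE = re.compile(r"^\|\s*(.+?)\s*\|\s*(\d+)\s*\|\s*([\d.]+)%\s*\|$")

def unmangle(text: str) -> list[str]:
    """Split the <br/>-joined report back into non-empty lines."""
    parts = re.split(r"<br\s*/?>", text, flags=re.IGNORECASE)
    return [p.rstrip() for p in parts if p.strip()]

def parse_report(text: str) -> dict:
    """Return {'counters': {name: int}, 'hosts': [(host, count, pct)]}."""
    counters, hosts = {}, []
    for line in unmangle(text):
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
            continue
        m = ROW_RE.match(line)  # the header row has no digits, so it is skipped
        if m:
            hosts.append((m.group(1), int(m.group(2)), float(m.group(3))))
    return {"counters": counters, "hosts": hosts}

def health_findings(report: dict, min_free_mb: int = 10240) -> list[str]:
    """Flag dropped messages, logging errors and low disk; empty list = healthy."""
    c = report["counters"]
    findings = [f"{k} = {v}" for k, v in c.items()
                if v > 0 and ("overflow" in k or k.startswith("Errors"))]
    free = next((v for k, v in c.items() if k.startswith("Disk space")), None)
    if free is not None and free < min_free_mb:
        findings.append(f"low disk: {free} MB free")
    return findings

if __name__ == "__main__":
    parsed = parse_report(MANGLED_REPORT)
    print(parsed["counters"], parsed["hosts"], health_findings(parsed), sep="\n")
```

The same functions work on a report that arrived with real newlines, since the splitter only removes the `<br/>` tags it finds.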

Kiwi Syslog Server 9.4.1 - Active Directory Settings


Has anyone configured Active Directory Settings in Kiwi Syslog Server 9.4.1? Below are the Active Directory Settings available in the Web Access interface under the Admin tab.

 

  • Domain URL: <Free Form Box>  My domain prepopulated correctly.
  • Authentication Type: <Free Form Box>.  Is this supposed to be NTLM, Kerberos, etc?
  • User Groups: <Free Form Box>  Does the format need to be LDAP based?

Maximum number of TCP connections has been reached. Not accepting connection.


KiWi Syslogd error: Maximum number of TCP connections has been reached. Not accepting connection.

Why? Thanks..

How to Migrate Kiwi Syslog Server


There are 3 things that you need to consider when migrating Kiwi Syslog Server:


  1. Configuration - to back it up, simply open the Kiwi Syslog Server Manager and click "File -> Export Settings to INI".
  2. Logs - manually copy the Syslog message log files. Under Setup, look for all "Log to file" actions and take note of the path and file name.
  3. License - deactivate the license from the old server using the License Manager Tool first so that you can transfer the license to the new server. Please take note that the Activation Key will be different once the license is deactivated. You can refer to the following video for more detailed information:

Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

SolarWinds LogForwarder 1.2 NOT WORKING


I have installed the kiwi syslog server 9.5 and I am using the SolarWinds LogForwarder 1.2 on all the other servers and endpoints to send the logs to the kiwi syslog server.

 

 

I noticed that I am not receiving any logs from the servers, only from network devices (switches, routers, etc.). I checked to see if the Log Forwarder for Windows was running, and I noticed that it was not. I manually started the service, and then some time after that the service stopped. I checked the event viewer application log and saw the following, each in a separate entry:

 

 

  1. Service started successfully.
  2. Server Initialization Failed.  See previous event messages for reason.
  3. SolarWinds Event Log Forwarder for Windows; Service Stopped.

 

I have the SolarWinds LogForwarder 1.2 installed on w2k8r2 and w2k12r2 servers. I opened the log forwarder service log and I saw this:

 

1/26/2017 4:57:57 PM - SolarWinds Event Log Forwarder for Windows; Service Started.

1/26/2017 4:58:58 PM - Configuration File Reloaded at 1/26/2017 4:58:58 PM

1/26/2017 5:30:10 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 5:30:10 PM - Configuration File Reloaded Failed at 1/26/2017 5:30:10 PM

1/26/2017 9:24:23 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:24:23 PM - Configuration File Reloaded Failed at 1/26/2017 9:24:23 PM

1/26/2017 9:27:29 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:29 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:29 PM

1/26/2017 9:27:33 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:33 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:33 PM

1/26/2017 9:27:41 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:41 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:41 PM

Can anyone help?

How to search all log files


Hi everyone,

 

Can someone confirm that both the Kiwi Syslog Service Manager console and the Kiwi Syslog Web Access will only display messages for current log files.  Therefore, a find or filter will only bring up hits for the most current log files, correct?

 

Assuming that is the case, I found a thread that mentions WinGREP as a freeware to search all log files on your hard drive.  Wouldn't it be helpful for this capability to be integrated into Kiwi Syslog Server?

 

For example, I am importing all Windows Security events from all domain controllers into Kiwi Syslog Server.  I want to be able to search for a username and the phrase "user account is locked out" for as far back as I have logs.  How do I do this easily?

 

Thanks,

Tony

Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

Log Forwarder - service won't start - Error 15007


I am getting error 15007, info about this error is in my language (czech), but here it is:

 

25.4.2017 8:42:52 - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15007, Zadaný kanál nebyl nalezen. Zkontrolujte konfiguraci kanálu.

25.4.2017 8:42:52 - Server Initialization Failed.  See previous event messages for reason.

25.4.2017 8:42:52 - SolarWinds Event Log Forwarder for Windows; Service Stopped.

RFC 5424 support?


Currently Kiwi Syslog Server 9.x release supports syslog based on RFC 3164. Are there any plans to add support for RFC 5424 in a future release?

Thank you,

David


Does anyone have information on setting up KIWI to match up to DISA STIGS? New user, overwhelmed with setting up the syslogs, alerts etc.


Does anyone have information on setting up KIWI to match DISA STIGS?  I have found some for SolarWinds, but they do not seem to match to the setup of KIWI.  Trying to set up e-mail alerts for file space and several more?

Deploying Kiwi Syslog server to NPM Environment


Hello All,

 

I am planning to Deploy a Kiwi Syslog server to my NPM Environment.

 

We are planning to enable snmp traps and syslog messages to be sent from other tools to SolarWinds NPM hoping to have one alert dashboard focused on SolarWinds NPM.

 

I don't want to flood the polling engine and peg the processing power dealing with all the additional noise.

 

Instead the Kiwi Syslog server will process the items and forward the actionable items to the SolarWinds Server to be alerted and ticketed.

 

Any thoughts, concerns, or tips are appreciated.

 

Thank you,

Raymond

Additional MIB files support


We have a custom made device that is sending SNMP traps. The vendor has created several MIB files to translate OID values, unfortunately the MIB files cannot be provided to Solarwinds to create a new MIB database file.

 

Does anyone know if it is possible to add additional MIB files to the MIB database file without Solarwinds assistance?

If the above is not supported, can anyone recommend an alternative for how OID values can be translated? Or how OID values can be exported from a MIB file?

 

Many Thanks

 

Adam

Is there any limitation of usage for the Free Version


Currently we're using the free version only to get logs from one device (firewall). Since we're a company, is it ok to just use the Free Version for as long as we need it for that one device, or do we actually have to buy the commercial license? Is there any term of usage that describes this?

Solarwinds event log forwarder for windows - tracking failed logins in AD failing


Trying to send failed login attempts to the syslog and getting the following error:

XXXXXXX.domain.gov.uk MSWinEventLog 2 Security 128 Tue Jan 30 16:32:42 2018 4771 Microsoft-Windows-Security-Auditing N/A Audit Failure XXXXXX.domain.gov.uk 14339 The description for Event ID 4771 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4258. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file.

Using Version 1.2.0.114 on server Windows 2012 R2 Datacenter

 

completed the hack to actually get the failed logins  <string>0x10000000000000</string>

 

Can anyone solve this - using SolarWinds-LogForwarder-FreeTool-v1.2.0
