Hi,

I use Kiwi Syslog Server on Windows Server 2016.

I got an error on Kiwi Syslog Server due to conflict with Windows Update several times.

1) Performed on April 26, 2017

*Environment

- Windows Server 2016

- Kiwi Syslog Server version 9.5.2

The following patchs were installed by Windows Update successfully.

KB4015217

KB890830

Then KSS is unable to load and presents the following error:

---------------------------

Syslogd

---------------------------

Component 'KiwiSocket.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

---------------------------

2) Performed on May 19, 2017

*Environment

- Windows Server 2016

- Kiwi Syslog Server version 9.6.1

The following patchs were installed by Windows Update successfully.

KB3150513

KB4019472

KB890830

KB4013418

Then KSS is unable to load and presents the following error:

---------------------------

Syslogd

---------------------------

Component 'XceedZip.dll' or one of its dependencies not correctly registered: a file is missing or invalid.

---------------------------

[Resolution]

Both cases, I uninstalled and re-installed Kiwi Syslog Server.

Please refer:

https://support.solarwinds.com/Success_Center/Kiwi_Syslog_Server/KSS_error_Component_XceedZip_dll_or_one_of_its_dependencies_not_correctly_registered_a_file_is_missing_or_invalid

3) Performed on June 21, 2017

*Environment

- Windows Server 2016

- Kiwi Syslog Server version 9.6.1 

The following patchs were installed by Windows Update successfully.

(KB3186568)

(KB4023834)

(KB4022715)

(KB890830)

(KB3150513)

Then KSS is unable to load and presents the following error:

---------------------------

Syslogd

---------------------------

Component 'XceedZip.dll' or one of its dependencies not correctly registered: a file is missing or invalid.

---------------------------

[Resolution]

I uninstalled and re-installed Kiwi Syslog Server.

メッセージ編集者:

Date: June 28, 2017

JTC Osaka　

After Windows Update(2017-June-21), KSS can not start again.

Is there any way for me to export Kiwi Syslogs.  I want to be able to export the syslogs from a licensed Kiwi server into another database for viewing.  Specifically the NPM database.  I would think that there would have been something to do this already since both are SolarWinds products, but I am unable to find it.
  I want to be able to take the logs off the Kiwi server and view them elsewhere, without viewing through Kiwi.  I want to view them through NPM, but I guess I can get by viewing them through something like Access.  Is there a way (even if it isn't easy) to do this?

Hello,

I am in a situation where I need to filter out a certain string. It is a little complicated however. The string(s) I am trying to filter out usually looks like this:

"port D10-High collision or drop rate."

D10 is a device bay in a chassis and that is what we are really interested in here. There are 16 device bays so it can be D1, D2, D3....D16.

The only problem is that there is no space between D10 and "-High"

And we WOULD like to keep getting messaged that dont have the Dx part in it so we cant just filter out "collision or drop rate."

Is the only way to do this by putting 16 separate filters like so: ...?

"D1-High"

"D2-High"

"D3-High"

...."D16-High"

or is there a wildcard we can put in place of the number? Catch is that sometimes it could be a single digit (1-9) or it could be a double digit (10-16).

You input is appreciated. Thank you.

KiWi Syslogd error: Maximum number of TCP connections has been reached. Not accepting connection.

Why? Thanks..

We have both Linux and Windows servers in our environment. I want to create SNMP trap for for both. But Im facing difficulty in configuring SNMP trap for linux servers. Im not getting any Trap alert for Linux servers. Its working fine for windows. It would be a great help if someone could help me out in this. Linux servers are configured with net-snmp.

Hello,

I have setup Kiwi to act as a buffer between my devices and NPM and have configured multiple filters with an action to Display to Display 09 (so I can see what is being forwarded) and  Forward to NPM.

One of my filters looks like this and tests without problem -

Example syslog message -

Apr  4 08:56:58.032 BST: %SYS-5-CONFIG_I: Configured from console by Peter on vty0 (10.10.10.10)

RegEx filter -

".*SYS-5-CONFIG_I: Configured from console by .* on.*"

If I create another rule filtering by source IP I can see the message being sent correctly.

Edit: Just as I was typing this I wondered if it was an AND rather than an OR for the filters and on disabling all the other filters except the above one it worked.

Teaches me to RTFM -

"For each rule, the message is matched against the specified filters. Starting from the top most filter and working down. If any of the filter conditions fail, the program stops processing that rule and moves on to the next rule. If all the filter conditions are met, that is they all return TRUE, then the program will perform the specified action or actions for that rule, in order starting at the top most action and working down."

Hope this helps someone

Hi all,

Is there a way that I am able to have Kiwi Syslog read from or import from a text file or CSV file that may be generated by a program that does not support Syslog?

Thanks.

We are new to Kiwi Syslog and are just getting things configured.  We are on version 9.6.1.6.  One thing I immediately noticed is that running the "Check for update..." results in the following error: "An error occurred while checking for available software updates.  Check internet connectivity or proxy server settings.". 

We have no proxy server enabled.  From the server with Kiwi Syslog, I have Internet connectivity via a browser with no problems. 

From Kiwi's error log, I see the following line associated with the failed update: "Info: An error occurred while checking for available software updates.  Moved Temporarily [20152] - Resource: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/currentkiwisyslogversion.xml".  If I paste that URL into a browser, it returns the following:

<?xml version="1.0"?>

-<KiwiSyslogServerVersionManifest Version="1">

<CurrentVersion Version="9.6.1" Link="http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1.zip" DateReleased="2017-05-01"> New in 9.6.1 update ------------------------------ * Kiwi Syslog Server no longer creates large SolarWinds.SyslogServer.Engine.log fileswhich consume significant disk space. * Kiwi Syslog Server diagnostic information shows the correct buffer usage for all types of messages * If you do not see a "Download Update" button below, copy and paste the following link into your browser to download: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1.zip</CurrentVersion>

</KiwiSyslogServerVersionManifest>

I can then paste the .zip link it references into a browser and get the zip file to download (although it appears to be the same version we already have). 

Has anyone experienced the same issue or know how to fix it?

Thanks!

Currently we're using the free version only to get logs from one device (firewall). Since we're a company, is it ok to just use the Free Version for as long as we need it for that one device, or do we actually have to buy the commercial license? Is there any term of usage that describes this?

I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:

Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

I've got a set of 3 Kiwi servers sitting behind an F5, which I *thought* would effectively load balance the incoming syslog volume (I'm seeing around 5-8million messages per hour, and we haven't really turned everything on yet).

The problem, I just discovered, is that F5 load balances based on connections, not messages/packets. So round robin isn't round robin since most of my sending systems are passing new messages (and therefore creating a connection) more than even the lowest "disconnect after" option on the F5 (which is 1 second).

So my first server is maxing out at about 5million MPH and 0% buffer, while server 02 gets 2million messages and 80% buffer, and server 03 gets barely anything at all.

Has anyone else tried this, and have you found a work around (it doesn't have to be an F5. I just need the ability to create a pool of Kiwi servers and have all the systems in my enterprise sending to ONE ip address.

Thanks!

- Leon

Good Day,

We are have an issue getting SNMP trap inputs to work on Kiwi v9. We have installed Kiwi on both a WinXP (with SNMP trap service) and Win2k3 Virtual Machine. When collecting syslogs it works fine. However when we configure the SNMP inputs under setup, we get a message stating that it "cannot open snmp listener on port 162" 

There was no other SNMP software installed as it suggested that the port is already bound to an interface. We then installed the Solarwinds Engineer's toolset on the VM and used the trap receiver. Once alarms were generated this worked well while Kiwi is still unable to receive the traps.

Finally, we used a standalone laptop and loaded Kiwi. Using the same address as the VM we were able to receive the SNMP traps from the device under test. The platform that Kiwi was loaded onto was WinXP with Trap service installed.

Any ideas anyone? Any assistance will be greatly appreciated. I saw in the forum something about UDP Spoofing being unable to work as well and I was wondering if it had any connection.

Has anyone been able to forward subscribed events (from other machines) to Kiwi Syslog server using Event Log Forwarder for Windows? I am trying to setup a single point to collect events to be forwarded to our syslog server.

I setup a test and subscribed to events from another machine to be placed in the Windows Logs -> Application. I see the forwarded events in Windows Event Viewer, but when viewing the "preview of matching event records" (Event Log Forwarder for Windows) I only see the events sources from the computer running the event log forwarder. (see the attached screenshot)

Thanks!

Jeremy

1st time starting a discussion.

1st time working with Kiwi Syslog.

Let me know if I'm in the wrong place.

I am very new to Syslog Servers.

I'm a Route/Switch type guy.

We are using Kiwi Syslog to get Call Manager Call Traces for troubleshooting.

This Instance of Kiwi Syslog was working fine as a Guest VMware Server on a Host Server.

We used the app Veeam to move the Kiwi Syslog VMware Guest Server to another Host.

This issue started after the copy/move of the Kiwi Syslog

No IP addresses were changed, it's on the same network as before.

It starts up, logs are being received, and then they stop.

If you try to start the service, it tells you it's already running.

At the bottom of the Kiwi Syslog Service Manager, you can see the MPH indicator has stopped.

Looking at the correct folder I can see the logs are no longer being  received.

If I stop the service and start the service it starts.

There is a script that tells it to restart every morning at 4am, and it will do this.

Below is the error event seen when it stopped last time.

Windows Server 2012 R2

64 -bit OS

Has anyone seen this type of issue before?

Any help would be greatly appreciated,

Mhaley

Hello,

    I'm currently trying to get the logs of where (what IP) and when (date and time) the Domain Administrator account information is used to log into one of three specific machines (2 DC's, and a Finance server). I'm having some trouble defining the subscription in the Kiwi Log Forwarder - Specifically, what boxes do I need to tick off and what event ID number do I need to include? I have the IP's for the three servers that I want AD to send the Admin login logs from. Thanks!

Hi everyone,

Can someone confirm that both the Kiwi Syslog Service Manager console and the Kiwi Syslog Web Access will only display messages for current log files.  Therefore, a find or filter will only bring up hits for the most current log files, correct?

Assuming that is the case, I found a thread that mentions WinGREP as a freeware to search all log files on your hard drive.  Wouldn't it be helpful for this capability to be integrated into Kiwi Syslog Server?

For example, I am importing all Windows Security events from all domain controllers into Kiwi Syslog Server.  I want to be able to search for a username and the phrase "user account is locked out" for as far back as I have logs.  How do I do this easily?

Thanks,

Tony

After installing the permanent license for Kiwi Syslog server the Syslog service will not start.  It started without problems when running as the trial version.  No errors appear in the Kiwi Syslog error log, but the Windows event viewer shows the following error:

The Kiwi Syslog Server service failed to start due to the following error: The service did not start due to a logon failure.

I can't find anything in the Kiwi Syslog documentation about having to login.  The OS is Windows 2008 R2.  I am starting the Syslog service from Service Manager > Manage, and Service Manager was Run As Administrator.

Is this a known problem?

Thanks, Glenn

We have two syslog servers and use a F5 to load balance between the two. In total they receive around 45 million messages a day.We have around a dozen rules that forward messages onto a security appliance or splunk and it can take around 30 minutes before those messages arrive. It can also take 30 minutes for any emails to end up in a users mailbox.

As soon as we start the syslog service the message count on the buffer starts to climb and eventually the overflow queue increase. We haven't checked the stats for a while but one of the servers had a overflow queue count of 125,000! It is a VM server running Windows 2003, 2 CPU's and 4Gb RAM.

Here are the stats from the first hour of starting the syslog service

Kiwi Syslog Server [Licensed] Version 9.4.1

///       Kiwi Syslog Server Statistics         ///

---------------------------------------------------

24 hour period ending on: Thu, 22 May 2014 09:03:09

Syslog Server started on: Thu, 22 May 2014 08:04:17

Syslog Server uptime:     0 hours, 58 minutes

---------------------------------------------------

+ Messages received - Total:          767628

+ Messages received - Last 24 hours:  767628

+ Messages received - Since Midnight: 767628

+ Messages received - Last hour:      0

+ Message queue overflow - Last hour: 0

+ Messages received - This hour:      767628

+ Message queue overflow - This hour: 0

+ Messages per hour - Average:        767628

+ Messages forwarded:                 775368

+ Messages logged to disk:            767587

+ Errors - Logging to disk:           0

+ Errors - Invalid priority tag:      0

+ Errors - No priority tag:           602

+ Errors - Oversize message:          464

+ Disk space remaining on drive C:    3904 MB

    Breakdown of Syslog messages by severity  

+--------------------+------------+------------+

| Message Level      |  Messages  | Percentage |

+--------------------+------------+------------+

| 0 - Emerg          |        17  |      0.00% |

| 1 - Alert          |        10  |      0.00% |

| 2 - Critical       |       504  |      0.07% |

| 3 - Error          |     26356  |      3.43% |

| 4 - Warning        |    619384  |     80.69% |

| 5 - Notice         |     61780  |      8.05% |

| 6 - Info           |     58963  |      7.68% |

| 7 - Debug          |       614  |      0.08% |

+--------------------+------------+------------+

Message Buffer Information

==========================

Message Queue Max Size: 500000

Message Queue overflow: 18858

Message Count:          500000

Message Count Max:      500000

Percentage free:        0

Any help would be appreciated

Thanks

John

SolarWinds Event Log Fowarder(1.2.0.114) TCP Issue

After Kiwi Syslog Server's service re-started, the reconnection problem had occurred on SolarWinds Event Log Fowarder(1.2.0.114) TCP protcol.

To re-produce:

1)Kiwi Syslog Server

Setup>Inputs>TCP Enabled and Port: 5140

2)SolarWinds Event Log Fowarder(1.2.0.114)

Port: 5140

Protocol:TCP

3)Kiwi Syslog Server's service re-started

SolarWinds Event Log Fowarder(1.2.0.114) did not forward to Windows EventLog to KSS through TCP.

Please see the following Packet capture:

Please fix this issue.

I have an issue wherein syslog messages from one host are being duplicated. We have a Secure Tunnel client running at one site, with network devices set up to send syslog messages to this client. No syslog messages from any other network device at this site are duplicated. I have verified that this appears to be a Secure Tunnel issue by configuring the offending network device to send syslog messages directly to the Kiwi Syslog Server. When this is done, only one syslog message is logged. When I reconfigure the network device to log to the Secure Tunnel client, two identical syslog messages are logged. I have also verified that there is only one syslog configuration line in the network device (i.e. that it is not configured to send syslogs both directly to the Syslog Server and to the SecureTunnel client.) This is eating up twice as much filespace, obviously... any help would be appreciated.