Hello guys,
I setup kiwi syslog server and could receive message from other devices, such cisco switch 2960, 5510, and windows server. But can not get any message from 3750. I enclosed 3750 configuration as below. Please help to take a look and where am I wrong. Thank you.
logging trap notifications
logging facility local5
logging 192.168.0.51
Hi all,
New here, searched for discussions but found no entry on procurve switch(es).
The Procurve switches will not send any syslog messages (wiresharked the server)
Turned on logging on the switch: logging 'ip-address'
show debug
Debug Logging
Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server
Protocol = UDP
Port = 514
Facility = user
Severity = info
System Module = all-pass
Priority Desc =
tried facility 'syslog' still nothing.
Only the Procurve switches will not send any syslog messages.
Other devices such as Cisco ASA's work fine.
Anyone ideas to solve this?
TIA Jaap
I am consistently getting warnings from SAM that the DB Cache folder the kiwi syslog (\\${IP}\c$\Program Files (x86)\Syslogd\DBCache) contains files. The warning in SAM indicates that the log to database action is falling behind or failing. I do not see anything in the documentation regarding this warning. Does anybody know how this affects the kiwi syslog and how concerned I should be? I would like to add more devices to send syslog information but am concerned kiwi will have more of these files in the DBCache. Currently I am seeing about 47K MPH in Kiwi. Has anybody else seen this message from SAM, or have any suggestions for possible solutions?
Thanks,
Caleb
Kiwi Syslog Server 9.4.2 installed on Windows 2008 R2 Standard, 8 GB ram, 200 GB HD.
Using the log to database action to Microsoft SQL Server 2008 R2, 8 GB ram, 100 GB HD
SAM 6.1.1 Application component File Count: DBCache Folder for Kiwi Syslog Server
Hi all.
I have just installed Kiwi Syslog Server 9.5 on a test machine to evaluate its suitability for a project I'm working on. It's currently still running in 14-day Evaluation mode.
We can't seem to get it to receive SNMP traps at all. No matter what we do, netstat shows nothing listening on UDP port 162. SNMPv1 traps are being sent to the server, and we can see them in Wireshark arriving at the server, but Kiwi isn't listening for them.
In desparation, we tried enabling the Windows SNMP Trap service (although we understand this isn't required?) and this 'absorbed' the traps, but nothing appeared in Kiwi.
The test machine is running Windows 7 (32-bit) with the Windows Firewall switched off.
Should the 14-day Evaluation be able to receive SNMP traps?
Thanks in advance for any advice!
I am trying to connect to kiwi syslog server in secure TCP mode. From my client side (c# code) I try to connect to kiwi syslog sever using TLS 1.2 protocol. But SSL Handshake from server is set to TLS 1.0
I installed kiwi server in Windows 7 SP1 and enabled TLS 1.2 in the system by modifying the system registry.
SSL handshakes captured using Network monitor are given below
Client HandShake
Server HandShake
Client side code( c#)
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
var tcpClient = new TcpClient(hostname, port);
var tcpClientStream = tcpClient.GetStream();
var sslStream = new SslStream(tcpClientStream, false, ValidateServerCertificate)
{
ReadTimeout = timeout,
WriteTimeout = timeout
};
sslStream.AuthenticateAsClient(hostname, new X509CertificateCollection(), System.Security.Authentication.SslProtocols.Tls12, false);
Hello,
I have installed kiwi syslog server 9.6.3.3 eval version and trying to configure syslog in TCP SSL mode.
First, these are the steps I following to configure the server:
a) created a self signed certificate using java keytool.
b) imported into windows certificates personal and trusted roots folder.
c) selected the imported certificate in kiwi setup configuration.
After following the above steps , I got below error in Event log file.
2017-11-29 16:40:06 Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided.
After googling for this error, I got below link and used IIS server to create a self-signed certificate
Re: Kiwi Syslog Server does not display secure ASA syslogs
After configuring certificate which is generated from IIS, I started getting below error.
2017-11-30 12:37:30 Source: C:\Windows\SysWow64\mswinsck.ocx Error: Socket is non-blocking and the specified operation will block
But , I was able to receive messages in SSL mode using java code running in same box where syslog server is installed. If I try to run same java code from any box other than kiwi server, it is not receiving messages.
Observed similar behavior for TCP mode as well.
How to check syslog server is configured correctly or not? Is there any way to do that?.
Thanks in Advance!!
I use kiwi syslog server a lot for testing syslog. It seems like in the latest version there are issues with TCP. I'm verifying with the Kiwi Syslog Message Generator. Seems like with syslog server version 9.4.1 TCP connects and works, but in latest version 9.6.3 it does not connect for some reason. When I try to connect TCP with message generator it says "TCP session remotely disconnected" using the same tool the same exact way, it works with version 9.4.1. I'm using the syslog message generator tool on the same machine as the syslog server. Is this a known issue, or am I missing something? Any suggestions or help would be much appreciated. Thank you very much.
how to setup snort-log link to syslog server?
in snort.conf (windows 7 32 bits)
output alert_syslog: host=127.0.0.1:8080, LOG_AUTH LOG_ALERT
command :
snort -i 1 -c c:\snort\etc\snort.conf -s
then get a file in c:\snort\log\snort.log.1493058792.
please tell me, how to send log to syslog server?
thank you
i installed log forwarder 2.1.0 on my windows server 2008. i set my kiwi syslog server, i configured subscription for sending system logs from my server. when i click to test button, the test is ok, but in event viewer i receive in log solariwinds.net i receive message
Unable to setup Windows Event Log subscribers. Subscribe failed with error 15001, The specified query is invalid.
also, my kiwisyslogserver does not receives messages. where is problem
Is there any way for me to export Kiwi Syslogs. I want to be able to export the syslogs from a licensed Kiwi server into another database for viewing. Specifically the NPM database. I would think that there would have been something to do this already since both are SolarWinds products, but I am unable to find it.
I want to be able to take the logs off the Kiwi server and view them elsewhere, without viewing through Kiwi. I want to view them through NPM, but I guess I can get by viewing them through something like Access. Is there a way (even if it isn't easy) to do this?
Hello,
I just installed Syslog on a Windows 8 VM (ESXi 5.5).
However... I don't received any message from the router (Cisco RV042G) I want to log.
I tried the generic troubleshhoting :
• Check network connectivity by pinging from the sending device to the Syslog Server machine => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled
• Use a sniffer to check if messages from the routing are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)
Do you have any idea about the cause of this issue ?
Thanks in advance for your help.
We have a couple of Forescout NAC devices. They are configured to forward to our local Kiwi servers, and then rules on the Kiwi are supposed to be sending warning & above messages to the main Orion server. Unfortunately, I have oodles (technical term) of info messages showing in the main repository. I'm pretty sure the Kiwi rules are correct (they are working for other devices) but our on site security guy isn't a Forescout expert, so he hasn't been able to see anything wrong on the NAC itself. I'm thinking we have it set to forward directly to Orion under a different facility, but that's a pure guess. From what I've seen of the NAC's SYSLOG setup there aren't drop downs to look at different facilities.
Does anyone have experience with this? Thanks in advance!
I've setup the Solarwinds Log Forwarder to send to a Kiwi Syslog box but the messages are getting extra characters added:
Bad:
Jul 30 2009 04:06:36 RHCFILE01 %Security: Security : Successful Network Logon:<013><010><013><010><009>User Name:<009>RHC-74X1SH1$<013><010><013><010><009>Domain:<009><009>REDHAWK<013><010><013><010><009>Logon ID:<009><009>(0x0,0x519E523F)<013><010><013><010><009>Logon Type:<009>3<013><010><013><010><009>Logon Process:<009>Kerberos<013><010><013><010><009>Authentication Package:<009>Kerberos<013><010><013><010><009>Workstation Name:<009><013><010><013><010><009>Logon GUID:<009>{c8240591-1ba0-e617-a909-569d830ada64}<013><010><013><010><009>Caller User Name:<009>-<013><010><013><010><009>Caller Domain:<009>-<013><010><013><010><009>Caller Logon ID:<009>-<013><010><013><010><009>Caller Process ID: -<013><010><013><010><009>Transited Services: -<013><010><013><010><009>Source Network Address:<009>172.16.22.28<013><010><013><010><009>Source Port:<009>0
Good:
Security: 540: REDHAWK\RHC-54J1NH1-LT$: Successful Network Logon: User Name: RHC-54J1NH1-LT$ Domain: REDHAWK Logon ID: (0x0,0x4FE6C2FF) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {7f0bd825-0e9f-8f8a-5a4d-e5227e264dbe} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 172.16.22.148 Source Port: 0
Any ideas what could be causing this?
Hi,
I have recently been handed over Kiwi Syslog server to manage which has both Fat Client and Web Server. Fat Client is directly logged in however Web console could not be logged in. When I checked regarding the password of "Administrator", I have been informed that resource handling it has left long ago and there is no one to tell.
Is there a way we can reset the password of Administrator or create a new user from Syslog Fat Client. I cant raise the request with Support as we do not have active maintanence.
Thanks,
Syed
1st time starting a discussion.
1st time working with Kiwi Syslog.
Let me know if I'm in the wrong place.
I am very new to Syslog Servers.
I'm a Route/Switch type guy.
We are using Kiwi Syslog to get Call Manager Call Traces for troubleshooting.
This Instance of Kiwi Syslog was working fine as a Guest VMware Server on a Host Server.
We used the app Veeam to move the Kiwi Syslog VMware Guest Server to another Host.
This issue started after the copy/move of the Kiwi Syslog
No IP addresses were changed, it's on the same network as before.
It starts up, logs are being received, and then they stop.
If you try to start the service, it tells you it's already running.
At the bottom of the Kiwi Syslog Service Manager, you can see the MPH indicator has stopped.
Looking at the correct folder I can see the logs are no longer being received.
If I stop the service and start the service it starts.
There is a script that tells it to restart every morning at 4am, and it will do this.
Below is the error event seen when it stopped last time.
Windows Server 2012 R2
64 -bit OS
Has anyone seen this type of issue before?
Any help would be greatly appreciated,
Mhaley
Hi everyone,
I wonder if Kiwi Syslog Server has any limitation on how many servers that it can collect the logs from or how many servers can send the logs to the syslog server?
I know the Web Access has 4GB db limitation. What is the best practice for this limitation when you have more than 10 servers sending the logs to syslog server? I don't want to see only 1 or 2 day logs every day from Web Access. I hope at least 4GB db limitation can store like a month logs of all 10+ servers. I am trying first with the windows event logs (using the free tool Solwarwinds Event Log Forwarder)
Is there any limitation that i should be aware with Kiwi Syslog Server and Event Forwarder tool?
Another question:
Does Solarwinds Event Log Forwarder can work with other vendor syslog server? If so, which vendor and which syslog server product is that?
Thanks in advance!
Hello folks.
My Kiwi Syslog is merging 2 or more hostnames (devices) in the same file when: "Log to file Action".
For example, i have 3 devices:
In the root folder of files, i had 3 folders, one for each hostname.
The 10.168.1.201 and 10.168.1.202 are logging correctly. But when i should have the 10.168.1.20 logs, i have a merge of 10.168.1.201 and 10.168.202 (without the 10.168.1.20).
I check another scenario (that i consider worse)...
I had a file log from 10.120.1.2. But this device don't exist.
IN this file, are logged 6 devices: 10.120.1.20, 10.120.1.25, 10.120.1.26, 10.120.1.27, 10.120.1.28 and 10.120.1.29.
The logs below, are in same file:
| 2015-02-10 00:10:19 | Local4.Warning | 10.120.1.2 | Feb 10 2015 02:10:19 HQ-BL1-HW9306-A1 %%01LLDP/4/BAD_PACKET(l)[2159934]:8 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/14. |
| 2015-02-10 00:11:26 | Local4.Warning | 10.120.1.2 | Feb 10 2015 02:11:26 HQ-BL1-HW9306-A3 %%01LLDP/4/BAD_PACKET(l)[3194428]:6 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/19. |
| 2015-02-10 00:11:45 | Local4.Warning | 10.120.1.2 | Feb 10 2015 02:11:45 HQ-BL1-HW9306-A2 %%01LLDP/4/BAD_PACKET(l)[6928978]:7 invalid packets were received after latest notification. The last invalid packet came from interface GigabitEthernet1/0/4. |
| 2015-02-10 00:11:46 | Local4.Info | 10.120.1.2 | Feb 10 2015 02:11:46 HQ-BL1-HW9306-A5 %%01MSTP/6/SET_PORT_LEARNING(l)[2711307]:In process 0 instance 0, MSTP set port GigabitEthernet2/0/29 state as learning. |
Is a bug, or some misconfigured of my part?
Looking forward for a help,
Regards Fold
I have logs saved to separate files every day. At the end of the quarter, I will need to look thru the logs to collect statistics for the report.
Is there a way for me to use Syslog Web Access to look thru the old log files and filter out information that I need?
I am using Syslog v9.5
My syslog server archives the data into text files. How do I create reports from or view that data without using a text editor? Can I open the archived syslog data using the Syslog Web Access?
according to the FAQ.. Our software is built and tested to support more than two million messages an hour without tuning. (That would support more than 500 machines each sending one message a second.)