Wrong IP showing as from 127.0.0.1 ?
Folks, I have three Ciscos that are added as devices in Kiwi. Each sends the correct info to the syslog server as tested with Wireshark. Kiwi shows the correct source IP from two machines but shows the other as 127.0.0.1. Thing is, it is random. If I delete the working device and restart Kiwi, the non-working one from before the delete/restart now shows correct? I am on the 5 licence latest version on WinXP SP3 Pro server, all ports default. If I shut down Kiwi and run The Dude, its syslog page shows the correct IP from all the remote Cisco devices (10.1.0.50). Any ideas?
Kiwi - Palo Alto User ID agent
I have written a perl script to take data from Kiwi, parse out some information and pass it into our Palo Alto UserID agent. It runs fine when I pass the message in on the command line but when I have kiwi run it (so to pull the data from kiwi) it fails with an error:
Error Info: invalid charater on line 1
My script looks like this:
use PAN::API;

sub Main() {
    # Kiwi hands the message to PerlScript through the Fields host object;
    # hash-style property access is assumed here (the original used the
    # VBScript/JScript form Fields.VarCleanMessageText, which is not Perl)
    my $string = $Fields->{VarCleanMessageText};
    my $SERVER = '127.0.0.1';
    my ($username, $ip_address);

    # Extract user and IP from string. Capture groups in this pattern:
    # $1 domain, $2 delimiter ('.', '+' or whitespace; $3 only holds the
    # whitespace alternative), $4 user, $5 separator, $6 IPv4 address
    if ($string =~ /(\w+)([.+]|(\s))(\w+)(\s|\+|.)(\d+\.\d+\.\d+\.\d+)/) {
        $username   = "$1\\$4";  # domain\user
        $ip_address = $6;        # was $7, a group this pattern never defines
    } else {
        return "OK";             # nothing to post when the message doesn't match
    }
    print "$username : $ip_address \n";

    # Create User ID API connection
    my $uid = PAN::API::UID->new($SERVER);
    # Post data to agent (the original passed the undefined $name/$address here)
    $uid->add('login', $username, $ip_address);
    $uid->submit();
    return "OK"; # return value for Kiwi
}
Thanks for any guidance.
Kevin
Syslog message duplicated
I have an issue wherein syslog messages from one host are being duplicated. We have a Secure Tunnel client running at one site, with network devices set up to send syslog messages to this client. No syslog messages from any other network device at this site are duplicated. I have verified that this appears to be a Secure Tunnel issue by configuring the offending network device to send syslog messages directly to the Kiwi Syslog Server. When this is done, only one syslog message is logged. When I reconfigure the network device to log to the Secure Tunnel client, two identical syslog messages are logged. I have also verified that there is only one syslog configuration line in the network device (i.e. that it is not configured to send syslogs both directly to the Syslog Server and to the SecureTunnel client.) This is eating up twice as much filespace, obviously... any help would be appreciated.
Sending events from Cisco 3750 switch
Hello,
I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.
Should the following work:
Switch(config)# logging on
Switch(config)# logging <Syslog Server IP>
Switch(config)# logging trap error
This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?
Should this work or is there a "Supported" switch configuration that I should be using.
Thank you,
Chris
Filter Web Access
I need to create some filters that show only the messages that appear inside the filter, for example to show in the web access only the posts that had "STP" and "BGP". Is there this possibility?
Thanks
Log Forwarder for Windows v1.1 not sending test emails
Does anyone know what could be causing the Log Forwarder test email not to be received by the syslog server?
I can see the test is generating an event log on the originating server via the event viewer
The server is Window 2008 R2
I can ping the syslog server
I have rebooted server and ensured the Log Forwarder service is running and also the SNMP is set up correctly.
The syslog server works fine for other Windows 2008 R2 servers on the domain
I have tried repairing Log Forwarder - tna
Any help would be gratefully received
Mat
Error: "Trial version of activeskin control" after upgrading to current Kiwi Syslog version 9.4.0
After upgrade, when I start the Kiwi Syslog app I get a box that comes up and says "Trial version of ActiveSkin control" and I need to click OK. Anyone else see this?
Debbi
KiwiSyslog Evaluation - Log4Net and XML
Hello,
I've started evaluating KiwiSyslog Server.
We will be using KiwiSyslog Server (GUI and web client) to listen to UDP traffic broadcast by our applications via the Log4Net library.
I was able to receive the traffic in the following default form, which is not what I'm looking for.
I contacted Sales Support and they told me to search the forums (nothing relevant found) and post a thread here if I still need assistance.
I would be glad for some assistance because this syslog server does exactly what we need, but the output formatting is too raw.
The default fields look like this:
Date, Time, Priority, Hostname, Message.
I'm not interested in these fields except Message, which contains all the relevant information.
The problem is that the "Message" field is in "Log4Net" format, which is basically a kind of XML.
I've tried writing custom scripts but wasn't able to succeed.
I would be glad for some assistance in parsing this output and using these fields.
Here is an example of the "Message" syntax:
<log4net:event logger="Logger" timestamp="Timestamp" level="Level" thread="Thread" domain="Domain" username="Username">
<log4net:message>Message</log4net:message>
<log4net:properties>
<log4net:data name="DataName" value="DataValue"/>
</log4net:properties>
<log4net:locationInfo class="Class" method="Method" file="File" line="Line"/>
</log4net:event>
In the above format, the bold black text marks the fields whose values should be the content of these attributes/keys.
Thanks in advance,
Idan.
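An added example (not code from the original post, from Kiwi or from log4net) of pulling the fields out of that "Message" structure with regular expressions instead of an XML DOM, so it runs offline under Node.js. It is written in ES3-style syntax so the same functions could be pasted into a JScript-based Kiwi script, but that is an assumption; only the Node.js run is tested here, and the sample event is constructed.

```javascript
// Constructed sample of the "Message" field from the post, with the
// placeholder values replaced by realistic ones (not a captured event).
var SAMPLE_EVENT =
  '<log4net:event logger="App.Auth" timestamp="2013-09-17T00:02:56.123+02:00" ' +
  'level="WARN" thread="12" domain="WebApp" username="CORP\\svc_web">' +
  '<log4net:message>Login failed for user &lt;jsmith&gt; from 10.1.0.50</log4net:message>' +
  '<log4net:properties>' +
  '<log4net:data name="log4net:HostName" value="web01" />' +
  '<log4net:data name="RequestId" value="a1b2c3" />' +
  '</log4net:properties>' +
  '<log4net:locationInfo class="App.Auth.LoginHandler" method="Handle" ' +
  'file="C:\\src\\LoginHandler.cs" line="88" />' +
  '</log4net:event>';

// Undo the escaping log4net applies to element text and attribute values;
// &amp; is decoded last so "&amp;lt;" does not turn into "<".
function decodeXmlEntities(text) {
  return text
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

// Turn the attribute list of one tag (name="value" ...) into an object.
function parseAttributes(attrText) {
  var attrs = {};
  var re = /([\w:.-]+)\s*=\s*"([^"]*)"/g;
  var m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1]] = decodeXmlEntities(m[2]);
  }
  return attrs;
}

// Return the event's attributes plus message, properties (name -> value)
// and location, or null when the text is not a log4net event at all
// (e.g. a plain syslog line arriving on the same UDP port).
function parseLog4netEvent(xml) {
  var head = /<log4net:event\b([^>]*)>/.exec(xml);
  if (!head) { return null; }
  var event = parseAttributes(head[1]);
  var msg = /<log4net:message>([\s\S]*?)<\/log4net:message>/.exec(xml);
  event.message = msg ? decodeXmlEntities(msg[1]) : '';
  event.properties = {};
  var dataRe = /<log4net:data\b([^>]*?)\/?>/g;
  var d;
  while ((d = dataRe.exec(xml)) !== null) {
    var a = parseAttributes(d[1]);
    if (a.name !== undefined) { event.properties[a.name] = a.value; }
  }
  var loc = /<log4net:locationInfo\b([^>]*?)\/?>/.exec(xml);
  event.location = loc ? parseAttributes(loc[1]) : null;
  return event;
}
```

The returned object is what a Kiwi script would then copy into the display fields it cares about (level, logger, message), instead of showing the raw XML.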
Kiwi Syslog not capturing syslogs
Installed Kiwi Syslog Free version 9.3.4 on Windows Server 2008 R2. Trying to capture syslog from a Cisco ASA 5510. I have confirmed that the syslog events are hitting the server with Wireshark. Nothing is coming through to Kiwi Syslog. Current settings are all default. No filters in place. Not sure what is wrong as I can see the syslog messages coming through Wireshark. Any ideas as to why the syslog messages are not being seen by Kiwi?
No events coming through to the Syslog server
We recently purchased Kiwi Syslog Server ver 9.3.1. I have installed it on a server. I have enabled the logging on my devices to this host. I have also enabled my logging events on my Cisco devices. I see no events coming through to the Syslog server. Have I forgotten to set something up? Any help would be gladly appreciated.
(Posting it for a customer)
TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7
Hi all,
My first post; I wish to share with you some tips I found.
My main goal was to have access to the Kiwi web site working with SSL...
But looking at the Cassini Web Server, it wasn't possible.
After searching more on this forum I found a post about a rewriting module with Apache; so why don't we do it with IIS?
Here we go!
Setup
- Win 2008 R2, IIS 7 (with auth modules etc...), at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, cert installation etc.... sorry).
- We will use the ARR 2.0 module x64 for IIS... See References at the bottom for the download link; install it.
- A running Kiwi Syslog Server with Web Access working on port 8088. Access via a browser works on this port.
Goal
- Enable the rewrite/proxy module in IIS
- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090
- Create a rule to rewrite requests from 8090 to 8088
- When connecting on https://server:8090, we should see the Kiwi web page.
HOW TO
1. Enabling the rewrite module
"C:\Windows\System32\inetsrv\appcmd.exe" set config -section:system.webServer/proxy /enabled:"True" /commit:apphost
2. New Site creation
set syslogwebdir=c:\inetpub\syslog
set syslogsitename=SYSLOG
"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"
3. Attach the SSL Certificate to the Binding 8090
3.1 With batch/cmd line (copy/paste to a BAT file)
set CERTHASH=EnterYourHashHere
netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}
3.2 With IIS Manager (if you don't know where to read the certificate hash).
- Right-click on the SYSLOG site, modify Bindings.
- Select the https 8090 * listener > Modify.
- In the "SSL Certificate" box, choose your certificate for the server.
- "OK"
4. Create the rule (copy/paste to a BAT file)
set syslogsitename=SYSLOG
set syslogrulename="Rewrite to Kiwi localhost 8088"
:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']
:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"
5. End
Test with your browser: https://localhost:8090/
Now you can access this new SSL web site from an "admin desktop"...
Configure your firewalls to forbid access to port 8088 on this server (and/or configure the internal Windows Firewall of this server to allow only localhost connections on 8088).
6. Refs Used
http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/
---
At the beginning I was thinking of using http://mysite/syslog/ as a virtual directory, but I got some trouble with events.aspx and the rewrite module.
Inbound rules were OK, but outbound rules to rewrite URLs were not working as expected, and filters in Kiwi were not working anymore.
That's why I decided to create a new site on another binding, with a root site, so there is no need to create outbound rules...
---
Sorry for my English... I'm French :)
Email statistics buggy since v9.4
I've just upgraded to v9.4 and discovered an issue...
I've been using the email statistics functionality for a long time and it worked correctly till v9.3.4.
I've set the "for every" option to 24 hours, and the mail is always sent at midnight (12:00 AM + some minutes/seconds).
Now I'm still receiving the mail correctly, but its content is partially reset at midnight.
Here is a sample mail:
---
/// Kiwi Syslog Server Statistics ///
---------------------------------------------------
24 hour period ending on: Tue, 17 Sep 2013 00:02:56
Syslog Server started on: Wed, 11 Sep 2013 11:33:10
Syslog Server uptime: 5 days, 12 hours, 27 minutes
---------------------------------------------------
+ Messages received - Total: 3046381
+ Messages received - Last 24 hours: 776286
+ Messages received - Since Midnight: 197
+ Messages received - Last hour: 7545
+ Message queue overflow - Last hour: 0
+ Messages received - This hour: 3441
+ Message queue overflow - This hour: 0
+ Messages per hour - Average: 32202
+ Messages forwarded: 0
+ Messages logged to disk: 212
+ Errors - Logging to disk: 0
+ Errors - Invalid priority tag: 0
+ Errors - No priority tag: 0
+ Errors - Oversize message: 0
+ Disk space remaining on drive D: 107889 MB
---------------------------------------------------
Breakdown of Syslog messages by sending host
+--------------------------+------------+------------+
| Top 25 Hosts | Messages | Percentage |
+--------------------------+------------+------------+
| router | 197 | 100,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
| | 0 | 0,00% |
+--------------------------+------------+------------+
Breakdown of Syslog messages by severity
+--------------------+------------+------------+
| Message Level | Messages | Percentage |
+--------------------+------------+------------+
| 0 - Emerg | 0 | 0,00% |
| 1 - Alert | 0 | 0,00% |
| 2 - Critical | 0 | 0,00% |
| 3 - Error | 0 | 0,00% |
| 4 - Warning | 0 | 0,00% |
| 5 - Notice | 0 | 0,00% |
| 6 - Info | 197 | 100,00% |
| 7 - Debug | 0 | 0,00% |
+--------------------+------------+------------+
Custom statistics
-----------------
CustomStats01: 0
CustomStats02: 0
CustomStats03: 0
CustomStats04: 0
CustomStats05: 0
CustomStats06: 0
CustomStats07: 0
CustomStats08: 0
CustomStats09: 0
CustomStats10: 0
CustomStats11: 0
CustomStats12: 0
CustomStats13: 0
CustomStats14: 0
CustomStats15: 0
CustomStats16: 0
End of Report.
---
The first summary part seems to be OK.
But the Top 25 hosts and the severity dispatching are reset at 00:00, instead of showing data for the past day!
Therefore, the 197 messages are only those received since midnight, as the mail was sent at 00:02:56.
So, either there's an unwanted clearing of counters (at 00:00 instead of after the mail was sent), or there should be a more precise scheduling option (every XX hours is not precise at all!) where, for example, it would be possible to specify the time of sending (00:00 or 23:59)...
I was using this data for statistics, but it's now completely useless!!!
For me, this is clearly a bug that appeared in v9.4...
What's your opinion?
In that case, can you correct it, please?
Kiwi Syslog 9.2 on Windows 2008 R2
Installed 9.2 on Windows Server 2008 R2, coming from Windows 2003 R2 (8.2.8). Redirected Cisco ASA 5510 logs to the new server, but the only time Kiwi logs anything is at about 10:00pm Sunday nights. If I point the ASA back to the Windows 2003 server, it logs normally. I have exported and imported the configuration from the 8.2.8 version as well. Nothing seems to get the new Windows 2008 R2 9.2 version to actually log. This is still in evaluation mode. The 2008 R2 does not have a firewall running (and we even allowed it through beforehand), nor any A/V software with a firewall. It is odd that it works at 10:00pm on two consecutive Sundays, but not at any other time.
How to Split Logs to Multiple Displays in Kiwi Syslog Server
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.
External link to Jing: Multiple Displays - justinfinley's library
Video Guide:
- 0:00 Unfiltered display (Display 00)
- 0:10 Showing the rule that sends all messages to Display 00
- 0:20 Changing the unfiltered display from Display 00 to Display 05
- 0:25 Checking that the switch happened
- 0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
- 1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
- 2:05 Checking that the new filters work
- 2:25 Renaming "Display 05" to "All Messages"
- 2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
- 3:10 Checking that the display renaming worked
Remember to "LIKE" this if you find it useful - that helps others find it too!
How to Split Log Files by IP Address and Date in Kiwi Syslog Server
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")
External link to Jing: autosplit - justinfinley's library
Video Guide:
- 0:00 Opening Kiwi Syslog's configuration dialog
- 0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
- 0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date
Remember to "LIKE" this if you find it useful - that helps others find it too!
Kiwi Syslog 9.4 is Now Available!
We are pleased to announce the general availability of Kiwi Syslog v9.4.
This version includes the following enhancements:
- New UltiDev Web Server implementation.
- Active Directory authentication for web access.
- SSL (https) support for Web Access
- Alerting for Message Queue Monitor based on defined thresholds.
Kiwi Syslog v9.4 is available for download in your customer portal for those customers under current Kiwi Syslog maintenance.
You can view the full set of release notes, including problems fixed here.
Enjoy Kiwi Syslog 9.4!