Channel: THWACK: Popular Discussions - Kiwi Syslog

Kiwi Syslog Server limitations


Hi everyone,

 

I wonder if Kiwi Syslog Server has any limitation on how many servers it can collect logs from, or how many servers can send logs to the syslog server?

I know Web Access has a 4GB db limitation. What is the best practice for this limitation when you have more than 10 servers sending logs to the syslog server? I don't want to see only 1 or 2 days of logs from Web Access. I hope the 4GB db limitation can store at least a month of logs from all 10+ servers. I am trying first with the Windows event logs (using the free SolarWinds Event Log Forwarder tool).

Is there any limitation that I should be aware of with Kiwi Syslog Server and the Event Log Forwarder tool?

Another question:

Can SolarWinds Event Log Forwarder work with other vendors' syslog servers? If so, which vendor and which syslog server product?

 

Thanks in advance!


TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7


HI all,

 

My first post; I wish to share some tips I found.

My main goal was to have access to the Kiwi web site over SSL...

But looking at the Cassini Web Server, it wasn't possible.

After searching more on this forum I found a post about a rewriting module with Apache; so why don't we do it with IIS?

Here we go!

 

Setup

- Win 2008 R2, IIS 7 (with auth modules etc.), and at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, certificate installation etc. ... sorry).

- We will use the ARR 2.0 module x64 for IIS. See References at the bottom for the download link; install it.

- A running Kiwi Syslog Server with Web Access working on port 8088. Access via a browser works on this port.

 

Goal

- Enable the rewrite/proxy module in IIS

- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090

- Create a rule to rewrite requests from 8090 to 8088

- When connecting on https://server:8090 , we would see Kiwi Web page.

 

HOW TO

1. Enabling the rewrite module

"C:\Windows\System32\inetsrv\appcmd.exe" set config  -section:system.webServer/proxy /enabled:"True"  /commit:apphost

 

2. New Site creation

set syslogwebdir=c:\inetpub\syslog

set syslogsitename=SYSLOG

"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"

 

3. Attach the SSL Certificate to the Binding 8090

3.1 With batch/cmd line (copy/paste to a BAT file)

set CERTHASH=EnterYourHashHere

netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}

 

3.2 With IIS Manager (if you don't know where to read the certificate hash).

- Right-click on the SYSLOG site, modify Bindings.

- Select the https 8090 * listener > Modify.

- In the "SSL Certificate" box, choose your certificate for the server.

- "OK"

 

4. Create the rule (copy/paste to a BAT file)

set syslogsitename=SYSLOG

set syslogrulename="Rewrite to Kiwi localhost 8088"

:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']

:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"

5. End

 

Test with your browser: https://localhost:8090/

Now you can access this new SSL web site from an "admin desktop" ...

Configure your firewalls to forbid access to port 8088 on this server (and/or configure this server's Windows Firewall to allow only localhost connections on 8088).

 

 

6. Refs Used

 

http://learn.iis.net/page.aspx/659/reverse-proxy-with-url-rewrite-v2-and-application-request-routing/

http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/

 

---

 

At the beginning I was thinking of using http://mysite/syslog/ as a virtual directory, but I got some trouble with events.aspx and the rewrite module.

Inbound rules were OK, but outbound rules to rewrite URLs were not working as expected, and filters in Kiwi were not working anymore.

That's why I decided to create a new site on another binding, with a root site, so there is no need to create outbound rules ...

 

 

---

 

Sorry for my English ... I'm French :)

Syslog Not Receiving SMDR Entries


I have tried Kiwi Syslog and it isn’t working.

 

Here's the situation:

          I have a virtualized Avaya PABX solution.

The server is on a virtual machine.

There is a virtual PC (Windows 7) for management.

They are on the same host and network.

All firewalls are off.

 

Kiwi Syslog is installed on the virtual PC, configured to listen on both UDP and TCP on port 514. I have tried all manner of data encoding. I am not using a "bind to" address, but I have tried it.

Avaya logs show it sending the SMDR output to the PC's IP address on port 514.

75338830mS CDR: SMDR OUTPUT  '2016/06/14 10:47:59,00:00:05,15,XXX320400@XXX.XXX.253.232,I,7002,94140858,,0,1000037,0,T9009,Line 9.1,V9500,VM Channel 0,0,0,,,,,,,,,,,,,,10.10.10.160,1270,10.10.10.160,1273'

75338830mS CDR: Using TCP to send data len 174 to 10.10.10.165 on port 514

 

Putty and Wireshark show it hitting the PC on port 514.

Kiwi Syslog doesn’t show it in the display or save it into the configured destination.

 

I have tried the free version of Kiwi Syslog (9.5.1) and an evaluation version (9.5.1).  Neither receives anything.  I have seen other people post a similar problem and they resolved it by using an older version.

 

Any suggestions?

Event log forwarder not forwarding log messages when logged in to a domain account.


Hi,

 

First I am new here.

 

Currently I am having an issue where, when I log in as a domain user from my Windows PC, no logs are forwarded to my syslog server. I did a test log and it works correctly, but only when I log in as a local user on my computer.

Overall, when I log in as a local user it forwards log messages according to the subscription and preview functionality. When I try logging in as a domain user, it does not work.

I would appreciate it if you would assist me with this issue.

SolarWinds LogForwarder 1.2 NOT WORKING


I have installed the kiwi syslog server 9.5 and I am using the SolarWinds LogForwarder 1.2 on all the other servers and endpoints to send the logs to the kiwi syslog server.

 

 

I noticed that I am not receiving any logs from the servers, only from network devices (switches, routers, etc.). I checked to see if the Log Forwarder for Windows was running, and noticed that it was not. I manually started the service, and some time after that the service stopped. I checked the Event Viewer application log and saw the following, each in a separate entry:

 

 

  1. Service started successfully.
  2. Server Initialization Failed.  See previous event messages for reason.
  3. SolarWinds Event Log Forwarder for Windows; Service Stopped.

 

I have SolarWinds LogForwarder 1.2 installed on w2k8r2 and w2k12r2 servers. I opened the log forwarder service log and saw this:

 

1/26/2017 4:57:57 PM - SolarWinds Event Log Forwarder for Windows; Service Started.

1/26/2017 4:58:58 PM - Configuration File Reloaded at 1/26/2017 4:58:58 PM

1/26/2017 5:30:10 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 5:30:10 PM - Configuration File Reloaded Failed at 1/26/2017 5:30:10 PM

1/26/2017 9:24:23 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:24:23 PM - Configuration File Reloaded Failed at 1/26/2017 9:24:23 PM

1/26/2017 9:27:29 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:29 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:29 PM

1/26/2017 9:27:33 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:33 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:33 PM

1/26/2017 9:27:41 PM - Unable to setup Windows Event Log subscribers.  Subscribe failed with error 15001, The specified query is invalid.

1/26/2017 9:27:41 PM - Configuration File Reloaded Failed at 1/26/2017 9:27:41 PM


Can anyone help?

SolarWinds.SyslogServer.Engine.log


Hi, I was hoping someone can explain the log files ('SolarWinds.SyslogServer.Engine.log') created in the Syslogd folder to me. What purpose do they serve? Are they safe to delete? Can I set them to be created in a different directory?

 

Thank you.

Kiwi Syslog Server fails to send mail (SMTP error) and [10060] connection time out


I am using a syslog server to receive logs from my firewall. I am trying to send the logs from my syslog server to my private email, but I keep getting the error: SMTP protocol error 535 5.7.3 authentication unsuccessful [BN4PR13CA0020.namprd 13.prod.outlook.com

I get this error when using TLS as security.

 

But when I use SSL as security I get this error: mail error: [10060] connection time out.

Please help me; this is an exam thing for my school.

kiwi syslog service crashes


I successfully installed Kiwi Syslog Server (latest version) and successfully received 18.8 million logs in 5 – 6 hours; after that the application crashes, and every time I restart the service it keeps crashing. I too would like to know whether this issue is resolvable, and if so how it was done. We are required to log these messages because of audit regulations and we have multiple firewalls logging to this one server. If Kiwi cannot keep up, kindly let us know or suggest another option.

Following are the system events:


Faulting application name: Syslogd_Service.exe, version: 9.4.0.1, time stamp: 0x5256d794

Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7

Exception code: 0xc0000005

Fault offset: 0x000552a2

Faulting process id: 0x49c

Faulting application start time: 0x01cfedd553cc3c0b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe

Faulting module path: C:\Windows\SysWOW64\ntdll.dll

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35

 

 

 

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

 

Problem signature:

P1: Syslogd_Service.exe

P2: 9.4.0.1

P3: 5256d794

P4: ntdll.dll

P5: 6.1.7601.18247

P6: 521ea8e7

P7: c0000005

P8: 000552a2

P9:

P10:

 

Attached files:

 

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._dae90f6dff5377cb3818b3577cc016b8e269a5_1190477d

 

Analysis symbol:

Rechecking for solution: 0

Report Id: 98b25655-59c8-11e4-8349-005056bb1e35


Report Status: 0




How to open old log files with Syslog Web Access?


I have logs saved to separate files every day. At the end of the quarter, I will need to look through the logs to collect statistics for the report.

Is there a way for me to use Syslog Web Access to look through the old log files and filter out the information that I need?

 

I am using Syslog v9.5

Kiwi Syslog - Maximum request length exceeded.


When using an Events filter, I get the following return (see below). My Kiwi Syslog is running on a virtual 2012 R2 Standard (64-bit). In an attempt to resolve the error, I have followed advice to increase the maximum size to 4MB, but to no avail. Any thoughts?

 

Exception of type  'System.Web.HttpUnhandledException' was thrown.

Status Code: 500

 

 

System.Web.HttpUnhandledException:
Exception of type 'System.Web.HttpUnhandledException' was thrown. --->
System.Web.HttpException: Maximum request length exceeded.
at System.Web.HttpRequest.GetEntireRawContent()
at System.Web.HttpRequest.FillInFormCollection()
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace
---
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean
includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.events_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously)

Display original source of message when logs are aggregated through rsyslog server


I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server, which then forwards these messages to a Kiwi Syslog server. Unfortunately, when this happens all of the messages received by Kiwi are labelled with the hostname/IP of the rsyslog server and not their original source. I am unable to enable UDP spoofing on the rsyslog server, as the firewall will only allow traffic from this server's IP and not the spoofed addresses.


Take the following example:
InternalServer1 -> KiwiSyslogServer
- Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
- Kiwi is not able to resolve the name of DMZServer1, as the incoming messages are stamped with the IP address of the DMZRSyslogServer.


I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddress value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

Function Main()
  ' Replace DMZServerIP with ActualSourceIP within the message hostname
  Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
  ' Return OK to tell syslog that the script ran correctly.
  Main = "OK"
End Function

Thanks,
Ryan
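As an added example (Python written for this page, not from Ryan's post and not Kiwi Syslog's own scripting API), the block below shows the distinction the question turns on: the peer address Kiwi stamps on an event is the socket source (here the rsyslog relay), while the HOSTNAME field inside the syslog header still names the original sender, and a collector should trust that header only for messages arriving from a known relay. The relay address 10.20.0.5, the hostnames and every message line are constructed.

```python
import re
from typing import NamedTuple, Optional

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)\Z", re.DOTALL)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)\Z", re.DOTALL)


class Attribution(NamedTuple):
    source: str                  # host the event should be labelled with
    peer: str                    # IP the packet actually arrived from
    header_host: Optional[str]   # HOSTNAME from the syslog header, if any
    via_relay: bool              # True when the header was trusted over the peer


def header_hostname(raw: str) -> Optional[str]:
    """HOSTNAME of an RFC 5424 or RFC 3164 message; None if absent or NILVALUE '-'."""
    for pattern in (_RFC5424, _RFC3164):
        m = pattern.match(raw)
        if m:
            return None if m.group("host") == "-" else m.group("host")
    return None


def attribute(raw: str, peer_addr: str, relays: frozenset) -> Attribution:
    """Choose the host to attribute an incoming message to.

    The header HOSTNAME is sender-supplied text, so it is honoured only when the
    peer is a known relay; otherwise (and for payloads with no syslog header,
    which cannot be parsed) the peer address wins.
    """
    host = header_hostname(raw)
    if peer_addr in relays and host:
        return Attribution(host, peer_addr, host, True)
    return Attribution(peer_addr, peer_addr, host, False)


# Constructed sample traffic; the relay address is hypothetical.
RELAYS = frozenset({"10.20.0.5"})  # stands in for DMZRSyslogServer
SAMPLES = [
    # DMZ host relayed via rsyslog: peer is the relay, header names the origin
    ("<134>Jun 14 10:47:59 dmzserver1 sshd[2211]: Accepted publickey for ops", "10.20.0.5"),
    # RFC 5424 message through the same relay
    ("<14>1 2016-06-14T10:48:01Z dmzserver2 nginx - - - client 203.0.113.9 GET /", "10.20.0.5"),
    # Internal host logging directly: header and peer agree, nothing to change
    ("<13>Jun 14 10:48:02 internalserver1 su: session opened", "192.168.1.10"),
    # Direct sender whose header names a different host: not a relay, so the peer wins
    ("<13>Jun 14 10:48:03 internalserver1 app: hello", "192.168.1.99"),
    # Payload with no syslog header (no PRI): attributed to the peer
    ("2016/06/14 10:47:59,00:00:05,15,7002,,0", "10.10.10.160"),
]

if __name__ == "__main__":
    for raw, peer in SAMPLES:
        a = attribute(raw, peer, RELAYS)
        print(f"{peer:14} -> {a.source:16} header={a.header_host} relay={a.via_relay}")
```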


Filter rules, IP range or subnet


This may seem obvious but I would just like confirmation that filters on IP address ranges or subnet masks are compared to the Source IP from the UDP/TCP packet header.  The documentation does not state this specifically.

Changing Kiwi Syslog web port


Hi all,

 

Can anyone point me in the direction of some documentation on how to change the default Kiwi Syslog web port from 8088 to something else, say 80?

 

I had a 'quick' search and couldn't find anything solid to go off.

 

Thanks!

Purging old logs


One of those things we never look at until we get notified of disk space running out!!...

 

We have daily logs for each device (approx. 400), each within its own folder based on device hostname. I've looked at log file rotation, but I don't think it will work for simply deleting any files older than a month or so, as the help file implies that it is per log, which is created daily.

Other than doing this manually, can Syslog not delete old files beyond a specified age?

Shame you can't get the app to compress and archive old logs.

Collect DHCP events from Windows DHCP server


Hello,

 

Could you please tell me how to transfer all DHCP events (from a standard Windows 2012 DHCP server) to syslog?

 

Thanks in advance for your help


Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

The test event was the only event received by QRadar. None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

Need a Kiwi Syslog Server GUI Log searching utility.


Is there anything out there that will index Kiwi syslog and let me search through the log files like the Splunk product does, without paying $40,000 for Splunk? The Kiwi Log Viewer is not an option either; it only opens log files up to 700 MB. My log files are 1.5 GB plus. Kiwi is starting to get slow and message times are off.

Insecure (non https) and Chrome warning

TCP Syslog Does Not Work in Latest Version


I use Kiwi Syslog Server a lot for testing syslog. It seems like in the latest version there are issues with TCP. I'm verifying with the Kiwi Syslog Message Generator. With syslog server version 9.4.1 TCP connects and works, but in the latest version, 9.6.3, it does not connect for some reason. When I try to connect over TCP with the message generator it says "TCP session remotely disconnected"; using the same tool the same exact way, it works with version 9.4.1. I'm using the syslog message generator tool on the same machine as the syslog server. Is this a known issue, or am I missing something? Any suggestions or help would be much appreciated. Thank you very much.
