Channel: THWACK: Popular Discussions - Kiwi Syslog

Kiwi Syslog Server Log Questions.


Hi Guys,

I am totally new with Kiwi Syslog software and I've been assigned to assist with the installation of the software on a Windows Environment on our customer site. However I need some answers to these questions below. I can't seem to find them online. 

Appreciate the help given.

1. What is the maximum event per second that syslog server can handle ?
2. What is the maximum size for the database to keep the log ? Can it use enterprise database such as mssql ?


Display original source of message when logs are aggregated through rsyslog server


I am hoping you can give me a hand with an issue that I am having. I have a number of servers in a DMZ that are logging to a central rsyslog server and then forwarding these messages to a KiwiSyslog server. Unfortunately when this happens all of the messages received by Kiwi are labelled with the hostname/IP of the rsyslog server and not their original source. I am unable to enable UDP spoofing on the rsyslog server as the firewall will only allow traffic from this server's IP and not the spoofed addresses.


Take the following example:
InternalServer1 -> KiwiSyslogServer
-Kiwi is able to resolve the name of InternalServer1 and everything works fine.

DMZServer1 -> DMZRSyslogServer -> KiwiSyslogServer
-Kiwi is not able to resolve the name of DMZServer1 as the incoming messages are stamped with the IPAddress of the DMZRSyslogServer


I noticed in the help documents that there is the option to modify a message by processing it with a script. The example they give for "Fields.VarPeerAddress" is very similar to what we want to happen:

"Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog collector (192.168.1.3)
The Fields.VarPeerAddres value would be 192.168.1.1."

So would a script similar to the following work? Anyone have any experience with this?

"Function Main()
  ' Replace DMZServerIP with ActualSourceIP within the message hostname
Fields. = Replace(Fields., "123.123.123.123", Fields.VarPeerAddress)
  ' Return OK to tell syslog that the script ran correctly.
Main = "OK"
  End Function"

Thanks,
Ryan


Limiting Size of Log file


Hi,

 

We are using the Kiwi Syslog Web Access as a syslog for all the network and security devices. Due to this we are unable to fetch events for any specific filters applied on the Kiwi Syslog Web Access.

We alternatively go to the location: \Program Files (x86)\Syslogd\Logs and try to open the logs in text editor like notepad++.

 

The problem is:

1. That file size is too large (~700 MB) and we are unable to open via the text editor. Is there any way to limit the size.

2. On the Web Access, when a filter is applied, the software crashes with the error:

 

Exception of type 'System.Web.HttpUnhandledException' was thrown.

Status Code: 500

 

System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Web.HttpException: Maximum request length exceeded.
  at System.Web.HttpRequest.GetEntireRawContent()
  at System.Web.HttpRequest.FillInFormCollection()
  at System.Web.HttpRequest.get_Form()
  at System.Web.HttpRequest.get_HasForm()
  at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
  at System.Web.UI.Page.DeterminePostBackMode()
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  --- End of inner exception stack trace ---
  at System.Web.UI.Page.HandleError(Exception e)
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  at System.Web.UI.Page.ProcessRequest()
  at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
  at System.Web.UI.Page.ProcessRequest(HttpContext context)
  at ASP.events_aspx.ProcessRequest(HttpContext context)
  at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Resource: http://10.240.22.194:8088/Events.aspx
Referrer: http://10.240.22.194:8088/Events.aspx

 

Click here to return to the previous page    Click here to return to the login page

 

 

Please suggest.

Details: Kiwi Syslog Web Access ver 1.5.1

 

Thanks,

Richard

Forwarding from Kiwi Syslog to ArcSight


Anybody been able to forward from Kiwi to ArcSight?  The security dept complain that the syslog message they are receiving cannot be read by Arcsight.  Is there specific option to look for in the configuration?  Special setup to do in Arcsight?

Kiwi Cattools version 3.4.0


We have Kiwi Cattools version 3.4.0  currently running on a windows 2003 server.   We need to upgrade the server to a new version 2007+ and just wondered if anybody would know if this version of cattools can run on it? 

Can not receive message from Cisco switch 3750


Hello guys,

 

I set up Kiwi Syslog Server and can receive messages from other devices, such as a Cisco switch 2960, a 5510, and a Windows server, but I cannot get any messages from the 3750. I enclose the 3750 configuration below. Please help me take a look at where I am going wrong. Thank you.

 

logging trap notifications

logging facility local5

logging 192.168.0.51

Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

 

The test event was the only event received by the QRadar.  None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?

Kiwi Syslog Server does not display secure ASA syslogs


Hello to the community!

I have been confused with this for a while and i would like to get your help!

 

I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.

I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.

Also i have generated a certificate request for the Kiwi server which was signed by the CA server and also made a trustpoint on the ASA with that certificate (The signed one)

 

When i try to send syslogs it doesn't display anything.

 

I have installed Kiwi SyslogGen and have made some tests.

When i make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.

But when i make a test with destination port 6514 (Default Secure TCP) it fails.

 

On the command prompt i issued the following:

netstat -ano

there were the following entries regarding syslog:

TCP: 0.0.0.0 1468

UDP: 0.0.0.0:514

 

But nothing is listening to 6514

What can be the problem? Thank you very much in advance!!

 

Something I saw in the error log:

Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.

Here are some pictures of the settings:

Secure TCP.png

 

TCP.png

Modifiers.png


Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided


I set up Secure TCP port 6514 in Kiwi Syslog Server version 9.5.0.332.

I'm getting the following error :

Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided

 

I'm using a self-signed certificate that I created  in IIS.

Why doesn't the error message tell exactly what is wrong with the certificate?

Could somebody suggest a solution or a workaround?

Thanks!

snmp troubleshooting


Hello, I'm new on Kiwi Server. I just configured 6 Cisco switches successfully for syslog, and the Kiwi server has been working fine capturing the logs, but I need to configure SNMP v3 and it doesn't work: Kiwi doesn't capture any SNMP trap. Please help me with an example configuration for the Cisco switches and the screen for configuring the user on the Kiwi server.

Kiwi syslog web profile


Hi guys

I'm new on this forum and I need your help. I'm using Kiwi Syslog Server version 9.6.5. I created a lot of rules for groups of the equipment that feed my syslog server (switches, servers, firewalls, ...), and I have different stakeholders to whom I have to give access through Kiwi Syslog Web Access, but I want to restrict access to the context that each of them needs, without giving access to all logs.

When we create user accounts on the console, there is no way to personalize a profile to do that.

My question: is there a way to do that?

Thanks

KiWi Syslog Command Line Import


Does anyone know of a way to import/export rules to/from KiWi Syslog Server via command line or other means?

 

We have a very heavily utilized LEM with a "farm" of KiWi syslog servers sitting behind a load balancer.  Whenever we change the rule on one KiWi server, we need to manually export the rule and import it to the other KiWi servers.

 

We would like to find a way to script this, but we cannot find any relevant CLI options in the admin guide.  If anyone has done this or has a suggestion, it would be greatly appreciated.

 

If this is not possible, then would anyone be interested in supporting a feature request for a centralized management console for large deployments of KiWi syslog servers?

 

Thanks!

Can Kiwi forward SNMP trap forwarding snmp trap and keep the source ip (spoof)


Hi

 

I am testing Kiwi as an SNMP trap server that will forward some traps to NPM.

I find it hard to forward an SNMP trap and keep the source IP.

Is it syslog only that can "spoof" the source?

 

 

 

RouterA->Trap Kiwi->NPM see kiwi

 

23-10-2014 10:40:3410.kiwi IP kiwiserver * SNMPv2-SMI:enterprises.20580.69 enterprises.20580.69.181 = community=DIST, enterprise=1.3.6.1.4.1.2636.1.1.1.2.57, uptime=1722307967, agent_ip=10.10.30.61, generic_num=3, specificTrap_num=0, specificTrap_name=, version=Ver1, generic_name="Link up", ifIndex.1073741824=1073741824, ifAdminStatus.1073741824=testing, ifOperStatus.1073741824=7
snmpTrapOID = SNMPv2-SMI:enterprises.20580.69
sysUpTime = 1 day 1 hour 20 minutes 8,21 seconds

Kiwi Syslog Server limitations


Hi everyone,

 

I wonder if Kiwi Syslog Server has any limitation on how many servers that it can collect the logs from or how many servers can send the logs to the syslog server?

 

I know the Web Access has a 4GB DB limitation.  What is the best practice for this limitation when you have more than 10 servers sending the logs to the syslog server? I don't want to see only 1 or 2 days of logs every day from Web Access.  I hope the 4GB DB limitation can at least store about a month of logs from all 10+ servers.  I am trying first with the Windows event logs (using the free tool SolarWinds Event Log Forwarder).

 

Is there any limitation that I should be aware of with Kiwi Syslog Server and the Event Forwarder tool?

 

Another question:

Can SolarWinds Event Log Forwarder work with another vendor's syslog server? If so, which vendor and which syslog server product is that?

 

Thanks in advance!

Can Kiwi Syslog be used in a syslog relay chain without being the first in the chain ?


Hello,

 

I have been working in log management for a couple of years now. Across all the clients I've met, Kiwi Syslog has been in use for quite a while.

From a functionality perspective, amazing things were achieved with it by operational teams.

But I am no expert at configuring Kiwi Syslog, although somewhat familiar with it.

 

I am often involved in building centralized log management infrastructure, and this is where I always get stuck with Kiwi Syslog.

Perhaps there is a hidden config option that I missed?

 

Implementing a centralized log management infrastructure often dictates that all logs (syslog) are to be sent to a single destination, the centralized log management.

This destination is always defined with high performance and high resilience in mind, e.g. VIP, load balancers, failover systems.

For any other system that requires access to the logs, a live, unmodified copy is forwarded to it.

In other words, we just built a syslog relay chain.

 

And with as much respect as I have for your product, making Kiwi Syslog the first in that relay chain in a central log management system is not an option.

Nor is double-feeding from the source; building a central log management is all about having a single destination for logs, where redistribution is performed.

 

Whenever I walk into a department that has been running Kiwi Syslog for a while, they have implemented a lot of automation with it.

Obviously, they (and I agree) want to keep using it.

So the simplest solution would be to forward logs from the centralized syslog server TO the department Kiwi Syslog server.

This way the enterprise is happy, centralized log management is in place, AND that department is happy, since the same interface they are using is still there.

That's where I hit a snag.

 

To my knowledge, Kiwi Syslog ALWAYS takes the IP address as the source of the message, even if it receives properly formatted RFC3164 or RFC5424 messages containing hostnames.

Therefore, using Kiwi Syslog in a relay chain where it's not the first one in the relay makes the source of every message the previous hop's IP address.

Yes, spoofing can be used in the relay chain, but it's not elegant, it slows down throughput quite a lot, and more often than not it gets blocked by security guidelines.

 

Almost all advanced syslog servers in the field are configurable and allow using the hostname contained in properly formatted syslog messages as the source host.

For improperly formatted messages, the IP of the connected socket is taken instead.

Also, with some templating, it's even possible in the first relay to add an ORIGINATING IP prefix to the message and get the hostname from there.

On output, I saw that rsyslog supports adding such a prefix.

 

My questions are:

1. Is there a way to configure Kiwi Syslog to take the source from inside the received syslog message, because it was prefixed with "originating address=4.4.4.4", for example?

2. Is there a way to configure Kiwi Syslog to take the source from the hostname in the syslog header and, if that fails, to take it from the connected socket?

 

Without a way to do any of the above, Kiwi simply doesn't support being on the receiving end of a syslog relay chain and ends up being discarded where it still had lots of value.

Most large enterprises are really looking at central log management, and at message brokers like Kafka to store the logs and allow for log distribution.

Feeding specific logs from Kafka to Kiwi Syslog would be a tremendous help for operational teams, but if, for example, all the logs have a single IP address (the Kafka cluster) as their source instead of the real IP of their firewall, it makes this forwarding useless.

 

Presuming that I read the doc and haven't missed anything, if rsyslog could support on TCP and UDP input a setting that instructs it to look for an ORIGINATING ADDRESS inserted in the message and use that IP address as the source for display, that would be amazing.

 

Hoping I overlooked some part of the documentation; otherwise, is there anyone else who sees this as an extremely important feature to support?
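Both Ryan's question above (rewriting the relay's address back to the original source) and the relay-chain post here come down to the same receiver-side decision: which of the available identifiers should a collector record as the event source. The following is an added example, not code from these posts or from Kiwi Syslog, showing the three-step rule the relay-chain post asks for: honour an "originating address=" prefix inserted by the first relay, otherwise trust the HOSTNAME field of a well-formed RFC 3164 or RFC 5424 header, and only fall back to the connected socket's peer address when the header is unusable. The hostnames, addresses and message bodies in it are constructed.

```python
"""Source selection for relayed syslog (added example; constructed data).

Assumed convention (from the post's own example): the first relay prefixes the
message body with "originating address=<ip> ". Everything else here is plain
RFC 3164 / RFC 5424 header parsing.
"""
import re
from dataclasses import dataclass

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (day may be space-padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<rest>.*))?$"
)
# The relay-inserted prefix named in the post, e.g. "originating address=4.4.4.4 "
ORIGIN_RE = re.compile(r"^originating address=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+")


@dataclass
class ParsedEvent:
    source: str          # host the event is attributed to
    source_reason: str   # which rule picked it (useful for audit/debugging)
    message: str         # body with any relay prefix stripped


def resolve_source(raw: str, peer_ip: str) -> ParsedEvent:
    """Pick the event source, in order of preference:
    1. 'originating address=' prefix inserted by the first relay,
    2. HOSTNAME from a well-formed RFC 5424 or RFC 3164 header,
    3. the connected socket's peer address (the behaviour the post describes).
    """
    m = RFC5424_RE.match(raw) or RFC3164_RE.match(raw)
    if m is None:
        # Malformed header: nothing in the message can be trusted, use the socket.
        return ParsedEvent(peer_ip, "malformed header; socket peer", raw)

    body = (m.group("rest") or "") if m.re is RFC5424_RE else m.group("msg")
    host = m.group("host")

    o = ORIGIN_RE.match(body)
    if o:
        return ParsedEvent(o.group("ip"), "originating-address prefix", body[o.end():])
    if host != "-":  # RFC 5424 uses "-" as the NILVALUE for an unknown hostname
        return ParsedEvent(host, "syslog header hostname", body)
    return ParsedEvent(peer_ip, "nil hostname; socket peer", body)


# Constructed relay scenario matching the posts: DMZServer1 -> rsyslog relay -> collector
RELAY_IP = "10.0.0.2"
SAMPLES = [
    # RFC 3164 from DMZServer1, relayed unchanged: header hostname survives the hop
    "<134>Oct 11 22:14:15 DMZServer1 sshd[123]: Accepted publickey for ops",
    # RFC 5424 where the relay stamped its own hostname but also added the prefix
    "<134>1 2014-10-23T10:40:34Z dmzrsyslog fw - - - originating address=4.4.4.4 deny tcp 1.2.3.4",
    # RFC 5424 with NIL hostname and no prefix: only the socket is left
    "<134>1 2014-10-23T10:40:34Z - fw - - - plain message",
    # Not syslog at all
    "garbage line with no header",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = resolve_source(line, RELAY_IP)
        print(f"{ev.source:<12} ({ev.source_reason}): {ev.message}")
```

The reason string is worth keeping in whatever the collector stores: when an analyst later asks why an event is attributed to a particular host, "syslog header hostname" versus "socket peer" tells them immediately whether the attribution came from an authenticated transport hop or from a self-reported, unauthenticated header field.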


Log Forwarder cfg deployment


How to deploy log forwarder to hundreds of computers? I'll use Group Policy for MSI installation but I also need to distribute the CFG file. Any tips how to do that? Thanks in advance for any answer.


Collect DHCP events from Windows DHCP server


Hello,

 

Could you please tell me how to transfer all DHCP events (from a standard Windows 2012 DHCP server) to syslog ?

 

Thanks in advance for your help

snmptrap -> syslog, garbled MACaddress


Hi.

 

We use the snmp trap feature of syslogd, receiving and forwarding SNMP traps as syslog messages.

The following problem was discovered with syslogd 9.4.x. It is still present in 9.5.0, but slightly different. See update below.

 

The attached file shows two network packets captured with Wireshark. Both packets appear to be completely valid packets, and they also decode perfectly with the appropriate MIBs loaded in Wireshark.

 

Kiwi syslogd somehow manages to mistreat one of the packets. This is illustrated below, where you can see that cldcClientMacAddress.0 reads as ‘L?XÉöh’ in one case, and ‘Hex String=70 18 8B 44 B3 4F’ in the other. Obviously, we prefer the latter parsing of the data.

 

This problem is very visible to us, as approximately one third to one half of all client MAC addresses are unintelligible in our logs.

 

The source of the messages are SNMPtraps from a Cisco WLC wireless controller.

The captured packets (in the attachment) are taken from the inbound snmptraps to the KIWI syslog server.

The Kiwi Display function shows the same corrupted MAC as shown below.

We have not managed to figure out any pattern in corrupted/noncorrupted packets.

Also the AP MAC address shows the same corruption. There is no obvious correlation between corruption of one or the other.

(I.e. if a client MAC  is corrupted this does not imply that the AP MAC is corrupted and vice versa.)

We *think* a MAC address coming through as corrupted always comes through as corrupted.

 

UPDATE:

After having updated syslogd to 9.5.0, *all* MAC addresses now arrive garbled. I do prefer consistency over randomness. But still....

I have found no way to decode the received text as a valid MAC address.

None of the options in the options under 'Input | SNMP' appear to have any impact on this issue.

 

Is this a bug, or an intended feature? If the latter, how am I meant to parse the received data?

 

 

From kiwi syslogd:

 

Client 4c:bb:58:90:94:68/10.115.170.85:

 

13:02:25 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2013100, agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0=L?XÉöh, cLApName.0=H-BERGEN-NGV-AP30, cldcApMacAddress.0=³¹¹?Ä, cLApDot11IfSlotId.0=0, cldcClientIPAddress.0=10.115.170.85, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=username, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=HFK-Skole

 

Client 70:18:8b:44:b3:4f/10.114.58.15:

 

13:05:59 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2034500, agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0="Hex String=70 18 8B 44 B3 4F", cLApName.0=H-LINDAS-KNV-AP38, cldcApMacAddress.0="Hex String=70 10 5C 93 D4 E0", cLApDot11IfSlotId.0=1, cldcClientIPAddress.0=10.114.58.15, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=anotherusername, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=HFK-Skole
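The two log lines above show the same varbind rendered two ways: once as raw octets decoded as text (lossy) and once as "Hex String=70 18 8B 44 B3 4F" (exact). The following is an added example, not code from the post or from Kiwi Syslog, showing how a consumer of these lines should treat a MAC-address OCTET STRING: format the six octets as hex, parse the "Hex String=" form back into a canonical MAC, and treat the text-rendered form as unrecoverable whenever the viewer had to substitute a character. The MAC addresses are the ones quoted in the post; the second log line is embedded as a constructed sample built from the post's text; the field-name and function names are my own.

```python
"""Decoding MAC-address varbinds from Kiwi trap-to-syslog lines (added example)."""
import re
from typing import Optional

# Matches the exact form Kiwi emitted in the second log line of the post,
# with or without the surrounding quotes.
HEX_STRING_RE = re.compile(r'^"?Hex String=((?:[0-9A-Fa-f]{2}\s?)+)"?$')


def mac_from_octets(octets: bytes) -> str:
    """Render a 6-byte OCTET STRING (e.g. cldcClientMacAddress) as aa:bb:cc:dd:ee:ff."""
    if len(octets) != 6:
        raise ValueError(f"expected 6 octets, got {len(octets)}")
    return ":".join(f"{b:02x}" for b in octets)


def mac_from_hex_string_field(value: str) -> Optional[str]:
    """Parse the 'Hex String=70 18 8B 44 B3 4F' form; None if the value is not in that form."""
    m = HEX_STRING_RE.match(value.strip())
    if not m:
        return None
    return mac_from_octets(bytes.fromhex(m.group(1).replace(" ", "")))


def mac_from_text_rendering(text: str, codec: str = "cp1252") -> Optional[str]:
    """Best-effort recovery from a viewer's text rendering of the raw octets.

    This only works when every octet mapped to a distinct, printable character
    in the assumed code page (cp1252 is an assumption for a Windows viewer).
    Octets such as 0x81/0x8D/0x8F/0x90/0x9D have no glyph there, so the viewer
    shows a replacement character and the original byte is gone. A '?' is
    treated as ambiguous (it is both a valid octet 0x3F and the usual
    substitute glyph), so we give up on it rather than guess.
    """
    if "\ufffd" in text or "?" in text:
        return None
    try:
        raw = text.encode(codec)
    except UnicodeEncodeError:
        return None
    return mac_from_octets(raw) if len(raw) == 6 else None


def mac_field_from_trap_line(line: str, field: str = "cldcClientMacAddress.0") -> Optional[str]:
    """Pull one 'key=value' varbind out of a Kiwi trap line and normalise it.

    Returns the canonical MAC when the value is in Hex String form, otherwise
    None (the text-rendered form is reported as undecodable, not guessed at).
    """
    m = re.search(re.escape(field) + r'=("[^"]*"|[^,]*)', line)
    if not m:
        return None
    return mac_from_hex_string_field(m.group(1))


# Constructed from the second log line in the post (trailing username fields shortened).
SAMPLE_LINE = (
    '13:05:59 | community=kiwi201, enterprise=1.3.6.1.4.1.9.9.599.0.4, '
    'enterprise_mib_name=ciscoLwappDot11ClientMovedToRunState, uptime=2034500, '
    'agent_ip=10.120.5.205, version=Ver2, cldcClientMacAddress.0="Hex String=70 18 8B 44 B3 4F", '
    'cLApName.0=H-LINDAS-KNV-AP38, cldcApMacAddress.0="Hex String=70 10 5C 93 D4 E0", '
    'cLApDot11IfSlotId.0=1, cldcClientIPAddress.0=10.114.58.15'
)
# The first client's octets (4c:bb:58:90:94:68 per the post) decoded as text, which
# is the lossy path that produces strings like the post's 'L?XÉöh'.
LOSSY_TEXT = bytes.fromhex("4cbb58909468").decode("cp1252", errors="replace")

if __name__ == "__main__":
    print(mac_field_from_trap_line(SAMPLE_LINE))                       # 70:18:8b:44:b3:4f
    print(mac_field_from_trap_line(SAMPLE_LINE, "cldcApMacAddress.0")) # 70:10:5c:93:d4:e0
    print(repr(LOSSY_TEXT), mac_from_text_rendering(LOSSY_TEXT))       # ... None
```

The practical consequence for anyone building detections or asset correlation on these logs is the one the poster reached empirically: a MAC that went through the text path cannot be trusted, so the pipeline should flag it as undecodable rather than silently storing a wrong value; only the Hex String form (or the raw octets, if the trap receiver exposes them) yields a usable identifier.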
