Channel: THWACK: Popular Discussions - Kiwi Syslog

What are Your Favorite Kiwi Syslog Server Highlighting Rules? (Non-Web)


Many of us still use Kiwi Syslog Server's GUI "Service Manager" to watch logs rather than Kiwi's web interface.  Over time

 

My Favorite Highlighting Rules

 

This is my favorite set of Highlighting Rules in action:

 

KiwiSyslog_Final_NoIcons.png

 

Notice that I don't use Kiwi's icons.  If you don't use them either, you can turn off all icons by unchecking "View | Show/Hide Columns | Icons" from the main Service Manager menu. 

 

To implement this configuration on your Kiwi Syslog Server, make sure the following lines are in the INI file you import into Kiwi Syslog Server.  (See next section for instructions.)

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y

H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H003=MAkyCUNyaXQJMAk0NjI5NzQ4CTAJMAkwCTEJMQkxCTAJMAlrc2RfUHJpb3JpdHlJY29uMg==

H004=MAkyCUVycm9yCTAJMzIxMDQ5MgkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H005=MAkyCVdhcm4JMAk0Nzc5MjU2CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNA==

H006=MAkyCU5vdGljZQkxNjc3NzIxNQk3MDYxODU0CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

H007=MAkyCUluZm8JMTQzMjY4NDcJMTY3NzcyMTUJMAkwCTAJMQkxCTAJMAkwCWtzZF9CbGFuaw==

H008=MAkyCURlYnVnCTEyNjMyMjU2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfQmxhbms=

...

[Properties]

DisplayColumnsEnabled=223

 

How to Import/Export Service Manager Highlighting Rules

 

Although the Service Manager doesn't include a facility to import/export Highlighting Rules, it does include a facility to import/export the entire Kiwi Syslog Server configuration as an INI file.  To use this to import/export your Highlighting Rules:

  1. Stop the Kiwi Syslog Service.
  2. Select "File | Export settings to INI file" from the Service Manager's main menu.  Save the INI file.
  3. Make a copy of the exported INI file as a backup (in case the import of your modified file doesn't work).
  4. Open the INI file with notepad or an appropriate text editor.
  5. Find the [Highlighting] tag. Make the necessary changes, and double-check your value of "HighlightCount".
  6. Optionally, find the [Properties] tag and the "DisplayColumnsEnabled" property just below it.  Make changes.  (Or set/reset to "255" to turn everything back on.) 
  7. Save the INI file.
  8. Select "File | Import settings from INI file" and import your modified file. 
  9. Close and relaunch the Service Manager application.  (Optionally, select "View | Highlighting options" after relaunching to see if your INI file changes worked.) 
  10. Start the Kiwi Syslog Service. 

 

Remember also that Highlighting Rules only work in the Syslog Server Comparison | Kiwi Free vs Kiwi Commercial.  You can apply INI files to the Free Edition, but Highlighting Rules will be ignored.

 

Default Highlighting Rules

 

The default Highlighting Rules in action:

KiwiSyslog_Original.png

 

To implement (or reset) this configuration, make sure the following lines are in the INI file you import into Kiwi Syslog Server. 

 

[Highlighting]

HighlightCount=8

H001=MAkyCUVtZXJnCTY1NTM1CTI1NQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjA=

H002=MAkyCUFsZXJ0CTYyOTE0NTYJNTA0MzEJMAkwCTAJMQkxCTAJMAkwCWtzZF9Qcmlvcml0eUljb24x

H003=MAkyCUNyaXQJNjI5MTQ1Ngk2NTUzNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=

H004=MAkyCUVycm9yCTIxMwkxMjkxMDU5MQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjM=

H005=MAkyCVdhcm4JMAkxNTI2Mzk3NgkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjQ=

H006=MAkyCU5vdGljZQk0MjEwNzUyCTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNQ==

H007=MAkyCUluZm8JODM4ODYwOAkxNjc3NzIxNQkwCTAJMAkxCTEJMAkwCTAJa3NkX1ByaW9yaXR5SWNvbjY=

H008=MAkyCURlYnVnCTI0NTc2CTE2Nzc3MjE1CTAJMAkwCTEJMQkwCTAJMAlrc2RfUHJpb3JpdHlJY29uNw==

...

[Properties]

DisplayColumnsEnabled=255

 

Discussion

 

What are YOUR favorite Kiwi Syslog Server highlighting rules?  Please paste a screenshot and the [Highlighting] section from your Kiwi INI export below. 
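
Step 5 of the import procedure above asks you to double-check "HighlightCount" by hand; the following is an added example (not part of the original post and not SolarWinds code) that does the check on an edited export before it is imported. It assumes, from decoding the values shown above, that each H entry is base64 of tab-separated text whose third field is the priority name; the other fields are returned raw because the page does not document them, and the function names are hypothetical.

```python
import base64
import binascii
import re

# Constructed sample: an export trimmed to the first two rules of the
# "favorite" set above, with HighlightCount left at its old value of 8.
SAMPLE_INI = """\
[Highlighting]
HighlightCount=8
H001=MAkyCUVtZXJnCTE2Nzc3MjE1CTQ5MzI4NDQJMAkwCTAJMQkxCTEJMAkwCWtzZF9Qcmlvcml0eUljb24y
H002=MAkyCUFsZXJ0CTAJNDkzMjg0NAkwCTAJMAkxCTEJMQkwCTAJa3NkX1ByaW9yaXR5SWNvbjI=
...
[Properties]
DisplayColumnsEnabled=223
"""


def read_section(ini_text, section):
    """Collect key=value pairs of one INI section. Split on the first '='
    only, because base64 values may end in '=' padding."""
    pairs, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def check_highlighting(ini_text):
    """Return (rules, problems) for the [Highlighting] section.
    rules maps each Hnnn key to its decoded, tab-split field list."""
    pairs = read_section(ini_text, "Highlighting")
    keys = sorted(k for k in pairs if re.fullmatch(r"H\d{3}", k))
    rules, problems = {}, []
    for key in keys:
        try:
            text = base64.b64decode(pairs[key], validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            problems.append(f"{key}: value is not valid base64 text")
            continue
        rules[key] = text.split("\t")
    declared = pairs.get("HighlightCount")
    if declared is None or not declared.isdigit():
        problems.append("HighlightCount missing or not a number")
    elif int(declared) != len(keys):
        problems.append(f"HighlightCount={declared} but {len(keys)} H entries found")
    return rules, problems


if __name__ == "__main__":
    rules, problems = check_highlighting(SAMPLE_INI)
    for key, fields in rules.items():
        print(key, fields[2], fields)  # fields[2] is the priority name
    for problem in problems:
        print("PROBLEM:", problem)
```
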


Kiwi Syslog Service hanging


1st time starting a discussion.

1st time working with Kiwi Syslog.

Let me know if I'm in the wrong place.

 

I am very new to Syslog Servers.

I'm a Route/Switch type guy.

 

We are using Kiwi Syslog to get Call Manager Call Traces for troubleshooting.

This Instance of Kiwi Syslog was working fine as a Guest VMware Server on a Host Server.

We used the app Veeam to move the Kiwi Syslog VMware Guest Server to another Host.

This issue started after the copy/move of the Kiwi Syslog

 

No IP addresses were changed, it's on the same network as before.

It starts up, logs are being received, and then they stop.

If you try to start the service, it tells you it's already running.

 

At the bottom of the Kiwi Syslog Service Manager, you can see the MPH indicator has stopped.

Looking at the correct folder I can see the logs are no longer being  received.

If I stop the service and start the service it starts.

There is a script that tells it to restart every morning at 4am, and it will do this.

 

Below is the error event seen when it stopped last time.

 

Windows Server 2012 R2

64-bit OS

 

Has anyone seen this type of issue before?

 

Any help would be greatly appreciated,

 

Mhaley

Still being prompted for .NET 3.5 install!


  Back in http://thwack.solarwinds.com/message/185776#185776 I mentioned being prompted to install .NET 3.5 during the Kiwi Syslog upgrade process.  I am still being prompted for it for the 9.4 upgrade, even though I don't have the Webaccess part selected for install! This forces me to sit there for several minutes while .NET 3.5 downloads, only to be told that it must be selected in the Features section on the server.

 

When will this be fixed?


I have a number of syslog servers I need to upgrade and this is wasting my time. I brought up this issue almost a YEAR ago!

Kiwi Syslog - Read text file/csv


Hi all,

 

Is there a way that I am able to have Kiwi Syslog read from or import from a text file or CSV file that may be generated by a program that does not support Syslog?

 

Thanks.

Kiwi syslog server external DB


Hello,

My Kiwi web access database is 4 GB in size, and I have some timeout errors executing filters.

I am trying to use an external MSSQL DB with Kiwi Syslog Server.

Is it possible for Web Access to use this external DB?

Thanks

TCP Syslog Does Not Work in Latest Version


I use kiwi syslog server a lot for testing syslog.  It seems like in the latest version there are issues with TCP.  I'm verifying with the Kiwi Syslog Message Generator.  Seems like with syslog server version 9.4.1 TCP connects and works, but in latest version 9.6.3 it does not connect for some reason. When I try to connect TCP with message generator it says "TCP session remotely disconnected" using the same tool the same exact way, it works with version 9.4.1. I'm using the syslog message generator tool on the same machine as the syslog server.  Is this a known issue, or am I missing something?  Any suggestions or help would be much appreciated.  Thank you very much.

List of Devices


I have scanned the forums and I haven't stumbled upon any information regarding my question.

 

Is there a way to determine which devices are sending logs to the Kiwi Syslog Server?

 

Our maintenance ended already and I was assigned to this task of assessing our syslog server. I am trying to get information on how long the logs were retained and what devices are sending those. I have explored both the web access and server console to no avail.

 

Appreciate the help.

Administrator Password Missed; Other way to login


Hi,

 

I have recently been handed over Kiwi Syslog server to manage which has both Fat Client and Web Server. Fat Client is directly logged in however Web console could not be logged in. When I checked regarding the password of "Administrator", I have been informed that resource handling it has left long ago and there is no one to tell.

 

Is there a way we can reset the password of Administrator or create a new user from Syslog Fat Client? I can't raise the request with Support as we do not have active maintenance.

 

Thanks,

Syed


Automate SolarWinds Event Log Forwarder?


Hi all,

Is there a way to set up an automated install of SolarWinds Event Log Forwarder? I'm planning on deploying it via SCCM and wanted to know if there's a way to automate the install and configuration of the program.

 

Any help would be grateful!!!

 

Thanks in advance.

sys log server errors "FormatMessage failed with 1815" help please!!


Good day Community,

 

I am experiencing an urgent issue. The syslog server forwarder is forwarding the following message to the Kiwi syslog server. The actual security logs are showing the correct information, however the message below is being shown. I thought it was the server, but when I added another server to forward security logs, I am getting the same message as shown below.

 

Has anyone encountered this message, or does anyone know how to resolve this issue? The security logs are on the server and I can view them using Event Viewer properly and audit logs are reflecting fine.

 

I would really appreciate your humble assistance or comments.

 

 

 

Apr 08 14:36:34 CASSIOPEIA1.carimed.local MSWinEventLog 5 Security 495 Wed Apr 08 14:36:33 2015

4624 Microsoft-Windows-Security-Auditing N/A Audit Success CASSIOPEIA1.carimed.local 12544

The description for Event ID 4624 from source Microsoft-Windows-Security-Auditing cannot be

found. Either the component that raises this event is not installed on your local computer or

the installation is corrupted. You can install or repair the component on the local computer.If

the event originated on another computer, the display information had to be saved with the

event.The following information was included with the event: S-1-0-0. FormatMessage failed with

error 1815, The specified resource language ID cannot be found in the image file.

Kiwi, Juniper and MySQL


Hi to all,

I'm evaluating Kiwi Syslog to manage logs generated by Juniper FWs. I have configured Kiwi on a Windows XP SP3 system and Kiwi correctly receives Juniper syslogs. In addition, I have configured Kiwi to store the syslog data in a MySQL DB. At this time, the query created by Kiwi to populate the table omits the last two chars ') in any INSERT query.

 

Just as an example, the MySQL log shows the following:

 

INSERT INTO SyslogDB (MsgDate,MsgTime,MsgFacility,MsgLevel,MsgHostname,MsgText) VALUES ('2013-05-22','18:06:39','Local0','Notice','XX.XX.XX.XX','int-fw: NetScreen device_id=int-fw  [Root]system-notification-00257(traffic): start_time="2013-05-22 18:06:10" duration=0 policy_id=4 service=udp/port:8888 proto=17 src zone=Global dst zone=Global action=Deny sent=0 rcvd=72 src=XX.XX.XX.XX dst=XX.XX.XX.XX src_port=1030 dst_port=8888 session_id=0

 

Thanks in advance.

Fabio.

Solarwinds event log forwarder for windows - tracking failed logins in AD failing


Trying to send failed login attempts to the syslog and getting error as follows XXXXXXX.domain.gov.uk MSWinEventLog 2 Security 128 Tue Jan 30 16:32:42 2018 4771 Microsoft-Windows-Security-Auditing N/A Audit Failure XXXXXX.domain.gov.uk 14339 The description for Event ID 4771 from source Microsoft-Windows-Security-Auditing cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 4258. FormatMessage failed with error 1815, The specified resource language ID cannot be found in the image file. Using Version 1.2.0.114 on server Windows 2012 R2 Datacenter

 

completed the hack to actually get the failed logins  <string>0x10000000000000</string>

 

Can anyone solve this - using SolarWinds-LogForwarder-FreeTool-v1.2.0

log forwarder error


I installed log forwarder 2.1.0 on my Windows Server 2008. I set my Kiwi Syslog Server and configured a subscription for sending system logs from my server. When I click the test button, the test is OK, but in Event Viewer, in the log solariwinds.net, I receive the message

 

Unable to setup Windows Event Log subscribers. Subscribe failed with error 15001, The specified query is invalid.

 

Also, my Kiwi Syslog Server does not receive messages. Where is the problem?

Kiwi Syslog Web Access: refresh problem


Hi,

 

How can I update the refresh time on KWSA please? Every time I click on "Save", I've got the password policy message.

 

Thanks

Kiwi Syslog WebAccess Installation Error (error code is 2869)


*Kiwi Syslog Server V.9.1.0
*Windows 2008 SP1 and SP2 64bit

Our client encountered a Kiwi Syslog WebAccess installation error.

The error message is as follows:
=============================================
The installer has encountered an unexpected error
installing this package. This may indicate a problem
with this package.The error code is 2869.
=============================================
*Kiwi Syslog Server service runs correctly.

*The client stopped Anti-Virus service before the installation.

 

Is there any information to resolve the problem?


Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)


PROBLEM - pfSense syslogs for firewall event is split into two lines when it is sent to Kiwi syslog app.

 

Is there a way to edit configuration or parsing script to parse the pfSense event as one similar to what the Splunk app can do see link http://www.basementpctech.com/content/pfsense-log-analysis-splunk

 

I understand that this is a pfSense tcpdump issue, but I have already tried the changes in http://redmine.pfsense.org/issues/1938 without any luck. It just doesn't work; I tried all combinations of changes without any luck.

 

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

 

I would really appreciate any help with this, as I have already exhausted searching for a working solution using Kiwi Syslog, and it is the only thing holding me back from purchasing this application.

 

Appreciate any help on this..........

 

 

Example from Kiwi Syslog

 

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]

Overflow alarm


Got a couple of these yesterday. When I searched the forum, a post from 2011 suggested that updating to 9.2.1 would increase the buffer to 500 thousand; however this is well below that amount.

 

Syslog Alarm: 41596 messages overflowed the message queue this hour.
The current maximum threshold is set at 1 messages per hour.
This could indicate a problem, please check the log files and syslog statistics below.

///       Kiwi Syslog Server Statistics         ///
---------------------------------------------------
24 hour period ending on: Tue, 25 Jun 2013 08:14:38
Syslog Server started on: Sun, 23 Jun 2013 20:12:19
Syslog Server uptime:     1 day, 12 hours, 1 minute
---------------------------------------------------

+ Messages received - Total: 37905206
+ Messages received - Last 24 hours: 26657147
+ Messages received - Since Midnight: 8207057
+ Messages received - Last hour: 1314425
+ Message queue overflow - Last hour: 77312
+ Messages received - This hour: 39648
+ Message queue overflow - This hour: 41596
+ Messages per hour - Average: 1109062

+ Messages forwarded:                 0
+ Messages logged to disk: 8207765

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           0
+ Errors - Oversize message:          676

+ Disk space remaining on drive E:    88880 MB

Kiwi Syslog Service Getting Stopped automatically.


The Kiwi Syslog service keeps stopping, and when restarting it, it stops again after a few seconds. Restarted the server but no luck. Does anyone have an idea what the cause of the issue could be?

Error changing web access settings


In the web access settings page, when I try to modify the value of page refresh or anything under the "general settings" screen it pops up an error about changing the password.  I am not modifying anything under the "user settings" part or clicking "change password".  Any ideas?
