Adding lots of new rules via GUI just take too long so wondering if any other options?
Can we export .ini, edit and add new rules and import back? Any try and if this works?
↧
Adding new rules via .ini file?
↧
Getting an error message "Cannot specify a column width on data type text" when trying to create a table in SQL server.
Kiwi Syslog server, SQL2008R2 using a OBCC SQL connector.
Any thoughts?
↧
↧
How to search all log files
Hi everyone,
Can someone confirm that both the Kiwi Syslog Service Manager console and the Kiwi Syslog Web Access will only display messages for current log files. Therefore, a find or filter will only bring up hits for the most current log files, correct?
Assuming that is the case, I found a thread that mentions WinGREP as a freeware to search all log files on your hard drive. Wouldn't it be helpful for this capability to be integrated into Kiwi Syslog Server?
For example, I am importing all Windows Security events from all domain controllers into Kiwi Syslog Server. I want to be able to search for a username and the phrase "user account is locked out" for as far back as I have logs. How do I do this easily?
Thanks,
Tony
↧
Kiwi Syslog Server limitations
Hi everyone,
I wonder if Kiwi Syslog Server has any limitation on how many servers that it can collect the logs from or how many servers can send the logs to the syslog server?
I know the Web Access has 4GB db limitation. What is the best practice for this limitation when you have more than 10 servers sending the logs to syslog server? I don't want to see only 1 or 2 day logs every day from Web Access. I hope at least 4GB db limitation can store like a month logs of all 10+ servers. I am trying first with the windows event logs (using the free tool Solwarwinds Event Log Forwarder)
Is there any limitation that i should be aware with Kiwi Syslog Server and Event Forwarder tool?
Another question:
Does Solarwinds Event Log Forwarder can work with other vendor syslog server? If so, which vendor and which syslog server product is that?
Thanks in advance!
↧
Is there any limitation of usage for the Free Version
Currently we're using the free version only to get logs from one device (firewall). Since we're a company, is it ok to just use the Free Version for as long as we need it for that one device, or do we actually have to buy the commercial license? Is there any term of usage that describes this?
↧
↧
Event Log Forwarder - Where is the Audit Failure Type?
Hi There,
I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log. When I click on the Security Log I don't see Audit Success or Audit Failure as an event type. It just has Error, Warning and Information. If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change. Am I doing something wrong? How can I see Audit Failure as an Event Type?
Thanks,
↧
What is the best way to setup/configure/build a SQL database for Kiwi Syslog Server?
I am currently able to log my messages to a MS SQL database, so I am not really asking how to accomplish that task.
I would like to know how to build the database itself. I know it will ultimately contain a massive amount of data, so I am looking for the little details that would allow the database to survive the lessons of time... at least until it becomes another person's problem.
Should I send everything to a single table, or break it up by IP, hostname, etc..?
Do I need to have the data "rolled up", similar to the way NPM/Orion retains hour/day/week/month/year data?
If so, how would I accomplish this, via scheduled task/management, triggers, procedures?
Currently, I have various rules within the Kiwi console, separating messages by similar device types and purposes. Each of those rules dumps the messages into a different table in the same database, as well as dumping the messages to different log files. This has been working fairly decently, however, after approximately 6 months, some of those tables have so many rows in there, it is taking a very long time to read.
I am really not looking to do anything fancy with Kiwi. I simply want to store the data, and I need it to be accessed quickly. I am not really concerned, so much, with the size of the overall storage, as much as I am with eventually having 5+ years of data stored in a single table of the database.
Thank you,
-Will
↧
Forward syslog events to QRadar
I'm trying to forward events from Kiwi Syslog to QRadar SIEM.
In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a gree checkmark.
The test event was the only event received by the QRadar. None of the events I'm forwarding have been received as incoming logs on QRadar.
I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.
Do I need to install a universal DSM on the Kiwi Syslog servers?
↧
SNMP forwarding
All
I have setup my KIWI syslog server to listen for SNMP traps, successfully. Is there a way to setp KIWI, or an available action to forward the SNMP traps to other SNMP trap receivers as KIWI receives them.
Thanks
KIWI New Guy
↧
↧
Syslog Console Hangs
Hi,
Then syslogd service runs fine on our windows server 2016 DC.
But if we open the console, it hangs. Memory and CPU load are ok.
Any idea what I can check ?
Best Regards,
Wouter Jinssen
Siemens
↧
Kiwi Syslog not receiving any message
Hello,
I just installed Syslog on a Windows 8 VM (ESXi 5.5).
However... I don't received any message from the router (Cisco RV042G) I want to log.
I tried the generic troubleshhoting :
• Check network connectivity by pinging from the sending device to the Syslog Server machine => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled
• Use a sniffer to check if messages from the routing are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)
Do you have any idea about the cause of this issue ?
Thanks in advance for your help.
↧
Does KiwiSyslog server read syslogs from a file from the disk of local machine?
I want Kiwi Syslog component to read log files from disk. How can I configure it?
↧
How to Resolve IP Addresses into Hostnames in Kiwi Syslog Server
SolarWinds's own Justin Finley just recorded a video tutorial that shows how to resolve IP addresses into hostnames in Kiwi Syslog Server.
External link to Jing: DNS Resolution - justinfinley's library
Video Guide:
- 0:00 Watching traffic come in with unresolved IP addresses
- 0:10 Turning on IP address resolution (this affects what appears in the "Hostname" column)
- 0:20 Turning on in-message IP address resolution (this is optional, can be slow, and affects what appears in the "Message" column)
- 0:27 A quick glance at the DNS server settings (which DNS server to use, whether NetBIOS is to be used, etc.)
- 0:29 A quick glance at the DNS cache settings
- 0:30 Turning on resolution of frequently-uses IPs from a local hosts file (this is very fast, but ignores changes to DNS servers)
- 0:35 How to edit the hosts file
- 1:30 Watching traffic come in with properly resolved IP addresses
Remember to "LIKE" this if you find it useful - that helps others find it too!
↧
↧
Forescout NAC & syslog
We have a couple of Forescout NAC devices. They are configured to forward to our local Kiwi servers, and then rules on the Kiwi are supposed to be sending warning & above messages to the main Orion server. Unfortunately, I have oodles (technical term) of info messages showing in the main repository. I'm pretty sure the Kiwi rules are correct (they are working for other devices) but our on site security guy isn't a Forescout expert, so he hasn't been able to see anything wrong on the NAC itself. I'm thinking we have it set to forward directly to Orion under a different facility, but that's a pure guess. From what I've seen of the NAC's SYSLOG setup there aren't drop downs to look at different facilities.
Does anyone have experience with this? Thanks in advance!
↧
Kiwi Syslog Server does not display secure ASA syslogs
Hello to the community!
I have been confused with this for a while and i would like to get your help!
I have a network topology with an ASA 5520 and a Kiwi Syslog server 9.3.4-eval. I also have a CA server.
I have installed the root CA certificate on both the Kiwi Syslog Server and the ASA.
Also i have generated a certificate request for the Kiwi server which was signed by the CA server and also made a trustpoint on the ASA with that certificate (The signed one)
When i try to send syslogs it doesn't display anything.
I have installed Kiwi SyslogGen and have made some tests.
When i make a test with destination port 1468 (TCP default) it works and displays something on the Kiwi manager.
But when i make a test with destination port 6514 (Default Secure TCP) it fails.
On the command prompt i issued the following:
netstat -ano
there were the following entries regarding syslog:
TCP: 0.0.0.0 1468
UDP: 0.0.0.0:514
But nothing is listening to 6514
What can be the problem? Thank you very much in advance!!
Somethin i saw on the error log:
Unable to bind TCP listener to port 6514 There might be a problem with the certificate provided.
Here are some pictures of the settings:
↧
Syslog server not receiving messages in TCP/SSL mode
Hello,
I have installed kiwi syslog server 9.6.3.3 eval version and trying to configure syslog in TCP SSL mode.
First, these are the steps I following to configure the server:
a) created a self signed certificate using java keytool.
b) imported into windows certificates personal and trusted roots folder.
c) selected the imported certificate in kiwi setup configuration.
After following the above steps , I got below error in Event log file.
2017-11-29 16:40:06 Unable to bind secure TCP listener to port 6514 There might be a problem with the certificate provided.
After googling for this error, I got below link and used IIS server to create a self-signed certificate
Re: Kiwi Syslog Server does not display secure ASA syslogs
After configuring certificate which is generated from IIS, I started getting below error.
2017-11-30 12:37:30 Source: C:\Windows\SysWow64\mswinsck.ocx Error: Socket is non-blocking and the specified operation will block
But , I was able to receive messages in SSL mode using java code running in same box where syslog server is installed. If I try to run same java code from any box other than kiwi server, it is not receiving messages.
Observed similar behavior for TCP mode as well.
How to check syslog server is configured correctly or not? Is there any way to do that?.
Thanks in Advance!!
↧
Kiwi syslog migration
We have upgraded our kiwi syslog server to a new server with a new version of the OS.
I need to migrate the settings of the previous server to the new server, but I am unable to find a migration tool or guide on how to migrate the settings.
I dont need to migrate the files (logs) only the settings.
Can anyone help or advise, or point me to a guide?
↧
↧
Kiwi Syslog Server - Status Code 500
Hi community. I ve searched about my problem but only found topics related about Orin software. I am getting an exception in Kiwi Syslog Web Access. Status Code 500. Any one have experienced this issue ? Thanks a lot.
Exception of type 'System.Web.HttpUnhandledException' was thrown.
Status Code: 500
System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentOutOfRangeException: 'capacity' must be non-negative.
Parameter name: capacity
at System.Collections.ArrayList..ctor(Int32 capacity)
at RadGridUserSettings.GetSerializedSettings()
at _Event.Render(HtmlTextWriter writer)
at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at Telerik.Web.UI.RadAjaxControl.RenderPageInAjaxMode(HtmlTextWriter writer, Control page)
at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
at System.Web.UI.Page.Render(HtmlTextWriter writer)
at _Event.Render(HtmlTextWriter writer)
at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at Telerik.Web.UI.RadAjaxControl.RenderPageInAjaxMode(HtmlTextWriter writer, Control page)
at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
at System.Web.UI.Page.Render(HtmlTextWriter writer)
at _Event.Render(HtmlTextWriter writer)
at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace ---
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.events_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Resource: http://localhost:8088/Events.aspx
Referrer: http://localhost:8088/Gateway.aspx
Click here to return to the previous page Click here to return to the login page
↧
How to Migrate Kiwi Syslog Server
There are 3 things that you need to consider when migrating Kiwi Syslog Server:
- Configuration - to back them up, simply open the Kiwi Syslog Server Manager and click "File -> Export Settings to INI" .
- Logs - Manually copy Syslog messages log files. Under Setup, look for all Log to file - action and take note of the path and file name.
- License - Deactivate the license from the old server using License Manager Tool first so that you can transfer the license to the new server. Please take note that Activation Key will be different once the license is deactivated. You can refer to the following video for more detail information:
↧
How to create filter in kiwi syslog web access to filter only windows logon events
Dear All,
I want to create filter in syslog server to view the windows logon and logoff (event logs).
Please help me to create the filter.
↧