Channel: THWACK: Popular Discussions - Kiwi Syslog
Viewing all 15803 articles

After upgrading Kiwi to 9.6.5 service crashes


After we upgraded our Kiwi Syslog to 9.6.5 we have had an ongoing issue where any rule or config change crashes the syslog service. This happens on both of our Kiwi servers.

 

We ruled out McAfee AntiVirus and HBSS (uninstalled)

 

The error I see in the Application events shows:

 

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: exception code c0000096, exception address 0686733C

 

I have re-opened our case with support but I wanted to reach out to the community to see if anyone else is seeing this behavior. We might have to roll back to an earlier version if we don't get something resolved soon.

 

Thanks


How to search all log files


Hi everyone,

 

Can someone confirm that both the Kiwi Syslog Service Manager console and the Kiwi Syslog Web Access will only display messages for current log files.  Therefore, a find or filter will only bring up hits for the most current log files, correct?

 

Assuming that is the case, I found a thread that mentions WinGREP as a freeware to search all log files on your hard drive.  Wouldn't it be helpful for this capability to be integrated into Kiwi Syslog Server?

 

For example, I am importing all Windows Security events from all domain controllers into Kiwi Syslog Server.  I want to be able to search for a username and the phrase "user account is locked out" for as far back as I have logs.  How do I do this easily?

 

Thanks,

Tony
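One way to get the "search every log file, as far back as I have logs" behaviour Tony asks for, without Kiwi or WinGREP, as an added example that is not part of the original post or of Kiwi Syslog. It walks a directory of Kiwi text logs (rotated files included), matches the username as a whole token and the phrase case-insensitively, and returns file, line number and line. The directory layout, file names and the Windows Security event lines are constructed for the demo; the real 4740 event text reads "A user account was locked out."

```python
"""Search every Kiwi Syslog log file under a directory for a username plus a phrase.

Added example (not part of the original post or of Kiwi Syslog). Assumes the
default plain-text log layout where one event is one line; the directory path,
file names and sample events below are constructed for illustration.
"""
import os
import re
import tempfile
from typing import Iterator, List, Tuple


def iter_log_files(root: str, pattern: str = r"\.(txt|log)$") -> Iterator[str]:
    """Yield every file under root whose name matches pattern (rotated files included)."""
    rx = re.compile(pattern, re.IGNORECASE)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if rx.search(name):
                yield os.path.join(dirpath, name)


def search_logs(root: str, username: str, phrase: str) -> List[Tuple[str, int, str]]:
    """Return (file, line_number, line) for every line containing both terms.

    The username is matched as a whole token (so 'jdoe' does not match 'jdoe2');
    both terms are matched case-insensitively, as Windows treats account names.
    """
    user_rx = re.compile(r"(?<![\w.\-])" + re.escape(username) + r"(?![\w.\-])", re.IGNORECASE)
    phrase_rx = re.compile(re.escape(phrase), re.IGNORECASE)
    hits: List[Tuple[str, int, str]] = []
    for path in iter_log_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if user_rx.search(line) and phrase_rx.search(line):
                    hits.append((path, lineno, line.rstrip("\n")))
    return hits


# Constructed sample: Windows Security events as Kiwi would write them, split over a
# rotated file and the current file so the search has to cross file boundaries.
SAMPLE_EVENTS = {
    "SyslogCatchAll-2019-02-07.txt": [
        "02-07-2019 09:12:01 Local0.Info 10.0.0.5 DC1 Security 4740: A user account was locked out. Account Name: jdoe",
        "02-07-2019 09:15:44 Local0.Info 10.0.0.5 DC1 Security 4624: An account was successfully logged on. Account Name: jdoe2",
    ],
    "SyslogCatchAll.txt": [
        "02-08-2019 14:25:19 Local0.Info 10.0.0.6 DC2 Security 4740: A user account was locked out. Account Name: JDOE",
        "02-08-2019 14:26:02 Local0.Info 10.0.0.6 DC2 Security 4740: A user account was locked out. Account Name: asmith",
    ],
}


def write_sample_logs(root: str) -> None:
    for name, lines in SAMPLE_EVENTS.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")


def demo() -> List[Tuple[str, int, str]]:
    """Write the constructed logs to a temp dir and search them for jdoe's lockouts."""
    root = tempfile.mkdtemp(prefix="kiwi-logs-")
    write_sample_logs(root)
    return search_logs(root, "jdoe", "user account was locked out")


if __name__ == "__main__":
    for path, lineno, line in demo():
        print(f"{os.path.basename(path)}:{lineno}: {line}")
```

Point it at the Kiwi log folder (by default under the Syslogd install directory) with the real username and phrase; the whole-token match is what keeps "jdoe" from also returning "jdoe2" and service accounts that merely contain the name.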

Kiwi Syslog not receiving any message


Hello,

 

I just installed Syslog on a Windows 8 VM (ESXi 5.5).

However, I don't receive any messages from the router (Cisco RV042G) I want to log.

 

I tried the generic troubleshooting:

• Check network connectivity by pinging from the sending device to the Syslog Server machine  => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled

• Use a sniffer to check if messages from the router are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)

 

Do you have any idea about the cause of this issue?

 

Thanks in advance for your help.

Parsing Kiwi Syslog Data


All,

 

I am trying to parse data that is received with Kiwi Syslog and then forward that parsed data to another syslog server that is viewed by other technicians. The issue I am having is that the server that sends the data is sending too much information that is not needed to the destination syslog server. I see that Kiwi Syslog does have the ability to do some parsing via VBScript. I was hoping someone could post a script that I could try that would parse the following data.

 

02-08-2019 14:25:19 User.Warning 172.16.0.145 Feb  8 20:25:19 Server1.penfield.edu ERAServer[743]: {"event_type":"Threat_Event","ipv4":"172.17.21.137","hostname":"Computer1.microsoft.com","source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db","occured":"08-Feb-2019 19:16:43","severity":"Warning","threat_type":"potentially unwanted application","threat_name":"JS/Spigot.B","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"18843 (20190208)","object_type":"file","object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js","action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,"circumstances":"Event occurred on a newly created file.","firstseen":"08-Feb-2019 19:16:43","hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}

 

The only data I need to pass to the other syslog server from Kiwi server is the following data,

 

"hostname":"Computer1.microsoft.com"

"threat_name":"JS/Spigot.B"

"object_uri":"file:///C:/Users/Jdoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js"

"scanner_id":"Real-time file system protection"

 

The parts marked in red do change. Is this possible?

 

Thanks,

Mike
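The extraction Mike describes, as an added example that is not from the original post or from Kiwi Syslog (Kiwi's scripting hook is VBScript; this is Python so the same logic can be run and checked outside Kiwi). It splits Kiwi's display prefix (date, time, facility.severity, peer IP) from the original message, decodes the JSON object at the end of the message with a real JSON parser rather than a regex, keeps only the four wanted keys, and re-serialises them as one compact JSON object so the downstream syslog server still receives a parsable field set. The sample line is the one quoted in the post; lines that carry no JSON are returned as None so a relay can forward them unchanged instead of dropping them.

```python
"""Extract selected fields from a Kiwi Syslog line whose payload is a JSON object.

Added example (not from the original post or Kiwi Syslog; Kiwi's own scripting
hook is VBScript and is not shown here). The line below is the one quoted in the
post, used as constructed test input.
"""
import json
import re
from typing import Dict, Optional

# Kiwi display format: date time facility.severity peer-ip <original message>.
# The original message here is RFC 3164 style: timestamp, hostname, tag[pid]: JSON.
KIWI_LINE_RX = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facsev>[A-Za-z0-9]+\.[A-Za-z]+) (?P<peer>\S+) "
    r"(?P<rest>.*)$"
)

# The keys the post wants to pass on; everything else is dropped.
WANTED = ("hostname", "threat_name", "object_uri", "scanner_id")


def parse_kiwi_line(line: str) -> Optional[Dict[str, object]]:
    """Split the Kiwi prefix off and decode the JSON object at the end of the message.

    Returns None if the line has no JSON object or it does not decode.
    """
    m = KIWI_LINE_RX.match(line)
    if not m:
        return None
    rest = m.group("rest")
    start = rest.find("{")
    if start < 0:
        return None
    try:
        payload = json.loads(rest[start:])
    except json.JSONDecodeError:
        return None
    return {"peer": m.group("peer"), "facsev": m.group("facsev"), "payload": payload}


def reduce_event(line: str, wanted=WANTED) -> Optional[str]:
    """Return a compact JSON message carrying only the wanted keys, or None if not a JSON event."""
    parsed = parse_kiwi_line(line)
    if parsed is None or not isinstance(parsed["payload"], dict):
        return None
    payload = parsed["payload"]
    kept = {k: payload[k] for k in wanted if k in payload}
    # Re-serialise rather than string-slice, so values containing quotes or braces stay valid JSON.
    return json.dumps(kept, separators=(",", ":"))


# Constructed input: the event quoted in the post.
SAMPLE = (
    '02-08-2019 14:25:19 User.Warning 172.16.0.145 Feb  8 20:25:19 Server1.penfield.edu '
    'ERAServer[743]: {"event_type":"Threat_Event","ipv4":"172.17.21.137",'
    '"hostname":"Computer1.microsoft.com","source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db",'
    '"occured":"08-Feb-2019 19:16:43","severity":"Warning","threat_type":"potentially unwanted application",'
    '"threat_name":"JS/Spigot.B","scanner_id":"Real-time file system protection","scan_id":"virlog.dat",'
    '"engine_version":"18843 (20190208)","object_type":"file",'
    '"object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js",'
    '"action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,'
    '"circumstances":"Event occurred on a newly created file.","firstseen":"08-Feb-2019 19:16:43",'
    '"hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}'
)

if __name__ == "__main__":
    print(reduce_event(SAMPLE))
```

Using a JSON parser instead of four regexes matters for the values the post says change: a file path or threat name containing a quote or a backslash would break a naive pattern but round-trips cleanly through json.loads / json.dumps.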

Syslog Console Hangs


Hi,

 

The syslogd service runs fine on our Windows Server 2016 DC.

But if we open the console, it hangs. Memory and CPU load are ok.

Any idea what I can check?

 

 

 

Best Regards,

 

Wouter Jinssen

Siemens

Cisco ISE Logs


In order to receive the syslogs that come from an ISE server, you must change the message length to 8192 on the device or the messages will be messed up.

Is there a setting on the Kiwi server I need to adjust to accommodate this?

It appears that when viewing the logs coming in through the manager console they look OK, but if you send them to a log file the entries in the file are incomplete or truncated.

Kiwi Syslog Server HA (High Availability)


Hi Folks, I am starting to evaluate Kiwi Syslog Server and one of the main requirements will be how we provision HA (High Availability).

I have seen some posts regarding the use of LBs (Load Balancers) but these posts are pretty old and don't go into that much detail.

 

I'm hoping that someone can point me in the right direction.

 

If we use 2 LBs in a cluster (probably NetScalers) all clients will connect to the LB VIP.

I'm "guessing at this stage" that the LBs will send all traffic to one of 2 Kiwi Syslog servers (let's call them Kiwi A and Kiwi B, where Kiwi A is the current live server).

We are resilient against the loss of an LB (as they are operating in an HA cluster).

If we lose Kiwi A, traffic will be redirected to Kiwi B.

 

Thoughts/Comments

If we lose an LB, we will probably lose syslog records - I don't think it's possible to avoid this (even if we use TCP)?

If we lose Kiwi A, syslog records will be redirected to Kiwi B by the LB (again, I think we could lose some syslog records)

If we need old logfiles on Kiwi A (that isn't now available) - I guess we can't unless Kiwi A writes to a CIFS share (that Kiwi B also writes to) ???

 

If we don't have access to a direct CIFS share, could we use Windows DFS (so that Kiwi A is replicating to Kiwi B and vice-versa) - again, I think we will miss records.

So basically, if we lose Kiwi A, and the LB starts writing to Kiwi B, Kiwi B will have the replicated records (via DFS from Kiwi A)

Kiwi B should pretty much have almost all of the records available (would need to test this against busy input devices)

 

Before we go down this road and start testing, It would be great if anyone has any information/feedback/comments  they could provide.

 

Many Thanks.

Kiwi Syslog Web Access Database Location


Hello,

We are looking to find the Windows file/folder location where Kiwi Syslog Web Access is pulling its records from.

We currently save events to the syslogd/logs location, as well as a SQL database. But when we set up the Kiwi Syslog Console Service Manager to send forwarded events to 'Log to Kiwi Syslog Web Access', we cannot find where it stores those records.

Thanks,

Mark


Does Kiwi syslog server support TLS 1.2? If so how to enable it?


I am trying to connect to Kiwi Syslog Server in secure TCP mode. From my client side (C# code) I try to connect to the Kiwi Syslog server using the TLS 1.2 protocol. But the SSL handshake from the server is set to TLS 1.0.

I installed the Kiwi server on Windows 7 SP1 and enabled TLS 1.2 in the system by modifying the registry.

 

SSL handshakes captured using Network Monitor are given below.

 

Client handshake (screenshot: Client HandShake.png)

Server handshake (screenshot: server handshake.png)

 

Client side code (C#):

// Using directives needed by the snippet; hostname, port, timeout and
// ValidateServerCertificate are defined elsewhere in the poster's code.
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Process-wide default for ServicePoint-based clients (HttpWebRequest etc.);
// the SslStream below takes its protocol from the AuthenticateAsClient call instead.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

var tcpClient = new TcpClient(hostname, port);
var tcpClientStream = tcpClient.GetStream();
var sslStream = new SslStream(tcpClientStream, false, ValidateServerCertificate)
{
    ReadTimeout = timeout,
    WriteTimeout = timeout
};

// Offer only TLS 1.2 in the ClientHello; the handshake fails unless the server agrees.
sslStream.AuthenticateAsClient(hostname, new X509CertificateCollection(), System.Security.Authentication.SslProtocols.Tls12, false);
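To check a capture like the one above without trusting a tool's summary line, here is an added example (not from the original post, Kiwi Syslog or Network Monitor) that reads the negotiated protocol version and cipher suite straight out of a raw TLS ServerHello record. The two records it parses are constructed by hand to look like what the poster's capture would contain, one where the server chose TLS 1.0 and one where it chose TLS 1.2; anything that is not a well-formed ServerHello raises rather than being misread.

```python
"""Read the negotiated protocol version and cipher suite out of a captured TLS ServerHello.

Added example (not from the original post, Kiwi Syslog or Network Monitor). The
two ServerHello records below are constructed, not taken from a real capture.
"""
import struct
from typing import Dict

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_server_hello(record: bytes) -> Dict[str, object]:
    """Parse one TLS record (type 0x16) that carries a ServerHello (handshake type 0x02).

    Note: a TLS 1.3 server still writes 0x0303 in this field and carries the real
    version in the supported_versions extension, which this parser does not read.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                        # skip server_version and the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                  # skip session_id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    compression = hello[pos + 2]
    return {
        "record_version": VERSIONS.get(struct.unpack("!H", record[1:3])[0], "unknown"),
        "version": VERSIONS.get(version, f"unknown 0x{version:04x}"),
        "cipher_suite": f"0x{cipher:04x}",
        "compression": compression,
    }


def make_server_hello(version: int, cipher: int) -> bytes:
    """Build a minimal ServerHello record (constructed test data, empty session id, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body


# Constructed samples: TLS 1.0 with TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) and
# TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f).
SAMPLE_TLS10 = make_server_hello(0x0301, 0x002F)
SAMPLE_TLS12 = make_server_hello(0x0303, 0xC02F)

if __name__ == "__main__":
    for name, rec in (("tls1.0", SAMPLE_TLS10), ("tls1.2", SAMPLE_TLS12)):
        print(name, parse_server_hello(rec))
```

If the ServerHello's version field really says 0x0301 while the ClientHello offered only TLS 1.2, the server side is choosing the lower version and the client code above is not the place to fix it.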

'How much traffic can Kiwi Syslog Server handle?'


According to the FAQ: "Our software is built and tested to support more than two million messages an hour without tuning. (That would support more than 500 machines each sending one message a second.)"


This blog says to split out your busiest syslog source...

But what do you do when a single source exceeds 600-1000 messages per second? eg., upstream syslog aggregator or firewalls

Can Kiwi Syslog be used in a syslog relay chain without being the first in the chain ?


Hello,

 

I have been working in log management for a couple of years now. Across all the clients I've met, Kiwi Syslog had been in use for quite a while.

From a functionality perspective, amazing things were achieved with it by operational teams.

But I am no expert at configuring Kiwi Syslog, although somewhat familiar with it.

 

I am often involved in building centralized log management infrastructure and here is where I always get stuck with Kiwi Syslog.

Perhaps there is a hidden config option that I missed ?

 

Implementing a centralized log management infrastructure often dictates that all logs (syslog) are to be sent to a single destination, the centralized log management.

This destination is always defined with high performance and high resilience in mind, e.g. VIP, load balancers, failover systems.

For any other systems that require access to the logs, a live unmodified copy is forwarded to them.

In other words, we just built a syslog relay chain.

 

And with as much respect as I have for your product, making Kiwi Syslog the first in that relay chain in a central log management system is not an option.

Nor is double-feeding from the source, building a central log management is all about having a single destination for logs where redistribution is performed there.

 

Whenever I walk into a department that has been running Kiwi Syslog for a while, they have implemented a lot of automation with it.

Obviously, they (and I agree) want to keep using it.

So the simplest solution would be to forward logs from the centralized syslog server TO the department Kiwi Syslog server.

This way the enterprise is happy, centralized log management is in place AND that department is happy, the same interface they are using is still there.

That's where I hit a snag.

 

To my knowledge, Kiwi Syslog ALWAYS takes the IP address as the source of the message, even if it receives properly formatted RFC3164 or RFC5424 messages containing hostnames.

Therefore, using Kiwi Syslog in a relay chain where it's not the first one in the relay makes all sources the previous IP address.

Yes, spoofing can be used in the relay chain, but it's not elegant, it slows down throughput quite a lot and more often than not, does get blocked by security guidelines.

 

Almost all advanced syslog servers in the field are configurable and allow using the hostname contained in properly formatted syslog messages as the source host.

For improperly formatted messages, the IP of the connected socket is taken.

Also, with some templating, it's even possible in the first relay to add an ORIGINATING IP prefix to the message and get the hostname from there.

On output I saw that rsyslog supports adding such a prefix.

 

My questions are:

1. Is there a way to configure Kiwi Syslog to take the source from inside the syslog message received because it was prefixed with "originating address=4.4.4.4", for example?

2. Is there a way to configure Kiwi Syslog to take the source from the hostname syslog header and, if that fails, to take it from the connected socket?

 

Without a way to do any of the above, Kiwi simply doesn't support being on the receiving end of a syslog relay chain and ends up being discarded where it still had lots of value.

Most large enterprises are really looking at central log management, and message brokers like Kafka, to store the logs and allow for log distribution.

Feeding specific logs from Kafka to Kiwi Syslog would be a tremendous help for operational teams, but if, for example, all the logs have as a source a single IP address (the Kafka cluster) instead of the real IP of their firewall, it makes this forwarding useless.

 

Presuming that I read the doc and haven't missed anything, if rsyslog could support on TCP and UDP input a setting that instructs it to look for ORIGINATING ADDRESS inserted in the message and use this IP address as the source for display, that would be amazing.

Hoping I overlooked some part of the documentation; otherwise, is there anyone else who sees this as an extremely important feature to support?
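The source-selection order the post asks for, as an added example that is not from the original post and is not a Kiwi Syslog feature (Kiwi's socket-address behaviour is exactly what the post describes). It tries an "originating address=" prefix inserted by the first relay, then the HOSTNAME field of an RFC 5424 or RFC 3164 header, and finally falls back to the peer IP. One detail the post does not spell out is added here: the prefix is honoured only when the packet actually came from a known relay, because otherwise any host that can reach the receiver could claim to be the firewall. The relay address, the trusted-relay set and the five messages are constructed for illustration, and the prefix key is an assumption taken from the post's own wording.

```python
"""Derive the event source from the syslog message instead of the sending socket.

Added example (not from the original post and not a Kiwi Syslog feature).
Fallback order: trusted relay prefix, RFC 5424 HOSTNAME, RFC 3164 HOSTNAME, peer IP.
The relay IP, trusted set and sample messages are constructed for illustration.
"""
import re
from typing import List, Set, Tuple

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME ...   (HOSTNAME may be the NILVALUE "-")
RFC5424_RX = re.compile(rb"^<\d{1,3}>1 (\S+) (\S+) ")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...   (day of month is space-padded)
RFC3164_RX = re.compile(rb"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# Prefix convention from the post; the exact key is an assumption. Match whatever the first relay emits.
ORIG_RX = re.compile(rb"originating address=(\S+)")

# Only these peers may assert an originating address (constructed value).
TRUSTED_RELAYS: Set[str] = {"10.0.0.250"}


def classify_source(msg: bytes, peer_ip: str, trusted: Set[str] = TRUSTED_RELAYS) -> Tuple[str, str]:
    """Return (source, how); how is 'prefix', 'rfc5424', 'rfc3164' or 'peer'."""
    m = ORIG_RX.search(msg)
    if m and peer_ip in trusted:            # never trust an originating-address claim from an unknown peer
        return m.group(1).decode("ascii", "replace"), "prefix"
    m = RFC5424_RX.match(msg)
    if m and m.group(2) != b"-":            # "-" means the sender had no hostname to give
        return m.group(2).decode("ascii", "replace"), "rfc5424"
    m = RFC3164_RX.match(msg)
    if m:
        return m.group(1).decode("ascii", "replace"), "rfc3164"
    return peer_ip, "peer"


# Constructed sample: messages as they would arrive from a central relay at 10.0.0.250.
RELAY_IP = "10.0.0.250"
SAMPLES = [
    b"<134>1 2019-02-08T20:25:19Z fw-edge-01 asa - - - %ASA-6-302013: Built outbound TCP connection",
    b"<134>Feb  8 20:25:19 core-sw-01 %SYS-5-CONFIG_I: Configured from console",
    b"<134>Feb  8 20:25:19 relayhost originating address=4.4.4.4 msg=interface down",
    b"<134>1 2019-02-08T20:25:19Z - app - - - no hostname supplied",
    b"this is not syslog at all",
]


def run(samples=SAMPLES, peer_ip: str = RELAY_IP) -> List[Tuple[str, str]]:
    return [classify_source(m, peer_ip) for m in samples]


if __name__ == "__main__":
    for msg, (src, how) in zip(SAMPLES, run()):
        print(f"{how:8s} {src:20s} {msg[:60]!r}")
```

The trust check is the part worth keeping whatever tool ends up doing this: a hostname or prefix taken from message text is attacker-controlled data, so the receiver should only accept it from the relay it expects, and should still record the socket address alongside it for forensics.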

Maximum number of TCP connections has been reached. Not accepting connection.


KiWi Syslogd error: Maximum number of TCP connections has been reached. Not accepting connection.

Why? Thanks..

Kiwi Syslog Server - Status Code 500


Hi community. I've searched about my problem but only found topics related to Orion software. I am getting an exception in Kiwi Syslog Web Access. Status Code 500. Has anyone experienced this issue? Thanks a lot.

Exception of type 'System.Web.HttpUnhandledException' was thrown.

Status Code: 500

System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentOutOfRangeException: 'capacity' must be non-negative.
Parameter name: capacity
   at System.Collections.ArrayList..ctor(Int32 capacity)
   at RadGridUserSettings.GetSerializedSettings()
   at _Event.Render(HtmlTextWriter writer)
   at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
   at Telerik.Web.UI.RadAjaxControl.RenderPageInAjaxMode(HtmlTextWriter writer, Control page)
   at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
   at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
   at System.Web.UI.Page.Render(HtmlTextWriter writer)
   at _Event.Render(HtmlTextWriter writer)
   at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
   at Telerik.Web.UI.RadAjaxControl.RenderPageInAjaxMode(HtmlTextWriter writer, Control page)
   at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
   at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
   at System.Web.UI.Page.Render(HtmlTextWriter writer)
   at _Event.Render(HtmlTextWriter writer)
   at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   --- End of inner exception stack trace ---
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.events_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Resource: http://localhost:8088/Events.aspx
Referrer: http://localhost:8088/Gateway.aspx



Can't setup syslog with a Cisco ASA 5505


I have never used syslog before but was asked to set one up.

I am having trouble setting it up with my Cisco ASA 5505 security Device.

I can ping FROM the server to the Cisco ASA

I can ping FROM the ASA to the Server.

 

 

 

Things I have done.

 

  1. I have downloaded the SolarWinds Kiwi Syslog Server.
  2. I installed it as a service.
  3. I tested the Kiwi Syslog Server using its built-in testing tool and I received messages. They came in on 127.0.0.1.
  4. In Kiwi Syslog Server I added the IP address of the Cisco ASA.
    1. File - Setup - Input - 192.168.200.1 (Server address)
  5. Inputs - UDP
    1. Made sure Port was set to 514
  6. Logged into the Cisco ASDM management.
  7. Went to:
    1. Configuration - Device Management - Logging
  8. Under Logging Setup I selected "Enable"
  9. Logging Filters
    1. I enabled Syslog and selected "Severity: Warnings" for all event classes.
  10. Clicked on "Syslog Servers" from the menu. I added:
    1. Interface: Data (inside, which the syslog server is connected to)
    2. IP Address (IP address of the syslog server)
    3. UDP Port 514
    4. EMBLEM and Secure are set to "No"
  11. Clicked on "Syslog Setup" on the ASA in the menu structure
    1. Include Timestamp in syslogs
  12. I applied the settings to the ASA and then committed the changes to flash.

 

Any ideas on why the syslog server isn't displaying the info?

 

Thanks so much in advance!
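Both this post and the earlier "Kiwi Syslog not receiving any message" post end at the same question: packets are (or may be) reaching the box, but nothing shows up in Kiwi. The added example below is not from either post and is not Kiwi's SyslogGen; it is a small loopback check that binds its own UDP listener, sends one correctly formed RFC 3164 message to it and reports whether it arrived, so "nothing on the wire" can be separated from "the host is not delivering UDP to the listener" (Windows firewall, another process on the port, binding to the wrong interface). Port 514 and the Kiwi host are assumed; the demo runs against an in-process listener on an ephemeral 127.0.0.1 port so it is deterministic, and the message text is constructed.

```python
"""Send a test syslog message over UDP and confirm it arrives.

Added example (not part of either post, and not Kiwi's SyslogGen). The demo
listener runs in-process on an ephemeral loopback port; point send_udp() at
the real Kiwi host and port 514 to exercise the actual listener.
"""
import socket
import time
from typing import Optional, Tuple


def build_rfc3164(facility: int, severity: int, hostname: str, tag: str, text: str) -> bytes:
    """Build an RFC 3164 message; PRI = facility * 8 + severity (local0.info = 16*8+6 = 134)."""
    pri = facility * 8 + severity
    ts = time.strftime("%b %d %H:%M:%S")     # RFC 3164 wants a space-padded day; Kiwi accepts both
    return f"<{pri}>{ts} {hostname} {tag}: {text}".encode("utf-8")


def parse_pri(msg: bytes) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a '<PRI>' prefix, or None if it is missing or malformed."""
    if not msg.startswith(b"<"):
        return None
    end = msg.find(b">", 1, 5)                # PRI is at most three digits
    if end < 0 or not msg[1:end].isdigit():
        return None
    pri = int(msg[1:end])
    if pri > 191:                             # 23 facilities * 8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def send_udp(msg: bytes, host: str, port: int) -> None:
    """Fire one datagram at a syslog listener (e.g. the Kiwi host on port 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))


def loopback_check(bind_ip: str = "127.0.0.1", port: int = 0, timeout: float = 2.0) -> Optional[bytes]:
    """Bind a UDP listener, send one message to it and return what arrived (None on timeout).

    If this succeeds on a host where Kiwi sees nothing sent to 127.0.0.1, the host
    delivers loopback UDP fine and the problem is Kiwi's binding or port; if this
    also fails, look at the host firewall or another process holding the port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((bind_ip, port))
        listener.settimeout(timeout)
        actual_port = listener.getsockname()[1]
        msg = build_rfc3164(16, 6, "testhost", "kiwitest", "loopback test message")
        send_udp(msg, bind_ip, actual_port)
        try:
            data, _peer = listener.recvfrom(65535)
        except socket.timeout:
            return None
        return data


if __name__ == "__main__":
    got = loopback_check()
    print("received:", got, "facility/severity:", parse_pri(got) if got else None)
```

Run loopback_check() with port=514 on the Kiwi host while the Kiwi service is stopped: a bind failure there means something else already owns the port, which would also explain why the service never sees the ASA's traffic.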


Syslog 9.1 log to sql database error


Hello all,

I keep getting the below errors when trying to send info to our SQL database.

2010-10-10 16:49:39     DBLogger.ClearQueue aborted with error: Incorrect syntax near '2222:43:netmgtd:10-Oct-2010 16:49:37.018014:rca_ocp.c:295:INFO:25.2.4:GUI: Account admin from 10.X.X.XX logged in to 10.X.X.X'. - SQL statement has been removed from the database cache. [Syslogd_TaskEngine.exe 2.5.151] (801) INSERT INTO Syslogd (MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText) VALUES ('2010-10-10','16:49:38','User.Info','10.X.X.XXX','2222:43:netmgtd:10-Oct-2010 16:49:37.018014:rca_ocp.c:295:INFO:25.2.4:GUI: Account admin from 10.X.X.XX logged in to 10.X.X.XXX. ') : C:\Program Files\Syslogd\DBCache\ca7ad33fa4e635d00d4106908427f600 [Line:0]

I have set up the log to database using the built-in SQL file format as well as creating one from scratch. What I don't get is that every time I use the debug command, the table gets updated properly without any errors. But when I apply my settings the log file gets filled with errors. I know it is complaining about quotes someplace, but in the view none of the statements have any quotes in them.

 

Any help would be greatly appreciated.

 

Thank you,

Giuseppe
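Giuseppe's error text shows the message body spliced directly into the INSERT as a quoted literal. The added example below (not from the original post or Kiwi Syslog, and not a diagnosis of his exact failure) reproduces the general failure mode and the fix: a message containing a single quote breaks a string-built statement, while a parameterised statement stores it intact. It uses SQLite instead of SQL Server so it runs offline; the table mirrors the columns in the posted INSERT, and the row, including the quote in the message, is constructed.

```python
"""Why building the INSERT by string concatenation breaks on message text, and the fix.

Added example (not from the original post or Kiwi Syslog). Uses SQLite so it runs
offline; the table mirrors the columns in the posted INSERT and the message text
is constructed to contain a single quote.
"""
import sqlite3
from typing import Tuple

DDL = "CREATE TABLE Syslogd (MsgDate TEXT, MsgTime TEXT, MsgPriority TEXT, MsgHostname TEXT, MsgText TEXT)"

# Constructed row: same shape as the posted INSERT, with a quote inside the message.
ROW = (
    "2010-10-10", "16:49:38", "User.Info", "10.0.0.23",
    "2222:43:netmgtd:10-Oct-2010 16:49:37.018014:rca_ocp.c:295:INFO:25.2.4:GUI: Account 'admin' logged in",
)


def insert_unsafe(conn: sqlite3.Connection, row: Tuple[str, ...]) -> None:
    """The broken pattern: message text spliced into the SQL string.

    A quote in the message ends the literal early and the rest is parsed as SQL.
    This is the same mechanism as SQL injection, here triggered by an honest log line;
    a hostile device could send a crafted message that does more than fail.
    """
    sql = ("INSERT INTO Syslogd (MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText) "
           "VALUES ('%s','%s','%s','%s','%s')" % row)
    conn.execute(sql)


def insert_safe(conn: sqlite3.Connection, row: Tuple[str, ...]) -> None:
    """The fix: bind parameters, so the driver never reinterprets message bytes as SQL."""
    conn.execute(
        "INSERT INTO Syslogd (MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText) VALUES (?,?,?,?,?)",
        row,
    )


def demo() -> Tuple[str, int, str]:
    """Return (error from the unsafe insert, row count after the safe insert, stored message)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    try:
        insert_unsafe(conn, ROW)
        err = ""
    except sqlite3.Error as exc:
        err = str(exc)
    insert_safe(conn, ROW)
    count = conn.execute("SELECT COUNT(*) FROM Syslogd").fetchone()[0]
    stored = conn.execute("SELECT MsgText FROM Syslogd").fetchone()[0]
    conn.close()
    return err, count, stored


if __name__ == "__main__":
    err, count, stored = demo()
    print("unsafe insert failed with:", err)
    print("rows after safe insert:", count, "stored text:", stored)
```

Whatever the logging tool is, the check is the same: look at the generated statement in its log or cache and see whether the message text is inside the SQL string or passed as a parameter; only the latter is safe against both accidental quotes and deliberately crafted messages.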

Kiwi Syslog Forwarding


If I set up Kiwi Syslog to forward to another system such as Voyence, will Kiwi keep the source IP of the device that sent the syslog?

Kiwi SyslogServer 9.6.6.1 is failing to stay up with TCP traffic on port 514


Hello Experts,

 

We have two instances of Kiwi 9.6.6.1 (enterprise licensed) which are failing to stay up with TCP traffic over port 514. It fails with an unhandled exception "System.IndexOutOfRangeException". If I try to send the normal burst messages using SyslogGen it works, but for actual traffic it crashes. Tried to bind the IP and disable UDP as well, without luck.

 

We have DNS lookup disabled to achieve necessary speed. Our environment is Windows 2016.

 

Any suggestions would be of great help.

 

Thanks

Pradeep

Forward syslog events to QRadar


I'm trying to forward events from Kiwi Syslog to QRadar SIEM. 

 

In Kiwi Syslog setup, I created an Action: Forward to another host; gave it the QRadar appliance's IP as the Destination IP; selected "Retain the original source address of the message"; clicked the Test button to verify the configuration and got a green checkmark.

 

The test event was the only event received by QRadar. None of the events I'm forwarding have been received as incoming logs on QRadar.

 

I've tried this with and without adding the Kiwi Syslog servers as log sources in QRadar.

 

Do I need to install a universal DSM on the Kiwi Syslog servers?
