Channel: THWACK: Popular Discussions - Kiwi Syslog

SolarWinds Event Log Forwarder (1.2.0.114) TCP Issue


After Kiwi Syslog Server's service restarted, a reconnection problem occurred with SolarWinds Event Log Forwarder (1.2.0.114) over the TCP protocol.

 

To reproduce:

1) Kiwi Syslog Server

Setup > Inputs > TCP: Enabled, Port: 5140

2) SolarWinds Event Log Forwarder (1.2.0.114)

Port: 5140

Protocol: TCP

3) Kiwi Syslog Server's service restarted

SolarWinds Event Log Forwarder (1.2.0.114) did not forward the Windows Event Log to KSS through TCP.

 

Please see the following packet capture:

 

 

Please fix this issue.


Is it possible to have syslog messages on one line instead of a multi-line syslog message?


So I'm trying to accomplish the following:

 

I want the "MessageText" to appear as one constant line of text instead of it being indented with tabs and enters for the subject, group and process information. Is it possible to achieve this? I've tried messing around with the logging formats and even creating my own, but no dice.

 

I tried searching around but couldn't manage to find much about it. Can anyone help me out with this?

 

Currently, an example syslog message I've received:

 

'6/27/2019','1:55:12 PM','6/27/2019 1:55:12 PM','639','+0200','Kernel','Notice','Kernel.Notice','192.168.100.130','192.168.100.130','UDP','Jun 27 13:24:15 WIN-RDSGFDFGDFG MSWinEventLog    5    Security    41    Thu Jun 27 13:24:11 2019    4799    Microsoft-Windows-Security-Auditing        N/A    Audit Success    WIN-RSDFSDFSDF    13826    A security-enabled local group membership was enumerated.

Subject:
    Security ID:        S-x-x-xx
    Account Name:        WIN-SDFSDFSDFSDF
    Account Domain:        WORK
    Logon ID:        0x3E7

Group:
    Security ID:        S-x-x-xx-xxx
    Group Name:        Backup Operators
    Group Domain:        Builtin

Process Information:
    Process ID:        0xxxxxxxx
    Process Name:        C:\Windows\System32\sdgdfsgdfg.exe'

 

I want the 3 paragraphs at the end (subject, group and process information) to be pasted onto the end of the first line of text, with their spaces and tabs, instead of continuing on the next line. Is this even possible to achieve?

'6/27/2019','1:55:12 PM','6/27/2019 1:55:12 PM','639','+0200','Kernel','Notice','Kernel.Notice','192.168.178.130','192.168.178.130','UDP','Jun 27 13:24:15 WIN-ROBKHFCU8AS MSWinEventLog    5    Security    41    Thu Jun 27 13:24:11 2019    4799    Microsoft-Windows-Security-Auditing        N/A    Audit Success    WIN-ROBKHFCU8AS    13826    A security-enabled local group membership was enumerated.

Subject:
    Security ID:        S-1-5-18
    Account Name:        WIN-ROBKHFCU8AS$
    Account Domain:        WORKGROUP
    Logon ID:        0x3E7

Group:
    Security ID:        S-1-5-32-551
    Group Name:        Backup Operators
    Group Domain:        Builtin

Process Information:
    Process ID:        0x1084
    Process Name:        C:\Windows\System32\VSSVC.exe'
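Added example (not part of the post, and not a Kiwi feature): a Python post-processing script that takes a Kiwi log file in the format shown above, regroups the continuation lines into whole records, and produces the single-line form the question asks for, while also pulling the Subject / Group / Process Information fields into a dictionary so they stay searchable once flattened. The record in SAMPLE is the one from the post, written with tabs as indentation; the names in EVENT_FIELDS are my own labels for the tab-separated Windows event fields, in the order they appear in that record.

```python
import re

# Record copied from the post above: one Kiwi log line whose message text (the
# last quoted field) continues over several lines. Indentation is written with
# tabs here, as the Windows event text carries it.
SAMPLE = (
    "'6/27/2019','1:55:12 PM','6/27/2019 1:55:12 PM','639','+0200','Kernel','Notice',"
    "'Kernel.Notice','192.168.178.130','192.168.178.130','UDP','Jun 27 13:24:15 "
    "WIN-ROBKHFCU8AS MSWinEventLog\t5\tSecurity\t41\tThu Jun 27 13:24:11 2019\t4799\t"
    "Microsoft-Windows-Security-Auditing\t\tN/A\tAudit Success\tWIN-ROBKHFCU8AS\t13826\t"
    "A security-enabled local group membership was enumerated.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWIN-ROBKHFCU8AS$\n"
    "\tAccount Domain:\t\tWORKGROUP\n"
    "\tLogon ID:\t\t0x3E7\n"
    "\n"
    "Group:\n"
    "\tSecurity ID:\t\tS-1-5-32-551\n"
    "\tGroup Name:\t\tBackup Operators\n"
    "\tGroup Domain:\t\tBuiltin\n"
    "\n"
    "Process Information:\n"
    "\tProcess ID:\t\t0x1084\n"
    "\tProcess Name:\t\tC:\\Windows\\System32\\VSSVC.exe'\n"
)

# A new record starts with Kiwi's quoted date field; any other line continues
# the previous record's message text.
RECORD_START = re.compile(r"^'\d{1,2}/\d{1,2}/\d{4}',")

# Tab-separated fields that follow "MSWinEventLog" in the record above, in the
# order they appear there (the names are my own labels).
EVENT_FIELDS = ["criticality", "log", "counter", "time", "event_id", "source",
                "user", "sid_type", "type", "computer", "category", "text"]


def split_records(text):
    """Group the lines of a Kiwi log file into complete multi-line records."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def flatten(record):
    """Collapse a record onto one line: each run of line breaks (plus the
    indentation that follows it) becomes a single space; tabs inside a line,
    such as those between a key and its value, are kept."""
    return re.sub(r"(?:[ \t]*\r?\n)+[ \t]*", " ", record.strip())


def parse(record):
    """Split a record into its Kiwi fields, the Windows event fields and the
    indented 'Key: Value' blocks (Subject, Group, Process Information)."""
    first, *rest = record.splitlines()
    kiwi = [f.strip("'") for f in first.split("','")]
    event = {}
    if "MSWinEventLog\t" in kiwi[-1]:
        values = kiwi[-1].split("MSWinEventLog\t", 1)[1].split("\t")
        event = dict(zip(EVENT_FIELDS, values))
    details, section = {}, None
    for line in rest:
        line = line.rstrip("'").rstrip()        # drop Kiwi's closing quote
        if not line.strip():
            continue
        if not line.startswith(("\t", " ")) and line.endswith(":"):
            section = line[:-1]                 # e.g. "Subject"
            continue
        key, sep, value = line.strip().partition(":")
        if sep and section:
            details[f"{section}.{key.strip()}"] = value.strip()
    return {"kiwi": kiwi, "event": event, "details": details, "flat": flatten(record)}


if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        parsed = parse(rec)
        print(parsed["flat"])
        print(parsed["event"]["event_id"], parsed["details"])
```

Feed it the whole log file and write out `flatten(rec)` per record; the structured `details` dictionary is what you would index if the one-line form is going to be searched later.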

Monitor Cisco Firewall and Router "Bad Password" Attempt Failures


I am setting up Cisco routers and assorted firewalls with Kiwi to listen and alert on bad passwords, with little success.  I have also allowed SNMP.  Has anyone had success doing this, and do you have any examples for the Cisco devices?  We are using an assorted number of Cisco routers, switches, ASA firewalls, and VPN 3000 series gear.

 

logging trap errors

logging source-interface Ethernet0/0

logging 172.16.7.57

snmp-server community readmib RO

snmp-server enable traps snmp

snmp-server enable traps syslog

snmp-server host 172.16.7.57 traps writemib

!
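Added example, not from the thread: a Python detector for the failed-login messages that configuration is meant to forward. One thing worth checking in the configuration above is the export level: `logging trap errors` sends only severity 3 and below, while the IOS login-failure message (%SEC_LOGIN-4-LOGIN_FAILED) is severity 4 and the ASA authentication-rejected message (%ASA-6-113015) is severity 6, so at that trap level neither ever reaches the collector. The script reads the severity from the syslog PRI, models that device-side filter, and counts failures per source address in a sliding window. The sample lines are constructed, and the message formats are my assumption of the documented shapes, so compare the patterns with what your own devices emit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Cisco IOS severity names as used by "logging trap <level>": a device sends
# only messages whose severity is <= the configured level.
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Login-failure messages this detector recognises. The IOS and ASA shapes are
# assumed from their documented formats; verify against your devices' output.
LOGIN_FAILURE_PATTERNS = [
    re.compile(r"%SEC_LOGIN-\d-LOGIN_FAILED:.*?\[user: (?P<user>[^\]]*)\] "
               r"\[Source: (?P<src>[^\]]*)\]"),
    re.compile(r"%ASA-\d-113015:.*?user = (?P<user>\S+) : user IP = (?P<src>\S+)"),
]

T0 = datetime(2019, 6, 27, 13, 24, 0)


def ios_failure(seq, offset, user, src):
    """Build one constructed IOS login-failure line (PRI 188 = local7, sev 4)."""
    ts = T0 + timedelta(seconds=offset)
    stamp = ts.strftime("%H:%M:%S")
    line = (f"<188>{seq}: *Jun 27 {stamp}.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
            f"[user: {user}] [Source: {src}] [localport: 22] "
            f"[Reason: Login Authentication Failed] at {stamp} UTC Thu Jun 27 2019")
    return ts, line


# Constructed sample: (collector receive time, raw line as received over syslog).
SAMPLE_EVENTS = [
    ios_failure(45, 0, "admin", "192.0.2.10"),
    (T0 + timedelta(seconds=20), "<189>46: *Jun 27 13:24:20.000: %SYS-5-CONFIG_I: "
                                 "Configured from console by admin on vty0 (192.0.2.50)"),
    ios_failure(47, 30, "admin", "192.0.2.10"),
    ios_failure(48, 45, "root", "192.0.2.20"),
    ios_failure(49, 70, "admin", "192.0.2.10"),
    ios_failure(50, 95, "cisco", "192.0.2.10"),
    (T0 + timedelta(seconds=120), "<190>%ASA-6-113015: AAA user authentication Rejected : "
                                  "reason = Invalid password : local database : "
                                  "user = admin : user IP = 192.0.2.30"),
]


def severity(line):
    """Severity (0-7) from the syslog <PRI> prefix, or None if there is no PRI."""
    m = PRI_RE.match(line)
    return int(m.group(1)) % 8 if m else None


def exported_at(line, trap_level):
    """True if a device configured with 'logging trap <trap_level>' sends this line."""
    sev = severity(line)
    return sev is not None and sev <= TRAP_LEVELS[trap_level]


def login_failure(line):
    """Return {'user', 'src', 'severity'} for a login-failure line, else None."""
    for pattern in LOGIN_FAILURE_PATTERNS:
        m = pattern.search(line)
        if m:
            return {"user": m["user"], "src": m["src"], "severity": severity(line)}
    return None


class FailureWindow:
    """Per-source failure count in a sliding window; fires once at the threshold."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)

    def add(self, src, ts):
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) == self.threshold


def scan(events, trap_level="errors", threshold=3):
    """events: iterable of (receive_time, raw_line). Returns (alerts, dropped):
    sources that crossed the threshold, and the failure lines a device at this
    trap level would never have exported (so no collector rule could see them)."""
    alerts, dropped = [], []
    window = FailureWindow(threshold)
    for ts, line in events:
        hit = login_failure(line)
        if hit is None:
            continue
        if not exported_at(line, trap_level):
            dropped.append(line)
            continue
        if window.add(hit["src"], ts):
            alerts.append(hit["src"])
    return alerts, dropped


if __name__ == "__main__":
    for level in ("errors", "warnings", "informational"):
        alerts, dropped = scan(SAMPLE_EVENTS, level)
        print(f"logging trap {level:14s} alerts={alerts} dropped={len(dropped)}")
```

Running the `__main__` block shows the practical consequence: at `logging trap errors` every failure is dropped on the device and nothing can fire; at `warnings` the IOS failures arrive but the ASA message is still missing; at `informational` both are seen. Whatever level you settle on, keep the threshold-per-source logic on the collector rather than alerting on every single failure.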

Syslogd_Service.exe crash - out of stack space


I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.

Kiwi Syslog Service Manager could not receive log from Solarwinds Log Forwarder


Server OS: Windows server 2016

Client OS: Windows 10 pro build 1511

Kiwi syslog service manager: Licensed 9.6

Kiwi syslog message generator: v2.2

Solarwinds event log forwarder: v1.2

Firewall status: both server and client are off.

 

I'm trying to use Solarwinds event log forwarder to forward the client's event logs to the server's syslog manager through TCP, but nothing shows up (ports and IP address are configured correctly). Activating the license was my last resort, but the result doesn't change.

 

I then tried using the Kiwi syslog message generator; messages were finally received by the syslog manager, but after every single message was sent, the TCP connection was cut off. I tried sending messages using UDP too; it turns out UDP does nothing at all, no messages, nothing (again, ports are fine).  I tried this method, Kiwi Syslog Server service is halting regularly - SolarWinds Worldwide, LLC. Help and Support, and it doesn't work. I tried reinstalling the syslog manager, no luck.

 

I tried installing Splunk on the server PC, and I managed to connect successfully with the client's PC through TCP, which means there were no issues with the ports and connection.

 

Any help would be appreciated!

Event Log Forwarder - Where is the Audit Failure Type?


Hi There,

 

I'm trialing Kiwi Syslog and I'm having trouble with the Log Forwarder and Security Event Log.  When I click on the Security Log I don't see Audit Success or Audit Failure as an event type.  It just has Error, Warning and Information.  If I manually edit the CFG file and add <int>16</int> it works, but then it gets overwritten if I make a change.  Am I doing something wrong?  How can I see Audit Failure as an Event Type?

 

Thanks,

Limiting Log Retention


Hello.

 

I've installed the free version of Kiwi Syslog (I'm a long-time user of CatTools), and am unable to find a setup preference that tells Kiwi how long to retain syslog messages.  I don't have unlimited drive space, and only want to keep certain messages for a limited period.

 

More specifically, I need to keep the NAT translation messages from my firewall, so I can track down inappropriate use by students.  These messages come at a rate of over 20,000/hr.  I only want to keep them for a week.

 

Thanks
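Added example (my own, not a Kiwi setting): a Python retention script that removes log files older than N days, meant to be run from Task Scheduler next to the syslog service. It keys off each file's modification time, so it fits a per-day file layout (one file per source per day), where a file stops changing once the day rolls over; the `self_check` function builds a throwaway tree with a 10-day-old and a 2-day-old file to show the effect without touching real logs. The file names in it are constructed.

```python
import argparse
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def expired_files(root, days, pattern="*.txt", now=None):
    """Files under root (recursively) matching pattern whose last modification
    is older than `days` days. `now` can be pinned for testing."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    return sorted(p for p in Path(root).rglob(pattern)
                  if p.is_file() and p.stat().st_mtime < cutoff)


def purge(root, days, pattern="*.txt", dry_run=True, now=None):
    """Delete (or, in dry-run mode, only list) the expired files.
    Returns the paths that were, or would be, removed."""
    victims = expired_files(root, days, pattern, now)
    if not dry_run:
        for p in victims:
            p.unlink()
    return victims


def self_check(days=7):
    """Constructed scenario: one 10-day-old and one 2-day-old file under a
    temporary log root. Returns what a dry run plans, what a real run removes,
    and what is left afterwards."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Firewalls").mkdir()
        old = root / "Firewalls" / "SyslogCatchAll-old.txt"
        fresh = root / "Firewalls" / "SyslogCatchAll-new.txt"
        for path, age_days in ((old, 10), (fresh, 2)):
            path.write_text("constructed sample log line\n")
            stamp = now - age_days * DAY
            os.utime(path, (stamp, stamp))       # back-date the file
        planned = [p.name for p in purge(root, days, dry_run=True, now=now)]
        removed = [p.name for p in purge(root, days, dry_run=False, now=now)]
        remaining = sorted(p.name for p in root.rglob("*.txt"))
    return {"planned": planned, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Remove syslog files older than N days")
    ap.add_argument("root", help="directory Kiwi writes its log files under")
    ap.add_argument("--days", type=int, default=7)
    ap.add_argument("--pattern", default="*.txt")
    ap.add_argument("--delete", action="store_true",
                    help="actually delete; without it the script only lists")
    args = ap.parse_args()
    for p in purge(args.root, args.days, args.pattern, dry_run=not args.delete):
        print(("removed " if args.delete else "would remove ") + str(p))
```

Run it without `--delete` first and read the list; the file the service is currently appending to has a fresh modification time and is never selected, which is also why the threshold should stay above one day.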

SYSLOG error with Windows Server 2012


Hi

 

I am installing syslog in my server room to monitor the login/logout operations on servers... I installed the log forwarder on some Windows Server 2003 servers and everything is OK, but now I installed it on some Windows Server 2012 servers and all the messages that I receive from these servers look like this:

''06-08-2015 17:03:47 Kernel.Info 172.19.12.119 giu 08 17.03.47 srv-av.astergenova.it MSWinEventLog   6   Application   127   lun giu 08 17.03.41 2015   1003   Microsoft-Windows-Security-SPP      N/A   Information   srv-av.astergenova.it   0   The description for Event ID 1003 from source Microsoft-Windows-Security-SPP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 55c92734-d682-4d71-983e-d6ec3f16059f. FormatMessage failed with error 15100, The resource loader failed to find MUI file."

Do you have any idea how to fix this? The syslogger is installed on an XP machine, but I also tried installing it on a Windows 2012 server machine and nothing changed.


Administrator Password Missed; Other way to login


Hi,

 

I have recently been handed the Kiwi Syslog server to manage, which has both a Fat Client and a Web Server. The Fat Client is directly logged in; however, the Web console could not be logged in to. When I checked regarding the password of "Administrator", I was informed that the resource handling it left long ago and there is no one to tell.

 

Is there a way we can reset the password of Administrator or create a new user from the Syslog Fat Client? I can't raise the request with Support as we do not have active maintenance.

 

Thanks,

Syed

Syslog stops logging with no notification


I discovered this morning (only because I didn't receive the nightly report) that two of our Syslog servers stopped logging yesterday afternoon. The nightly archiving and cleanup jobs did not run. The service did not crash. The drive has 63 GB of free space. There are no entries under the Application or System logs in Windows. Under the Errorlog I see this for all of the reporting nodes ("ip.address.#" is placeholder for the actual values in the logs):

 

2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address1.txt

2015-05-28 15:39:00    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1..txt

2015-05-28 15:39:02    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.2.txt

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.3.txt

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:06    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:07    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.4.txt

2015-05-28 15:39:08    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:11    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.5.txt

 

The log stops there. When I restart the service I see these additional entries in the Error log:

 

2015-05-29 07:17:16    Unable to open InterApp listening socket on TCP port 3300

2015-05-29 07:17:16    Unable to open UDP socket on port 514

2015-05-29 07:19:08    Service running, but Service/Manager comm link is not connecting.

2015-05-29 07:19:28    Unable to connect to Service socket on TCP port 3300

2015-05-29 07:19:38    Service running, but Service/Manager comm link is not connecting.

 

Any ideas?

Kiwi Syslog service stopping Frequently - Error Message added below


Hi All,

 

Please help with fixing the error below. A case has been raised with Solarwinds; still waiting for the solution.

 

2019-11-14 13:52:20    Unable to query the table:  Syslogd in the database specified by the DSN.Error -2147217871: Query timeout expired

2019-11-14 13:55:54    Unable to open InterApp listening socket on TCP port 3300

2019-11-14 13:55:54    Source: C:\Windows\SYSTEM32\mswinsck.ocx Error: Connection is aborted due to timeout or other failure

2019-11-14 13:55:56    Unable to open InterApp listening socket on TCP port 3300

2019-11-14 13:55:56    Source: C:\Windows\SYSTEM32\mswinsck.ocx Error: Connection is aborted due to timeout or other failure

2019-11-14 13:57:14    WebAccess.Data: Error while trying to read Event Db properties from the system database.There is not enough memory on the device running SQL Server Compact to complete this operation.

2019-11-14 13:58:43    Log to file action - Error: Win32File Object [45600] Unknown error.

2019-11-14 13:58:43    Log to file action - Error: Win32File Object [45600] Unknown error.

2019-11-14 13:58:43    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\KIWISyslog\Syslogd\IP Based Logs\xxx.xxx.xxx.xxxSyslogCatchAll-2019-11-14.txt

 

2019-11-14 13:59:02    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***

2019-11-14 13:59:02    Service Version =9.6.7.1 | Error Number: 14 | Description: Out of string space | Module Name: Syslogd.frm | Procedure Name: TabSafeDBCacheItem | Line Number: 20 | Date and time: 11/14/2019 1:59:02 PM
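Added example (not from either post): a Python watchdog for the Kiwi Errorlog lines quoted in this post and in "Syslog stops logging with no notification" above. It classifies each line (write failures, socket errors, database errors, internal program errors), collects the destination files named in write failures, and decides whether to alert; `is_stale` covers the silent case from the earlier post, where the service kept running but the destination files stopped growing, which no Errorlog rule on its own can catch. The sample lines are taken from the two posts and joined into one file; the categories and thresholds are my choices.

```python
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
FILE_RE = re.compile(r" - File: (.+)$")

# Message classes seen in the two posts above; the first matching rule wins.
RULES = [
    ("internal-error", re.compile(r"INTERNAL PROGRAM ERROR|Error Number: \d+")),
    ("file-write", re.compile(r"Log to file action - Error")),
    ("socket", re.compile(r"Unable to (?:open|connect to) .*socket")),
    ("database", re.compile(r"Unable to query the table|SQL Server Compact")),
    ("comm-link", re.compile(r"comm link is not connecting")),
]

# Lines taken from the Errorlog excerpts in the two posts, joined into one
# sample file for this example.
SAMPLE_ERRORLOG = "\n".join([
    "2015-05-28 15:38:59\tLog to file action - Error: Win32File Object [45600] Unknown error.",
    "2015-05-28 15:38:59\tLog to file action - Error: FlushCacheLines <Encoding_Failed>"
    " - File: E:\\Syslogs\\Firewalls\\ip.address1.txt",
    "2015-05-29 07:17:16\tUnable to open InterApp listening socket on TCP port 3300",
    "2015-05-29 07:17:16\tUnable to open UDP socket on port 514",
    "2015-05-29 07:19:08\tService running, but Service/Manager comm link is not connecting.",
    "2019-11-14 13:52:20\tUnable to query the table:  Syslogd in the database specified"
    " by the DSN.Error -2147217871: Query timeout expired",
    "2019-11-14 13:59:02\t*** INTERNAL PROGRAM ERROR - Please contact"
    " http://www.kiwisyslog.com/support/ ***",
    "2019-11-14 13:59:02\tService Version =9.6.7.1 | Error Number: 14 | Description:"
    " Out of string space | Module Name: Syslogd.frm | Procedure Name: TabSafeDBCacheItem"
    " | Line Number: 20 | Date and time: 11/14/2019 1:59:02 PM",
])


def parse_errorlog(text):
    """Yield (timestamp, message) for every well-formed Errorlog line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def classify(message):
    for name, pattern in RULES:
        if pattern.search(message):
            return name
    return "other"


def summarize(text, since=None):
    """Count message classes (optionally only entries at or after `since`, given
    as a datetime or 'YYYY-MM-DD HH:MM:SS') and collect the destination files
    named in write failures."""
    if isinstance(since, str):
        since = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    counts, files, first, last = Counter(), set(), None, None
    for ts, msg in parse_errorlog(text):
        if since and ts < since:
            continue
        counts[classify(msg)] += 1
        m = FILE_RE.search(msg)
        if m:
            files.add(m.group(1))
        first = first or ts
        last = ts
    return {"counts": dict(counts), "files": sorted(files), "first": first, "last": last}


def should_alert(summary, file_error_threshold=3):
    """Alert on any internal error, or on repeated write failures."""
    c = summary["counts"]
    return c.get("internal-error", 0) > 0 or c.get("file-write", 0) >= file_error_threshold


def is_stale(last_activity, now, max_age=timedelta(minutes=15)):
    """A destination file that has not grown for `max_age` is the silent failure
    the earlier post describes; check it even when the Errorlog is quiet."""
    return now - last_activity > max_age


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ERRORLOG
    summary = summarize(text)
    print(summary)
    print("ALERT" if should_alert(summary) else "ok")
```

Schedule it every few minutes with `since` set to the previous run time, and pair it with a modification-time check on the busiest destination file through `is_stale`; the stale check is the one that would have caught the afternoon outage in the first post, since its Errorlog entries stopped at the moment logging stopped.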

Mail error: SMTP protocol error. 504 5.7.4 Unrecognized authentication type


I'm having trouble configuring email alerts. I'm trying to send alerts to my Office 365 email address. Can someone see if I've input one of these settings incorrectly? I'm using my full Office 365 email for each of the blacked out sections in the screen shot below. For "SMTP Password," I'm using my Office 365 password.

KiwiError1.PNG

Send log to Kiwi vs Save in a log file


Hi there,

 

I'm trying to figure out which way is better? Correct me if I'm wrong.

Currently, I want to change the log level from critical to notification. I'm trying to avoid filling up the log storage in the switch (e.g. 3850).

1. Kiwi: I need to change the console log level in order to send notification logs to Kiwi, which means all the notification logs would then be stored locally in the switch too.

2. Log file (logging logfile logfile-name severity-level [size bytes]): I can just change the saved log file level to notification, and still store critical logs locally in the switch.

If I'm right about the concept, wouldn't it be better to store syslogs in a log file instead of sending them to Kiwi?

Thank you!!

 

Best,

Lionel

Error changing web access settings


In the web access settings page, when I try to modify the value of page refresh or anything under the "general settings" screen it pops up an error about changing the password.  I am not modifying anything under the "user settings" part or clicking "change password".  Any ideas?


Kiwi Syslog Server - Mail error: Server certificate failed


Hello,

 

I'm trying to set up the email alerts in Kiwi Syslog Server Setup, but when I hit the Test button it comes back with:

Unable to send test message.

Reason: Mail Error: Server certificate verification failed.

Connection aborted.

 

Can anyone please help shed some light on how to resolve this?

The screen is below; the emails are valid emails on our Exchange server. I have the server's IP address in that box.

In the security box, TLS is the only option that got this far, where it appears it contacted the server and then aborted. The other choices didn't even make it that far.

 

Thanks,

Kevin L.
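Added example (not from either post): a Python diagnostic for the two SMTP failures in this thread, the 504 5.7.4 "Unrecognized authentication type" reply and the failed server certificate verification. `diagnose` connects, records which AUTH mechanisms the server advertises before and after STARTTLS, and verifies the certificate against the system trust store the way a mail client does before sending credentials; `findings` turns the report into plain statements. One caveat for the second post: entering the server's IP address rather than its DNS name makes verification fail unless the certificate carries that IP as a subject alternative name, which mail server certificates usually do not. The host name in the `__main__` block is a placeholder.

```python
import ipaddress
import smtplib
import ssl
import sys


def auth_mechanisms(esmtp_features):
    """AUTH mechanisms from an EHLO reply. smtplib stores the reply as
    {'auth': ' LOGIN PLAIN', ...}, so the value only needs splitting."""
    return set(esmtp_features.get("auth", "").split())


def diagnose(host, port=587, timeout=15):
    """Connect, note what the server advertises before and after STARTTLS, and
    verify the server certificate against `host` with the system trust store."""
    report = {"host": host, "port": port}
    conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        conn.ehlo()
        report["auth_before_starttls"] = sorted(auth_mechanisms(conn.esmtp_features))
        report["starttls"] = conn.has_extn("starttls")
        if report["starttls"]:
            ctx = ssl.create_default_context()   # verifies chain and name / IP SAN
            try:
                conn.starttls(context=ctx)
                conn.ehlo()                      # capabilities can change after TLS
                report["tls_verified"] = True
                report["auth_after_starttls"] = sorted(auth_mechanisms(conn.esmtp_features))
            except ssl.SSLCertVerificationError as exc:
                report["tls_verified"] = False
                report["tls_error"] = exc.verify_message
    finally:
        conn.close()
    return report


def findings(report, wanted="LOGIN"):
    """Plain-language findings for the two failure modes in the posts: a
    certificate that does not verify, and an auth type the server does not offer."""
    notes = []
    try:
        ipaddress.ip_address(report["host"])
        notes.append("target is an IP address: the certificate would have to list it "
                     "as an IP SAN; use the server's DNS name instead")
    except ValueError:
        pass
    if not report.get("starttls"):
        notes.append("server does not offer STARTTLS on this port")
    elif not report.get("tls_verified"):
        notes.append(f"certificate verification failed: {report.get('tls_error')}")
    offered = report.get("auth_after_starttls", report.get("auth_before_starttls", []))
    if wanted not in offered:
        notes.append(f"AUTH {wanted} is not offered (advertised: {offered or 'none'})")
    return notes


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.test"  # placeholder host
    rep = diagnose(target)
    print(rep)
    for note in findings(rep) or ["no problems found"]:
        print("-", note)
```

Run it from the Kiwi host itself, since that is the machine whose trust store and network path matter; if `auth_after_starttls` does not contain the mechanism configured in the Kiwi mail settings, the 504 reply is what to expect regardless of the password.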

Can not receive message from Cisco switch 3750


Hello guys,

 

I set up a Kiwi syslog server and can receive messages from other devices, such as the Cisco 2960 switch, 5510, and Windows servers, but I cannot get any messages from the 3750. I've enclosed the 3750 configuration below. Please help take a look at where I am wrong. Thank you.

 

logging trap notifications

logging facility local5

logging 192.168.0.51

TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7


Hi all,

My first post; I wish to share some tips I found.

My main goal was to have access to the Kiwi web site working with SSL...

But looking at the Cassini Web Server, it wasn't possible.

After searching more on this forum I found a post about a rewriting module for Apache; so why don't we do it with IIS?

Here we go!

 

Setup

- Win 2008 R2, IIS 7 (with auth modules etc.), and at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, certificate installation etc. ... sorry).

- We will use the ARR 2.0 module x64 for IIS. See References at the bottom for the download link; install it.

- A running Kiwi Syslog Server and the Web Access working on port 8088. Access via a browser works on this port.

 

Goal

- Enable the rewrite/proxy module in IIS

- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090

- Create a rule to rewrite requests from 8090 to 8088

- When connecting to https://server:8090, we would see the Kiwi web page.

 

HOW TO

1. Enabling the rewrite module

"C:\Windows\System32\inetsrv\appcmd.exe" set config  -section:system.webServer/proxy /enabled:"True"  /commit:apphost

 

2. New Site creation

set syslogwebdir=c:\inetpub\syslog

set syslogsitename=SYSLOG

"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"

 

3. Attach the SSL Certificate to the Binding 8090

3.1 With batch/cmd line (copy/paste to a BAT file)

set CERTHASH=EnterYourHashHere

netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}

 

3.2 With IIS Manager (if you don't know where to read the certificate hash).

- Right-click on the SYSLOG site, modify Bindings.

- Select the https 8090 * listener > Modify.

- In the SSL Certificate box, choose your certificate for the server.

- "OK"

 

4. Create the rule (copy/paste to a BAT file)

set syslogsitename=SYSLOG

set syslogrulename="Rewrite to Kiwi localhost 8088"

:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']

:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"

5. End

 

Test with your browser: https://localhost:8090/

Now you can access this new SSL web site from an "admin desktop"...

Configure your firewalls to forbid access to port 8088 on this server (and/or configure the internal Windows Firewall of this server to allow only localhost connections on 8088).

 

 

6. Refs used

 

http://learn.iis.net/page.aspx/659/reverse-proxy-with-url-rewrite-v2-and-application-request-routing/

http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/

 

---

 

At the beginning I was thinking of using http://mysite/syslog/ as a virtual directory, but I ran into some trouble with events.aspx and the rewrite module.

Inbound rules were OK, but outbound rules to rewrite URLs were not working as expected, and filters in Kiwi were not working anymore.

That's why I decided to create a new site on another binding, with a root site, so there is no need to create outbound rules...

 

 

---

 

Sorry for my English... I'm French :)

SSL support for Kiwi Syslog server


Hi All,

 

A few months back we bought the Kiwi Syslog Server licensed version because of the SSL feature only. I enabled the Secure TCP option, but unfortunately it is unable to bind the port itself.

It says "invalid certificate provided". We use the same SSL certificate for other products with no issues. If I use the same port for TCP or UDP only, then it works fine. I could not find what the exact issue is.

I contacted the SolarWinds customer portal a few months back. They were not able to tell what exactly is going on. Can someone help me fix the problem?

 

 

Regards,

Abdun

SolarWinds Event Log Forwarder for Windows


I do not know if this is the correct place to post this question.

I am using Kiwi Syslog Server, and I have SolarWinds Event Log Forwarder for Windows installed on a computer. The forwarder will send test messages, but it is not sending the logs to the log server. Any suggestions?

 

Dejacpp...
