Channel: THWACK: Popular Discussions - Kiwi Syslog

wrong message from logforwarder

The logforwarder v1.1 is installed on a German 2008R2 Server.

In the eventlog on the server I see ASP.NET warnings and errors with the following message:

/*

Ereigniscode: 3005
Ereignismeldung: Es ist eine unbehandelte Ausnahme aufgetreten.
Ereigniszeit: 16.12.2011 08:10:49
Ereigniszeit (UTC): 16.12.2011 07:10:49
Ereignis-ID: 00e80467722a4ddaa60928cab11be830
Ereignissequenz: 2
Vorkommen: 1
Ereignisdetailcode: 0
 
Anwendungsinformationen:
    Anwendungsdomäne: /LM/W3SVC/19/ROOT-****************
    Vertrauensebene: Full
    Virtueller Anwendungspfad: /
    Anwendungspfad: ******
    Computername: ******
 
Prozessinformationen:
    Prozess-ID: 9796
    Prozessname: w3wp.exe
    Kontoname: IIS APPPOOL\AppsService
 
Ausnahmeinformationen:
    Ausnahmetyp: NullReferenceException
    Ausnahmemeldung: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)

 
 
Anforderungsinformationen:
    Anforderungs-URL: http://127.0.0.1/*******
    Anforderungspfad: /********
    Benutzerhostadresse: 127.0.0.1
    Benutzer: 
    Ist authentifiziert: False
    Authentifizierungstyp: 
    Threadkontoname: IIS APPPOOL\AppsService
 
Threadinformationen:
    Thread-ID: 1
    Threadkontoname: IIS APPPOOL\AppsService
    Identitätswechsel für: False
    Stapelüberwachung:    bei System.Web.HttpApplication.set_AsyncResult(HttpAsyncResult value)
   bei System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   bei System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
 
 
Details des benutzerdefinierten Ereignisses:

*/

But on the syslog server I see the following error message:

/*

12-16-2011    08:12:10    System4.Warning    192.168.6.**    Dez 16 08:10:49 ****** MSWinEventLog   4   Application   20   Fr Dez 16 08:10:49 2011   1309   ASP.NET 4.0.30319.0      N/A   Warning   *****   3   The description for Event ID 1309 from source ASP.NET 4.0.30319.0 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 3005. FormatMessage failed with error 1815, Die angegebene Sprachenkennung f³r die Ressourcen wurde nicht in der Image-Datei gefunden.

*/

I know that this is a problem with the language, but how can I solve this?


Kiwi Syslog Server Log Location won't change.

Hey all,

 

I have recently taken over a sys admin position, and am required to move the location of the Kiwi Syslog Server logs to another file location. I have never used it prior.  However, I can't seem to move the file.

 

Kiwi Syslog Server 9.2.1 (Free version.)

Windows Server 2003 SP2 (WORKGROUP)(VM)

 

Current configuration:

Log to Log File

Path and file name:  C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt

 

If I test the configuration, I can see the test messages in the location noted above.  However, after I apply the settings, the older location (a CIFS share) continues to receive the actual syslogs of the devices we monitor.

 

There are three local users, all of which show the same configuration.

 

I have tried deleting and recreating the Log to Log File rule.  No change.

I have tried starting and stopping the service.  No change.

I have tried exporting the system settings, and then reimporting them.  No change.

I have tried searching the registry for the old location.  Nothing found.

 

I have two theories.

1.  The settings are locked for some reason.

2.  The settings are stored somewhere else.

 

Any help would be great.

 

Thanks,

 

Aaron

Solarwinds Padawan

How to send messages from one IP to another?

I have tried 2 of the syslog programs for Windows and can't get either of them to work. I now have Kiwi installed and running as an application and not as a service. I have an IP phone that also doesn't work and will only log to a syslog viewer. How do I configure things so the phone will log messages to my syslog?

PC running syslog is IP 192.168.0.2

Phone is IP 192.168.0.6

The phone asks to put in the syslog "server". I don't know if this is the IP of the PC that is running the server or what. Do I need a ":514" or something after the IP address to specify the port? At least with Kiwi, from the PC, if I turn on the heartbeat or stay alive function, I see messages in the log. But that is not a challenge, they are coming from itself.  I have Windows Firewall on the PC and both the phone and PC are connected to the same Netgear wireless switch. The PC is wireless, but the phone is plugged into a port on the switch.

Can I test this from another pc on my network easily? Is there some command I can send from one machine to the one running Kiwi so I can at least test if I am getting messages?

This is too hard. For something so simple, just to test the connections, there should be an automatic install where it is just working and a small exe test program that you can copy to any machine and send messages, including the one that Kiwi is running on. Then I could test a dumb device like a phone that gives me very limited control. Thanks!

Kiwi Syslog Server has delay from the time it receives a syslog to the time it emails a message

We are running Kiwi Syslog Server v. 9.3.0.

We are sending syslogs from about 45 Cisco devices to this server.  We have a filter setup to identify any Emerg, Alert, Crit, Error, Warn, or Notice logs.  We then setup an action for it to email the network administrators anytime any of these are received by Kiwi.

 

The problem we are having is as follows:

  • Cisco device generates a log record and sends it to Kiwi.
  • The time stamp on the log shows 09:29:19 EDT.  If you have the Syslog Service Manager up, you will see it arrive real time.
  • We receive an email notification from Kiwi at 16:16 EDT.

 

We've logged into the Cisco device in question and have done a "show clock" and confirmed that date and time are accurate.

We've confirmed the time is accurate on the server we have Kiwi installed on (Windows Server 2003 Standard x64 Edition w/ SP2, 2.04GB ram).

Looking in the bottom right corner of Kiwi Syslog Service Manager, we can see the time and date are accurate.

In addition, all Cisco devices and Windows servers point to our NTP server to ensure clocks stay sync'd.

 

Why are we having such a huge delay from the time Kiwi receives a log record to the time it sends us an email notification?

Unable to Install KiwiSyslog Server after Uninstallation. "Unlicensed Version is Detected" prompts prevents further installation.

Hi guys,

I recently installed Kiwi Syslog on a Windows Server 2008 machine, however I had to uninstall the program as the customer wants it to be on D:\ . But now I am not able to install the program on D:\ or even back on C:\ as I get the error message "an unlicensed version is detected", hence the installation cannot proceed any longer.

 

Can anyone help? Where can I delete the old files so I am able to install the software again? I need to install this quite urgently. I have the license with me but I did not activate the license in my previous installation since it was not installed on the right drive.

 

Please help.

 

Thanks.

Unable to login to KiwiSyslog Webaccess

Hi all !

This past weekend we were unable to log in to Kiwi Syslog webaccess as a result of the following error message:

" Session initialization error
An error occurred while initializing this session.
The session has been abandoned.

Event database initialization failure.
The database file may be corrupted. Run the repair utility to check the database file. [ Database name = C:\Programme\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf ] "

I have taken a look at the errorlog of Kiwi and noticed that there are three messages regarding this error:

2010-11-15 11:51:35 SolarWinds.KiwiSyslog.WebAccess.Data error: General exception. System.Runtime.InteropServices.SEHException: External component has thrown an exception. at System.Data.SqlServerCe.NativeMethods.ExecuteQueryPlan(IntPtr pTx, IntPtr pQpServices, IntPtr pQpCommand, IntPtr pQpPlan, IntPtr prgBinding, Int32 cDbBinding, IntPtr pData, Int32& recordsAffected, ResultSetOptions& cursorCapabilities, IntPtr& pSeCursor, Int32& fIsBaseTableCursor, IntPtr pError) at System.Data.SqlServerCe.SqlCeCommand.ExecuteCommandText(IntPtr& pCursor, Boolean& isBaseTableCursor) at System.Data.SqlServerCe.SqlCeCommand.ExecuteCommand(CommandBehavior behavior, String method, ResultSetOptions options) at System.Data.SqlServerCe.SqlCeCommand.ExecuteNonQuery() at SolarWinds.KiwiSyslog.WebAccess.Data.Logger.KiwiSyslogEventUpdate(Object state)

2010-12-04 20:58:48 SolarWinds.KiwiSyslog.WebAccess.Data error: Unable to start component, SQL exception. System.Data.SqlServerCe.SqlCeError: The database file may be corrupted. Run the repair utility to check the database file. [ Database name = C:\Programme\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf ]

2010-12-04 21:22:04 SolarWinds.KiwiSyslog.WebAccess.Data error: Unable to start component, SQL exception. System.Data.SqlServerCe.SqlCeError: The database file may be corrupted. Run the repair utility to check the database file. [ Database name = C:\Programme\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf ]

I started/stopped the webserver service without any success on Saturday.
This morning I tried to access the page again and I got correctly redirected to http://10.x.x.x:8088/gateway.aspx.
At the moment the login is possible but I'm concerned that my database file may be corrupted!

Do you have any suggestions for me?

Thanks in advance!

Dan

How to detect clients that stop sending Syslog messages to the server

How do you detect specific clients that have not sent syslog messages to the server in a specified amount of time?

Filtering out certain messages in Kiwi Syslog...

Hello,

 

I am in a situation where I need to filter out a certain string. It is a little complicated however. The string(s) I am trying to filter out usually looks like this:

 

"port D10-High collision or drop rate."

 

D10 is a device bay in a chassis and that is what we are really interested in here. There are 16 device bays so it can be D1, D2, D3....D16.

 

The only problem is that there is no space between D10 and "-High"

 

And we WOULD like to keep getting messages that don't have the Dx part in them, so we can't just filter out "collision or drop rate."

 

Is the only way to do this by putting 16 separate filters like so: ...?

 

"D1-High"

"D2-High"

"D3-High"

...."D16-High"

 

or is there a wildcard we can put in place of the number? Catch is that sometimes it could be a single digit (1-9) or it could be a double digit (10-16).

 

Your input is appreciated. Thank you.
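One way to express the D1 to D16 match from the post above as a single regular expression, shown as an added example that is not part of the original post. It assumes the filter can take a regular expression; the function names and the sample messages are constructed for illustration.

```python
import re

# Bay IDs D1..D16 immediately followed by "-High" (no space, as in the post).
# \b before "D" stops e.g. "XD10-High" from matching. The alternation tries the
# two-digit form 1[0-6] first; the literal "-High" right after the number is
# what rejects D0, D17 and D100.
BAY_ALERT = re.compile(r"\bD(1[0-6]|[1-9])-High collision or drop rate")


def bay_of(message):
    """Return the device bay number (1-16) if this is a bay alert, else None."""
    m = BAY_ALERT.search(message)
    return int(m.group(1)) if m else None


def split_messages(messages):
    """Partition messages into (kept, dropped); bay alerts are dropped."""
    kept, dropped = [], []
    for msg in messages:
        (dropped if bay_of(msg) is not None else kept).append(msg)
    return kept, dropped


# Constructed sample messages modelled on the string quoted in the post.
SAMPLE = [
    "port D10-High collision or drop rate.",   # bay 10 -> drop
    "port D1-High collision or drop rate.",    # bay 1  -> drop
    "port D16-High collision or drop rate.",   # bay 16 -> drop
    "port X3-High collision or drop rate.",    # not a device bay -> keep
    "port D17-High collision or drop rate.",   # outside 1..16 -> keep
    "High collision or drop rate.",            # no Dx part -> keep
]

if __name__ == "__main__":
    kept, dropped = split_messages(SAMPLE)
    print("kept:", kept)
    print("dropped:", dropped)
```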


Kiwi - Palo Alto User ID agent

I have written a Perl script to take data from Kiwi, parse out some information and pass it into our Palo Alto UserID agent.  It runs fine when I pass the message in on the command line but when I have Kiwi run it (so to pull the data from Kiwi) it fails with an error:

 

Error Info: invalid charater on line 1

 

My script looks like this:

 

sub Main() {
  use PAN::API;
  $string = Fields.VarCleanMessageText;
  $SERVER = '127.0.0.1';

  #Extract user and IP from string
  if ($string =~ /(\w+)([.+]|(\s))(\w+)(\s|\+|.)(\d+\.\d+\.\d+\.\d+)/) {
       $delim = ($3 eq "+") ? " " : $3;
       $username = "$1\\$2$delim$5";
       $ip_address = $6;   # the IP address is the sixth (last) capture group
  }
  print "$username : $ip_address \n";

  # Create User ID API connection
  $uid=PAN::API::UID->new($SERVER);

  #Post data to agent (the values extracted above)
  $uid->add('login',$username,$ip_address);
  $uid->submit();

  return "OK"; #return value for Kiwi
}

 

Thanks for any guidance.

 

Kevin

Kiwi syslog server service can't start

Hi everyone,

 

I'm using Kiwi syslog server 9 on Windows 2008 R2 server (VMware virtual machine). On 17.8.2012 the physical server stopped responding and the customer had to restart it manually. Since then Kiwi syslog server doesn't work. When I try to access it, the server's CPU rises to 100%, it is stuck like that for a few minutes and then it displays an error message in the Kiwi grid pop-up window saying 'Run-time error '0''.

 

Kiwi syslog service also can't be started, when I try to start it, it says it couldn't be started in timely fashion.

 

I've tried to delete/rename files in c:\program files\solarwinds\kiwi web access\html\app_data but with no success. I've renamed event.sdf to Old_event.sdf and made a copy of Event-blank.sdf and then renamed it to event.sdf.

 

I've raised a support ticket but with no results till now.

 

Do you have any idea what's the problem here?

 

Regards, O


SNMP forwarding

All

I have set up my KIWI syslog server to listen for SNMP traps, successfully.  Is there a way to set up KIWI, or an available action, to forward the SNMP traps to other SNMP trap receivers as KIWI receives them?

Thanks

KIWI New Guy

Sending events from Cisco 3750 switch

Hello,

I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.

Should the following work:

Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error

This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?

Should this work or is there a "Supported" switch configuration that I should be using.

Thank you,

Chris

Solarwinds Kiwi Syslog

I installed the 30-day eval version of Solarwinds Kiwi Syslog and want to switch to the free version.  However, after uninstalling the 30-day eval and installing the free version, it still tells me that I am on the eval version.

How do I switch to the free version correctly?

Kiwi Syslog Server and SNMP Traps on VMWare ESXi 4.0

Good Day,

 

We are having an issue getting SNMP trap inputs to work on Kiwi v9. We have installed Kiwi on both a WinXP (with SNMP trap service) and Win2k3 Virtual Machine. When collecting syslogs it works fine. However, when we configure the SNMP inputs under setup, we get a message stating that it "cannot open snmp listener on port 162".

 

There was no other SNMP software installed as it suggested that the port is already bound to an interface. We then installed the Solarwinds Engineer's toolset on the VM and used the trap receiver. Once alarms were generated this worked well while Kiwi is still unable to receive the traps.

Finally, we used a standalone laptop and loaded Kiwi. Using the same address as the VM we were able to receive the SNMP traps from the device under test. The platform that Kiwi was loaded onto was WinXP with Trap service installed.

Any ideas anyone? Any assistance will be greatly appreciated. I saw in the forum something about UDP Spoofing being unable to work as well and I was wondering if it had any connection.

 

kiwi vs orion syslog

What is the difference between the two? Do I need both running?  Can I have both running on the same box?  Currently I have both installed on the same box.  The Orion syslog is running but Kiwi gives error messages like "Unable to open UDP socket on port 514" or "Registered action was found in settings and disabled"


Kiwi Syslog Server service starts then stops

When attempting to start the Kiwi Syslog Server service (on Windows 2008 R2), I get the message "The Kiwi Syslog Server service on [my server name] started and then stopped.  Some services stop automatically if they are not in use by other services or programs."  Any ideas what could be causing this?

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

PROBLEM - pfSense syslogs for firewall event is split into two lines when it is sent to Kiwi syslog app.

 

Is there a way to edit the configuration or a parsing script to parse the pfSense event as one, similar to what the Splunk app can do (see link http://www.basementpctech.com/content/pfsense-log-analysis-splunk)?

 

I understand that this is a pfSense tcpdump issue, but I have already tried the change in the link http://redmine.pfsense.org/issues/1938 without any luck; it just doesn't work. I tried all combinations of changes without any luck.

 

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

 

I would really appreciate any help with this, as I have already exhausted searching for a working solution using Kiwi Syslog, and it is the only thing holding me back from purchasing this application.

 

Appreciate any help on this..........

 

 

Example from Kiwi Syslog

 

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf:     10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: <009>  Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]
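A sketch of the line merging asked about in the post above, given as an added example that is not part of the original post. It assumes the lines are processed in arrival order (the tcpdump-style header line first), that all lines come from one firewall, and that `<009>` is the displayed form of a tab character; the function name and the reordered, partly constructed sample lines are illustrative only.

```python
import re

# Start of a pf record as it appears in the post:
# "HH:MM:SS.micro rule N/N(match): block in on em0: ..."
HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ rule \S+: ")
# Everything after the "pf:" tag of a received syslog line.
PF_TAG = re.compile(r"\bpf: (.*)$")


def merge_pf_lines(lines):
    """Join each pf header line with the continuation lines that follow it.

    Continuation lines seen before any header cannot be attributed to an
    event and are discarded.
    """
    events, current = [], None
    for line in lines:
        m = PF_TAG.search(line)
        if not m:
            continue                      # not a pf message
        payload = m.group(1)
        if HEADER.match(payload):
            if current is not None:
                events.append(current)    # previous event is complete
            current = payload.strip()
        elif current is not None:
            # indented or "<009>"-prefixed line: append to the open event
            current += " " + payload.replace("<009>", " ").strip()
    if current is not None:
        events.append(current)
    return [re.sub(r"\s+", " ", e) for e in events]


PREFIX = "02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb  6 13:01:37 pf: "
# Lines modelled on the post, put in assumed arrival order; the second
# event is constructed.
SAMPLE = [
    PREFIX + "00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, "
             "ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)",
    PREFIX + "    10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from "
             "00:50:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]",
    PREFIX + "<009>  Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]",
    PREFIX + "00:00:01.000000 rule 1/0(match): block in on em0: (tos 0x0, "
             "ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 60)",
    PREFIX + "    10.x.x.xx.137 > 10.x.x.xx.137: UDP, length 32",
]

if __name__ == "__main__":
    for event in merge_pf_lines(SAMPLE):
        print(event)
```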

Syslog Service

Hello,

Has anyone run into this error?

Faulting application Syslogd_Service.exe, version 8.3.0.15, faulting module unknown, version 0.0.0.0, fault address 0x001e1d33.

The error log throws this error every time I try to troubleshoot it...

*** INTERNAL PROGRAM ERROR - Please contact support@kiwisyslog.com ***
2008-12-10 09:34:17 Service Version 8.3.15 | Error Number: 6 | Description: Overflow | Module Name: Syslogdsvc.frm | Procedure Name: PerformAction | Line Number: 110 | Date and time: 12/10/2008 9:34:17 AM

Changing the userid for Syslog Web Access

During installation of Syslog Web Access, you are prompted for a userid and password.  The password can be changed at any time easily.

But how does one change the userid?  Where is it stored?

We even went as far as trying to reinstall syslog web access to get to the initial userid prompt again.  But having already asked us once, it did not ask us again.

Thanks,

 

-Ken

Kiwi Syslog generates error logs on Local Server

Hello

 

I have noticed that the following error logs are generated on the server where we have installed Kiwi Syslog server v9.3.2. The operating system is Windows 2003 Server x32. As a database we use MS SQL 2008 R2.

 

Event Type:Failure Audit
Event Source:Security
Event Category:Object Access
Event ID:560
Date:9/17/2012
Time:6:14:18 PM
User:NT AUTHORITY\NETWORK SERVICE
Computer:KIWISERVER

Description:

Object Open:

Object Server:Security
Object Type:Key
Object Name:\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
Handle ID:-
Operation ID:{0,1015230540}
Process ID:3724
Image File Name:C:\WINDOWS\system32\wbem\wmiprvse.exe
Primary User Name:NETWORK SERVICE
Primary Domain:NT AUTHORITY
Primary Logon ID:(0x0,0x3E4)
Client User Name:-
Client Domain:-
Client Logon ID:-
Accesses:DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges:-
Restricted Sid Count:0
Access Mask:0xF003F

 

 

 

Could you please help me to understand what this error means?

 

Thank you
