Rule and filter structure

May 23, 2014, 4:46 pm

≫ Next: Eval version of Kiwi Syslog shows as Free

Hi there,

New to Kiwi Syslog and need help setting up rules and grouping devices. Interested to know what the best practices are and what others are doing.

What I'm doing so far for example, is setup one rule for switches, one for vSphere, one for BladeCenters, etc. This way, I can output similar devices to one display console, have different file rotation rules for grouped devices, and organize the log file structure into meaningful subfolders. Is this the best way to go about it?

This seems to work until I get a new device that I'm not aware of pointed to the syslog server. I assume without a rule that passes, the log from a host is dropped. I think I need a rule at the end with a filter that says if you don't meet the criteria of all the other rules and filters, then use this one. How do I do this? Hopefully this makes sense.

Thanks!

↧

Eval version of Kiwi Syslog shows as Free

June 18, 2014, 8:07 am

≫ Next: Syslog configure to pull Exchange server message tracaking log

≪ Previous: Rule and filter structure

I had Kiwi Syslog Free version installed. Then I requested 14 day trial version of licensed software. I uninstalled free version and installed 14 day trial, but it still show that it is free version. I uninstalled again. Deleted everything from registry that had word 'kiwi' in it and then installed again. Still same issue. Please, help me have it working. Im really interested. If it works well, I'll be buying paid version.

↧

Syslog configure to pull Exchange server message tracaking log

November 2, 2012, 3:36 am

≫ Next: How to Migrate Kiwi Syslog server and viewer to Another system

≪ Previous: Eval version of Kiwi Syslog shows as Free

looking for a guide to configure syslog server with Exchange server to pull exchange message tracking logs into syslog server.

↧

How to Migrate Kiwi Syslog server and viewer to Another system

April 28, 2010, 12:15 am

≫ Next: Kiwi syslog - 2011-03-18 10:54:01Licensed action was found in settings and disabled.

≪ Previous: Syslog configure to pull Exchange server message tracaking log

Current system on which Kiwi Syslog Server and viewer are installed is not working properly and we need to migrate to another system,
And SolarWinds License Manager does not reset Kiwi, ipMonitor, or LANsurveyor product licenses.

Kindly Solve the issue.

Thanks

Imran

↧

Kiwi syslog - 2011-03-18 10:54:01Licensed action was found in settings and disabled.

March 18, 2011, 4:43 am

≫ Next: Web Access stuck in timeout loop

≪ Previous: How to Migrate Kiwi Syslog server and viewer to Another system

Kiwi syslog stopped collecting information. The view error log button is red and blinking. When i click to view the log

is see the below message repeating itself:

2011-03-18 10:54:01 Licensed action was found in settings and disabled.

2011-03-18 13:37:56 Licensed action was found in settings and disabled.

2011-03-18 13:37:57 Licensed action was found in settings and disabled.

↧

Web Access stuck in timeout loop

June 18, 2014, 1:04 pm

≫ Next: How to Split Logs to Multiple Displays in Kiwi Syslog Server

≪ Previous: Kiwi syslog - 2011-03-18 10:54:01Licensed action was found in settings and disabled.

Web Access timed out today, and when I hit the link to take me back to login, it stays there. Restarting Kiwi did noting.

↧

How to Split Logs to Multiple Displays in Kiwi Syslog Server

May 31, 2013, 8:56 am

≫ Next: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

≪ Previous: Web Access stuck in timeout loop

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple displays in Kiwi Syslog Server.

External link to Jing: Multiple Displays - justinfinley's library

Video Guide:

0:00 Unfiltered display (Display 00)
0:10 Showing the rule that sends all messages to Display 00
0:20 Changing the unfiltered display from Display 00 to Display 05
0:25 Checking that the switch happened
0:35 Adding a new filter rule looking for the word "logon" and sending it to Display 01
1:20 Adding a new filter rule looking for the word "logoff" and sending it to Display 02
2:05 Checking that the new filters work
2:25 Renaming "Display 05" to "All Messages"
2:45 Renaming "Display 01" to "Logon" and "Display 02" to "Logoff"
3:10 Checking that the display renaming worked

Remember to "LIKE" this if you find it useful - that helps other find it too!

↧

How to Split Log Files by IP Address and Date in Kiwi Syslog Server

May 31, 2013, 9:19 am

≫ Next: Sending events from Cisco 3750 switch

≪ Previous: How to Split Logs to Multiple Displays in Kiwi Syslog Server

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

External link to Jing: autosplit - justinfinley's library

Video Guide:

0:00 Opening Kiwi Syslog's configuration dialog
0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

Remember to "LIKE" this if you find it useful - that helps other find it too!

↧

Sending events from Cisco 3750 switch

January 19, 2011, 8:13 am

≫ Next: Kiwi Syslog not capturing syslogs

≪ Previous: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

Hello,

I am trying to send events from a Cisco 3750 switch to our Kiwi syslog server but am unsure of the config for the switch.

Should the following work:

Switch (config) # logging on
Switch (config) # logging Syslog Server IP
Switch (config) # logging trap error

This command will send (Error 3) events (0-3) to the Kiwi server via UDP514. Is this the supported method of transfer?

Should this work or is there a "Supported" switch configuration that I should be using.

Thank you,

Chris

↧

Kiwi Syslog not capturing syslogs

May 14, 2013, 1:40 pm

≫ Next: Need Help Troubleshooting - Not Receiving/Displaying Messages

≪ Previous: Sending events from Cisco 3750 switch

Installed Kiwi Syslog Free version 9.3.4 on Windows Server 2008 R2. Trying to capture syslog from a Cisco ASA 5510. I have confirmed that the syslog events are hitting the server with Wireshark. Nothing is coming through to Kiwi Syslog. Current settings are all default. No filters in place. Not sure what is wrong as I can see the syslog messages coming through Wireshark. Any ideas as to why the syslog messages are not being seen by Kiwi?

↧

Need Help Troubleshooting - Not Receiving/Displaying Messages

January 13, 2014, 11:00 am

≫ Next: How to forward glassfish log to Kiwi syslog server

≪ Previous: Kiwi Syslog not capturing syslogs

Server 2008 R2 Std

Kiwi Syslog Server 9.4.1

I have an older version of Kiwi installed on an old server that is being retired. I've installed it on the new server, but I cannot get it to display anything. I exported settings from the other server and imported on this one, then went to Inputs-UDP and set the correct IP to bind it to.

I've gone through ALL the steps at SolarWinds Knowledge Base :: Kiwi Syslog Daemon is not receiving messages and Kiwi Syslog Server but had no luck getting it to work.
I know for a fact that messages are being received -- when I run WireShark with the filter, "udp port 514", I see PLENTY of traffic from my firewall. Both my firewall and VPN device are sending syslog messages to the old server and the new one. The old server is still working just fine.
Windows Firewall on the new server is completely disabled.
I loaded the default rules and settings but still had no luck.
I disabled all DNS resolution - no luck.
There is no Errorlog.txt in C:\Program Files (x86)\Syslogd.
Test messages from within Kiwi work just fine.
I finally uninstalled Kiwi, rebooted the server, then reinstalled, and have the same problem.

Kiwi is running as LocalService -- I wondered if that might be the problem, but that's how it's running on the old server as well.

I'm at a loss as to what to do now. I tried contacting support, but since I'm using the free version I was directed here.

↧

How to forward glassfish log to Kiwi syslog server

January 30, 2014, 7:28 am

≫ Next: Procurve switches not sending syslog messages in KIWI syslog

≪ Previous: Need Help Troubleshooting - Not Receiving/Displaying Messages

Hi Guys,

I am new at this and I need some assistance on how to configure glassfish 3.1.2 to forward its log to my Kiwi syslog server in windows. Does anyone have any experience on this?

↧

Procurve switches not sending syslog messages in KIWI syslog

July 25, 2013, 6:58 am

≫ Next: Kiwi Syslog Server 9.4 Free Collecting SNMP from GNS3 Cloud

≪ Previous: How to forward glassfish log to Kiwi syslog server

Hi all,

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

show debug

Debug Logging

Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

tried facility 'syslog' still nothing.

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

Anyone ideas to solve this?

TIA Jaap

↧

Kiwi Syslog Server 9.4 Free Collecting SNMP from GNS3 Cloud

September 15, 2014, 1:20 pm

≫ Next: Kiwi syslog server external DB

≪ Previous: Procurve switches not sending syslog messages in KIWI syslog

This is probably me being silly.

I have defined a cloud MS loopback from GNS3 emulated router. Wireshark can see the packet. If I replace Kiwi with a quick VB programme it can see the record but I can not get Kiwi to display the record.

Regards Conwyn

Waiting for broadcast

Received broadcast from 10.10.10.1:65347 :

0j☻☺ ♦♠public?]♠ +♠☺♦☺ +☻@♦

☺☻☺♠☻☺☺C♥6"[0?0‼♠♫+♠☺♦☺ +☺☺♠☺♥‼☻☺☺0‼♠♫+♠☺♦☺ +☺☺♠☺♦‼☻☺☻0‼♠♫+♠

☺♦☺ +☺☺♠☺♣‼☻☺♥

Waiting for broadcast

Here is Kiwi

↧

Kiwi syslog server external DB

March 21, 2012, 3:56 am

≫ Next: Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

≪ Previous: Kiwi Syslog Server 9.4 Free Collecting SNMP from GNS3 Cloud

Hello,

my kiwi web access database is 4gb great. And i have some timeout errors executing filters.

I am trying to use an external MSSQL DB with kiwi syslog server.

Is possible for Web access to use this external DB?

Thanks

↧

Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

February 6, 2013, 5:04 am

≫ Next: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

≪ Previous: Kiwi syslog server external DB

PROBLEM - pfSense syslogs for firewall event is split into two lines when it is sent to Kiwi syslog app.

Is there a way to edit configuration or parsing script to parse the pfSense event as one similar to what the Splunk app can do see link http://www.basementpctech.com/content/pfsense-log-analysis-splunk

I understand that this is a PFsense tcpdump/issue, but I have already tried changing link http://redmine.pfsense.org/issues/1938 without any luck, it just don't work, tried all combinations of changes without any luck.

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

I would really appreciate any help with this, as I have already exhasted searching for a working soloution using Kiwi Syslog, and the only thing holding me back from purchasing this application.

Appreciate any help on this..........

Example from Kiwi Syslog

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: 10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]

↧

How to Split Log Files by IP Address and Date in Kiwi Syslog Server

May 31, 2013, 9:19 am

≫ Next: TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7

≪ Previous: Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

External link to Jing: autosplit - justinfinley's library

Video Guide:

0:00 Opening Kiwi Syslog's configuration dialog
0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

Remember to "LIKE" this if you find it useful - that helps other find it too!

↧

TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7

November 18, 2011, 9:24 am

≫ Next: SolarWinds Log Forwarder for Windows

≪ Previous: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

HI all,

My first post, i wish to share you some tips i found.

My main goal was to have access to the kiwi web site working with SSL...

But looking at Cassinni Web Server, it wasn't possible.

After searching more on this forum I found a post about a Rewriting Module with Apache ; so why dont we do it with IIS ?

Here we go !

Setup

- Win 2008 R2 , IIS 7 (with auth modules etc ...) , at least a working SSL certificate for the HTTPS listener (this post will not cover how PKI works, certs installation etc .... sorry).

- We will use the ARR 2.0 module x64 for IIS... See References at bottom for DL link, install it.

- A running Kiwi Syslog Server and the Web Access working on port 8088. Access via a browser works on this port.

Goal

- Enable the rewrite/proxy module in IIS

- Create a new IIS Web Site with HTTPS Listener on TCP Port 8090

- Create a rule to rewrite requests from 8090 to 8088

- When connecting on https://server:8090 , we would see Kiwi Web page.

HOW TO

1. Enabling the rewrite module

"C:\Windows\System32\inetsrv\appcmd.exe" set config -section:system.webServer/proxy /enabled:"True" /commit:apphost

2. New Site creation

set syslogwebdir=c:\inetpub\syslog

set syslogsitename=SYSLOG

"C:\Windows\System32\inetsrv\appcmd.exe" add site /name:"%syslogsitename%" /id:15 /bindings:https/*:8090: /physicalPath:"%syslogwebdir%"

3. Attach the SSL Certificate to the Binding 8090

3.1 With batch/cmd line(copy/past to a BAT file)

set CERTHASH=EnterYourHashHere

netsh http add sslcert ipport=0.0.0.0:8090 certhash=%CERTHASH% appid={00000000-0000-0000-0000-000000000000}

3.2 With IIS Manager (if you don't know where to read Hash Certificate).

-Right Click on SYSLOG site, modify Bindings.

-Select https 8090 * Listener > Modify.

-On the "box" SSL Certificate, choose your certificate for the server.

-"OK"

4. Create the rule (copy/past to a BAT file)

set syslogsitename=SYSLOG

set syslogrulename="Rewrite to Kiwi localhost 8088"

:: Rewrite Rule creation
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /+[name='%syslogrulename%']

:: Rule Parameters (one line)
"C:\Windows\System32\inetsrv\appcmd.exe" set config "%syslogsitename%" -section:system.webServer/rewrite/rules /[name='%syslogrulename%'].action.type:"Rewrite" /[name='%syslogrulename%'].match.url:"(.*)" /[name='%syslogrulename%'].action.url:"http://localhost:8088/{R:1}"

5. End

Test with your browser https://localhost:8090/

Now you can access from an "admin desktop" to this new SSL web site ...

Configure your firewalls to forbid access on port 8088 to this server (or/and configure the internal Windows Firewall of this server to allow only Localhost connection on 8088).

6. Refs Used

http://learn.iis.net/page.aspx/659/reverse-proxy-with-url-rewrite-v2-and-application-request-routing/

http://learn.iis.net/page.aspx/489/using-the-application-request-routing-module/

---

At the beginning i was thinking to use http://mysite/syslog/ as a virtual directory, but I got some troubles with events.aspx and the rewrite module.

Inbound Rules was OK ; But Outbound Rules to rewrite URLS were not working as expected ; and filters in Kiwi were not working anymore.

That's why i decided to create a new site on another binding, with a root site ; so don't need to create Outbound Rules ...

---

Sorry for my English ... i'm french :)

↧

SolarWinds Log Forwarder for Windows

November 7, 2013, 1:53 am

≫ Next: Kiwi Syslog Server High CPU Utilization - Messages Seem to be behind

≪ Previous: TIPS HOW TO - Kiwi Syslog Web Server with SSL and IIS 7

Hi,

I am evaluation kiki syslog server(9.4),

I got this problem with the SolarWinds Log Forwarder for Windows.

somehow when this is install in a different subnet the windows event is not forward to the syslog server.

there is no firewall in between the 2 servers.

Is this the limitation or bugs.

Tommy

↧

Kiwi Syslog Server High CPU Utilization - Messages Seem to be behind

September 8, 2010, 11:51 am

≫ Next: Kiwi on Windows Server 2008R2

≪ Previous: SolarWinds Log Forwarder for Windows

The CPU on my Kiwi Syslog Server is Pegged. Here is the Diagnostic info file from the server.

Kiwi Syslog Server [Registered] Version 9.0.3

/// Kiwi Syslog Server Statistics ///
---------------------------------------------------
24 hour period ending on: Wed, 08 Sep 2010 14:44:34
Syslog Server started on: Wed, 08 Sep 2010 13:37:39
Syslog Server uptime: 1 hour, 7 minutes
---------------------------------------------------

+ Messages received - Total:          1098753
+ Messages received - Last 24 hours: 1098753
+ Messages received - Since Midnight: 1098753
+ Messages received - Last hour:      996804
+ Message queue overflow - Last hour: 416654
+ Messages received - This hour:      101949
+ Message queue overflow - This hour: 12336
+ Messages per hour - Average:        996804

+ Messages forwarded: 769810
+ Messages logged to disk: 1194581

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           2
+ Errors - Oversize message:          309

+ Disk space remaining on drive E:    41554 MB

    Breakdown of Syslog messages by severity
+--------------------+------------+------------+
| Message Level      | Messages | Percentage |
+--------------------+------------+------------+
| 0 - Emerg          |         0 |      0.00% |
| 1 - Alert          |      2753 |      0.25% |
| 2 - Critical       |       496 |      0.05% |
| 3 - Error          |      5745 |      0.52% |
| 4 - Warning        |    103603 |      9.43% |
| 5 - Notice         |     42938 |      3.91% |
| 6 - Info           |    775902 |     70.62% |
| 7 - Debug          |    167316 |     15.23% |
+--------------------+------------+------------+

Custom statistics
-----------------
CustomStats01: 0
CustomStats02: 0
CustomStats03: 0
CustomStats04: 0
CustomStats05: 0
CustomStats06: 0
CustomStats07: 0
CustomStats08: 0
CustomStats09: 0
CustomStats10: 0
CustomStats11: 0
CustomStats12: 0
CustomStats13: 0
CustomStats14: 0
CustomStats15: 0
CustomStats16: 0

End of Report.

DNS Cache size  20000
DNS Cache entries 2
Entries in queue 0
DNS Cache hits  0
DNS Cache misses 0
DNS Cache TTL  1440 minutes
Total DNS Lookups 0
Successful cache hits 0%

IP Address Hostname TTL (minutes)
127.0.0.1 localhost Static
::1 localhost Static

Message Buffer Information
==========================
Message Queue Max Size: 20000
Message Queue overflow: 428990
Message Count:          19932
Message Count Max:      20000
Percentage free:        1

E-mail Buffer Information
==========================
Message Queue Max Size: 1000
Message Queue overflow: 0
Message Count:          0
Message Count Max:      13
Percentage free:        100

↧