Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

February 6, 2013, 5:04 am

≫ Next: How to make Kiwi log Windows logon events?

≪ Previous: How to Migrate Kiwi Syslog server and viewer to Another system

PROBLEM - pfSense syslogs for firewall event is split into two lines when it is sent to Kiwi syslog app.

Is there a way to edit configuration or parsing script to parse the pfSense event as one similar to what the Splunk app can do see link http://www.basementpctech.com/content/pfsense-log-analysis-splunk

I understand that this is a PFsense tcpdump/issue, but I have already tried changing link http://redmine.pfsense.org/issues/1938 without any luck, it just don't work, tried all combinations of changes without any luck.

Pfsense version = 2.0.1-RELEASE, (amd64) , built on Mon Dec 12 18:16:13 EST 2011 ,FreeBSD 8.1-RELEASE-p6

I would really appreciate any help with this, as I have already exhasted searching for a working soloution using Kiwi Syslog, and the only thing holding me back from purchasing this application.

Appreciate any help on this..........

Example from Kiwi Syslog

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:50:56:9d:53:fc [|bootp]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: 10.x.x.xx.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:xx:56:9d:53:fc, length 313, xid 0xf7d8ecbb, secs 3328, Flags[bcast]

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: 00:00:08.003040 rule 1/0(match): block in on em0: (tos 0x0, ttl 128, id 12646, offset 0, flags [none], proto UDP (17), length 341)

02-06-2013 13:01:35 Local0.Info 10.x.x.x Feb 6 13:01:37 pf: <009> Client-Ethernet-Address 00:xx:56:9d:53:fc [|bootp]

↧

How to make Kiwi log Windows logon events?

June 17, 2014, 6:50 am

≫ Next: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

≪ Previous: Kiwi Syslog + PFsense (parsing firewall log from 2 lines to 1 help)

I have Log Forwarder on our spiceworks server currently enabled with a security subscription, but I'm not sure if I'm getting logon events or not.

↧

How to Split Log Files by IP Address and Date in Kiwi Syslog Server

May 31, 2013, 9:19 am

≫ Next: Does kiwi queue records while SQL Server is offline

≪ Previous: How to make Kiwi log Windows logon events?

SolarWinds's own Justin Finley just recorded a video tutorial that shows how to split logs into multiple files by IP address and date in Kiwi Syslog Server. Specifically, this syslog server tutorial shows how to store logs in separate folders for each source IP address, and then shows how to keep separate log files for each day within those folders. (e.g., "D:\logs\192.168.000.001\Log2012-07-13.txt")

External link to Jing: autosplit - justinfinley's library

Video Guide:

0:00 Opening Kiwi Syslog's configuration dialog
0:15 Using an "AutoSplit" variable of "IP Address (4 octets)" (%IPAdd4) in the log path to split logs by IP address
0:40 Using an "AutoSplit" variable of "ISO Date" (%DateISO) in the log path to split logs by date

Remember to "LIKE" this if you find it useful - that helps other find it too!

↧

Does kiwi queue records while SQL Server is offline

September 25, 2014, 11:07 am

≫ Next: Does Kiwi Syslog Server Support Receiving Syslog over TCP via RFC3195

≪ Previous: How to Split Log Files by IP Address and Date in Kiwi Syslog Server

My production environment needs to have the SQL Server that Kiwi forwards Syslogs to restarted. When this restart is done I'm wondering if Kiwi will store the syslogs while the SQL is out of communication or if it will just send the packets blindly assuming the SQL Server will pick them up without verifying. If it won't auto-detect when the sql server isn't there then is there a way to manually begin queueing logs for a short time while we do some server maintenance?

↧

Does Kiwi Syslog Server Support Receiving Syslog over TCP via RFC3195

September 24, 2014, 2:45 pm

≫ Next: Kiwi Syslog Server Web Access can't start

≪ Previous: Does kiwi queue records while SQL Server is offline

We are currently trying to migrate all UDP senders of syslog to TCP. Our fortigate security appliances only support the RFC 3195 standard for syslog over TCP. syslog-ng does not support this and rsyslog says that they support RFC 3195, but it is not working. Please, any assistance with this request would be appreciated. Running syslog with UDP is no longer an option.

Thanks in advance.

↧

Kiwi Syslog Server Web Access can't start

November 26, 2010, 4:44 am

≫ Next: Procurve switches not sending syslog messages in KIWI syslog

≪ Previous: Does Kiwi Syslog Server Support Receiving Syslog over TCP via RFC3195

Hello!

I install Kiwi Syslog Server & Web Access.

Kiwi Syslog Server start and i see events from my devices, but when i start Kiwi Syslog Server Web Access its could not start:

"Kiwi Syslog WebAccess requires Kiwi Syslog Server to be online, but it is offline"

What's problem?

Version 9.2

↧

Procurve switches not sending syslog messages in KIWI syslog

July 25, 2013, 6:58 am

≫ Next: Need Help Troubleshooting - Not Receiving/Displaying Messages

≪ Previous: Kiwi Syslog Server Web Access can't start

Hi all,

New here, searched for discussions but found no entry on procurve switch(es).

The Procurve switches will not send any syslog messages (wiresharked the server)

Turned on logging on the switch: logging 'ip-address'

show debug

Debug Logging

Source IP Selection: Outgoing Interface
Destination:
Logging --
'ip-address' Kiwi Syslog server

       Protocol = UDP
       Port     = 514
     Facility = user
     Severity = info
     System Module = all-pass
     Priority Desc =

tried facility 'syslog' still nothing.

Only the Procurve switches will not send any syslog messages.

Other devices such as Cisco ASA's work fine.

Anyone ideas to solve this?

TIA Jaap

↧

Need Help Troubleshooting - Not Receiving/Displaying Messages

January 13, 2014, 11:00 am

≫ Next: Error 1053 when starting Kiwi Syslog Server

≪ Previous: Procurve switches not sending syslog messages in KIWI syslog

Server 2008 R2 Std

Kiwi Syslog Server 9.4.1

I have an older version of Kiwi installed on an old server that is being retired. I've installed it on the new server, but I cannot get it to display anything. I exported settings from the other server and imported on this one, then went to Inputs-UDP and set the correct IP to bind it to.

I've gone through ALL the steps at SolarWinds Knowledge Base :: Kiwi Syslog Daemon is not receiving messages and Kiwi Syslog Server but had no luck getting it to work.
I know for a fact that messages are being received -- when I run WireShark with the filter, "udp port 514", I see PLENTY of traffic from my firewall. Both my firewall and VPN device are sending syslog messages to the old server and the new one. The old server is still working just fine.
Windows Firewall on the new server is completely disabled.
I loaded the default rules and settings but still had no luck.
I disabled all DNS resolution - no luck.
There is no Errorlog.txt in C:\Program Files (x86)\Syslogd.
Test messages from within Kiwi work just fine.
I finally uninstalled Kiwi, rebooted the server, then reinstalled, and have the same problem.

Kiwi is running as LocalService -- I wondered if that might be the problem, but that's how it's running on the old server as well.

I'm at a loss as to what to do now. I tried contacting support, but since I'm using the free version I was directed here.

↧

Error 1053 when starting Kiwi Syslog Server

April 8, 2014, 2:01 am

≫ Next: How to encrypt syslog from cisco switch or router into Kiwi syslog?

≪ Previous: Need Help Troubleshooting - Not Receiving/Displaying Messages

Hi,

When trying to start the Kiwi Syslog Server we are receiving the following error: Error 1053: The service did not respond to the start or control reqest in a timely fashion.

We also get the following messages in Event Viewer:

A timeout was reached (30000 milliseconds) while waiting for the Kiwi Syslog Server service to connect.

We are using the free version and had it running quite happily for 2 months before this issue occured. I can't find what may have changed on the day it started to fail. The tool is running on a Win7 Enterprise machine. I have tried the changes suggested here: http://knowledgebase.solarwinds.com/kb/questions/4386/Kiwi+Syslog+Server+Service+Startup+Failure+in+Versions+9.3.3+and+9.3.4 but they didn't work. I have also read the following but the service for me doesn't start no matter what account is used: http://thwack.solarwinds.com/thread/45470

Any suggestions would be greatly appreciated!

↧

How to encrypt syslog from cisco switch or router into Kiwi syslog?

June 16, 2014, 4:01 am

≫ Next: Kiwi syslog server external DB

≪ Previous: Error 1053 when starting Kiwi Syslog Server

I want to encrypt syslog from Cisco swirtch or router into Kiwi Syslog.

I read somewhere I can use syslog tls or snmp trap v3

Is that possible using Kiwi Syslog

thanks

↧

Kiwi syslog server external DB

March 21, 2012, 3:56 am

≫ Next: Kiwi Syslog 9.3.2 is now Generally Available

≪ Previous: How to encrypt syslog from cisco switch or router into Kiwi syslog?

Hello,

my kiwi web access database is 4gb great. And i have some timeout errors executing filters.

I am trying to use an external MSSQL DB with kiwi syslog server.

Is possible for Web access to use this external DB?

Thanks

↧

Kiwi Syslog 9.3.2 is now Generally Available

July 5, 2012, 12:02 pm

≫ Next: Syslog Server - Flag/Counter Time Interval - Not working as expected.

≪ Previous: Kiwi syslog server external DB

Kiwi Syslog 9.3.2 is now Generally Available.

For customer with active maintenance, you should see it in your portal.

Here are the changes in this release:

Adds-

Support for Displays extended from 10 to 25 displays
Extended to support sending of secure emails via SMTP over SSL/TLS

Fixes –

Fixed Scheduled Archive: Not working as per Files age selected.
Fixed Web Access - Add/Delete filter causing - Status Code: 500 Error.
Application is sometimes unresponsive at start up for couple of minutes.
Increased max size set to 1000 to prevent “MailMaxMessageSend" errors.

If you need a copy of the latest documentation, let me know, we will be getting that on to the website KiwiSyslog.com soon.

Brandon

↧

Syslog Server - Flag/Counter Time Interval - Not working as expected.

July 24, 2013, 2:04 am

≫ Next: Manager always crashes on 2008 R2 x64

≪ Previous: Kiwi Syslog 9.3.2 is now Generally Available

Hi I have just upgraded to 9.3.4 syslog server and I am having trouble with setting up new actions with timers counters.

I have approx 20 rules defined and approx 5 of them need a Time Interval Filter.

These filter syslogs from various cisco hardware, one being Fan Faults.

The intial Filter is set to Include = "%FAN" "%ENVIRONMENT" - works a treat

the 2nd filter is a Flag/Counter for Time Interval - currently set to 60 mins

Actions are . 1 = display in ErrorFan,

2. Send snmp trap to server 1

3. forward syslog to server 2

When the timer is enabled the syslogs only show 1 every 60 mins for all devices. We currently have 8 bits of kits reporting fan rotation errors etc, and with the timer set I am only seeing the same device or two every hour - not all 8.

When i remove the timer the syslogs come through every 30sec-1min intreval from each device.

In the Syslog Help guide it states:

"When a message arrives from the host "central-router.company.com" that
contains the words "link down" in the text, the first filter (Message text) will
be true. The Time interval filter is then processed. The first time the Time
interval filter is processed, the result will be true, and the actions that
follow will be performed. A countdown timer using the specified value is
started. In the above example it is 15 minutes. If another message arrives from
the same host that contains the words "link down", the first filter (Message
text) will again be true. If the countdown timer has not reached zero, the Time
interval filter will return false and the actions following will not be
performed."

I cannot get this to work 'per host' it just stops all messages coming through from ll devices except 1.

So I dont think it is correctly storing 'counter/flag' for each host and is just setting the filter for the first message received from any host.

I would also like to know if 60 mins is the maximum, as this can still be quite annoying for backend systems, and It would be great to see this increase to maybe 3 or 4 hours - or to be able to put a once a day for each host filter on. Is there a way around this? for instance can i put a 2nd time interval timer on (when it works properly) for a further 60mins etc so i would get 120 mins in total?

↧

Manager always crashes on 2008 R2 x64

August 11, 2010, 12:05 pm

≫ Next: Kiwi Syslog Server Log Location won't change.

≪ Previous: Syslog Server - Flag/Counter Time Interval - Not working as expected.

Hello,

I just installed 9.1 on a 2008 R2 x64 server. I installed it in service mode and when I run the manager, it just crashes immediately. When I install it in application mode, it works fine.

Here's the error info, any help would be appreciated, thanks!!

Problem signature:

Problem Event Name: APPCRASH

Application Name: Syslogd_Manager.exe

Application Version: 9.1.0.0

Application Timestamp: 4b78631b

Fault Module Name: StackHash_5b2b

Fault Module Version: 0.0.0.0

Fault Module Timestamp: 00000000

Exception Code: c0000005

Exception Offset: 02fe194e

OS Version: 6.1.7600.2.0.0.274.10

Locale ID: 1033

Additional Information 1: 5b2b

Additional Information 2: 5b2b4bbe2374c240b72f833a3ef7e30e

Additional Information 3: f660

Additional Information 4: f660de6916f397fec31d7584f0e23743

↧

Kiwi Syslog Server Log Location won't change.

September 17, 2012, 10:44 am

≫ Next: Aruba ClearPass and syslog messages truncated

≪ Previous: Manager always crashes on 2008 R2 x64

Hey all,

I have recently taken over a sys admin position, and am required to move the location of the Kiwi Syslog Server logs to another file location. I have never used it prior. However, I can't seem to move the file.

Kiwi Syslog Server 9.2.1 (Free version.)

Windows Server 2003 SP2 (WORKGROUP)(VM)

Current configuration:

Log to Log File

Path and file name: C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt

If I test the configuration, I can see the test messages in the location noted about. However, after I apply the settings, the older location (a CIFS share) continues to receive the actual syslogs of the devices we monitor.

There are three local users, all of which show the same configuration.

I have tried deleting and recreating the Log to Log File rule. No change.

I have tried starting and stopping the service. No change.

I have tried exporting the system settings, and then reimporting them. No change.

I have tried searching the registery for the old location. Nothing found.

I have two theories.

1. The settings are locked for some reason.

2. The settings are stored somewhere else.

Any help would be great.

Thanks,

Aaron

Solarwinds Padawan

↧

Aruba ClearPass and syslog messages truncated

October 9, 2013, 2:20 am

≫ Next: Syslog Manager fails to start on win 8.1

≪ Previous: Kiwi Syslog Server Log Location won't change.

Hello,

I have a problem with my Kiwi Syslog server and syslog messages received from my Aruba ClearPass Server. So I get the messages, no problem with that, but they are truncated. I mean, I don't get the full syslog message.

Here is an example : 10-09-2013 11:52:18 Local1.Debug 1.1.1.1 2013-10-09 10:48:42,270 1.1.0.1 Guest Access 66 1 0 RADIUS.Auth-Method=PAP,RADIUS.Auth-Source=Local:localhost,

Normally, here are all the information sent by Aruba ClearPass (and that should be present into the message) :

RADIUS.Acct-Authentic

RADIUS.Acct-Called-Station-Id

RADIUS.Acct-Calling-Station-Id

RADIUS.Acct-Delay-Time

RADIUS.Acct-Framed-IP-Address

RADIUS.Acct-Input-Octets

RADIUS.Acct-Input-Pkts

RADIUS.Acct-NAS-IP-Address

RADIUS.Acct-NAS-Port

RADIUS.Acct-NAS-Port-Type

RADIUS.Acct-Output-Octets

RADIUS.Acct-Output-Pkts

RADIUS.Acct-Service-Name

RADIUS.Acct-Session-Id

RADIUS.Acct-Session-Time

RADIUS.Acct-Status-Type

RADIUS.Acct-Termination-Cause

RADIUS.Acct-Timestamp

RADIUS.Acct-Username

RADIUS.Auth-Method

RADIUS.Auth-Source

As you can see, there are only the last 2 parameters which I can see on Kiwi Syslog. Is there something to setup in Kiwi ?

Thanks for you help.

Dimitri

↧

Syslog Manager fails to start on win 8.1

November 11, 2013, 4:10 pm

≫ Next: After a indeterminate period of time, Kiwi Syslog Web Access gets stuck in timeout

≪ Previous: Aruba ClearPass and syslog messages truncated

syslog_manager.exe 9.4.0.1 will not open correctly on windows 8.1. The process starts and can be seen in task manager, but closes a few second later. No GUI is seen at all not even the splash screen or the notification area icon.

there are no logs inside:

C:\Program Files (x86)\Syslogd\Dated logs

C:\Program Files (x86)\Syslogd\Logs

i tried calling (Service – Debug start-up: www.kiwisyslog.com/help/syslogd7/index.html?adv_reg_servicedebugstart_up.htm):

syslog_manager.exe DEBUGSTART

syslog_manager.exe /DEBUGSTART

syslog_manager.exe -DEBUGSTART

syslog_manager.exe --DEBUGSTART

but still no log or debug log files are created in the C:\Program Files (x86)\Syslogd directory or any of its sub directories.

i checked the window event log and found the same four error reoccurring every time the syslog_manager.exe is started up

==============================

Error 1

==============================

Fault bucket -339880763, type 1

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: Syslogd_Manager.exe

P2: 9.4.0.1

P3: 5256d7ac

P4: StackHash_4527

P5: 0.0.0.0

P6: 00000000

P7: c000041d

P8: PCH_1C_FROM_actskn43+0x00014197

P9:

P10:

Attached files:

C:\Users\user\AppData\Local\Temp\WER7A1F.tmp.WERInternalMetadata.xml

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._1c26be14be8bc7e884ee84c763454f0becaea_d6be21d2_0a3f7cfe

Analysis symbol:

Rechecking for solution: 0

Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a

Report Status: 0

Hashed bucket: ee82e4cf87c028d8fde4d29d457939f8

==============================

Error 2

==============================

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc000041d

Fault offset: 0x040705b8

Faulting process ID: 0xbe0

Faulting application start time: 0x01cedf304b48bb7b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report ID: 89cea6aa-4b23-11e3-befa-001b63a57b6a

Faulting package full name:

Faulting package-relative application ID:

==============================

Error 3

==============================

Fault bucket 50, type 5

Event Name: BEX

Response: Not available

Cab Id: 0

Problem signature:

P1: Syslogd_Manager.exe

P2: 9.4.0.1

P3: 5256d7ac

P4: StackHash_f2c9

P5: 0.0.0.0

P6: 00000000

P7: PCH_3D_FROM_ntdll+0x0003C1AC

P8: c0000005

P9: 00000008

P10:

Attached files:

C:\Users\user\AppData\Local\Temp\WER7676.tmp.WERInternalMetadata.xml

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Syslogd_Manager._4bac366436d77f4150a9f635e3ff4264d568c57d_d6be21d2_070f7973

Analysis symbol:

Rechecking for solution: 0

Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a

Report Status: 0

Hashed bucket: 18c71da6583848b95798fbf0fc6b19c1

==============================

Error 4

==============================

Faulting application name: Syslogd_Manager.exe, version: 9.4.0.1, time stamp: 0x5256d7ac

Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000

Exception code: 0xc0000005

Fault offset: 0x040705b8

Faulting process ID: 0xbe0

Faulting application start time: 0x01cedf304b48bb7b

Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Manager.exe

Faulting module path: unknown

Report ID: 893e635c-4b23-11e3-befa-001b63a57b6a

Faulting package full name:

Faulting package-relative application ID:

↧

After a indeterminate period of time, Kiwi Syslog Web Access gets stuck in timeout

February 11, 2014, 1:36 pm

≫ Next: Can SolarWinds Log forwarder be use to parse and forward Radius logs

≪ Previous: Syslog Manager fails to start on win 8.1

After a period of time, Kiwi Syslog Web Access will timeout and not allow me to log back in. Everytime I click on "Click here to log in" it takes me right back to the Timeout page. Restarting the server SOMETIMES fixes it, restarting the browser/clearing cache does not help at all. What is going on?

↧

Can SolarWinds Log forwarder be use to parse and forward Radius logs

September 10, 2014, 9:08 am

≫ Next: Kiwi Syslog Forwarder windows 2008R2 Invalid Subscription

≪ Previous: After a indeterminate period of time, Kiwi Syslog Web Access gets stuck in timeout

Hi,

I have a Windows NPS server, and I need to be able to forward the logs to a syslog server. Would Solarwinds log forwarder be able to do this?

Thank you

↧

Kiwi Syslog Forwarder windows 2008R2 Invalid Subscription

January 10, 2014, 7:40 am

≫ Next: Kiwi Syslog Web Access

≪ Previous: Can SolarWinds Log forwarder be use to parse and forward Radius logs

I am setting up the Kiwi Log Forwarder for windows 2008R2 If i select all the logs ( the logical thing to do in my opinion) I get an "Invalid Subscription error"

What is the fix for this as 23 event logs does not cover the list of secondary logs in windows 2008R2

Thank you

↧