What is Kiwi Syslog?
Kiwi Syslog is a "syslog server" - a passive listening application. It does not actively poll your network devices.
When installed and started, Kiwi Syslog binds to the specified port(s) on your system and then listens for any syslog messages, SNMP traps (if enabled), and Windows Event Log messages (if forwarded as syslog messages by SolarWinds Log Forwarder). By default it listens for syslog messages on UDP port 514. It then logs, displays, alerts on, forwards and performs many other actions on the syslog messages and SNMP traps it receives from hosts such as firewalls, routers, switches, Unix hosts and other syslog-enabled or SNMP-capable devices.
You need to configure all your network devices to send their syslog information to the IP Address of the system that you have installed Kiwi Syslog on.
The Default Rule
The first time Kiwi Syslog is installed it contains a single Rule. This rule does not have any filters defined which means that every message that is received by Kiwi Syslog will cause the actions defined within this rule to fire. There are two actions defined within this default rule:
- A Display action, which sends all messages to "Display00" (the default display).
- A Log to file action, which writes all messages to the file specified. The default filename is SyslogCatchAll.txt, located in the Logs directory.
How the Rule engine works
When a message is received by Kiwi Syslog it is tested against each Rule in turn, from the top down, until either all Rules have been tested or a Stop Processing action is encountered. The next message is then tested in the same way, and so on. For the actions within a rule to fire, all of the filters preceding them in that rule must first be TRUE. When you have more than one filter specified within a rule, the filters are effectively ANDed together, not ORed.
In the following scenario we have created two filters:
- Simple IP address filter.
- Simple Message text filter.
The two defined actions, Display and Log to file will only fire if the message that is currently being processed matches both of these filters:
For example, if it comes from IP address 192.168.1.90 AND it contains the words "link down" OR "link up" within the message text part of the syslog message.
If the message does not meet both of these requirements, the filters will not all be TRUE and therefore the actions will not fire.
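The following Python script is an added example, not part of Kiwi Syslog or this article: it models the rule engine described above (top-down rule evaluation, filters ANDed within a rule, phrases ORed within a single message-text filter, a Stop Processing action that ends evaluation for the current message) and also the default catch-all rule, which has no filters and so matches every message. It goes slightly beyond the page by decoding the syslog <PRI> header into facility and severity. The sample datagrams, the rule name, "Display01" and "LinkEvents.txt" are constructed for the example; "Log to file" writes to an in-memory dictionary rather than to disk so the script runs offline.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample datagrams: (source IP as seen by the UDP socket, RFC 3164-style
# payload). None of these come from the article; they are made up for the example.
SAMPLE_DATAGRAMS = [
    ("192.168.1.90", "<189>Mar  1 10:00:01 sw1 Interface Gi0/1 link down"),
    ("192.168.1.90", "<189>Mar  1 10:00:05 sw1 Interface Gi0/1 link up"),
    ("192.168.1.90", "<190>Mar  1 10:00:09 sw1 Configuration saved by admin"),
    ("10.0.0.5",     "<189>Mar  1 10:00:12 sw2 Interface Gi0/2 link down"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
STOP = "stop"  # returned by the Stop Processing action


@dataclass
class Message:
    source_ip: str
    facility: int
    severity: int
    text: str  # everything after the <PRI> header; the "message text part"


def parse_syslog(source_ip: str, payload: str) -> Message:
    """Decode the <PRI> header (facility*8 + severity); the remainder is the message text."""
    m = PRI_RE.match(payload)
    if m is None or int(m.group(1)) > 191:
        # No valid PRI: RFC 3164 says to treat it as user.notice (PRI 13) and keep the whole line.
        return Message(source_ip, 1, 5, payload)
    pri = int(m.group(1))
    return Message(source_ip, pri // 8, pri % 8, m.group(2))


# ---- Filters: each is a callable returning True/False for one message -------------

def ip_filter(*cidrs: str) -> Callable[[Message], bool]:
    """Simple IP address filter: TRUE if the sender is in any listed address/network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda msg: any(ipaddress.ip_address(msg.source_ip) in n for n in nets)


def text_filter(*phrases: str) -> Callable[[Message], bool]:
    """Simple message text filter: TRUE if ANY listed phrase appears (OR within one filter)."""
    lowered = [p.lower() for p in phrases]
    return lambda msg: any(p in msg.text.lower() for p in lowered)


# ---- Actions: each receives the message and a sink of named outputs --------------

def display_action(display_name: str):
    def act(msg: Message, sink: Dict[str, List[str]]) -> Optional[str]:
        sink.setdefault(display_name, []).append(msg.text)
    return act


def log_to_file_action(filename: str):
    # In-memory stand-in for writing a line to the named log file.
    def act(msg: Message, sink: Dict[str, List[str]]) -> Optional[str]:
        sink.setdefault(filename, []).append(f"{msg.source_ip}\t{msg.text}")
    return act


def stop_processing(msg: Message, sink: Dict[str, List[str]]) -> Optional[str]:
    return STOP


@dataclass
class Rule:
    name: str
    filters: List[Callable[[Message], bool]]
    actions: List[Callable]


def process(datagrams, rules: List[Rule]) -> Dict[str, List[str]]:
    """Test every message against each rule from the top down, as the article describes."""
    sink: Dict[str, List[str]] = {}
    for source_ip, payload in datagrams:
        msg = parse_syslog(source_ip, payload)
        for rule in rules:
            # All filters must be TRUE (ANDed); a rule with no filters matches every message.
            if not all(f(msg) for f in rule.filters):
                continue
            if any(action(msg, sink) == STOP for action in rule.actions):
                break  # Stop Processing: no further rules are tested for this message
    return sink


def build_rules() -> List[Rule]:
    # Rule 1 mirrors the article's scenario: IP filter AND text filter ("link down" OR "link up").
    link_events = Rule(
        "Link state changes on sw1",
        filters=[ip_filter("192.168.1.90"), text_filter("link down", "link up")],
        actions=[display_action("Display01"), log_to_file_action("LinkEvents.txt"), stop_processing],
    )
    # Rule 2 is the default rule: no filters, Display00 plus the catch-all log file.
    catch_all = Rule(
        "Default",
        filters=[],
        actions=[display_action("Display00"), log_to_file_action("SyslogCatchAll.txt")],
    )
    return [link_events, catch_all]


def run_example() -> Dict[str, List[str]]:
    return process(SAMPLE_DATAGRAMS, build_rules())


if __name__ == "__main__":
    for name, lines in run_example().items():
        print(name)
        for line in lines:
            print("   ", line)
```

With Rule 1 placed above the default rule and ending in Stop Processing, the two link messages from 192.168.1.90 reach Display01 and LinkEvents.txt only; the "Configuration saved" message fails the text filter and the link-down message from 10.0.0.5 fails the IP filter, so both fall through to Display00 and SyslogCatchAll.txt. Removing `stop_processing` from Rule 1 would make the link messages appear in both places, which is the usual choice when the catch-all file is kept as a complete record.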
Should I use Kiwi Syslog as a Service or as a Standard application?
If you only want to run Kiwi Syslog every now and then to see what is happening on your network or diagnose a fault with a network device, then installing it as a Standard (or "foreground") application would be best for your needs.
However, if you intend to run Kiwi Syslog 24/7, run it as a service. (You can switch between Standard and Service installations without losing any settings.)
Where Can I Learn More?
- How to Forward Windows Event Logs to Kiwi Syslog Server
- Testing Kiwi Syslog Server with the Kiwi SysGen Tool on the Same Machine
- Configuring Kiwi Syslog Server Highlighting Rules
- How to Set Up a Compliant Retention Policy on Kiwi Syslog Server
- Many more "Getting Started with Kiwi Syslog Server" articles