corrupt syslog messages from windows event forwarder through kiwi to NPM

Hi there,

i am trying to find a way, to get windows events sent, s syslog, relayed through a syslog server, and then forwarded onto NPM syslog daemon, where I generate alerts.

current set up is (all servers are windows 2003 server):

server 1 - runs SolarWinds event log forwarder

server 2 - runs kiwi syslog daemon/forwarder

server 3 - runs SolarWinds NPM

i generate an event on server1, by restarting auto-update service. this generates a system event, which is forwarded onto kiwi. Kiwi sends the message, as a syslog onto NPM. NPM filters out the interesting stuff creates an email that sends the syslog contents to me.

I can see the message is corrupt by the time it gets to KIWIW, so the email itself is rubbish:

when kiwi gets this event, it is unreadable and looks something like the following example, see the message content on the last line of the message:

This alert is produced by the windows event log forwarding critical alerts through Solarwinds Orion

Hostname: s########### (blanked out for security)

Time of alert: 13/07/2009 20:10

Message Type:

Message detail: Jul 13 20:09:38 10.2.2.174 Kiwi_Syslog_Server Original Address= ########### (blanked out)

NDw0QXlhLj4jMSAjJCw2JyAjKiImLik/c3Vuc2ZxYmQYGB0fDAh9SlNEQFpATAwXa1xZTk5USkZge2IQNCAlLiklajs+JDgmPDQ1Nid1NyQrMD01OTl+Kw9BDAYTRQoIDwYEUWFnY2V5JAEWBlU4FhUcQHI9GRMW7ujx9/bk8uj6hICGhoTK4P3w+/2unJ/S1dzI0tOQlJKqqO7Mw8rIh+HtkKKlhZ7XgJ2Cy4P08vH7+pO2trC0tpCzq7WtqaOgrbrwwp+onaqzpKC6oKyGpbGvs7e5urvS6ujr6reApIaLgp+bvJ+HmZmdl5SR+Pz+8fCpnq6YjYtucGZUd29xYWVvbGkABAYZGEF2QHR9cldudH5ubnZ2UHFQSlJMSkJPTCchJSQnfFV1V1FBUmZFUU9TV1laWzJKSEtKFyAVPjs9LyYJIzgmIj48PjE7IgcqMCwyMDg5Om1ra2ptNgMrBwgOLx4EGAoCIQAaAhwaEh8cd3F1dHcs5cjv8+H39ejm6P7u3P/n+fn99/Txnw==

Message Severity: ${MESSAGESEVERITY}

I tried using a different product, “winsyslog”. when i use it, i can configure the product to send the syslog to NPM as RAW, rather than RFC compliant. if i do this, it makes it to NPM intact, but i am having other troubles with that product and i would rather stuck with a single vendor.

if i send the windows event forwarded syslogs direct to NPM, it works fine.

one final complication, in the above scenario, so u have all the information, server1 is an additional Orion web server, and server 2 is an addition SLX poller, and server3 is a SolarWinds NPM SLX server. i have disabled the syslog service on the additional poller to make sure the syslog is received by the forwarder.

really need help on this.....

cheers

dan

Find more posts tagged with

Accepted answers

All comments

chris.lapoint

Bad news: The problem is that the Orion Windows Event Forwarder hashes the message so that only the Orion Syslog Server can read it.

Good news: We're coming out with an updated SolarWinds Log Forwarder for Windows that will work with both Orion Syslog and Kiwi Syslog. It will be made available to customers current on maintenance for either product. Please send me a private message and we can discuss your options now in more detail.