We are having problems getting EMET to allow the Kiwi Syslog Server service to run on a Windows 2012 R2 Server VM. We have case 999667 open and still haven't gotten it working. One of my partners working on this opened the case.
We still cannot get the Kiwi Syslog service to run under Windows 2012 R2. The Windows EMET will NOT allow the service to start. We have had a case open for a while now and sent the debug output to the support team under case 999667. We require this to work to satisfy multiple STIG requirements, and this is causing multiple open CAT II findings on multiple STIGs because everything is required to send its logs to a syslog server. We are going to have to consider Splunk or, God forbid, WUG since they are the only other syslog aggregators approved by DISA we're aware of. I'm surprised others haven't had problems with this.
Still can't get the service to run under a fully patched Windows 2012 R2 server VM. I even watched the service try to start with Sysinternals Process Monitor and I can't understand why it just gives up at one point... all of a sudden there are a bunch of out-of-bounds errors, then it hits wer.exe. We all know what that is... Windows Error Reporting... ugh!
Our hopefully temporary plan is to use the free WUG syslog server (which works btw) until we can figure this out.
What is the volume of syslogs that you have coming in?
Hey I've obviously come very late to the party, but I had a similar problem but was able to fix it.
My system was a hardened Server 2012, which pushed out EMET policy via Group Policy. My settings were:
My symptoms were that when installing Kiwi Syslog as an Application, the program would crash on start, giving me two mysterious errors in the Application Event Log "Event 1000, Application Error". When installed as a service, the service would not start on completion of installation and attempts to manually install it would fail, "Error 1067: The process terminated unexpectedly."
The error was in the System DEP mitigation. EDIT: Contrary to what I wrote before (now deleted), if you apply both System-Wide DEP as "Always On" and an exception for DEP (through Application Configuration in the GPO), then the System-Wide DEP takes precedence. If you instead enable System-Wide DEP as "Application Opt-Out", then I believe that the option to "Opt-Out" is given to the program or the person configuring EMET (no surprise there). I've managed to confirm this a number of times using both local EMET config and that pushed out from Group Policy. So, the solution is to enable System-Wide DEP as Application Opt-Out and then provide an exception to the DEP mitigation for both syslogd_service.exe and syslogd_manager.exe. How exactly this affects the security of your system as a whole will depend on your priorities and may affect how you choose to implement these changes.
EDIT #2: I also ran into another little problem with EMET and Kiwi Syslog whereby the Syslogd Service was being randomly stopped and had to be constantly restarted. This was easy to diagnose as another EMET problem, triggering the "Caller" mitigation, through the Event Log. Hence, I made another exception for syslogd_service.exe for the Caller mitigation.
Some "gotchas" I found along the way:
For non-GPO implementation, you can do all this via the EMET GUI of course. You'll probably need to add the service manually, as it won't let it run in the first place and appear in the list of running processes. Then it should be pretty straightforward to manually disable DEP for syslogd_service.exe (EDIT: and syslogd_manager.exe).
I hope this helps someone out and saves them all the time I've spent on this.
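The procedure in the post above (System-Wide DEP set to Application Opt-Out, then per-application DEP exceptions for syslogd_service.exe and syslogd_manager.exe, plus a Caller exception for the service) can also be scripted from an elevated PowerShell prompt with EMET's command-line tool, and the same Event Log that the poster used for diagnosis can be queried the same way. The following is an added example, not code from the thread or from SolarWinds or Microsoft. It assumes EMET 5.5 in its default install folder, Kiwi Syslog in its default `Syslogd` folder, and the EMET 5.x `EMET_Conf` switches (`--system`, `--set` with `-<Mitigation>` to switch one mitigation off, `--list`) as documented in the EMET user guide; check them against your installed version before running.

```powershell
# Added example: apply the EMET exceptions for Kiwi Syslog described in the thread
# and review EMET / crash events. Run from an elevated PowerShell prompt.
# Assumed paths (adjust to your environment):
$EmetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 5.5\EMET_Conf.exe'   # assumed EMET 5.5 default
$KiwiDir  = Join-Path ${env:ProgramFiles(x86)} 'Syslogd'                   # assumed Kiwi default

$Service = Join-Path $KiwiDir 'syslogd_service.exe'
$Manager = Join-Path $KiwiDir 'syslogd_manager.exe'

foreach ($p in @($EmetConf, $Service, $Manager)) {
    if (-not (Test-Path $p)) { throw "Not found: $p (fix the assumed path above)" }
}

# 1. System-wide DEP must be "Application Opt-Out", not "Always On". With Always On
#    the per-application exception is ignored and the process is still killed.
#    Every other process on the box keeps DEP; only the opted-out binaries lose it.
& $EmetConf --system DEP=ApplicationOptOut

# 2. Per-application entries. EMET enables all mitigations for a --set entry by
#    default; -DEP / -Caller (assumed syntax) turn just those two off, so the
#    remaining mitigations (SEHOP, ASLR, EAF, ...) still apply to Kiwi.
& $EmetConf --set $Service -DEP -Caller   # service: DEP and Caller both crashed it
& $EmetConf --set $Manager -DEP           # manager GUI: DEP only

# 3. Show the resulting configuration so the exceptions can be reviewed/audited.
& $EmetConf --list

# 4. Diagnosis, the same way the poster found the Caller problem: EMET writes to
#    the Application log when a mitigation fires. Pull the last day of EMET events
#    that mention either Kiwi binary (provider name 'EMET' is assumed).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'syslogd_(service|manager)\.exe' } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 5. The "Event 1000, Application Error" crashes mentioned in the thread, filtered
#    to the Kiwi processes, so you can confirm they stop after the change.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'syslogd_(service|manager)\.exe' } |
    Select-Object TimeCreated, @{ Name = 'Faulting'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 6. Restart the service so it is relaunched under the new EMET settings.
Restart-Service -Name 'Kiwi Syslog Server' -ErrorAction SilentlyContinue   # assumed service name
```

Where EMET is managed by Group Policy, steps 1 and 2 have to be made in the GPO's System and Application Configuration settings instead; a local `EMET_Conf` change is overwritten on the next policy refresh. Steps 4 and 5 are still useful there, because the Event Log is where EMET tells you which mitigation (DEP, Caller, or another) terminated the process, which is what the per-application exception should be limited to.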
It's a relatively small volume, less than 10 devices sending syslog. We're going to try it again, this time not running it on a Windows 2012 R2 DC and instead on a Windows 10 client machine.
Lawrence.trevor - we just wanted to let you know that we are grateful for your post!
We were unable to successfully install Kiwi Syslog Server and Web Access for weeks. We've tried numerous "fixes" from Google searches and SolarWinds Support (mostly Group Policy and permissions related). Finally, while looking at the list of applications on the server, I took note of EMET, and searched the right string on Google that led me to your solution!
All I did was go to the EMET GUI, manually added syslogd_service.exe and syslogd_manager.exe, and disabled DEP.
Again, thank you very much!
-Kay Vi
My pleasure Kayvi. I'm only sad that you still wasted weeks on this problem.
I used to have this very problem and bashed my head for days on it. Kept getting an Application Error relating to .NET with a generic 0x0000005 error. Once we verified HIPS and active scanning weren't the issue, I added the syslogd_manager.exe exception within EMET. That allowed the program to open right up!