Comments
-
It really depends on what ports you are using for logging purposes because it is customizable. The primary default port if you are JUST capturing syslog messages is UDP 514. If you're using web access you might want to keep those ports open as well as DNS. If you're using SNMP to capture traps as logs you might want to…
-
You could write a script to keep up with this and generate reports, but things like EPS might be better suited to come from the database you're logging to. I typically have no issues sharing scripts and even writing scripts for others here when I have time, but for the last 4 months, I've barely had time to log into this…
-
Rajmohan, Here is an example script I put together. I used the Split function to parse your entire example message, and then gave examples to do the same thing with the Mid and InStr functions. If you want to look into using regular expressions, I believe there is a sample script in this forum space that parses PIX…
-
The first thing you'll want to do is right-click on "Custom DB Formats" in setup and choose "Add New" and then specify the columns and data types. Then you'll want to actually create the table with those same data types. Then for the rule you have set up for your firewall logs (or a new rule if you want) for the action "Log…
-
I think what you're looking for are syslog messages around 113004 range. This is also a very good reference: http://www.cisco.com/en/US/docs/security/asa/Syslog-Guide/asa-syslog.pdf
-
Do you have an action in the same rule as the filter that will e-mail out the alert? Also, you can test that your filter works by creating an action in the same rule to send those messages to a different display.
-
I don't know much about Orion and you might get a better answer in the Orion space if you haven't already, but... Kiwi can forward logs to another syslog server and I believe Orion has the capability to receive syslogs but I could be wrong on that. To forward, you can do one of two things, either use the "Send Syslog…
-
Any errors in the error.log? Can you get other devices to communicate? Is Windows blocking or using UDP 514 for anything?
-
Wow you are riled up today ttl. I'll see if I can help though. I still had a 2008 R2 upgrade left to do and it went without a hitch. However, I do remember an error message very similar to this and it was caused by not stopping the kiwi syslogd service prior to upgrade. Stopping the service and then hitting retry should…
-
I would start by checking your static hosts file and related settings in Kiwi. I would also check your ARP table to see if it's registering that IP address with a device ID (MAC address) belonging to the router.
-
Hello Ian, and welcome to the thwack community! There are numerous methods of extracting data, archiving, etc... but really, the power of Kiwi is in its versatility and configurability; it's not just a syslog server unless that's all you use it for. My suggestions: 1. Stop using the catch-all file as your only method of…
-
You should be able to add the databases in your full version and browse to the existing MDF and LDF files. In your MSSQL Server Management Studio, right-click on Databases and choose "Attach" instead of "New Database". I'm not sure about Steven's reply though, as I believe the Express service needs to be stopped and…
-
Hello and welcome to the community. I don't have all of the answers for you, but I think I can point you in the right direction... 1. The syslogger that is part of Orion is not really Kiwi Syslogger. I'm really not 100% certain what features it contains in comparison with Kiwi, but I would imagine that by default it does…
-
Glitch, How are you verifying syslog traffic in Kiwi? Here are some things to check: 1. Is the service started? 2. If you are using web access, do you have the log-to-web-access rule set up for all messages? (I think this is default, but check just to make sure.) 3. Are you viewing the correct display? 4. Make sure your…
-
karenm, If you are talking about devices logging to syslog, the IP addresses are always formatted the same way and are available in a script variable to capture, modify or log. If you are referring to source/destination IPs from, say, a firewall log, then SolarWinds/Kiwi has no control over how those logs are sent from the…
-
Wow, that looks like some of the substring stuff I do; one of my co-workers says I'm going to wear out the parenthesis key. The problem is that DateDiff will round. You'll want to just adjust your math there to use the seconds datepart in your DateDiff statements instead of days, hours and minutes, and then you should be OK.
-
I kept seeing subject lines " - I Love you" in my e-mail and it just made me remember this... And I Love You - YouTube
-
Have you checked the error log in your \syslogd\ folder? Or anything in the windows event log?
-
Hey danyk7, Kiwi is absolutely capable of what you're asking for, but it does require scripting. You can set up a top rule to filter on the forwarding host and then set the hostname based on the originating IP address of the sender in a run-script action, as long as the sender is sending the originating IP. The…
-
You should have a green and blue flashing S/D icon in the system tray (bottom right hand corner of the task bar near the clock). When you minimize the GUI, it doesn't stay in the task bar, you have to double-click the system tray icon to bring it back up. The only time you need to click on the icon is when you first open…
-
Christopher, The easiest way to do this would be to put a rule in Kiwi to forward the logs to NPM. They would still be available in Kiwi, but would also be available in NPM. Another option would be to scrap Kiwi and just have your syslogs go to your NPM server instead. I would definitely go with the first option though, as…
-
You can log to a local or remote database as well, which among other things does change the file format and can provide some additional security.
-
This has been possible for quite some time with scripting; however, if you're looking for a GUI option to configure this, there isn't one.
-
Filter on the message text field using the "Complex" filter type. In the "Exclude" box, type in "192.1.3.4" including the quotes. Then below that in the "AND" box, type in "anon", also including the quotes. And that's all there is to it.
-
I'm thinking you want HTTP/HTTPS traffic. DNS traffic from the firewall will tell you what your DNS servers are all day long, but unless you're capturing packets, that isn't going to tell you what hostnames you're trying to resolve. But to answer your question, yes, you can. It might depend on your software version though.…
-
Here is a script I wrote for someone else to do exactly what you are asking. If you have any questions, please ask them in the comments section under the contents and I will be happy to answer them. Script_Filter_TimeInterval_byHost.txt Thanks,
-
That's only true by default Kstone. You can configure your cisco routers to syslog configuration changes: And here is a link to the instructions on how to do so.... This documentation has been moved - Configuration Change Notification and Logging [Support] - Cisco Here's an example of the syslog messages you might get…
-
The Log Forwarder works fine for me in that environment, although you may need to allow it through your windows firewall…
-
In the meantime, this script: can be scheduled for like 11:55pm so you can continue collecting your data. Just put your e-mail information in the script and create a scheduled run-script action for it.
-
levani, I have to do the same thing for some messages, but for different reasons. What I did was write a VBScript to parse out the message and strip the characters out. I did put Chr(13) back in though, simply because I needed it for display purposes, and I just stripped the characters out rather than including the ASCII…
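Several of the comments above describe the same few scripting tasks without showing code: splitting a Cisco ASA message into fields (the Split/Mid/InStr reply), picking out the 113004-range AAA messages, attributing a relayed message to its originating device rather than the forwarding host, and stripping control characters from the message text while keeping the carriage return. The block below is an added example written for this page; it is not any commenter's script and not Kiwi's own run-script API (a Kiwi run-script action would be VBScript operating on Kiwi's message fields; this is a stand-alone Python equivalent of the same logic). The sample syslog lines are constructed for the example, and the relay address `10.0.0.1`, the hostname `fw-edge-01`, and the set of message IDs treated as authentication events are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample input (peer address the datagram arrived from, raw line).
# Lines 1-2 are relayed through an assumed forwarding host 10.0.0.1 and carry the
# originating hostname in the syslog header; line 2 also carries an ESC sequence
# in the user name, the kind of control-character junk the last comment strips.
# Line 3 comes straight from a device that does not put a hostname in the header.
SAMPLE_LINES = [
    ("10.0.0.1", "<166>Jun 12 10:15:03 fw-edge-01 %ASA-6-113004: AAA user authentication "
                 "Successful : server =  10.1.1.5 : user = jsmith"),
    ("10.0.0.1", "<166>Jun 12 10:15:09 fw-edge-01 %ASA-6-113005: AAA user authentication "
                 "Rejected : reason = Invalid password : server = 10.1.1.5 : "
                 "user = admin\x1b[2J : user IP = 203.0.113.7"),
    ("192.168.5.20", "<188>Jun 12 10:16:00 %ASA-4-106023: Denied tcp src "
                     "outside:203.0.113.9/4444 dst inside:10.1.1.20/22 by access-group \"OUTSIDE_IN\""),
]

# Assumed set of known forwarding hosts (the "filter on the forwarding host" rule).
RELAYS: Set[str] = {"10.0.0.1"}

# Illustrative subset of ASA AAA authentication message IDs (success/reject,
# external server and local database).
AAA_AUTH_MSGIDS = {"113004", "113005", "113012", "113015"}

# Every C0 control character and DEL except CR (0x0D), which is kept on purpose.
CONTROL_RE = re.compile(r"[\x00-\x0c\x0e-\x1f\x7f]")

# <PRI>MMM DD HH:MM:SS [hostname] %ASA-<severity>-<msgid>: text
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s%]+) )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


@dataclass
class AsaEvent:
    peer: str                 # address the datagram actually came from
    origin: str               # device the event is attributed to after relay handling
    facility: int
    severity: int
    msgid: str
    event: str                # leading phrase, e.g. "AAA user authentication Rejected"
    fields: Dict[str, str] = field(default_factory=dict)


def strip_control_chars(text: str) -> str:
    """Remove control characters that could corrupt displays or log files; keep CR."""
    return CONTROL_RE.sub("", text)


def originating_host(peer: str, header_host: Optional[str], relays: Set[str]) -> str:
    """Trust the header hostname only when the sender is a known relay."""
    if peer in relays and header_host:
        return header_host
    return peer


def parse_asa(peer: str, raw: str, relays: Set[str] = RELAYS) -> Optional[AsaEvent]:
    """Parse one ASA syslog line into structured fields; None if it is not ASA format."""
    m = HEADER_RE.match(strip_control_chars(raw))
    if not m:
        return None
    pri = int(m.group("pri"))
    # ASA messages are "phrase : key = value : key = value ...", so Split on " : "
    # gives the phrase first and one key/value pair per remaining element.
    parts = [p.strip() for p in m.group("text").split(" : ")]
    fields: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return AsaEvent(
        peer=peer,
        origin=originating_host(peer, m.group("host"), relays),
        facility=pri // 8,
        severity=pri % 8,
        msgid=m.group("msgid"),
        event=parts[0],
        fields=fields,
    )


def is_aaa_auth(ev: AsaEvent) -> bool:
    """True for the AAA authentication success/reject messages worth alerting on."""
    return ev.msgid in AAA_AUTH_MSGIDS


if __name__ == "__main__":
    for peer, raw in SAMPLE_LINES:
        ev = parse_asa(peer, raw)
        if ev is not None:
            tag = "AUTH" if is_aaa_auth(ev) else "    "
            print(f"{tag} {ev.origin:<14} {ev.msgid} sev={ev.severity} {ev.event} {ev.fields}")
```

The parser sanitizes before matching, so a hostile value such as the `ESC [ 2 J` clear-screen sequence in the second sample loses its ESC byte and can no longer act as a terminal escape when the message is viewed. The relay check is deliberately narrow: a hostname in the header is only believed when the datagram came from an address in `RELAYS`, since otherwise any device on the network could spoof the origin of its own log lines.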