Kuz

Comments

  • Machinist, Try clearing Kiwi Syslog Server's internal DNS cache, and then restarting the Kiwi Syslog Server service. Clearing the DNS cache (Setup > DNS Setup > DNS Caching > Clear All) will remove all the static name resolution data. The restart will force Kiwi Syslog Server to reload the static hosts (from…
  • Hi Mystic, If your OSPF network has been configured to send SNMP traps, then Kiwi Syslog Server can receive them. The current version of the Kiwi Syslog Server MIB database includes definitions for the following OSPF MIBS: * OSPF-MIB * OSPF-PRIVATE-MIB * OSPF-TRAP-MIB * OSPFV3-MIB * OSPFV3-MIB-JUNIPER You may also want to…
  • I would go with the following approach: 1. Create a new Rule "Parse PIX Messages" Rule "Parse PIX Messages" Filter + Message Text : RegExp -> Include: "^%PIX-" Action + RunScript "Script_Lookup_PIX_message.txt" (in <program files>\Syslogd\Scripts) + Email * 2. Modify the script "Script_Lookup_PIX_message.txt" There's a…
  • Have you installed Kiwi Syslog Server on the same machine? If so, your problem is probably because the default syslog port (UDP 514) is already in use. To check, run: netstat -aon and check which process (PID) is bound to UDP 0.0.0.0:514. The process name can be verified by finding the corresponding PID in Task Manager…
  • Uninstall WebAccess from the Add/Remove programs CP. Then reinstall web access (<program files>\Syslogd\Setup\KiwiSyslogWebAccess_x.x.x_Setup.exe) You will be prompted for the Administrative username/password along the way. NB. Your existing Web Access event data will be preserved.
  • Hi misw, I'd suggest maybe changing the SNMP field tagging (Setup > Inputs > SNMP) from "OID=Value" to "FieldName=Value". If the MIB database lookup is happening correctly, then OIDs should be translated into the field name.
  • Hi G, The Kiwi Syslog Web Access database is limited (due to the nature of SQL CE as a datastore) to a maximum of 4GB. When the database reaches this limit, older data is removed automatically - in effect, the database is a rolling 4GB of data, so you shouldn't need to worry about manually purging or deleting older data.
  • Hi Joe, E-mails in Kiwi Syslog Server are sent every minute, and are queued between each send. Unfortunately, this setting is not configurable. If having more timely e-mails is critical to you, can I suggest the following workaround: 1) Replace your e-mail action with a Run Program action. 2) Have the Run Program action…
  • Hi jswan, You could combine a couple of scripts that we have: The first script needs to be added to the default rule, and records (in a scripting dictionary) a count of messages received per host (IP address). See [Script_HostCount.txt] attached. (VBScript, requires full read/write permissions) The second script generates…
  • Hi miles53, Couple of questions: 1. At what point in the Subscription Wizard does the CPU spike occur? 2. Does the CPU return to normal levels after the subscription wizard completes? 3. Can I ask what OS you're running? 4. What are your current system and application event log counts like? -Mike
  • Hi byrona, On 1) No, not yet. But this is a feature request we've had for a while now and are looking to add support for this in a forthcoming version. On 2) No. The Kiwi Syslog Web Access console is the only tool that can be used to view data logged via the "Log to Web Access" action. Kiwi Log Viewer can however, be used…
  • KRDP is a proprietary protocol designed to be used between Kiwi Syslog Servers. If you're forwarding to a linux syslog daemon then KRDP won't work. If your linux syslog daemon supports syslog over TCP then you could use that instead. KRDP is built on top of TCP, and TCP is more reliable than UDP.
  • Hi snakethejake, The extra characters (<nnn>) you are seeing aren't actually sent by Log Forwarder. They are being displayed in Kiwi Syslog Server that way because of a setting in the Kiwi Syslog Server setup, called "Replace non-printable characters with <ASCII VALUE>". To fix, go into Kiwi Syslog Server Setup > Modifiers…
  • Hello, Could you please contact technical support regarding this issue. http://www.kiwisyslog.com/option,com_enquiry/Itemid,236/ Mike Kuzman, Dev Lead Kiwi Syslog Server Solarwinds New Zealand
  • Hi Giuseppe, This issue can occur whenever the Syslog MessageText contains single quotes ('). At this stage, the only workaround is to properly escape any single quotes in the Message Text using a RunScript action that runs *before* the "Log to Database" action. eg. Rule "My Log to Database Rule" Actions - RunScript…
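Why a single quote in the message text breaks a "Log to Database" insert, and what the escaping workaround in the comment above actually does, can be seen in this added Python/sqlite3 example. It is illustrative code written for this page, not Kiwi Syslog Server's own logging code or its VBScript RunScript action; the table layout and the two sample messages are constructed for the demonstration. The comparison of interest is between a naive concatenated INSERT, the same INSERT after doubling single quotes (the comment's workaround), and a parameterized INSERT.

```python
import sqlite3

# Constructed sample messages (not real traffic). The second one carries the
# single quotes that trip up an INSERT assembled by string concatenation.
MESSAGES = [
    ("10.0.0.1", "%PIX-6-302013: Built inbound TCP connection 12345"),
    ("10.0.0.2", "user 'admin' login failed from 198.51.100.7"),
]


def fresh_db():
    """Throwaway in-memory table standing in for the 'Log to Database' target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE syslog (peer TEXT, msg TEXT)")
    return conn


def insert_concat(conn, peer, msg):
    """The fragile pattern: field values pasted straight into the SQL text."""
    sql = "INSERT INTO syslog (peer, msg) VALUES ('%s', '%s')" % (peer, msg)
    conn.execute(sql)


def escape_quotes(text):
    """The workaround from the comment above: double every single quote so the
    SQL parser reads it as a literal apostrophe inside the string."""
    return text.replace("'", "''")


def insert_escaped(conn, peer, msg):
    """Same concatenation, but run after the escaping step."""
    insert_concat(conn, escape_quotes(peer), escape_quotes(msg))


def insert_param(conn, peer, msg):
    """Bound parameters: the driver handles quoting, nothing to escape."""
    conn.execute("INSERT INTO syslog (peer, msg) VALUES (?, ?)", (peer, msg))


def try_insert(insert_fn, peer, msg):
    """Run one insert strategy on a fresh table and report the outcome:
    ('ok', stored_text) or ('error', exception_class_name)."""
    conn = fresh_db()
    try:
        insert_fn(conn, peer, msg)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    stored = conn.execute("SELECT msg FROM syslog").fetchone()[0]
    return ("ok", stored)


if __name__ == "__main__":
    for peer, msg in MESSAGES:
        print(msg)
        for fn in (insert_concat, insert_escaped, insert_param):
            print(f"  {fn.__name__:15s} {try_insert(fn, peer, msg)}")
```

The concatenated form fails on the second message with a syntax error, the escaped form stores the text with its quotes intact, and the parameterized form stores it without any preprocessing. Since syslog message text is supplied by the sending device (and by anyone who can send to UDP 514), treat it as untrusted input: doubling quotes is the fix available from a RunScript action, while a parameterized statement is the more robust choice wherever the logging path allows it.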
  • Hi pguenther, You may need to make sure that the account that the Kiwi Syslog Server (Service) is running under also has the relevant permissions to your SQL Database. By default, the Kiwi Syslog Service runs under .\LocalSystem. To change the Service LogOn account, go to Services Control Panel, Kiwi Syslog Server…
  • Hi Jkeeton81, Please see this post:
  • For each rule, the message is matched against the specified filters, starting from the top-most filter and working down. If any of the filter conditions fail, the program stops processing that rule and moves on to the next rule. If all the filter conditions are met, that is, they all return TRUE, then the program will…
  • Hi LD, You should be able to just filter on the messageText to identify Windows Events, and have them log to a different table. Assuming your windows events are coming from either Snare or SolarWinds Log Forwarder for Windows - those events are tagged with "MSWinEventLog" Rule (1) "Log MSWinEventLog" to DB +Filter -…
  • BTW, if you're gonna run that script from KSS, take out the WScript bit. (Won't work otherwise!) ie. Set objShell = CreateObject("Wscript.Shell") objShell.LogEvent 0, "Hello"
  • Alternatively, if you feel like some scripting (and messing with event log permissions on your other servers), you could try this: [New RunScript Action from Kiwi Syslog (VBScript)] Function Main() Set objShell = Wscript.CreateObject("Wscript.Shell") objShell.LogEvent 0, "Hello", "\\SERVER-B" Main="OK" End Function This…
  • Here's one suggestion: Install Kiwi Syslog Server on the other server (B). Forward Syslog message from server (A) to (B). Set up Log to Event Log on server (B) when message from (A) arrives. 
  • Hi Col, Not currently, but if you need to you could backup the Kiwi Syslog Server registry hive. It contains the same information as the Settings.ini file. It is safe* to export the registry key and revert or import an old set of config by running the corresponding .reg file. (Disclaimer: *at least as safe as doing…
  • Ben, Check out this KB article: http://www.kiwisyslog.com/index.php?option=com_kb&Itemid=244&page=articles&articleid=123
  • If you can isolate that one particular event (with a filter) then you can add a threshold filter after it. Filters > Flags/Counters > Threshold (X times in Y seconds). eg. 100 times in 60 seconds (depends on the timeframe over which the 100 identical events occurs).
  • You can hide the unwanted columns in Web Access - with the "Columns" drop down menu. The column visibility settings are saved per filtered view, so you can even set up different columns visible for each filter selected.
  • Hi jusmax, Kiwi Syslog Server does not require the SNMP Trap Service. In fact, an active Trap Service will conflict with Kiwi Syslog Server's internal Trap Server, hence the "cannot open snmp listener on port 162" error message - because port 162 is locked by SNMP Trap Service. You've got a couple of options here, either:…
  • Hi Tomm33, There's really no other way to do this without using a Scripting action (instead of a Log to Database Action). There is a sample script in <program files>\Syslogd\Scripts\Script_Log_snare_events_to_odbc.txt which demonstrates how to parse Syslog message text containing additional (delimited) information. Snare…
  • Hi aliendan, If any of your "Forward and Spoof packet" actions have been set to forward to another subnet, ie. A subnet different to the one that the Kiwi Syslog Server resides on, then can I suggest you try the following: 1) Check the local ARP cache on the Kiwi Syslog Server machine: arp -a 2) Ensure that there is an…
  • Hi Duke, Try reversing the order of “Flags/Counters-Timeout” and “Time of day-Time of day”. Filters are evaluated in order from the top-most filter down. I think you need to constrain the Timeout filter to evaluate only when the Time-of-day is between 8 and 8:15 (and not the other way around).
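Three of the comments above describe the same mechanism from different angles: filters are evaluated top-down and the rule stops at the first one that fails; a Threshold filter (X times in Y seconds) can be placed after a narrowing filter; and a stateful Flags/Counters filter should come after the Time-of-day filter so it only sees messages inside that window. The added Python model below puts those together on a constructed message stream. It is not Kiwi Syslog Server code (Kiwi's RunScript actions are VBScript, and its rule engine is not exposed); the sliding-window implementation of the threshold and the "^%PIX-" regex filter from the PIX comment are assumptions made for the demonstration, and the point it shows is general: a stateful filter can only count messages that actually reach it.

```python
import re
from collections import deque
from datetime import datetime, time, timedelta

# Constructed message stream (not real traffic), fed to one rule in order.
BASE = datetime(2024, 1, 1, 7, 59, 0)
SAMPLE = [
    {"ts": BASE + timedelta(seconds=s), "text": t}
    for s, t in [
        (0, "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22"),
        (30, "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4445 dst inside:10.0.0.5/22"),
        (70, "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4446 dst inside:10.0.0.5/22"),
        (80, "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4447 dst inside:10.0.0.5/22"),
        (90, "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4448 dst inside:10.0.0.5/22"),
        (95, "%ASA-6-302013: Built inbound TCP connection 12345"),  # wrong prefix
        (1260, "%PIX-4-106023: Deny tcp src outside:198.51.100.7/4449 dst inside:10.0.0.5/22"),
    ]
]


def message_text_regex(pattern):
    """Stateless filter, like Filter > Message Text > RegExp (Include)."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["text"]) is not None


def time_of_day(start, end):
    """Stateless filter: passes when the timestamp falls within [start, end]."""
    return lambda msg: start <= msg["ts"].time() <= end


class Threshold:
    """Stateful 'X times in Y seconds' filter. The sliding window is an
    assumption about Flags/Counters > Threshold, not Kiwi's own code."""

    def __init__(self, count, seconds):
        self.count = count
        self.window = timedelta(seconds=seconds)
        self.hits = deque()
        self.evaluated = 0  # messages that actually reached this filter

    def __call__(self, msg):
        self.evaluated += 1
        now = msg["ts"]
        self.hits.append(now)
        while now - self.hits[0] > self.window:  # drop hits older than window
            self.hits.popleft()
        return len(self.hits) >= self.count


def rule_matches(filters, msg):
    """Top-down evaluation: the first failing filter ends the rule for this
    message, so the filters below it are not evaluated at all."""
    for flt in filters:
        if not flt(msg):
            return False
    return True


def run_rule(filters, messages):
    """Return the indices of messages for which every filter passed."""
    return [i for i, m in enumerate(messages) if rule_matches(filters, m)]


def compare_orders():
    """Same three filters in two orders: threshold before or after time-of-day."""
    pix = message_text_regex(r"^%PIX-")
    window = time_of_day(time(8, 0), time(8, 15))
    thr_first, thr_last = Threshold(3, 60), Threshold(3, 60)
    return {
        "threshold_before_tod": run_rule([pix, thr_first, window], SAMPLE),
        "tod_before_threshold": run_rule([pix, window, thr_last], SAMPLE),
        "seen_by_threshold": (thr_first.evaluated, thr_last.evaluated),
    }


if __name__ == "__main__":
    for name, value in compare_orders().items():
        print(f"{name:22s} {value}")
```

With the threshold ahead of the time-of-day filter, the rule fires on messages 3 and 4 (08:00:20 and 08:00:30), because the 07:59:30 message was already counted toward the three-in-60-seconds window before the time-of-day check could reject it. With the time-of-day filter first, only messages 2, 3 and 4 ever reach the threshold and the rule fires once, on message 4. The ASA-prefixed message never reaches either stateful filter, since the RegExp filter above it fails first.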