Comments
-
I would be looking to write events to custom event logs on the same server that Kiwi is running on. We write many thousands of entries to the Application log and it would be cleaner if some of the events were to go to a specific event log. We do this now with either Eventcreate (legacy) or PowerShell but this involves…
-
Will the rewrite in .NET also bring the capability to create scripts with PowerShell?
-
I haven't tested with the latest Log Forwarder version (we don't run the needed .NET Framework version) but in 1.1 if a configured event log no longer existed the service would not start nor could you edit the config via the GUI. In those cases we either would delete the existing config file and start over or manually…
-
It's been 10 months since this posting, are there any updates?
-
I'd like to see this as native functionality in the forwarder as well. In addition to Acy's script suggestion you can use NxLog which supports event logs and disk logs(and many others). Logstash is another option.
-
Testing the latest version and one item has been corrected: the "Threshold" filter type can now accept larger numbers. Everything else remains an issue and one is worse than previously reported. The original issue was (quoting the earlier post at ~/products/kiwi-syslog/f/ng/103811/syslog-ng-1-3-issues): "Schedules cannot…
-
Testing of the latest version shows that the "Threshold" filter type cannot be set to any more than 999 seconds. In the legacy version this could be up to 30000. This is significant for us as many of our thresholds are for 1 hour (3600 seconds).
-
The SolarWinds Event Log Forwarder can forward DNS event logs. Select 'Applications and Services Logs\Microsoft\Windows\DNS-Server' in the application. If it does not exist you need to enable audit logging. This link shows how to enable DNS logging on Windows servers: learn.microsoft.com/.../dn800669(v=ws.11)
-
Is Kiwi syslog server running as an application or as a service? If it is a service make sure the account it is using has the needed permissions.
-
If you look at the bottom of the Kiwi Syslog Server console there are a couple of status items. The first is a percentage; this is the amount of message buffer available. The message buffer is a registry setting that defaults to 500000 log items. It can be set as high as 10 million. It is possible, but unlikely, that this…
-
That is correct. The port setting is globally set for the application.
-
Do the MS connectors accept syslog? If so the OS doesn't matter.
-
Can you write that log to a file from VMware to see the contents? If it's a standard syslog message Kiwi should not be omitting anything. Another suggestion is to look at the max message size configured in your KSS instance. It's possible that the info you're looking for is at the end of the message and if the message is…
-
You can change this to allow oversize messages in Setup under 'Modifiers'. Mine is set to 10240 and I rarely have oversize messages reported. You can look in the Help for 'Syslog Message Modifiers' to see what the default is. I do not recommend increasing the size if the KSS is accessible on the internet at all. Under Email…
-
For many use cases the included web access works well. I believe there is a 4 GB max database size so that could impact its usefulness in your environment. For high volume usage I'd suggest looking at a cloud provider like SolarWinds Papertrail, Logz.io, or Grafana Loki.
-
Since we have monthly patching on our Windows servers it gets restarted then. I've had instances running for months in other environments between restarts. Depending on the complexity of your ruleset there can be loads that cause memory faults or exhaustion and require the service to be restarted. We've seen very few of…
-
Are you sending the logs via TCP to Kiwi Syslog? The default for syslog is UDP.
-
I don't believe the Log Forwarder has the option to use encryption. You will likely have to use another forwarder like NXlog.
-
You can create a rule that matches those severities then logs to the file. The other messages will be skipped. Create a filter for your rule that uses the 'Priority' field then select the priorities that match your messages.
-
You will need to use NXlog or something similar. SWLF doesn't have the capability for format changes.
-
I would guess that it's related to the file sizes. Try a log rotation that keeps the files under 2 GB and see if that changes anything. Opening a support case may provide more info but I don't think 9.5 is a supported version any longer.
-
I would use a script. Put the IP address list into a text file, write the script to read the file into an array. Loop through the array to see if there is a match or not. On a busy server this could be resource intensive. Another option, if this doesn't need to be real time, is to write a script that would be run on a…
-
You can change the fields displayed in the console. In the 'View' menu select 'Show/Hide columns', choose Hostname and Message. This doesn't completely solve your issue... To actually change the message and display it you will need to write a small script that splits the message and then saves it. Most messages will have…
-
I usually start troubleshooting by removing any filters and forwarding all events. Once I have verified that the events are making it to the syslog server(s) I will start to add filters. Nothing looks wrong with the forwarder config but I haven't used that in quite a while.
-
Is the server creating the message Windows or Linux? If Linux check the syslog config in /etc. If Windows is it running a mail client or scripts that might send emails?
-
Kiwi doesn't 'keep' events. You can have it log to a file and those can be kept indefinitely or until the filesystem is full. The syslog server has a strong set of file actions to allow you to write to files, rotate them, limit the sizes, move, compress etc.
-
If that message is from a remote server (not the Kiwi server) then there is something that is trying to send email. If that is the Kiwi server the email address being used doesn't have the permissions to send email through that SMTP server. You can set a rule in Kiwi to 'drop' those messages by matching on some unique text…
-
Kiwi Syslog can't do this natively. You can use something like NXlog to read the file and send it to syslog. We use this quite a bit and it works well. If the server that the file is located on is Linux you could also use rsyslog.
-
That depends on your requirements. If they just need to be saved to disk most tools should be able to handle that. We use Kiwi for this. If they need to be searchable you would need to look at other tools or services, Splunk, Loggly, Elasticsearch, etc.
-
Nothing exists in Kiwi itself. I use the PowerShell Get-FileHash command to generate hash files on the prior day's files.
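One way to do what the comment above describes, as an added example that is not the commenter's own script: hash the previous day's log files with Get-FileHash, write one manifest per file, and provide a function to re-check a file later. The paths, the yyyy-MM-dd date token in the file names, and the SHA256 choice are assumptions.

```powershell
# Added example, not from the forum post. Assumptions: Kiwi writes its daily
# log files under $LogDir with the date embedded as yyyy-MM-dd, and the
# manifests go to $HashDir (ideally a location the syslog service cannot write).
$LogDir  = 'C:\KiwiLogs'          # assumed path
$HashDir = 'D:\KiwiLogHashes'     # assumed path, separate from the log volume

$yesterday = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')
New-Item -ItemType Directory -Path $HashDir -Force | Out-Null

# Match on the date in the file name rather than on timestamps, because
# rotation, compression or copying changes the file times.
$files = Get-ChildItem -Path $LogDir -File -Filter "*$yesterday*"

foreach ($f in $files) {
    $h = Get-FileHash -Path $f.FullName -Algorithm SHA256
    # One line in sha256sum layout: "<hex hash>  <file name>"
    $line = "{0}  {1}" -f $h.Hash.ToLower(), $f.Name
    $manifest = Join-Path $HashDir ("{0}.sha256" -f $f.Name)
    $line | Out-File -FilePath $manifest -Encoding ascii
}

# Re-hash a log file and compare it with its stored manifest; returns $true
# when the file is unchanged, $false when the hash differs.
function Test-KiwiLogHash {
    param(
        [Parameter(Mandatory)][string]$LogFile,
        [Parameter(Mandatory)][string]$ManifestFile
    )
    $first    = Get-Content -Path $ManifestFile -TotalCount 1
    $expected = ($first -split '\s+')[0]
    $actual   = (Get-FileHash -Path $LogFile -Algorithm SHA256).Hash.ToLower()
    return ($expected -eq $actual)
}
```

Run the top part from a daily scheduled task after Kiwi has rotated its files; Test-KiwiLogHash can then be called against any archived file and its .sha256 manifest when integrity needs to be shown.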