kstone ✭✭✭✭✭

I'd download the Kiwi Syslog Generator and use that to send some test messages from the 2003 servers. That would rule out the connectivity and point the issue to the LF agent. I can't find the link on the Solarwinds site but it's still on the Kiwi site( http://www.kiwisyslog.com/downloads.aspx). You could also get a packet…

I haven't tested this yet but to iterate on your idea... For that rule write all the files to a separate directory, of you don't already. Then update your batch file that runs via the task scheduler(or the under utilized Kiwi Scheduler) to read each text file in the directory and run the blat command. You would probably…

Thanks, didn't know it was still on the old site...

We use ElasticSearch and Kibana. It keeps a rolling 30 day index. Over 30 days would require manually searching through logs or loading into Elasticsearch.

Have you resolved this? If not can you share your filters and actions?

I sort of get it... First issue, is it a solvable problem(today or with an update) to write the queue contents to disk? Preferably programmatically when the queue reaches a threshold but manually via a menu item could work. Second issue, replaying that file to the server. This is probably not possible within Kiwi without…

How is your Log Forwarder configuration done? Is the syslog server configured as an IP address or a hostname? If a hostname, can you ping that hostname in the command prompt? Are you filtering in the configuration or sending everything? Is there anything in the SolarWinds.net event log?

It should be possible to import the .ini file and then save without having to restart the service. I haven't thought about or tried that. It would be similar to installing a new server and using the .ini to restore all the settings. I'm still not sure, without a revamp of how Kiwi works and fully documenting the .ini file…

Syslog is definitely easier to read, SNMP requires the individual OID to be decoded. In the Cisco world it is important to have both since not all messages exist in both. 

If you don't have them already, add a 'Stop Processing' action to the end of each rule that doesn't need to match any additional rules. This keeps the message from passing to the next rule and being processed again. It can dramatically decrease the the processing the rules engine has to do. With that, make sure the busiest…

The script should be added to the rule not a schedule. When the message arrives at the Kiwi server the rule will match the message and one of the actions will be to run the script.

Where do you download the updated MIB database from?

I'm not sure what SAM is but you can 'export' the stats via a script. You need to get the variable 'Fields.GetDailyStatistics'. Call the script on the schedule you need then parse the results.

One more item: A way to save and backup the config automatically. Either via in app scheduling or an API/scripting interface.

It seems like the data isn't matching so the rule isn't triggering. What is your filter criteria and does the test and live data match?

I'm not part of the Solarwinds team so I can't say if it's bug or not. I would doubt that it is. In many environments the console messages would scroll by too fast to use it for copy and paste. 

To add the event ID to a script will need to be used. Kiwi Syslog can handle, according to the docs, about 2 million messages per hour. That works out to about 550 per second. We average about 600k messages per hour per Kiwi server or about 150 messages per second. Actual capacity varies by the complexity of your…

Antivirus can definitely be an issue... You can archive error logs. You need to create a scheduled task in Kiwi to look for C:\program files (x86)\Syslogd\errorlog0.txt. The error log rotates at 1mb and keeps 1 older version. I have an 'Archive' task that checks for that file hourly and if found copies it to a new folder.…

What Cisco model is this? Also, do you know what the authentication method is? Local or something like RADIUS or TACACS?

Our default is to log everything and create additional actions for specific items. for example, we have rules for Windows login errors, Cisco events, application errors, etc. Most of these start pretty broadly then get tuned over time.

No ideas. It simply worked for me but I've also been using the same setup for several years. Here are a few lines from my statichosts.txt: 10.0.41.21 dvkldb02 10.0.41.22 dvkldb03 10.0.41.24 dvkldb05 After making updates and restarting the service the host file should be read into the cache. In DNS Resolution re-enable…

I posted it in the Content Exchange: Save DailyStats to a file . I had to remove a lot of other parts of the script that were only relevant to our workflow, please test before relying on it... Acy also had posted a script to send the stats via email: E-mailing Statistics in a Scheduled Action

What the error log will show is dependent on what the server is doing, it's a good idea to look at it before you start sending traffic. If you aren't logging anything there probably won't be much. If you have scheduled tasks, reports, etc in Kiwi they could be reporting issues without syslog being recorded. You need to…

You're pushing the limit on the engine... How many rules, logs written etc?

I think Dogeron​ was onto the correct answer. Without seeing the config of the intermediate rsyslog server we can't assume it is forwarding the log message with the original source. By default it will not; nor does Kiwi.

That actually won't work correctly as a Kiwi script if you put the wscript.echo in it. I have that in my script as a section to write a debug file, I changed it to an echo statement to simplify it for you but Kiwi won't show that output. All you need is this: Function Main() CleanMsg = Fields.VarCleanMessageText arrSplits…

The first question to answer is "is the SQL transaction log a text log file"? If so NXlog, and others, can read it into a syslog server. From some quick searching it appears it is not an actual log file. It seems to be another, special, database table that is not designed for external uses. I'm not a DBA and have never…

Adding a hostname filter won't help much. Filters are sequential, if the message text filter matches it moves to the hostname filter. If that matches it moves to the time interval and so on. Since you really only need to match on message text it doesn't do anything. In other filters, like Threshold, there is a checkbox for…

Did you restart Kiwi syslog? That's likely needed so it can bind to the open port.

That config is gong to create a file with the hostname and date as the filename for each host every day. Your file rotation settings will create a new file only after the existing file has reached 90 days old. The 'Total Number of log files" would limit the total number of files to be created that match the filename to 90.…