Comments
-
I'm running it on several hundred servers with no issue. Are all the servers on the same subnet?
-
We have our default rule (first action), it logs everything to a file called syslogcatchall.txt in D:\syslog\logs. This file is rolled over every 250mb so there may be syslogcatchall.txt.001, syslogcatchall.txt.002, etc. Our second action is to log by hostname using the auto-split function. This then logs to…
-
The IP address of the neighbor is not enough? Can you identify the down tunnel from the hub router message? You can filter on the message text using the neighbor IP address in a series of rules but 60+ rules would be a mess. I would create a script that has a case statement (you could also use if-else statements) that…
-
Are you running 64-bit Windows? If so the registry will be HKLM/Software/Wow6432Node/Solarwinds/Syslogd
-
It would seem that you have the basics working and probably just need to have a SQL task to automate your move of old records into new monthly tables. Not a DBA or SQL person so I can't help much there.
-
I completely misread that! Can you export the config from the File menu? Or, run Create tech support file?
-
What does the first Cisco Event ID rule do? It doesn't have a 'stop processing' action does it?
-
Are you using the IP Address filter and selecting IPV4 Range filter type? I would use the IP Address filter and the 'Simple' filter type unless you truly have a large range of contiguous addresses. You can have one rule per IP address or something like this: The Include would look like this: "192.168.1.1","192.168.1.2",…
-
Are the rules before the default rule working? Are they creating the logs as you configured it? If you have 'Stop Processing' as the last action in the first rule and the default rule still sees the messages I would think that the first, specific, rule isn't matching.
-
Unless you are repeating the same filters and actions I don't see this as being a practical method. There are many options in the .ini that are non-descriptive numbers. Without documentation for those options you could not create new rules directly/programmatically in the .ini file. In my usage that would also mean a…
-
Looks like too much traffic and the server is getting overrun and crashing. Do you have a lot of rules? How many log to files? How many have multiple filter conditions? As I mentioned previously you’re very close to the capacity limit of Kiwi Syslog. There are some tuning tips and tricks that can help but reducing the…
-
That makes sense. We only use hostname for those.
-
Why is that? We use it in a couple of instances.
-
The trial version may allow you to test for 14 days. The application can do what you are looking for. We have dozens of similar scripts running that take the existing message, parse it, and write a new message.
-
Is it possible to expose the queue via a script and write it to disk? This would be more valuable if there was the ability to read and alert on the remaining queue space.
-
It is likely a feature request. It would go along with another: Alerting on queue free space. When the queue reaches the threshold it gets written to disk or make the queue, optionally, disk based.
-
To add to what Will said, check the error log in the Program Files (x86)\syslogd folder. My initial thought is that you are overloading the service causing it to crash. What does the MPH show when it's frozen? If it's over 2 million that can cause problems. If the buffer is at 0% and/or you're seeing overruns there is…
-
Thanks for the info! I learned something new and can already see a number of ways to use this...
-
I found this.... SOL3605 - Configuring the BIG-IP system to load balance UDP packets individually Beginning in BIG-IP 9.0.3, the Datagram LB feature allows the BIG-IP system to accept these packets individually. Important: With UDP Datagram LB set to Enabled, if you also set the Timeout to Immediate,
-
I'm looking for ways to be notified when the configuration changes (new or deleted rules, etc.). Since it is in the registry I could watch that for changes.
-
This might be the article: Success Center This really isn't balancing, it's just using more than 1 Kiwi server to handle the load. We balance our servers using an F5 (we already had it for other purposes). You could use round-robin DNS, HAProxy or possibly Windows NLB (never used it). The biggest issue with trying to load…
-
I would suggest that logs be stored locally then scheduled to be moved and compressed. Losing the network share can cause any number of issues, as you've experienced, including the loss of messages. We have our logs rotate when they reach 250mb then have a task that runs every 15 minutes to compress the rotated files. Each…
-
That's a Cisco link up/down message and should be part of the standard MIB database but it's been a long time since I checked. In the Kiwi config do you have 'Perform MIB lookups' enabled? This is in Inputs, SNMP, Decoding options.
-
I would like to see PowerShell scripting support.
-
Those features were added to 9.5 which was released in August of 2015.
-
Are there any errors in the Syslog server error log?
-
On your default rule you can add a complex filter and exclude device names. If it’s more than 7-8 you may want to make the default logging rule the second rule. In this case, create a new rule. Have it match on the devices you want and take the action(s) needed. As the last action in the rule add ‘Stop Processing’. This…
-
What do you think the message load is, how many messages per hour? At its best Kiwi does 2 million messages per hour or about 550 messages per second. I don’t have hard numbers but I would expect TCP to be about 1/3 of that. Add some rules and it drops more. My first guess is too much traffic. Another thought is a rule…
-
Just log them to a file then copy and paste from the file. https://www.solarwinds.com/free-tools/kiwi-free-syslog-server - this lists the features/limits of the free version.
-
There is a Maximum message length setting. Towards the bottom of the tree menu is "Modifiers", max length is one of the options. We have ours set to 8192 and have not seen a message truncated in a long time.