kstone ✭✭✭✭✭

Comments

  • I've been doing this on a high volume system for years and have never seen this type of issue. It has me curious... Can you post the script?
  • You can use Web Access to search and filter the events you see. I believe it is still space limited to 4GB based on the database engine used. The best way would be to store the logs in a database or something like ElasticSearch.
  • You want to create a Filter with 'Flags/Counters' as the field. Then choose the Filter Type of 'Threshold'. This will let you select the number of event occurrences and the time period.
  • I'm not a SharePoint expert but I don't believe it puts logs into the Event Logs. The Solarwinds Log Forwarder can only read the event logs. To forward disk based logs you need an agent like NXlog (https://nxlog.co). I'd also verify the logging configuration on the SharePoint server - Configure diagnostic logging in…
  • The link below should help you make sure logs are configured and what to gather: More About DHCP Audit and Event Logging. For the event logs you will need to use Log Forwarder to send the logs to the syslog server. The audit logs require something like NXlog that will forward disk based logs.
  • We use the Arcsight WMI pull feature, not the log forwarder. It's all syslog; I don't know why one would not be readable.
  • You need two small changes (assuming this is VBscript). The first is to add a space at the beginning of your AppendId string: appendID = " SystemID:12345678987654321" This will get the formatting you showed in the example. The second change is how you concatenate the strings: modifiedRawMessage = modifiedRawMessage &…
  • I'm not using 9.5 yet but have some generic questions. Are you running any scripts, particularly ones that shell out to another command? Is the server highly utilized? If it is, what size is your buffer cache and is it being used?
  • It will not be able to read that information directly.
  • I'm not sure what exactly you're trying to do. You wrote that you want to filter by certain event IDs and then send them to a separate db-row. Did you mean a separate table? Each syslog received will be written to an individual row. To write specific events to another location (DB, file, etc) create a filter using the…
  • Additional RAM is unlikely to help Kiwi much but might. Watch the Task Manager for a while to see what the peak usage is. Unless Kiwi is queuing messages it doesn't use a lot of RAM, we average less than 250MB at about 500k MPH. It's also a 32bit app so its total usage is limited. More than 4gb would give the OS some space…
  • Kiwi syslog can do this. Create a scheduled task with the task type 'Clean-up'. You can choose to purge files by size or age. We have several tasks for this purpose.
  • Your logging config looks okay. Are you getting any messages from the device(s)? If you are not already I would configure your first rule to log everything to a file. Then you can filter based on the messages you are receiving and take any actions desired in another rule.
  • Your post covers just about all the points... Some sort of load balancer is needed, and they should always be an HA pair. Load balancing UDP can have some special settings depending on the LB design. Using TCP offers more LB options but can significantly reduce the number of messages that can be handled in Kiwi. You can…
  • There have been lots of questions recently about the console views... This is a great feature but one that doesn't scale. Do you need to view those logs real time or are they being searched later for specific text? If it is 'searched later' I'd suggest turning off the console displays and use the auto split feature to log…
  • There isn't any feature of Kiwi Syslog server to do that. You could use Windows OS tools like EFS (Encrypted File System). You could also right-click on the folder and go to Advanced Settings, Encrypt Contents to Secure Data. I've never used either one so I can't comment on the effectiveness or usability.
  • I haven't used Orion in many years but I assume it is still backed by some SQL version. Syslog is a lot of small writes and can quickly impact the DB performance. We have Kiwi as our primary syslog engine. It sits between our monitoring and reporting tools and NXlog, which is our 'bulk' syslog receiver. We have a pair of…
  • In the application directory there is a file called statichost.txt or something similar (it's been a while). It's like the Windows host file but only used within the syslog application. Updates to the file do not take effect until the app is restarted.
  • It is definitely possible. The easiest case is you have a single neighbor IP address and replace it with the same string each time. There is a good example of this in the example scripts in the app directory. The script name is 'Script_replaceText.txt'. The default language for KSS is VBscript so you can create scripts to…
  • If the messages overflow the buffer they are never processed by the syslog engine and are lost. For the buffer registry entry make sure you are looking in the correct part of the registry. Kiwi syslog is a 32bit app and runs in WOW. The help file includes info on this. If the key does not exist you can add it. Oversize…
  • The configuration file is XML text, you can copy to the servers using any copy method. You will need to restart the Log Forwarder service for it to use the new config. Also, for v1.1 at least, if you include an event log that does not exist on a server that agent won't start.
  • To get you part of the way there I would set up a rule that filters on message text matching "user account is locked out" and write it to a specific log file. Then you can open the file or files and do a simple text search. Alternatively, you could log the messages to a full SQL or MySQL instance and use their query…
  • We use a Schedule task that runs at a 1 minute interval to run a script that writes "Fields.GetDailyStatistics()" to a file. We also set our high message count to double our daily average. Even with the most massive floods this usually lets us get to the server before the cache fills and you get the stack space error.
  • What version of Windows is this installed on? We saw a large performance drop going from Windows 2003 to Windows 2012. We're hoping the latest hotfix will improve that. Do you log all messages to SQL? If so why, for search? 1200k sustained is nearing the usable max for Kiwi. This depends on your rules and action types but…
  • The Log Forwarder only works with event logs, it can't read files from disk. You can use NxLog (http://nxlog.org) or Logstash (http://logstash.net) to send local files to syslog.
  • Are there any errors in the error log? C:\program files (x86)\SyslogD\errorlog.txt That may provide some idea of what is happening.
  • If you haven't done so add a logging action or display action to the rule. This will help determine what the filter is matching. What is your filter doing? Can you make it less specific and see what happens? For example, if you are looking for a specific hostname AND a message text string disable the text string and see if…
  • If the device is running a 'standard' OS like Linux or Windows you could try NXlog. https://nxlog.co This will allow you to read log files and send them to any combination of destinations.
  • You can create a rule with a filter to match IP addresses or hostnames then write to a log file. For example: Create a filter that matches "rtr" and "swi" then an action to write to cisco.log. Create another filter that matches "asa" and then an action to write to asa.log.
  • Yes, you can add the key and restart the Kiwi server. Many settings use internal defaults unless overridden by a registry entry.