kstone ✭✭✭✭✭

I can't speak to other Solarwinds tools but Kiwi syslog cannot do this with the built in actions and filters only. However, you could do this in Kiwi with some scripting added to the mix to do this in real time. Otherwise writing them all to a log then parsing the log with the tool of your choice on a schedule(daily,…

For the log file size issue you can set size or age limits for any logging action. We set ours to rotate at 250MB .

You're really looking to keep 'state' and that's somewhat outside the scope. There are two options that almost meet your needs - first, create a filter using 'Flags/Counters' and select time interval. This will fire once the first time the log is matched then again once the time interval(15 minutes) has passed. The first…

Have you put autosplit values in your log name definition? Logname-%DateISO.txt will give you Logname-2014-07-31.txt. You can also add time values. The .001 pattern should be appended after the full file name.

We use NXlog (https://nxlog.co/ ) for those cases. The learning curve can be a little steep but there are plenty of good examples for reading and file and forwarding to a syslog server.

The SQL CE instance is for the Web Access interface, which is optional. You can write syslogs to log files and the only limitation is on disk space. Do you need all the logs over the year to be searchable or just archived? All searchable would probably require a full SQL server or other searchable storage. Just archiving…

I'm not sure how the second batch file is running... is that another action item in the rule? In the script that is setting VarGlobal01 you can add the function Fields.ActionLog to file. In the help search for 'script functions'. Using that you can specify the log file name and the data to log. Since this would all happen…

I see those occasionally also. It is usually a prelude to an out of memory error and service crash. We use the Keep-Alive feature to send messages from each syslog server to another. Enable Keep-alive in the Inputs section at the bottom of the menu tree. On the sending server create a rule with an input source of…

To expand on what bkyle provided... Create a filter using the message text field. Put the text strings into that filter and then only those logs with matches will pass to the action portion on the rule.

You will need to create a script to extract the data to the variables you want. The text parsing could be a simple vbscript using the split function on ":". The sending host IP would be an existing Kiwi message variable(I'd have to look it up but it;s in the script docs). Getting it to the SSH script will depend on how you…

You will need to create a script(Vbscript) and add a run script action. There is an example file included with the installation called 'Script_SplitMessageInfoFields.txt' that should get you started. It's hard to tell in the posting but splitting the message on the space character as done in the example will probably work.…

I'm not familiar with the file transfer options for Azure. How would you copy any file to the Azure storage? Can you mount a drive, use an SMB connection(\\servername\c$\foldername)? Once you find the method(s) that can be used you can create a script or command line that could be used in the Kiwi scheduler to transfer the…

In the 'FIle' menu there is an item called "Export Settings to INI file". This will save all the settings to a text file called "Syslog Server Settings.ini" in the program directory(usually C:\program files (x86)\Syslogd). You can then copy that file to the new server and use the "Import settings from INI file" item. Make…

For clarity, NPS logs are sent to text files not the event logs. To send these to a syslog server you would need to use another forwarder such as NXlog or Remote_syslog2. 

Probably overkill in most environments but we are using ElasticSearch with Logstash and Kibana to provide graphing/stats.

at 10k per minute you're at ~600k per hour. That's a healthy amount of messages but well within the capabilities of the Kiwi engine. I'm not sure how you identified that it's 250k messages behind, I don't recognize that buffer info. What database are you writing to and how? Is is with the Action 'Write to Database'? Are…

Is the timestamp shown the Kiwi timestamp or the switch timestamp? It is possible that the syslogs are not being received in order from the device. You can set up a separate log action before your script to log the raw events and compare the order. I not sure how the Powershell script fits into this... Is it running from…

Have you tried running the app as Administrator? I have SyslogGen installed on Win2012 and don't have any issues. 

Also, there are some good example scripts provided by application in C:\program files(x86)\Syslogd\Scripts. They should have enough info to get you started on most scripting tasks.

This one is relatively simple. Save this as a text file(script.txt), then add the action to run the script. Make sure the boxes to read and write common fields are checked. After that action create another action to forward the message to the other syslog server. Function Main() CleanMsg = Fields.VarCleanMessageText…

You need to create a filter using 'Message Text' and the filter type 'Complex'. Add "access denied" to the 'Exclude' field.

I created a forward rule from one of my production servers to my test server(approximately 700k MPH). The production server is 9.5.1.66, the dev server is 9.6.3.3. The first configuration was using UDP on port 514. This worked as expected, messages were received and logged. The second config was using TCP on port 1468.…

I haven't looked at the regex syntax, I'll need to research that a bit... Other solutions are to create two rules, the first with the subnet range, the second with the individual IPs. You could also use a simple filter by putting each subnet("172.16.0","172.16.1"...) and the individual IP addresses.

I create a rule to log by hostname. Add an action to 'Log to File' add your file path and then use the 'Insert Autosplit value' link to select the Hostname variable. You can also do this manually by adding %Hostname to your file name or path. If you want to keep the log entries set a suitable log rotation. To just see the…

You need a way to read the log and send it to the Kiwi Syslog server. I'm not familiar with SQL logging specifically but for disk based logs I typically use NXlog.

Are the hostnames actual internal DNS names? If so you can go to 'DNS Resolution' on the tree menu and choose 'Resolve IP addresses within the message text'. If they are not DNS names but custom names the above applies but you need to add them to the statichosts.txt file in the program directory.

I would also like to see conditional/branching statements, it would provide a lot of flexibility in the way rules operate. In the meantime I've used scripts. For your issue, can you provide more detail about how the folder structure would work? For some you may be able to use the auto-split functionality(Date, hostname,…

Our default rule includes an action to log to a file. When configuring this action we use the 'AutoSplit' value to use the hostname as the log file name(C:\logs\hostslogs\%Hostname.txt). The hostlogs directory will then have a file for every host. From there you could do something like 'dir > hostlist.txt and use the text…

What application are you using to forward the event logs to Kiwi? If using the Solarwinds log forwarder you can easily exclude them there so they never get sent to Kiwi. Similar functionality should be available in other apps as well.

I don't think that will work. To my knowledge there isn't a way to change the hostname field in the display. Maybe someone from the Solarwinds team can provide more info. You can change the filename to for log files by saving the VarPeerAddress to a Custom Variable and using that custom variable for the auto-split.