Imagine this scenario: You are running a Kiwi server either on-premises or in the cloud, and need to push at least a portion of that log data to Papertrail. This would be especially helpful in situations where Kiwi is already in place, and you need to allow a developer, support contact, etc. external access to limited log data without providing access to the Kiwi server itself. Once these logs are pushed to your Papertrail account, you can grant users access to specific Papertrail log data. These Papertrail logs can be viewed from anywhere, while Kiwi servers are often locked down within a secured network. The best part is that you can maintain a complete local copy of your logs while pushing interesting log data to Papertrail for use with advanced search and alerting features.
From your Kiwi Syslog Service Manager, select File -> Setup.
In the setup page, you have a rule named Default that displays all log entries sent to Kiwi and logs them to a file.
Send everything to Papertrail! If you wish to forward ALL logs seen by Kiwi to Papertrail, add the Send to Papertrail action to your Default rule, or any rule with no filters configured.
However, if you want to send only certain messages to Papertrail, you’ll need to add a new rule with a filter to capture just the specific messages you want.
We'll be adding 1 New Rule with 2 Filters and 2 Actions.
Filters allow several methods of matching log data. Positive matches result in the actions for that rule being performed on those log lines. Hostname, IP, Message Text, and Priority are the most commonly used filters.
Add the new rule by right-clicking Rules and selecting Add rule.
Under the new rule, right-click Filters and select Add Filter.
In the Field section, choose Priority.
Click on the Priority headings to highlight all the columns.
Click the green check mark at the bottom to select the highlighted fields.
Next, create a new filter to match the text in log lines using the Message Text field, and Simple filter type. Here I used "test" because it will match on all of the Kiwi default test log lines. You can use any text strings in this filter to match log entries you wish to send to Papertrail.
Now configure the actions to take place on log lines matching our filters. Start by adding them to a Kiwi display so we can see what's matching the rule right here in Kiwi.
Under the new rule, right-click Actions and Add action.
Select the Display action at the top of the menu. Set a Display number that corresponds to the display dropdown in the main Kiwi window. You should use a unique display that isn't used by other Kiwi rules. Display 00 shows ALL logs seen by Kiwi by default, so I’ve used Display 01 instead. That display will then show only the logs sent to Papertrail.
Now add an action to send the matching logs to Papertrail.
Under the new rule, right-click Actions and Add action to add another action.
Select the Log to Papertrail.com (cloud) action to send logs to a Papertrail account. Replace the hostname and port with your own log destination found here: https://papertrailapp.com/account/destinations
After hitting Apply to save the configuration, use the File -> Send test message to localhost menu item to generate a log line that will be pushed to your Papertrail account and shown on the Kiwi display you set. In your Papertrail account, you’ll see your Kiwi server show up by IP or hostname, but you can rename it as I’ve done here. (Remember: The test log line shown has to match your filters.)
Not seeing log lines in Papertrail? Does the Kiwi server have outbound network connectivity that allows a connection to Papertrail? In ~90% of cases, this is caused by host-based firewalls or other network devices blocking connectivity to Papertrail.
The PowerShell below will test basic UDP connectivity to Papertrail from a Windows host. Replace the Papertrail hostname and port with your actual log destination settings, found here: https://papertrailapp.com/account/destinations. Copy and paste all lines at once into PowerShell. (Run PowerShell as Administrator if you have trouble.)
WINDOWS - PowerShell
$udp = New-Object Net.Sockets.UdpClient logs6.papertrailapp.com, 12345
$payload = [Text.Encoding]::UTF8.GetBytes("PowerShell to Papertrail - UDP Syslog Test")
$udp.Send($payload, $payload.Length)   # transmit the test datagram
$udp.Close()
You can use this similar script to send a test log to Kiwi itself. Run this from the same host the Kiwi server is on.
$udp = New-Object Net.Sockets.UdpClient 127.0.0.1, 514
$payload = [Text.Encoding]::UTF8.GetBytes("udp papertrail test")
$udp.Send($payload, $payload.Length)   # transmit the test datagram
$udp.Close()
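The two test scripts above send bare text with no syslog priority header. The following added example (not part of the original article or of Kiwi or Papertrail tooling) sends an RFC 3164-style line with an explicit facility and severity, so the Priority and Message Text filters can both be exercised. Send-SyslogTest, its parameters and the kiwi-fwd-test tag are hypothetical names, and logs6.papertrailapp.com with port 12345 is the article's placeholder destination.

```powershell
# Added example: sends one RFC 3164-style syslog line over UDP.
# Send-SyslogTest and its parameters are hypothetical names chosen for this illustration.
function Send-SyslogTest {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port,
        [ValidateRange(0, 23)] [int] $Facility = 16,   # 16 = local0
        [ValidateRange(0, 7)]  [int] $Severity = 6,    # 6 = informational
        [string] $Message = 'udp papertrail test'      # contains "test" to match the article's text filter
    )

    # PRI = facility * 8 + severity; this is the value a Priority filter evaluates.
    $pri = $Facility * 8 + $Severity

    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day of month space-padded to two characters.
    $inv   = [Globalization.CultureInfo]::InvariantCulture
    $now   = Get-Date
    $stamp = '{0} {1,2} {2}' -f $now.ToString('MMM', $inv), $now.Day, $now.ToString('HH:mm:ss', $inv)

    $line    = '<{0}>{1} {2} kiwi-fwd-test: {3}' -f $pri, $stamp, $env:COMPUTERNAME, $Message
    $payload = [Text.Encoding]::ASCII.GetBytes($line)

    $udp = New-Object Net.Sockets.UdpClient
    try {
        # Connect() resolves the name and sets the remote endpoint; a DNS failure throws here.
        $udp.Connect($Server, $Port)
        $sent = $udp.Send($payload, $payload.Length)
    }
    catch {
        throw "Could not send to ${Server}:${Port} - $($_.Exception.Message)"
    }
    finally {
        $udp.Close()
    }

    # UDP is connectionless: a successful send only means the datagram left this host.
    [pscustomobject]@{ Server = $Server; Port = $Port; Bytes = $sent; Line = $line }
}

# Through Kiwi first (exercises the rule's filters), then directly to Papertrail.
# Replace the placeholder destination with your own log destination.
Send-SyslogTest -Server 127.0.0.1 -Port 514
Send-SyslogTest -Server logs6.papertrailapp.com -Port 12345 -Message 'direct papertrail test'
```

If the direct line reaches Papertrail but the one sent through Kiwi does not, the rule's filters or the Kiwi forwarding action are the place to look; if neither arrives, check outbound UDP filtering between the host and Papertrail.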