
Back to the Future with Syslog

Level 9

In the contemporary American cinema classic, “Back to the Future,” Marty McFly takes a DeLorean-turned-time-machine into the future, into the past, and subsequently into the future again. If only your network and system infrastructure had a similar means of interdimensional travel to reveal the catalyst of events and incidents. Unfortunately, there is no flux capacitor for your network. You cannot get your firewall up to 88 MPH, lock horns with a one-billion-volt bolt of lightning, and go back in time to determine the underlying cause of historical incidents on your network. Instead, we stay vigilant, watching and monitoring our networks for issues and trends across a historical period of time. However, in most environments, monitoring and observing all devices for ANY event is a daunting task.

Luckily for us, most devices log events and have the ability to forward their log files to a centralized syslog server for collection, aggregation, review, and action. These log entries can range from configuration change notifications and port flapping on network devices, to services stopping on a system, or an intrusion. These log messages are paramount to your historical monitoring, and in some cases, to compliance with legal and/or regulatory standards and audits. However, a log can only give you the information you need if you read it. This presents a challenge when many devices, such as firewalls, can produce millions of log messages per minute, many of which you might not need to read at all. With Kiwi Syslog® Server, you no longer have to hunt through log files on each individual device. Instead, they are all at your fingertips, allowing you to collect, filter, parse, and alert on log messages based on your criteria.

Ever vigilant, Kiwi Syslog Server becomes your eyes and ears, watching and listening for unusual log entries so you don’t have to. It is like a DeLorean for your network.

Kiwi Syslog Key Benefits

  • Deploy quickly. Accepts Syslog, SNMP, and Event Log data from your existing deployment.
  • Monitor real-time logs. Display logs locally or anywhere through the secure web access module.
  • React to messages. Send email, run programs, or forward data when selected messages arrive.
  • Troubleshoot problems. Centralize logs from systems and network devices to quickly pinpoint issues.
  • Comply with regulations. Implement log retention requirements of SOX, FISMA, PCI-DSS, and more.

Kiwi Syslog Key Features

  • NO LIMIT on maximum number of sources
  • Built and tested to handle MILLIONS of messages an hour
  • Run as a service (or foreground application) on most Windows operating systems
  • Collect log data from Syslog messages (both UDP and TCP), SNMP traps, and Windows® Event Logs (through the included Windows Event Forwarder)
  • Display real-time logs in multiple windows in a local viewing console, or from anywhere through secure web access
  • Split written logs by device, IP, hostname, date, or other message or time variables
  • Manage log archives with scheduled compress, encrypt, rename, move, and delete rules
  • Forward logs to other syslog servers, SNMP servers, or databases
  • Send email alerts, run programs, play sounds, and perform other actions when messages arrive
  • Act as a syslog proxy (forwarding messages with original IP information)
  • Ship syslog information securely across insecure networks with included Kiwi Secure Tunnel
  • View trend analysis graphs and send email with traffic statistics
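
The collect, filter, parse, and alert pipeline described above, reduced to working code. This is an added example, not Kiwi Syslog Server's code or anything from SolarWinds: it decodes the PRI and header of RFC 3164 and RFC 5424 messages, buckets events by hostname the way the "split written logs by hostname" feature would, and runs a small rule set that stands in for the send-email and run-program actions. The sample messages, the inventory of expected sender addresses, the rule names, and the Cisco-style message texts are all constructed for the example. One caveat it makes concrete: over plain UDP, syslog carries no authentication, so the hostname and PRI in a datagram are whatever the sender chose to put there. The only thing the receiver learns independently is the peer address, which is why the example flags messages whose claimed host does not match the address the inventory expects for it, and why it files the spoofed message under the claimed host anyway (exactly what a per-host split would do).

```python
import re
import socket
from collections import defaultdict
from dataclasses import dataclass, field

# Facility and severity names follow RFC 5424 section 6.2.1 (same numbering as RFC 3164).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# BSD framing (RFC 3164): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")

# Constructed inventory (assumption for the example): which hostname we expect from which sender.
INVENTORY = {"192.0.2.10": "fw1", "192.0.2.20": "core-sw1", "192.0.2.30": "app1"}

@dataclass
class Event:
    src_ip: str        # transport peer address: the one field the sender cannot write freely
    facility: str
    severity: str
    severity_num: int  # 0 = emerg ... 7 = debug
    host: str          # hostname claimed inside the message; untrusted on plain UDP
    msg: str
    raw: str

def parse(raw: str, src_ip: str) -> Event:
    """Decode one syslog line. A line with no usable header is kept, not dropped:
    RFC 3164 section 4.3.3 says to treat it as PRI 13 (user.notice)."""
    m = RFC5424.match(raw) or RFC3164.match(raw)
    if m is None or int(m.group("pri")) > 191:
        return Event(src_ip, "user", "notice", 5, src_ip, raw, raw)
    fac, sev = divmod(int(m.group("pri")), 8)
    return Event(src_ip, FACILITIES[fac], SEVERITIES[sev], sev, m.group("host"), m.group("msg"), raw)

def spoofed_source(e: Event) -> bool:
    """True when a message claims a host we know but arrives from an address not mapped to it."""
    return e.host in INVENTORY.values() and INVENTORY.get(e.src_ip) != e.host

# (rule name, predicate). Each stands in for a "when this message arrives, do X" action.
RULES = [
    ("auth-failure", lambda e: e.facility in ("auth", "authpriv")
                               and re.search(r"fail|invalid", e.msg, re.I) is not None),
    ("config-change", lambda e: re.search(r"CONFIG_I|configured (from|by)", e.msg, re.I) is not None),
    ("link-down", lambda e: "changed state to down" in e.msg),
    ("source-mismatch", spoofed_source),
    ("severity-critical", lambda e: e.severity_num <= 2),   # emerg, alert, crit
]

@dataclass
class Pipeline:
    rules: list
    by_host: dict = field(default_factory=lambda: defaultdict(list))  # stands in for per-host log files
    alerts: list = field(default_factory=list)                        # stands in for email / run program

    def ingest(self, raw: str, src_ip: str) -> Event:
        ev = parse(raw, src_ip)
        # "Split written logs by hostname": a spoofed message lands under the claimed host,
        # which is why the source-mismatch rule is worth having.
        self.by_host[ev.host].append(ev)
        for name, pred in self.rules:
            if pred(ev):
                self.alerts.append((name, ev))
        return ev

def listen_udp(pipe: Pipeline, port: int = 514, max_msgs: int = 100) -> None:
    """Feed real UDP datagrams to the pipeline. Not called by run_sample(); shown so it is
    clear that src_ip comes from the socket peer address, never from the datagram itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_msgs):
            data, (ip, _port) = s.recvfrom(8192)
            pipe.ingest(data.decode("utf-8", "replace").rstrip("\r\n"), ip)

# Constructed sample traffic: (sender address, raw message). Not captured from any real device.
SAMPLE = [
    ("192.0.2.10", "<38>Oct 11 22:14:15 fw1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 55212 ssh2"),
    ("192.0.2.20", "<189>Oct 11 22:14:16 core-sw1 105: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)"),
    ("192.0.2.20", "<189>Oct 11 22:14:20 core-sw1 106: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"),
    ("192.0.2.30", '<14>1 2024-10-11T22:14:21.000Z app1 webapp 4711 - [exampleSDID@32473 iut="3"] user login ok'),
    ("203.0.113.9", "<13>Oct 11 22:14:22 fw1 kernel: nothing to see here"),  # claims fw1, wrong peer
    ("192.0.2.10", "<2>Oct 11 22:14:23 fw1 kernel: Out of memory: Kill process 991 (snort)"),
    ("192.0.2.40", "this line has no PRI header at all"),
]

def run_sample() -> Pipeline:
    """Push the constructed sample through the pipeline and return it for inspection."""
    pipe = Pipeline(RULES)
    for ip, line in SAMPLE:
        pipe.ingest(line, ip)
    return pipe
```

Running `run_sample()` on the constructed lines yields five alerts in arrival order (auth-failure, config-change, link-down, source-mismatch, severity-critical), and three events filed under `fw1`, one of which came from the wrong address. A real deployment would replace the inventory dictionary with the monitoring system's node list, and the `alerts` list with whatever action the rule should trigger; the TCP and Secure Tunnel transports the feature list mentions change where `src_ip` comes from, not the parsing.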

Of course, it would be much more fun and adventurous to traverse the space-time continuum. Who wouldn’t want to leap into another dimension to get a glimpse of what’s to come, or a heads-up on things before they happen? However, for those of us without a time machine, there’s always Kiwi Syslog Server. Download it today and start your journey to better understand your network.

20 Comments
i_like_eggs
Level 13

Very nice article and very nice references thank you

I've been using the syslog/trap viewers and found them to be beneficial. The reason I guess I have never really gone to Kiwi is because the 'syslog viewer' or 'trap viewer' events are stored in the database; once in the database I can run SQL queries to my heart's content. Also, having the integration with Orion is another benefit: with the use of the ${nodeid} variable you can create nice little node resources to 'show last 25 traps/syslogs'. Also, Orion now lets you check 'evaluation criteria' for alerts every 15 seconds, making it easy to set up from Orion, which is pretty neat.

Kiwi definitely has extra benefits for storage and correlation/grouping over storing events in the database; perhaps I'll turn to Kiwi when these become issues.

Thanks again for the article

tallyrich
Level 15

I'll have to dig deeper into this. The Syslog facility in NPM isn't sufficient and we can't go to LEM just yet.

wluther
Level 16

Too bad the entire clunky UI is still stuck in 1984... The more work you need to do on your Kiwi server, the less room you have to work. It would also be nice to integrate some basics with NPM too.

ecklerwr1
Level 19

I'm using Kiwi Syslog server to collect logs from one of my smaller networks for compliance.

byrona
Level 21

I think Kiwi is a great product.  I have even suggested HERE that they use it to replace the aged and failing Syslog solution that comes as part of Orion.

vinay.by
Level 16

Nice article

wluther
Level 16

It would be great if SolarWinds would give Kiwi Syslog some attention, and a nice update, to bring it into line with all of the new NPM 12+ stuff. As many others, we also use Kiwi to take the brunt of the syslog load, filtering only the very important over to SolarWinds proper. I just feel as if there could be so much improvement between the two products. I know many of us have voiced out, asking for better alerting integration, but I think there should be a complete overhaul on Kiwi. I have never really liked the UI of Kiwi, having to work within that tiny little box, and clunky rules to manage. It would be great to overlay the new SolarWinds core UI, integrating the two products, bringing the ability to manage Kiwi/rules via web page. It would also be nice to build the rules similar to how we build out web-based alerts.

mtgilmore1
Level 13

So so... I agree with wluther

jkump
Level 15

Concise well-written article.  Bookmarking it.

designerfx
Level 16

I have a desire to have syslogs handled somewhere else because it significantly impacts the SolarWinds DB and is a pain to properly manage, but I haven't looked into Kiwi. Maybe someday.

byrona
Level 21

designerfx, while I think Kiwi is a good product, I don't think it's a replacement for the Orion syslog functionality... not yet anyway. SolarWinds will tell you to use Kiwi in conjunction with Orion to augment it; however, I think they are essentially using Kiwi as a crutch to support the fact that the Orion Syslog functionality is terrible and needs to be replaced. With a bit of work both to enhance Kiwi as suggested by wluther and integrate it into Orion, then I think it would be a completely viable replacement for the current Orion Syslog functionality.

designerfx
Level 16

The problem isn't just Orion, byrona. It's getting other people to understand what syslog is and how to not send 8 million unnecessary syslog messages, to the point where even SW is warning you about table size.

byrona
Level 21

designerfx, I completely agree with your point; however, when you are talking about large enterprise environments, even after being careful about what you log you still end up with a LOT of logs to manage.

On the flip side, I have also been involved in a lot of conversations and I see a trend where the thought process on what data to keep is changing, especially as it pertains to log/event data. I was just at a Nike Tech Talk last week where this was the exact topic. The more forward-thinking process is that with the technology we have now and the ability to ingest and process "big data", and with the cost of storage being as low as it is, it doesn't make sense to not collect and store as much as possible. When you have a problem you need to troubleshoot you will never be sad for having too much data; however, if you don't have enough it's a different story.

wluther
Level 16

I agree... They just need to sit down, and bring both sides up to current status. That process should also include adding some basic features/functionality, allowing for better management. I would probably think of it similar to how the IVIM module works with, or without VMAN. If you don't have anything else (in regards to syslog), then the basic features are available within NPM/Core. However, if you also have Kiwi, then everything is simply enhanced on the NPM/Core side, and integration just provides a deeper dive into the syslog world. Just like SAM/DPA/SRM/VMAN/etc... I think they are on the right track, but I just can't help feeling like the train ain't moving... I mean, for a few hundred bucks, what do you expect...

colby
Level 16

It's an interesting problem - it's like 80% of your information comes from a small set of high value log sources, but when you need that other 20%, you're so thankful to have it.

designerfx
Level 16

That's a nice concept when you have a mature environment with the resources for it. Sometimes folks aren't in those environments and saying "well, storage is cheap!" isn't even an option.

vinay.by
Level 16

Nice work ondrejskacel

ecklerwr1
Level 19

This is what I want too!

tinmann0715
Level 16

I am a big fan of Syslog and SNMP Traps. But I have a stupid question to the quorum:

I have a bulked-up NPM and I have LEM... where does Kiwi Server add value to the triad?

byrona
Level 21

Not sure what you mean by having bulked-up NPM, but I will take a stab at your question. LEM is a great product but it has one severe limitation: if there isn't a connector for it, then it can't ingest the data. With that in mind, there is often data that you may need to collect and store, and that is one use case where Kiwi comes in as a simple and easy-to-implement Syslog solution to capture and store the data that LEM can't ingest.

Another good use case for Kiwi is to create a distributed collection model.  You can put Kiwi servers into different environments as your Syslog/Trap collection/aggregation points and then have it forward on everything or only the important stuff to another system such as Orion or LEM.

Kiwi isn't something you will necessarily need in the triad but there are certainly use cases for it.