1 Reply Latest reply on Jan 3, 2019 7:13 PM by Aforsythe

    Best practice configuration

    rudym12

      Hi guys,

      Sorry for the lack of knowledge, but I am new to the syslog and Kiwi world. I purchased Kiwi Server with the intent to monitor three areas of my network:

      1 - failed login attempts on servers and workstations

      2 - bandwidth spikes on the firewalls, if at all possible by service, e.g. SMTP (all SonicWalls)

      3 - bandwidth spikes on workstation

      Can someone guide me to where I can find any documentation on configuring the server to alert on the above, or am I asking too much of the Kiwi server?

      Thanks

      Rudy

        • Re: Best practice configuration
          Aforsythe

          rudym12,

          Kiwi is extremely capable, but it requires configuration to do anything other than collect logs. You'll find that the help file is extensive and complete for Kiwi, but I can point you in the right direction for starters:

          1 - This one is fairly easy. You'll need to have a copy of the message you want to alert on. You can create a rule and filter by server and workstation IP addresses. You will also need the Log Forwarder for Windows so you can get the event logs into Kiwi. If you own a Kiwi license, you should be able to get that utility from SolarWinds. Once you have all of that set up, it's just a matter of creating a rule in the setup section of Kiwi to filter only your server and workstation IPs, and then another filter for part of the message text for the failed login. Not the whole text, just a snippet that's specific enough to only alert on failed logins. Once your rules are successfully filtering the correct information (set up an action to use a separate display for troubleshooting), then set up an email action to email you when Kiwi receives the failed login message.

          2 & 3 - You will need some knowledge about firewalls, bandwidth calculations and syslogs in general to pull this off. You will have to correlate the logs and do your own calculations per service, per destination or per source IPs. You will also need some scripting or programming experience. If you're new to the world of device logging and have never used a scripting or programming language, then you've got some work ahead of you.

          SolarWinds does have other options that can get you closer to this information right out of the box. LEM has built-in correlation if I remember correctly, and LM for Orion along with NetFlow Traffic Analyzer can probably get you all 3 of your requests much closer to out of the box than what Kiwi can do for you.
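          The two-stage rule described in the reply (filter by monitored host IPs, then by a message-text snippet, then fire an action) reproduced as a small Python script, added here as an illustration and not code from the thread or from Kiwi. The syslog lines, hostnames and IPs are constructed samples; the `count_matches` helper shows why the snippet has to be specific: a broad string such as "Account Name" matches successful logons too.

```python
import re
from collections import Counter

# Constructed sample lines in the shape a Windows event forwarder might emit.
# Every IP, host and message below is made up for this illustration.
SAMPLE_LOGS = [
    "<13>Jan 03 19:01:02 10.0.0.10 Security: An account failed to log on. Account Name: alice",
    "<13>Jan 03 19:01:05 10.0.0.10 Security: An account was successfully logged on. Account Name: alice",
    "<13>Jan 03 19:01:09 10.0.0.10 Security: An account failed to log on. Account Name: alice",
    "<13>Jan 03 19:01:11 10.0.0.10 Security: An account failed to log on. Account Name: bob",
    "<13>Jan 03 19:02:00 10.0.0.77 Security: An account failed to log on. Account Name: guest",
    "<13>Jan 03 19:02:30 10.0.0.20 Security: An account failed to log on. Account Name: carol",
]

# <PRI>Mon DD HH:MM:SS host message  (the common BSD-style syslog layout)
SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse(line):
    """Split one syslog line into ts/host/msg, or None if it is not well-formed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def count_matches(lines, snippet):
    """How many lines contain `snippet`: use this to check a snippet is specific."""
    return sum(1 for line in lines if snippet in line)


def failed_login_alerts(lines, monitored_hosts, snippet="failed to log on", threshold=1):
    """Return {host: count} for monitored hosts with at least `threshold` hits.

    Stage 1 mirrors the Kiwi IP filter, stage 2 the message-text filter; the
    returned dict stands in for the email action so the result can be checked.
    """
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["host"] not in monitored_hosts:
            continue  # stage 1: only the servers and workstations we care about
        if snippet not in rec["msg"]:
            continue  # stage 2: only the failed-login message text
        hits[rec["host"]] += 1
    return {host: n for host, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE_LOGS, {"10.0.0.10", "10.0.0.20"}))
```

Raising `threshold` turns a per-message alert into a simple "N failures from one host" alert, which is the usual first step toward cutting noise from a single mistyped password.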