I don't think the Kiwi version matters and we should be able to pull in the data. You are most likely just missing a (non-obvious) configuration step. We pre-configured the Windows integrations, but we're not doing any discovery of the syslog data to pre-configure anything, you'll need to do that manually.
The second step after you've deployed the agent is to configure the right connectors to monitor your Kiwi logs. You'll want to go to Manage > Nodes, identify the node where your Kiwi syslog server lives, then go to Gear > Tools. From here, you pick the types of devices that are syslogging to Kiwi, specify their log path, and that'll pull in the log data.
Thanks for the quick reply. I am new to this software, so I am not quite understanding what you mean by having to manually configure the discovery of the syslog data. Do you mean the Kiwi server or the LEM appliance? If on the LEM appliance, how would I go about doing that?
As the next step, I added the devices to the syslog node. I selected the device; so for example I selected Cisco PIX and IOS, then edited the path of the log where the files are saved (on my syslog server), and then hit Start, but still nothing.
As long as your data is already being syslogged to your Kiwi server, you just need to configure it on the LEM appliance.
If it's Cisco PIX/ASA/FWSM/IOS data...
- Go to Manage > Nodes
- Click on your Kiwi Syslog Server Node
- Click the gear to the left of the node and click "Tools"
- Click on the Cisco PIX and IOS tool (you can use the box on the top left to search - typing "cisco" narrows it down a lot!)
- Click the gear to the left, and click "New"
- In the "Alias" box, you can leave it as default, or change to something like "Cisco Firewalls", whatever works - it's just a label.
- In the "Log File" box, type in the path to the Kiwi log file that contains the Cisco data on disk. For example, if it's in the catchall log and that log is in the "logs" directory, use: C:\Logs\SysLogCatchAll.txt
- Click "Save" at the top
- Click the gear to the left of your new item ("Cisco Firewalls") and click "Start"
At that point, you should see data coming into other parts of your Console; check the Monitor view and the "All Alerts" filter to see everything.
The biggest detail is knowing what the name of your Kiwi log file is and where it's located on disk. Once you've put that in the "Log File" path box, you should be good to go.
OK, I was doing everything right except I forgot to add the actual text file (face palm). I was just putting the path without SysLogCatchAll.txt, lol...
Thank you for the quick response and for your help.
Now I can let the testing begin =)
Awesome! Glad to hear it was something easy.
One more question: since LEM is reading SysLogCatchAll.txt (which is real time), is there a way to read the archived data? So for example, after today Kiwi is going to archive SysLogCatchAll.txt >> 2012-04-27-SyslogCatchAll.txt.
What I was thinking of doing is to make another device under the syslog server but point the path to the directory where all the archive logs are, with *.txt, and make a custom filter so I won't get confused with the real-time data.
Or is there an easier way?
Regarding real-time data, after LEM reads in the logs it stores a copy of the data in its own database for future reporting & searching. To search that data, it doesn't have to reach back out to Kiwi, it just uses the local copy. Once the data is read in, it's fine for Kiwi to rotate the logs, because we've already copied the data.
As for reading historical data, that's much trickier. LEM was primarily designed for real-time data feeds - set it up and monitor from now forward. If you created a connector and pointed it to the old logs, it would seek to the end and wait for new data, which would never occur, so that won't work.
If you really want to read in that older data, the honest to god easiest way to do it is:
- Create a new dummy text file (OldSyslogData.txt)
- Inside the LEM console, create a new copy of the LEM connector/tool to watch that OldSyslogData.txt log (you'll also have to name it something different)
- Copy the data from whatever historical SysLogCatchAll.txt file you want to read in (e.g. 2012-04-27-SyslogCatchAll.txt) into the OldSyslogData.txt file
- Save it
- LEM will read in the data, since it appears as "new"
- Repeat with whatever days of data you want to feed in.
There are a few other ways that involve creating a connector and rewinding it to read from the beginning, but since we're talking about Kiwi syslog data, this is the most straightforward.
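A small model of the mechanism in this post, added as an example (it is not code from the thread, from LEM or from Kiwi): a tail-from-end reader standing in for the LEM connector returns nothing when pointed at the archived file, but picks up every record once that archive is appended to the watched OldSyslogData.txt. File names follow the thread; the log lines are constructed samples.

```python
import tempfile
from pathlib import Path

# Constructed sample lines in the shape Kiwi writes to SysLogCatchAll.txt
# (date, time, priority, source host, message); not real log data.
ARCHIVE_LINES = [
    "2012-04-27\t09:15:01\tLocal4.Info\t10.0.0.1\t%ASA-6-302013: Built outbound TCP connection 12345",
    "2012-04-27\t09:15:02\tLocal4.Warning\t10.0.0.1\t%ASA-4-106023: Deny tcp src outside:203.0.113.7/4444",
    "2012-04-27\t09:15:03\tLocal7.Notice\t10.0.0.2\t%SYS-5-CONFIG_I: Configured from console by admin",
]

class TailConnector:
    """Model of a real-time file connector: it starts at the end of the file,
    so content already present is never read, only bytes appended afterwards."""

    def __init__(self, path):
        self.path = Path(path)
        self.path.touch(exist_ok=True)
        self.pos = self.path.stat().st_size  # seek to end, as the connector does

    def poll(self):
        """Return lines appended since the last poll (or since start)."""
        with open(self.path, "rb") as f:
            f.seek(self.pos)
            data = f.read()
            self.pos = f.tell()
        return data.decode("utf-8", errors="replace").splitlines()

def replay_archive(archive_path, dummy_path):
    """Append an archived log to the watched dummy file so the tailing
    connector treats the old records as new; returns the number of lines fed."""
    fed = 0
    with open(archive_path, "r", encoding="utf-8", errors="replace") as src, \
         open(dummy_path, "a", encoding="utf-8") as dst:
        for line in src:
            dst.write(line if line.endswith("\n") else line + "\n")
            fed += 1
    return fed

def demo():
    """Both cases from the thread: watching the archive directly yields nothing;
    appending it to OldSyslogData.txt yields every archived line."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "2012-04-27-SyslogCatchAll.txt"
        dummy = Path(d) / "OldSyslogData.txt"
        archive.write_text("\n".join(ARCHIVE_LINES) + "\n", encoding="utf-8")
        direct = TailConnector(archive).poll()  # pointed at the archive: nothing new
        watcher = TailConnector(dummy)          # dummy is empty, so it starts at 0
        fed = replay_archive(archive, dummy)
        return len(direct), fed, watcher.poll()
```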
OK, that's good to know. I will give it a try and see how it looks when I copy the data over to the OldSyslogData.txt file.
Again, thank you for all your help.