Event Log Forwarder - Where is the Audit Failure Type?
https://www.jtc-i.co.jp/support/documents/solarwinds_docs/EventLogForwarder_v1.2_setup.pdf
Open a case if the above thread doesn't help much
What version are you running?
Try disabling DEP
1. Open the Start screen, right click the Computer tile and click Properties in the bar below.
2. In the System Settings, click Advanced system settings in the left pane, go to the Advanced tab and click Settings in the Performance section. Next in the Performance Options window, go to the Data Execution Prevention tab and select Turn on DEP for essential Windows programs and services only.
3. Finally click OK in both windows to save the configuration change and restart your computer to apply it.
Also it is possible that some EMET or STIG security restrictions block KSS execution.
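The GUI steps above map to a single boot-configuration setting. As an added example (not from the thread or from SolarWinds), the following PowerShell inspects the current DEP policy through WMI and, only if asked, switches it to the "essential Windows programs and services only" (OptIn) mode with bcdedit. Note the trade-off: OptIn turns DEP off for every third-party binary on the host, not just Kiwi, so it is worth confirming the crash is actually DEP-related (an application-error event for the Syslogd process) before changing it. The WMI property names and bcdedit syntax are standard; the function names are my own.

```powershell
# Added example: inspect and optionally change the system-wide DEP policy.
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy codes:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (essential Windows programs only), 3 = OptOut (default)

function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        PolicyCode              = $code
        PolicyName              = $names[$code]
        # Syslogd lives under "Program Files (x86)", so whether DEP applies to
        # 32-bit processes is the relevant flag for the Kiwi crash discussed here.
        AppliesTo32BitProcesses = [bool]$os.DataExecutionPrevention_32BitApplications
        HardwareDepAvailable    = [bool]$os.DataExecutionPrevention_Available
    }
}

function Set-DepOptIn {
    # Equivalent of "Turn on DEP for essential Windows programs and services only".
    # Requires an elevated prompt; the change takes effect after a reboot.
    param([switch]$Confirm)
    if (-not $Confirm) {
        Write-Warning 'Pass -Confirm to actually run: bcdedit /set {current} nx OptIn'
        return
    }
    bcdedit /set '{current}' nx OptIn
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host 'DEP set to OptIn; restart the machine to apply.'
}

# Usage: show the current state before touching anything.
Get-DepPolicy
# Set-DepOptIn -Confirm     # uncomment once you have verified the crash is DEP-related
```

If the report shows `AppliesTo32BitProcesses` already false (OptIn is in effect), DEP is not what is blocking the 32-bit Syslogd binary, and the EMET or STIG restrictions mentioned above are the better lead.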
bkyle - looks like a similar post that you commented on in the past
I already saw that link; it's from 2015 and this is STILL an issue 2 years later. They should have resolved this by now; none of that works either. The sad thing is that I opened a case and support pointed me to that same link!
Is it currently possible to forward syslog to another collector via secure encrypted TCP? I can only find options for UDP and standard TCP. If this is not possible, do you know if it is on the roadmap? Thanks.
Is it possible for Kiwi to send an email alert only after X number of message types are received in Y units of time? I set up a test action and it (unintentionally!) generated about 200 events in 10 seconds. I'm still getting the emails from my kiwi server...
You want to create a Filter with 'Flags/Counters' as the field. Then choose the Filter Type of 'Threshold'. This will let you select the number of event occurrences and the time period.
Perfect! Thanks muchly
Our 14 day trial is almost up and I'm having a big problem. We've vbscripted Kiwi to parse the Syslog data and email alerts. I discovered that the alerts were containing some data from previous log that was processed. For example the previous alert would come to us saying ABC Company Alert then the next log would be for XYZ company but would say ABC Company. I suspected that maybe the logs were being processed too fast or simultaneously but it even happens if there is 5+ minutes between alerts. I tried generating email alerts via the built in action as well directly from the vbscript, same result.
To confirm the issue I added a line at the bottom of my vbscript, after it emails the alert, that sets all the variables to the string "null" and sure enough I sporadically get the word null in messages instead of the actual data that was in the message. I tried restarting the kiwi service, restarting the computer, etc.
I tried using my own variables instead of the Fields.VarCustom01 type and the same thing occurs. What's even stranger is that I have a variable that has, say, a username in it... Kevin. My script builds the email using that variable in two spots (subject and body) and it may show up in the subject incorrectly but the body correctly... from the same variable.
I'm very confused. It's like it's not isolating memory space between script executions or there is a memory leak/bleed going on. I can't seem to nail it down. Running 9.5.2.5 as a service on a dedicated Windows 7 Pro 64-bit machine.
I contacted support but they told me to post here since I am in the trial. I need to make this work before I pay for the product.
Need help! Thanks!
I've been doing this on a high volume system for years and have never seen this type of issue. It has me curious... Can you post the script?
We had noticed that after testing and removing a few filter settings, we were missing events in Web Access. After some investigation, I had the impression that one of the filters we had tested was somehow "stuck" in the application.
We had tested changes on Feb 6th
Service restarted
Changes were reverted on Feb 6th
Service Restarted
Updates were applied to the server on Feb 25th
Server restarted.
Unfortunately - because we're boneheads - we didn't notice that we were missing events from Web Access until March 1st; mainly because the two of us who most frequently configure the application actually hide these events from our screen anyway. Since it was brought to our attention, I have made several changes to the Setup of Kiwi Syslog Server.
Service has been restarted dozens of times and server has been restarted twice; after repeated attempts, none of the revised settings are reflected in the application.
At one point, I was resigned to having to reinstall the software - this installation isn't that heavily customized, so it wouldn't have been too much of an imposition. In any event, I exported the settings to an INI file for easy recovery after the re-installation. When reviewing the resulting INI file, I had noticed that there were one or two "hidden" filters that were in the file that were not showing in the setup. These filters actually explained why several events were missing from Web Access. If it is pertinent, the offending filters were using complex and RegExp filters on the Message Text field.
I attempted to manually modify the INI file and re-import it; no change. A subsequent export still listed the filters. I actually tried several different modifications of the original INI export in an attempt to rectify the problem - nothing appeared to work.
There are several instances of a DCOM (DistributedCOM) error EventID 10000 in the System log, but these stretch back to before the changes were first made - I include this for reference:
Unable to start a DCOM Server: {1C546A70-60EF-4431-B4FC-D6741E20E815}. The error:
"740"
Happened while starting this command:
E:\Program Files (x86)\Syslogd\Syslogd_TaskEngine.exe -Embedding
There are also a couple of Error events in the SolarWinds.Net event log Event Id 0 with text that match or are substantially similar to the following, but they, too, stretch back to before the changes:
System.Web
System.Web.HttpRequest
System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at _Event.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace ---
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.events_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
So, before I continue the wipe and reinstall, is this something that somebody has come across before? Are there any workarounds or resolutions? Is there any advice? I'd prefer not to reinstall, because I'll have to redo all of the rules/filters/actions from scratch (for fear there is something nasty in the INI that is related to this trouble).
9.6 release notes....
"SNMP traps are now forwarded without changes. In previous versions, the SNMP trap was converted to a string and forwarded as a syslog message, which could result in MAC addresses being displayed incorrectly."
I considered this conversion a feature, one that I need to pipe data into a system that can't receive traps. Is this a setting in which I can choose how it gets forwarded (snmp/syslog)? This conversion feature was a deciding factor in my Kiwi purchase last week.
Thank you.
It's fixed, in a round about way, by adding code to the beginning of the vbscript that sets all variables to blank.
I would really like to be able to set a 5 or 15 second Flag/Interval time delay. This would allow us to filter events where a device sends 2 or 3 related syslogs within 1 or 2 seconds of each other but I only want to receive one alert. Our usage scenario is that each rule is scanning the syslogs from many identical devices for a certain type of event, so there is the possibility an event could fire from two different devices within 60 seconds and we would only see the alert against the first device. It's not the end of the world if we do miss an event because we would eventually find it elsewhere, but it would be really neat if we could go below 60 seconds. Is there a way?
Thank you.
In the "Send SNMP Trap" action you should uncheck "Forward SNMP Trap without changing". You can also play with the "Send Syslog Message" action.
Has anyone been able to forward subscribed events (from other machines) to Kiwi Syslog server using Event Log Forwarder for Windows? I am trying to setup a single point to collect events to be forwarded to our syslog server.
I setup a test and subscribed to events from another machine to be placed in the Windows Logs -> Application. I see the forwarded events in Windows Event Viewer, but when viewing the "preview of matching event records" (Event Log Forwarder for Windows) I only see the events sources from the computer running the event log forwarder. (see the attached screenshot)
Thanks!
Jeremy
I'm forwarding 1000+ servers to Kiwi syslog without any problems. I'm a little confused by your question: are you forwarding to Kiwi syslog or to another Log Forwarder?
Well in one scenario we have secure environments with multiple workstations and a local server. Only the server has a direct connection to the syslog server. I have the local server subscribed to events from the workstations and I would like to have Event Log Forwarder (installed on the local server) forward the aggregated events to the syslog server.
For other servers, I would like to have a single Windows server collecting events from other servers and forward all collected/subscribed events to the syslog server. This way we could setup one server with Event Log Forwarder (connected to the syslog server) and use group policy to push events from other servers.
Sorry if that still isn't quite clear.
Thank you,
Jeremy
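Before deciding whether Event Log Forwarder ignores subscription-collected events, it helps to establish what is actually in the target log on the collector. The PowerShell below is an added example (not from the thread or from SolarWinds): it checks the state of the Windows Event Forwarding subscriptions with the built-in wecutil, then groups the events in the chosen log by the machine they originated from, which is the field that distinguishes a locally written event from one delivered by a subscription. The log name defaults to Application to match Jeremy's setup (the WEF default is ForwardedEvents); the function names and the 5000-event sample size are my own choices.

```powershell
# Added example: verify that WEF-subscribed events landed in the target log on the
# collector and see which remote hosts they came from. Run elevated on the collector.
param(
    [string]$LogName   = 'Application',   # thread uses Application; WEF default is 'ForwardedEvents'
    [int]   $MaxEvents = 5000             # sample size; raise if the log is busy
)

function Get-WefSubscriptionStatus {
    # wecutil es lists subscription names; wecutil gr shows per-source runtime state,
    # last heartbeat and last error, which is where a broken subscription shows up.
    foreach ($name in (wecutil es)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        "--- subscription: $name"
        wecutil gr $name
    }
}

function Get-EventOrigins {
    param([string]$Log, [int]$Max)
    $local = $env:COMPUTERNAME
    Get-WinEvent -LogName $Log -MaxEvents $Max -ErrorAction Stop |
        Group-Object MachineName |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'MachineName'; e = { $_.Name } },
                      Count,
                      @{ n = 'Origin'; e = {
                          # MachineName is the FQDN of the host that wrote the event;
                          # anything not starting with this host's name was forwarded.
                          if ($_.Name -like "$local*") { 'local' } else { 'forwarded' } } }
}

function Get-ForwardedSample {
    # A few forwarded records with the fields a forwarder would match on,
    # useful to compare against the "preview of matching event records".
    param([string]$Log, [int]$Max, [int]$First = 10)
    $local = $env:COMPUTERNAME
    Get-WinEvent -LogName $Log -MaxEvents $Max -ErrorAction Stop |
        Where-Object { $_.MachineName -notlike "$local*" } |
        Select-Object -First $First TimeCreated, MachineName, ProviderName, Id, LevelDisplayName
}

Get-WefSubscriptionStatus
Get-EventOrigins   -Log $LogName -Max $MaxEvents | Format-Table -AutoSize
Get-ForwardedSample -Log $LogName -Max $MaxEvents | Format-Table -AutoSize
```

If the origin table shows forwarded rows but the forwarder's preview still lists only local sources, the events are present and the gap is in how the forwarder selects records; if there are no forwarded rows, the subscription itself (check the wecutil runtime status, the source hosts' WinRM listeners and the collector's permissions on the source logs) is the problem to fix first.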
I have a license for the Kiwi Log Viewer that when copied and applied shows in the "About...." screen that it's saved and I have 293 more days.....
The next time I open the program it's back to "Freeware".
Is this a "feature" or am I missing something?