Channel: THWACK: Message List - Kiwi Syslog
Viewing all 2141 articles

kiwi syslog server 9.6.6.1 service automatically stopped


My company has Kiwi Syslog Server v9.6.6.1 and today my Kiwi automatically stopped. I received this message in the Application event viewer:

Application: Syslogd_Service.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IndexOutOfRangeException
Stack:
   at SolarWinds.SyslogServer.Engine.NetworkingDeamon.ProcessTcpMessage(System.Net.Sockets.TcpListener, System.Text.Encoding, System.Collections.Generic.List`1<System.String>)
   at SolarWinds.SyslogServer.Engine.NetworkingDeamon+<>c__DisplayClass11.<ReinitTcp>b__d()
   at SolarWinds.SyslogServer.Engine.Implementation.WatcherThread.<.ctor>b__0()
   at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()

and

Faulting application name: Syslogd_Service.exe, version: 9.6.6.1, time stamp: 0x5c013768
Faulting module name: KERNELBASE.dll, version: 6.3.9600.19178, time stamp: 0x5bc10573
Exception code: 0xe0434352
Fault offset: 0x00015ef8
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15

What do I do?


Re: kiwi syslog server 9.6.6.1 service automatically stopped


In the error log of Kiwi Syslog Server I receive this message:

2018-12-24 08:20:43 Unable to bind secure TCP listener to specified address and port (192.168.99.52 on port 6514). Will attempt to bind to first available adapter instead.
2018-12-24 08:20:43 Unable to bind secure TCP listener to any adapter on the specified port (6514) There might be a problem with the certificate provided.
2018-12-24 08:20:50 Unable to bind secure TCP listener to specified address and port (192.168.99.52 on port 6514). Will attempt to bind to first available adapter instead.
2018-12-24 08:20:50 Unable to bind secure TCP listener to any adapter on the specified port (6514) There might be a problem with the certificate provided.
2018-12-24 08:20:51 Unable to bind secure TCP listener to specified address and port (192.168.99.52 on port 6514). Will attempt to bind to first available adapter instead.
2018-12-24 08:20:51 Unable to bind secure TCP listener to any adapter on the specified port (6514) There might be a problem with the certificate provided.

My Kiwi Syslog is working on port UDP 514, not port 6514.

Re: kiwi syslog server 9.6.6.1 service automatically stopped


Also I found a log in C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Syslogd_Service._717ae3826e39cd5b6ad2c81df41fcd019dfd3a6_00000000_265e445f:

Version=1
EventType=APPCRASH
EventTime=131902000515078526
ReportType=2
Consent=1
ReportIdentifier=eb8782fe-081e-11e9-80cb-9c8e994deaad
WOW64=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=Syslogd_Service.exe
Sig[1].Name=Application Version
Sig[1].Value=9.6.6.1
Sig[2].Name=Application Timestamp
Sig[2].Value=5c013768
Sig[3].Name=Fault Module Name
Sig[3].Value=KERNELBASE.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.19178
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=5bc10573
Sig[6].Name=Exception Code
Sig[6].Value=e0434352
Sig[7].Name=Exception Offset
Sig[7].Value=00015ef8
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
UI[2]=C:\Program Files (x86)\Syslogd\Syslogd_Service.exe


FriendlyEventName=APPCRASH
ConsentKey=APPCRASH
AppName=Syslogd_Service.exe
AppPath=C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
ReportDescription=Stopped working
ApplicationIdentity=00000000000000000000000000000000

Also I noticed that my Kiwi Syslog v9.6.6.1 runs on Windows Server 2012 R2 with SQL 2012 Standard; maybe this is the problem?

Re: kiwi syslog server 9.6.6.1 service automatically stopped


I resolved this problem. I disabled listening on TCP/IP port 1468 in the settings of the Kiwi Syslog Server console, and the service is working all the time.

Best practice configuration


Hi guys,

Sorry for the lack of knowledge, but I am new to the syslog and Kiwi world. I purchased Kiwi server with the intent to monitor three areas of my network:

 

1 - failed login attempts on servers and workstations

2 - bandwidth spikes on the firewalls if all possible by service e.g. smtp (all sonicwalls)

3 - bandwidth spikes on workstation

 

Can someone guide me to where I can find any documentation to configure the server to alert on the above, or am I asking for too much out of the Kiwi server?

 

Thanks

Rudy

Re: How to create Service Now Ticket using Kiwi Syslog Server or LEM ?


deonaanne72,

 

There is no Kiwi integration into ServiceNow. Kiwi can send an email and ServiceNow can create a ticket from email, but that's not always the best workaround. Kiwi does contain a scripting engine that can execute VBscript and you could possibly build your own integration to ServiceNow's API. Those are really your only two options with Kiwi.

Re: How to categorize or search Logs for Different Sources


amir.khan,

 

Kiwi is extremely configurable. I would even argue that it can give much pricier syslog servers a run for their money.

 

Out of the box though, without any configuration, it's only a log collector and a very basic one at that. You can set up rules to separate logs from different sources, log them into separate files, separate displays and separate database tables.

Re: Best practice configuration


rudym12,

 

Kiwi is extremely capable, but it requires configuration to do anything other than collect logs. You'll find that the help file is extensive and complete for Kiwi, but I can point you in the right direction for starters:

 

1 - This one is fairly easy; you'll need to have a copy of the message you want to alert on. You can create a rule and filter by server and workstation IP addresses. You will also need the Log Forwarder for Windows so you can get the event logs into Kiwi. If you own a Kiwi license, you should be able to get that utility from SolarWinds. Once you have all of that set up, it's just a matter of creating a rule in the setup section of Kiwi to filter only your server and workstation IPs and then another filter for part of the message text for the failed login. Not the whole text, just a snippet that's specific enough to only alert on failed logins. Once your rules are successfully filtering the correct information (set up an action to use a separate display for troubleshooting), then set up an email action to email you when Kiwi receives the failed login message.

 

2 & 3 - You will need some knowledge about firewalls, bandwidth calculations and syslogs in general to pull this off. You will have to correlate the logs and do your own calculations per service, per destination or per source IPs. You will also need some scripting or programming experience. If you're new to the world of device logging and have never used a scripting or programming language, then you've got some work ahead of you.

 

SolarWinds does have other options that can get you closer to this information right out of the box. LEM has built-in correlation if I remember correctly, and LM for Orion along with NetFlow Traffic Analyzer can probably get you all 3 of your requests much closer to out of the box than what Kiwi can do for you.


Re: Need to have log reporting from KIWI SYslog


srikantm,

 

Kiwi does not have reporting capability out of the box; it all has to be scripted.

 

You could do this via a local installation of MySQL or SQL Server (my preferences for DB engines) and use their built-in SMTP configuration to attach and email the report as part of a stored procedure that generates and exports the data to a report.

 

You could also utilize Kiwi's scripting engine to build and email the report just like the syslog statistics report that actually is available right out of the box and just needs to be enabled.

Re: Syslog solution (New*) Log Manager for Orion or (old)Kiwi Syslog.


I have three environments, India, UK and Australia, connected with each other using MPLS links. All locations have their own servers, routers and firewalls. The ultimate goal is to implement a SIEM, but before that I would like to deploy a syslog solution, and that should be compatible with any SIEM such as Splunk, SolarWinds or QRadar (the plan is to deploy an on-prem SIEM only).

1. What is the best way to deploy syslog: keep the three environments and install 3 Kiwi Syslog servers?

2. Is it possible to collect logs locally and send them in a compressed and encrypted manner to a central database?

3. Can that central database later forward logs to the SIEM?

 

Very much confused on the best way. I have read enough about SIEM, and a lot of enterprises have had failed implementations because they just don't set up logs and use cases properly; hence we have taken the call that we will install Centralized Log Management (CLM) first, and are looking for expert guidance and opinion here.

Regards

Arun Soni

Event Log Forwarder guide?


So a few questions in regards to SolarWinds Event Log Forwarder... is there a guide for it other than the lacking help file?

Second, I'm running it on my DCs to forward some events from them; however, when I try to edit the Subscriptions it does not let me change them.

Running Server 2012 R2, Event Log Forwarder version 1.2.0.114.

I could have sworn that when I stood these up way back when, I was able to adjust what they grab as far as which event type and even all of the other fields, but for some reason I can't change or save the changes I am trying to make.

I've tried running as admin and stopping the service, and neither resolves my issue.

Last, is there a way to change how often the logs are sent? I mean the interval at which the logs are forwarded seems to be every second, which is great if I'm using Kiwi for alerts, but if I just want to store logs I'd rather get them every hour or day or some other interval than every second.

KIWI Web Access Filter displaying just 7 days old events


Hi,

I need information regarding filtering in Kiwi Syslog Web Access. When I select a filter in Kiwi Web Access and put in the device name or IP address whose events I want to see, Kiwi Web Access displays the 7-days-old list of events for that specific device. My query is: why is Kiwi Web Access just showing 7 days old events? Can we see events older than 7 days? If yes, kindly guide me.

Re: KIWI Web Access Filter displaying just 7 days old events


This depends on the amount of data stored in the SQL Compact database.  There is a 4 GB limit.  You can also set the data retention.  If you look back do you see any data older than 7 days?

Re: Eval version of Kiwi Syslog shows as Free

Re: Kiwi Syslog Server - Status Code 500


Chris' instructions above resolved my issue.  Thanks!


Re: Need a Kiwi Syslog Server GUI Log searching utility.


Also since this original post we recently acquired TriGeo which does in depth log and event analysis and management, you can read more here on that.

Parsing Kiwi Syslog Data


All,

 

I am trying to parse data that is received with Kiwi Syslog and then forward that parsed data to another syslog server that is viewed by other technicians. The issue I am having is that the server that sends the data is sending too much information that is not needed to the destination syslog server. I see that Kiwi Syslog does have the ability to do some parsing via VBScript. I was hoping someone could post a script that I could try that would parse the following data.

 

02-08-2019 14:25:19 User.Warning 172.16.0.145 Feb  8 20:25:19 Server1.penfield.edu ERAServer[743]: {"event_type":"Threat_Event","ipv4":"172.17.21.137","hostname":"Computer1.microsoft.com","source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db","occured":"08-Feb-2019 19:16:43","severity":"Warning","threat_type":"potentially unwanted application","threat_name":"JS/Spigot.B","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"18843 (20190208)","object_type":"file","object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js","action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,"circumstances":"Event occurred on a newly created file.","firstseen":"08-Feb-2019 19:16:43","hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}

 

The only data I need to pass to the other syslog server from the Kiwi server is the following:

 

"hostname":"Computer1.microsoft.com"

"threat_name":"JS/Spigot.B"

"object_uri":"file:///C:/Users/Jdoe/AppData/Local/Temp/scoped_dir6204_15059/CRX_INSTALL/background.js"

"scanner_id":"Real-time file system protection"

 

The parts marked in red do change. Is this possible?

 

Thanks,

Mike

Kiwi Syslog Server - Mail error: Server certificate failed


Hello,

 

I'm trying to set up the email alerts in Kiwi Syslog Server Setup, but when I hit the Test button it comes back with:

Unable to send test message.

Reason: Mail Error: Server certificate verification failed.

Connection aborted.

 

Can anyone please help shed some light on how to resolve this?

Screen is below, the emails are valid emails in our exchange server. I have the server's IP address in that box.

In the security box TLS is the only one that got this far where it appears it contacted the server then aborted. The other choices didn't even make it that far.

 

Thanks,

Kevin L.

Re: Parsing Kiwi Syslog Data


This one is relatively simple. Save this as a text file (script.txt), then add the action to run the script. Make sure the boxes to read and write common fields are checked. After that action, create another action to forward the message to the other syslog server.

 

 

 

Function Main()
    ' Read the cleaned message text that Kiwi passes in through the common fields
    CleanMsg = Fields.VarCleanMessageText
    ' Split on commas; for the ERAServer line above the wanted pairs are items 2, 7, 8 and 12
    arrSplits = Split(CleanMsg, ",")
    ' hostname, threat_name, scanner_id and object_uri, one per line
    Fields.VarCleanMessageText = arrSplits(2) & vbCrLf & arrSplits(7) & vbCrLf & arrSplits(8) & vbCrLf & arrSplits(12)
    Main = "OK"
End Function

 

If your content isn't in those fields, add this after the 'Split' command in the script. Then change the array item numbers to match the content you need.

 

x = 0
For Each item In arrSplits
    ' Print every array item with its index so you can see which items hold the fields you need
    WScript.Echo "arrSplits(" & x & "): " & item & vbCrLf
    x = x + 1
Next

 

Remove or comment out this section or at least the 'wscript.echo' line when it works as expected.

After each update to the script you need to click 'Apply' or 'OK' in the setup screen to reload the script.
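As an added example (not from this thread and not a Kiwi script, since Kiwi's engine runs VBScript), here is the same extraction in Python, contrasting the posted Split-on-comma approach with parsing the JSON payload by key, so a value that contains a comma (the constructed SHIFTED line) does not shift the field indices. SAMPLE is built from the ERAServer line quoted in the question; SHIFTED, WANTED and the function names are my own, and I assume Fields.VarCleanMessageText carries the text shown in the question.

```python
import json

# Constructed sample modelled on the ERAServer line quoted in the question
# (host names, path and hash copied from the post; not a live system).
SAMPLE = (
    'Feb  8 20:25:19 Server1.penfield.edu ERAServer[743]: '
    '{"event_type":"Threat_Event","ipv4":"172.17.21.137",'
    '"hostname":"Computer1.microsoft.com",'
    '"source_uuid":"ecef5ff4-0535-42e2-9985-41110278b0db",'
    '"occured":"08-Feb-2019 19:16:43","severity":"Warning",'
    '"threat_type":"potentially unwanted application",'
    '"threat_name":"JS/Spigot.B",'
    '"scanner_id":"Real-time file system protection",'
    '"scan_id":"virlog.dat","engine_version":"18843 (20190208)",'
    '"object_type":"file",'
    '"object_uri":"file:///C:/Users/JDoe/AppData/Local/Temp/'
    'scoped_dir6204_15059/CRX_INSTALL/background.js",'
    '"action_taken":"cleaned by deleting","threat_handled":true,'
    '"need_restart":false,'
    '"circumstances":"Event occurred on a newly created file.",'
    '"firstseen":"08-Feb-2019 19:16:43",'
    '"hash":"B19897AB34E780D9F53E6AC8BE78BE26094693FD"}'
)

# Same event, but one value now contains a comma (constructed edge case).
SHIFTED = SAMPLE.replace(
    '"potentially unwanted application"',
    '"potentially unwanted, unsafe application"',
)

# The four keys the question asks to forward, in the order listed there.
WANTED = ("hostname", "threat_name", "object_uri", "scanner_id")


def split_by_comma(msg):
    """Mirror the posted VBScript: Split(msg, ",") and keep items 2, 7, 8, 12.

    Correct only while every value before item 12 is comma-free.
    """
    parts = msg.split(",")
    return [parts[i] for i in (2, 7, 8, 12)]


def extract_fields(msg, wanted=WANTED):
    """Locate the JSON object inside the syslog text and parse it as JSON.

    Keys are looked up by name, so extra or comma-bearing values cannot
    shift the result. Raises ValueError if no JSON object is present.
    """
    start, end = msg.find("{"), msg.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object in message")
    event = json.loads(msg[start:end + 1])
    return {k: event[k] for k in wanted if k in event}


def rebuild_message(msg, wanted=WANTED):
    """Return the reduced text to forward: one "key":"value" pair per line,
    joined with the same CRLF separator the posted script uses."""
    fields = extract_fields(msg, wanted)
    return "\r\n".join(
        json.dumps({k: v}, separators=(",", ":"))[1:-1] for k, v in fields.items()
    )


if __name__ == "__main__":
    print("comma split on SAMPLE :", split_by_comma(SAMPLE))
    print("comma split on SHIFTED:", split_by_comma(SHIFTED))  # item 7 is wrong
    print(rebuild_message(SHIFTED))  # still the four correct pairs
```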
