Kiwi Syslog Server Administrator Guide PDF
This document may not be reproduced by any means nor modified, decompiled, disassembled, published
or distributed, in whole or in part, or translated to any electronic medium or other means without the prior
written consent of SolarWinds. All right, title, and interest in and to the software and documentation are
and shall remain the exclusive property of SolarWinds and its respective licensors.
The SolarWinds and other SolarWinds marks, identified on the SolarWinds website, as updated from
SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark
Office and may be registered or pending registration in other countries. All other SolarWinds trademarks
may be common law marks or registered or pending registration in the United States or in other countries.
All other trademarks or registered trademarks contained and/or mentioned herein are used for
identification purposes only and may be trademarks or registered trademarks of their respective
companies.
page 2
ADMINISTRATOR GUIDE: KIWI SYSLOG SERVER
Table of Contents
About Kiwi Syslog Server 14
Learn more 14
Highlighting options 19
Message font 20
Default rule 24
Next steps 24
Define rules 24
Add a filter 25
Filter messages based on input source 34
Examples 37
Add an action 38
Date 66
Time 66
Facility 66
Level 67
Rule Name 68
Export a rule 71
Import a rule 71
Scripting resources 73
Script examples 73
Rules setup 73
Scripting custom statistics fields 76
Script variables 77
Common fields 77
Fields.VarFacility 77
Fields.VarLevel 77
Fields.VarInputSource 78
Fields.VarPeerAddress 78
Fields.VarPeerName 78
Fields.VarPeerDomain 78
Fields.VarCleanMessageText 79
Other fields 79
Fields.VarDate 79
Fields.VarTime 79
Fields.VarMilliSeconds 79
Fields.VarSocketPeerAddress 79
Fields.VarPeerAddressHex 80
Fields.VarPeerPort 80
Fields.VarLocalAddress 80
Fields.VarLocalPort 80
Fields.VarPriority 81
Fields.VarRawMessageText 81
Custom fields 81
Script functions 82
Fields.GetDailyStatistics() As String 83
Fields.ConvertPriorityToText(PriorityValue) 83
Fields.ActionDeleteFile(Filename) 92
Fields.ActionDisplay(DisplayNumber, TabDelimitedMessage) 93
Scripting dictionaries 96
StoreItem 96
AddItem 96
UpdateItem 97
RemoveItem 97
RemoveAll 97
Delete 97
DeleteAll 98
GetItemCount 98
GetItem 98
ItemExists 98
GetKeys 99
GetItems 99
Error Reference 99
Default Microsoft SQL and generic SQL database table design 120
View syslog statistics 150
Protocols 153
Transport 156
Rules 159
DisplayColumnsEnabled 166
DisplayRowHeight 167
MailStatsDeliveryTime 167
ServiceStartTimeout 168
ServiceUpdateTimeout 168
NTServiceSocket 169
NTServiceDependencies 169
DebugStart 170
Applies to 170
Effect 171
DNSDisableWaitWhenBusy 171
DNSCacheMaxSize 172
DNSCacheFailedLookups 172
DNSSetupQueueBufferBurstCoefficient 173
DNSSetupQueueBufferClearRate 173
DNSSetupQueueLimit 174
DNSSetupDebugModeOn 174
MsgBufferSize 174
MailAdditionalSubjectText 175
MailAdditionalBodyText 176
MailMaxMessageSend 177
FileWriteCacheEnabled 178
FileWriteCacheTimeout 179
FileWriteCacheEntries 179
FileWriteCacheMaxSizeKB 180
FileWriteCacheCleanup 180
FileWriteCacheFileLock 181
FileWriteCacheOpenFiles 181
LogFileDateSeparator 182
LogFileTimeSeparator 183
LogFileEncodingFormat 183
ScriptEditor 184
ScriptTimeout 185
DBCommandTimeout 186
ArchiveFileReplacementChr 186
ArchiveFileSeparator 187
UseOldArchiveNaming 187
ArchiveTempPath 188
EnableArchiveTempFile 188
ErrorLogFolder 189
MailLogFolder 189
KRDPACKTimer 190
KRDPKeepAliveTimer 190
KRDPCacheFolder 191
KRDPRxDebug 191
KRDPTxDebug 191
KRDPQueueSize 192
KRDPQueueMaxMBSize 192
KRDPAutoConnect 193
KRDPConnectTime 193
KRDPSendSpeed 194
KRDPIdleTimeout 194
KRDPAddSeqToMsgText 195
ProcessPriority 195
MaxRuleCount 198
DBLoggerCacheClearRate 198
DBLoggerCacheTimeout 199
DBLoggerCacheDisable 199
HostNosToDisplay 200
About Kiwi Syslog Server
Kiwi Syslog Server is a syslog server for the Windows platform. It receives syslog messages and SNMP traps
from network devices such as routers, switches, and firewalls.
Kiwi Syslog Server includes many options for customization. For example, you can create rules to
automatically respond to messages that meet the specified criteria, and you can set up schedules to
automatically archive logs for regulatory compliance.
When you initially install Kiwi Syslog Server, all features are available during a 14-day trial period.
When the trial period ends, you can continue to use the free edition without purchasing a license.
Or you can enter a license key to access features in the licensed edition.
To upgrade to the latest version, see the Kiwi Syslog Server Upgrade Guide.
If you're new to Kiwi Syslog Server, see the Kiwi Syslog Server Getting Started Guide. That guide walks you
through examples of common configuration tasks.
Not seeing messages? See the troubleshooting tips in the Getting Started Guide.
Learn more
See the following sections in this guide to learn more about:
Feature availability (free edition vs. licensed edition):
Collecting messages
- SNMP
Logging to disk
- Split by priority
- Split by network
Viewing messages
- Display windows: 10 (free edition), 25 (licensed edition)
- Statistics graphs
- Web-based displays
- Highlighting rules
Forwarding messages
- To database
- To SNMP
- To email
Filtering messages
- By time received
- By priority
- By message text
- By input source
Reacting to messages
- Send email
- Play sound
- Run script
- Run executable
Configure devices to send messages to Kiwi Syslog Server
To receive messages from a syslog-capable device, configure the device to send syslog messages to the
appropriate port on the computer where Kiwi Syslog Server is installed.
Kiwi Syslog Server automatically listens for UDP messages on port 514. This is the default port for devices
sending syslog messages, as defined by RFC 5426.
You can configure Kiwi Syslog Server to listen for UDP messages on a different port. You can also
enable Kiwi Syslog Server to listen for TCP messages, secure TCP messages, and SNMP traps.
For information about configuring a specific device, see documentation from the device manufacturer. The
Kiwi Syslog Server Getting Started Guide provides an example of configuring a Cisco switch.
Message logging must be enabled on the device. On many devices that generate syslog messages,
logging is enabled by default.
If you have configured devices but Kiwi Syslog Server is not displaying messages, see the troubleshooting
tips in the Getting Started Guide.
4. To change other display options, select or clear the associated check boxes.
Except for display names, the changes you make affect all displays.
5. Click Apply to apply changes to the displays, and click OK to close the dialog box.
- Use highlighting to apply a set of display options to messages that meet the specified criteria.
- Change the font, style, and color of the message text.
HIGHLIGHTING OPTIONS
This feature is available only in the registered version.
Use the highlighting options in Kiwi Syslog Server to specify a set of highlighting rules that are applied
to each message shown on the Kiwi Syslog Service Manager display. Highlighting rules are evaluated from
the top down, and any syslog message that matches a given rule has the associated effects applied.
Highlight Items: Lists the highlighting rules that will be applied to each syslog message that is displayed,
the syslog message field that will be searched, the string pattern that will be searched for, and the effect
to be applied. Each rule can be activated or deactivated by checking or unchecking the checkbox at the left
of its row in the list. The fields available in the 'Fields' drop-down box are the same as the fields
available on the Kiwi Syslog main display grid (i.e. Date, Time, Priority, Hostname, Message). Highlighting
rules can be added or deleted by clicking the buttons on the toolbar to the right of the highlights list.
Rule precedence can be changed in this toolbar as well, by clicking the up/down arrows.
Note that the first time you access the Highlighting Options, you may be prompted "No highlighting rules
have been found. Do you want to create some default rules based on Syslog Priorities?". As the prompt
implies, if you answer yes to this question, some default rules based on Syslog Priority will be created
for you.
String to match: The string pattern that will be searched for in the selected syslog message field.
Regular Expression: If checked, the string to match is treated as a regular expression. See Regular
Expressions.
Invert Match: If checked, the effect is applied only if a match is NOT found.
Ignore Case: If checked, the search pattern (string to match) is treated as case insensitive.
MESSAGE FONT
Select a new font name, style, and colour to be used for displayed messages.
If non ASCII characters appear in the display as blanks or square blocks, it means that the selected
font doesn't contain the required Unicode character glyph. If you have Microsoft Office installed,
Arial MS Unicode includes all Unicode glyphs.
Add rules, filters, and actions
Use rules, filters, and actions to specify how Kiwi Syslog Server processes the syslog messages it receives.
See the following topics:
- Filters determine which messages trigger the actions. If a rule does not include any filters, all
messages are acted on.
- Actions determine what happens when a message passes all of the filters.
You can define up to 100 rules. Each rule can include up to 100 filters and 100 actions.
1. The message is matched against each filter in that rule, starting with the filter at the top of the list.
- If the message passes a filter (all conditions in the filter return TRUE), it is matched against the
next filter in that rule.
- If the message does not pass a filter, processing stops for that rule and Kiwi Syslog Server
applies the next rule.
2. If the message passes all filters, each action is performed. Actions are performed in order, starting
with the action at the top of the list.
When all actions within that rule have been performed, Kiwi Syslog Server applies the next rule.
DEFAULT RULE
When you install Kiwi Syslog Server, a rule named Default is created automatically. This rule applies two
actions to all messages:
NEXT STEPS
To define how Kiwi Syslog Server processes and responds to messages, complete the following tasks:
- Define rules
- Add filters to a rule
- Add actions to a rule
- Rearrange rules, filters, and actions
- Copy a filter or an action to a different rule
Define rules
Add rules to specify what actions Kiwi Syslog Server takes when a message meets the specified criteria.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
The Kiwi Syslog Server Setup dialog opens.
2. In the left pane, right-click Rules and choose Add rule.
A new rule is added to the tree.
3. Replace the default name with a descriptive name. (The name does not have to be unique.)
4. Add one or more filters.
5. Add one or more actions.
6. Click OK to save your changes.
Add a filter
Add one or more filters to each rule to determine which messages trigger the actions in the rule. Each rule
can include up to 100 filters.
Filters are applied in order. The output from the first filter becomes the input for the next filter. You can
change the order of the filters applied to a rule.
If a rule does not contain a Priority filter, all priorities are included.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select Priority.
6. Select one or more cells to specify the facility and level of messages to include:
Use an IP address filter to include or exclude messages based on the IP address of the sending device.
Only messages from included IP addresses trigger the actions in the associated rule.
If a rule does not contain an IP address filter, all IP addresses are included.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select IP address.
6. Select an option from the Filter Type menu, and specify one or more IP addresses.
Simple: Enter one or more IP addresses to include. Enclose each IP address in quotes.
Complex: Enter the IP addresses to include or to exclude. Enclose each IP address in quotes. There is an
OR relationship between IP addresses on the same line. Messages are included or excluded if they are sent
from any of the IP addresses on the line. In the following example, a message is excluded if the IP
address of the sending device is 192.0.2.14 or 192.0.2.15.
RegExp: Enter one or more regular expressions to specify the IP addresses to include or exclude.
IPv4 Mask: Specify a range of IP addresses to include or exclude based on mask matching. The IP address is
logically AND'ed with the specified mask and then compared with the IP address of the sending device. If
the two addresses are on the same subnet, the filter result is TRUE. In the following example, the message
is excluded if the sending device's IP address is within the range 192.168.0.0 to 192.168.0.15.
IPv6 Range: Enter the range of IP addresses to include, exclude, or both. (For a range example, see IPv4
Range.)
Use the Hostname filter to include or exclude messages based on the host name of the sending device.
Only messages from included hosts trigger the actions in the associated rule.
If a rule does not contain a Hostname filter, all hosts are included.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select Hostname.
6. Select an option from the Filter Type menu, and specify one or more host names.
Simple Enter one or more host names to include. Enclose each name in quotes.
There is an OR relationship between the host names. Messages from any of these
hosts are included.
Complex Enter the host names to include or to exclude. Enclose each name in quotes.
There is an OR relationship between host names on the same line. Messages are
included or excluded if they are sent from any of the hosts on the line.
RegExp Enter one or more regular expressions to specify the host names to include or exclude.
Use the Message text filter to include or exclude messages based on the content of the message. Only
included messages trigger the actions in the associated rule. For example, you can create rules to send an
email or run a script when a message contains specific text strings.
If a rule does not contain a Message text filter, all messages are included.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select Message text.
6. Select an option from the Filter Type menu, and specify one or more text strings.
Simple: Enter one or more text strings, enclosed in quotes. There is an OR relationship between the
strings. A message meets the filter criteria (returns TRUE) if it includes any of the strings.
- Select the S button to perform a substring search (the default). A substring search returns TRUE if
the text string appears anywhere in the message. Deselect the S button to perform a whole string
search. A whole string search returns TRUE only if the text string matches the entire message text.
Example: If the text string is "down" and the message is System down, a substring search returns TRUE,
but a whole string search does not.
Complex: Enter one or more text strings to include, exclude, or both. Enclose each string in quotes.
There is an OR relationship between strings on the same line. Optionally, enter strings on the And line
to include a Boolean AND operator.
Include: The message is included if it contains any string on the Include line and any string on the And
line. In the following example, a message is included if it contains (server or system) and (down or
inaccessible). The message "The system is down" is included, but not "The system is up."
Exclude: The message is excluded if it contains any string on the Exclude line and any string on the And
line. In the following example, a message is excluded if it contains recommended action (not
case-sensitive) and None required. (case-sensitive).
Both: You can use both the Include and Exclude sections. In the following example, the message is
included if it contains (server or system) and (down or inaccessible) but does not contain test. The
message System down is included, but not the message Test system down.
RegExp: Enter one or more regular expressions to specify text strings to include or exclude.
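The filter semantics above (filters evaluated top to bottom with the first FALSE stopping the rule, the IPv4 Mask test, and the Simple and Complex Message text filters) as an added Python model; this is example code, not Kiwi Syslog Server's own, and the Msg class, the function names, and the case-insensitive substring matching assumed for Complex filters are this example's choices:

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Kiwi Syslog Server code: a small model of the filter
# semantics described in the guide. Filters run top to bottom and the first
# FALSE stops the rule. The Msg class, function names and the case-insensitive,
# substring matching assumed for Complex filters are this example's choices.


@dataclass
class Msg:
    sender_ip: str
    text: str


def ipv4_mask_filter(filter_ip, mask, exclude=False):
    """IPv4 Mask filter: AND the filter address and the sender address with the
    mask; equal results mean the same subnet. exclude=True inverts the result."""
    m = int(ipaddress.IPv4Address(mask))
    want = int(ipaddress.IPv4Address(filter_ip)) & m

    def run(msg):
        matched = (int(ipaddress.IPv4Address(msg.sender_ip)) & m) == want
        return not matched if exclude else matched
    return run


def simple_text_filter(strings, substring=True, ignore_case=True):
    """Simple Message text filter: OR over the strings. With the S button set
    (substring=True) a string may appear anywhere; otherwise it must equal the
    whole message text."""
    def run(msg):
        text = msg.text.lower() if ignore_case else msg.text
        for s in strings:
            s = s.lower() if ignore_case else s
            if (s in text) if substring else (s == text):
                return True
        return False
    return run


def complex_text_filter(include=(), and_=(), exclude=()):
    """Complex Message text filter. Strings on one line are OR'ed; the Include
    (or Exclude) line is AND'ed with the And line. An Include miss or an
    Exclude hit makes the filter FALSE."""
    def any_in(strings, text):
        return any(s.lower() in text for s in strings)

    def run(msg):
        text = msg.text.lower()
        and_ok = not and_ or any_in(and_, text)
        if include and not (any_in(include, text) and and_ok):
            return False
        if exclude and any_in(exclude, text) and and_ok:
            return False
        return True
    return run


def run_rule(filters, msg):
    """Evaluate a rule's filters in order; all() stops at the first FALSE, and
    the rule's actions run only when every filter returned TRUE."""
    return all(f(msg) for f in filters)


def demo():
    """The 'Both' example from the guide, restricted to the 192.168.0.0-15 devices."""
    rule = [
        ipv4_mask_filter("192.168.0.0", "255.255.255.240"),
        complex_text_filter(include=["server", "system"],
                            and_=["down", "inaccessible"],
                            exclude=["test"]),
    ]
    samples = [  # constructed messages
        Msg("192.168.0.7", "System down"),        # passes both filters
        Msg("192.168.0.7", "Test system down"),   # Exclude line hits
        Msg("192.168.0.7", "The system is up"),   # And line misses
        Msg("192.168.0.99", "System down"),       # outside the mask range
    ]
    return [run_rule(rule, m) for m in samples]
```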
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select Time of day.
6. Select one or more cells to specify the times to include:
Use Flags/Counters filters to trigger or suppress actions based on the number of times a filter returns
TRUE during the specified interval. The following Flags/Counters filters are available:
- Use a Time interval filter to avoid triggering the same action multiple times during the specified
interval.
Example: a rule sends an email alert when a message contains the text "link down." When a problem
occurs, the link sometimes goes up and down many times a minute, and you receive an email alert
for each "link down" message. To prevent this, you include a Time interval filter with a value of 5.
Kiwi Syslog Server sends an email alert for the first "link down" message. Other "link
down" messages during the next five minutes do not trigger additional email alerts.
- Use a Threshold filter to be alerted if a message is sent more than a certain number of times during
the specified interval.
Example: you occasionally receive a message containing the text "port scan detected," but you don't
want to be alerted unless it occurs more than five times within a minute. That frequency would
indicate that someone is persistently scanning your network.
You can also use this filter to watch for failed login attempts. If the text "login failed" occurs more
than five times within 30 seconds, it could indicate a brute force login attempt.
- Use a Timeout filter to monitor syslog devices and send an alert when a device is unexpectedly
quiet. This filter triggers an action when the filters that precede it in the rule are not met a
minimum number of times per interval.
Example: your firewall normally generates at least 200 messages per hour. If the number of
messages drops below 10 in an hour, this filter triggers an email alert.
The internal counter or timer used by these filters can be reset with the action to reset flags and
counters.
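The three Flags/Counters filters above, as an added event-driven Python model rather than Kiwi Syslog Server's own code; timestamps are seconds, and the class names, the reset() methods and the "one alert per burst" behaviour of the Threshold model are this example's assumptions:

```python
from collections import deque

# Added example, not Kiwi Syslog Server code: event-driven models of the
# Time interval, Threshold and Timeout filters. Timestamps are seconds; class
# names, the reset() methods and the "one alert per burst" behaviour of
# Threshold are this example's assumptions.


class TimeInterval:
    """TRUE for the first match, FALSE for further matches inside the interval."""

    def __init__(self, minutes):
        self.window = minutes * 60
        self.last_fired = None

    def check(self, now):
        if self.last_fired is None or now - self.last_fired >= self.window:
            self.last_fired = now
            return True
        return False

    def reset(self):  # what the "reset flags and counters" action would do
        self.last_fired = None


class Threshold:
    """TRUE when more than `count` matches fall within the last `seconds`.
    The window is cleared after firing so a burst raises one alert."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = deque()

    def check(self, now):
        self.hits.append(now)
        while self.hits and now - self.hits[0] > self.seconds:
            self.hits.popleft()
        if len(self.hits) > self.count:
            self.hits.clear()
            return True
        return False

    def reset(self):
        self.hits.clear()


class Timeout:
    """At the end of each interval, report when fewer than `minimum` messages
    passed the preceding filters; returns the text Kiwi hands to the actions."""

    def __init__(self, rule_name, minimum, minutes):
        self.rule_name, self.minimum, self.minutes = rule_name, minimum, minutes
        self.count, self.started = 0, 0.0

    def observe(self, now):  # called for every message that passed the earlier filters
        self.count += 1

    def check(self, now):  # called on a timer; None means nothing to report
        if now - self.started < self.minutes * 60:
            return None
        seen, self.count, self.started = self.count, 0, now
        if seen < self.minimum:
            return (f"The rule '{self.rule_name}' has only been matched {seen} times "
                    f"in {self.minutes:g} minutes. The threshold was set for "
                    f"{self.minimum} times.")
        return None


def link_down_alerts(times):
    """Times at which a 5-minute Time interval filter lets a 'link down' alert through."""
    f = TimeInterval(5)
    return [t for t in times if f.check(t)]


def brute_force_alert_at(times):
    """Time at which more than five 'login failed' matches in 30 s trip the Threshold."""
    f = Threshold(5, 30)
    for t in times:
        if f.check(t):
            return t
    return None
```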
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select Flags/Counters.
Timeout: To configure a Timeout filter:
1. Add one or more filters before the Timeout filter to specify which messages to count. (For example,
to watch for inactivity on the firewall, create a filter to include only messages from the firewall's
IP address.)
2. In the Timeout filter, enter the minimum number of times the message should be received.
3. Enter the time interval in minutes.
4. (Optional) To avoid triggering an alert at times when low activity is expected, add a Time of day
filter to include only certain days and time periods.
Other than the optional Time of day filter, a Timeout filter should be the last filter in a rule.
When this filter returns TRUE, a message with the following format is passed to any actions in the rule:
Priority: Local7.Debug (191)
HostIP: 127.0.0.1 (localhost)
MsgText: The rule 'ruleName' has only been matched x times in y minutes. The threshold was set for z times.
Use the Input source filter to trigger an action only if the input source of the message matches one of the
selected input sources (for example, only TCP messages).
If there is no Input source filter in the rule, all input sources are included.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a new rule, or locate an existing rule.
3. Right-click the Filters node below the rule, and choose Add Filter.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. In the Field menu, select Input source.
CHARACTER  DESCRIPTION
^  Looks only at the beginning of a string.
\  When the next character is a special character (part of the syntax), use this to indicate that the
character should be interpreted literally. For example, \.\*\+\\ matches .*+\.
|  Separates alternatives. For example, z|wood matches both z and wood, and (Hello | Hi) world matches
Hello world and Hi world.
{n}  Matches the preceding character exactly n times, where n is a non-negative integer. For example,
o{2} does not match the o in Bob, but matches the first two o's in foooood.
{n,}  Matches the preceding character at least n times. For example, o{2,} does not match the o in Bob,
but matches all the o's in foooood. o{1,} is equivalent to o+, and o{0,} is equivalent to o*.
{n,m}  Matches the preceding character at least n times but not more than m times. For example, o{1,3}
matches the first three o's in fooooood. o{0,1} is equivalent to o?.
[m-s]  A character range. For example, [m-s] matches any lowercase alphabetic character in the range m
through s.
[^m-s]  A negated character range. For example, [^m-s] matches any character not in the range m through s.
\b  Matches a word boundary, that is, the position between a word and a space. For example, er\b
matches the er in never but not the er in verb.
\s  Matches any white space including space, tab, form-feed, etc. Equivalent to [ \f\n\r\t\v].
\W  Matches any non-word character. Equivalent to [^A-Za-z0-9_].
(x)\n  Matches consecutive identical characters or strings, where x is the character or string and n is
the number of times it is repeated (not including the first occurrence).
\n  Matches n, where n is an octal escape value. Octal escape values must be 1, 2, or 3 digits long. For
example, \11 and \011 both match a tab character. \0011 is the equivalent of \001 and 1. Octal escape
values must not exceed 256. If they do, only the first two digits make up the expression. This allows
ASCII codes to be used in regular expressions.
\xn  Matches n, where n is a hexadecimal escape value. Hexadecimal escape values must be exactly two
digits long. For example, \x41 matches A. \x041 is equivalent to \x04 and 1. This allows ASCII codes to
be used in regular expressions.
EXAMPLES
EXPRESSION  MATCHES
^stuff  Any string starting with stuff
od?  o or od
[+\-]?[0-9]*[\.]?[0-9]*  Any number with optional sign and decimal point (needs two escape characters)
dst=\qLOCAL MACHINE\q  Any occurrence of dst="LOCAL MACHINE"
Add an action
Actions are triggered when all the filters for a rule are evaluated as true. Multiple actions can be defined
for each rule. You can define the following types of actions:
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Log to file.
Path and file name of log file: Enter a path and file name, or browse to select a file. The default
location is <installPath>\Logs\SyslogCatchAll-%DateISO.txt.
To split incoming messages into multiple files, insert an AutoSplit value in the path or file name. For
example, the current date variable (%DateISO) is inserted at the end of the default file name. This
appends the date to the end of the file name, so a new message log file is created for each day.
To select a value:
1. Place your cursor in the path or file name where you want to insert the AutoSplit value.
2. Click Insert AutoSplit value and select the value.
Log file format: Specify the file format. You can select a standard format or create a custom format.
Custom formats are listed at the end of the Log file format menu, after the standard and reserved
formats.
7. To automatically rotate log files:
a. Select Enable Log File Rotation.
b. Specify the total number of log files in the rotation set.
c. Specify the rotation criteria:
- To rotate files based on size, select Maximum log file size.
- To rotate files based on age, select Maximum log file age.
8. (Optional) Test the action.
9. Click Apply to save the action.
You can use schedules to automate log file archival and retention.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Forward to another host.
6. Specify the remote host IP address or host name. To send messages to multiple hosts, separate each
host name or IP address with a comma. For example:
Myhost.com, SecondHost.net, 203.75.21.3, ABC:567:0:0:8888:9999:1111:0
New Facility: Forces outgoing messages to use a different facility. In most cases, accept the default
value of - No change -.
New Level: Forces outgoing messages to use a different level. In most cases, accept the default value
of - No change -.
KRDP connection identifier: Specifies the unique name assigned to the KRDP connection. Each connection
between the source and destination syslog Server needs to be identified. When the connection is broken
and re-established, the sequence numbers can be exchanged and any lost messages can be resent. A
separate set of message sequence numbers is kept against each connection identifier.
Examples are: Source:RemoteOffice1 or SyslogServer1
The string of text used will uniquely identify the source of the connection to the destination syslog
Server.
If you have more than one "Forward to another host" action configured, you can use the same connection
identifier on all actions. This means that only a single KRDP connection is made between the source and
destination syslog Servers. If you specify a different connection identifier, multiple KRDP sessions
will be created.
To ensure that the identifier is unique, we recommend the use of the %MACAddress variable. This
variable is replaced by the first MAC address of the machine.
Example: Source:RemoteOffice1-%MACAddress
When running, the ID would look like: Source:RemoteOffice1-AA-BB-CC-DD-EE-FF-00
The MAC address is globally unique to each network card.
Send with RFC3164 header information: Adds the standard RFC3164 header information to the outgoing
message. The format is:
<Priority>Date Hostname PID Message text
The Priority is a value between 0 and 191. The Date is in the format Mmm DD HH:NN:SS (July 4 12:44:39).
Note there is no year specified. The PID is a program identifier up to 32 characters in length.
Retain the original source address of the message: Normally, the syslog protocol is unable to maintain
the original sender's address when forwarding syslog messages. This is because the sender's address is
taken from the received UDP or TCP packet. Kiwi Syslog solves this problem by placing a tag in the
message text that contains the original sender's address. By default, the tag looks like Original
Address=192.168.1.1. That is, the "Original Address=" tag, followed by the IP address, followed by a
" " (space) delimiter or tag.
These tags are inserted only if the "Retain the original source address of the message" option is
selected.
If the "Spoof Network Packet" option is used, then the "Original Address=" tag will not be used. The
Syslog packet will be forwarded to the destination address as though it had been sent from the
originating IP address.
Use a fixed source IP address: Uses a fixed IP address in the Original Address= tag. This can be useful
when you want to identify all outgoing messages as coming from a particular host, for example, if you
have many remote syslog Servers sending messages to one central location. If each of the remote syslog
servers uses the 10.0.0.x address range, all the received messages will appear to come from the same
host. Specifying a different source IP address for each remote syslog server could help in identifying
the incoming messages better.
If the "Spoof Network Packet" option is used, then the "Original Address=" tag will not be used. The
Syslog packet will be forwarded to the destination address as though it had been sent from the
specified fixed IP address.
Spoof Network Packet: This option only applies to syslog messages forwarded via the UDP protocol with
IPv4 addresses only. The network packet is spoofed to appear as though the forwarded message has come
directly from the originating device's IP address, and not the address of the Syslog Server. Kiwi
Syslog Server will use the Selected Network Adapter to send the spoofed UDP/IP packet.
This feature is only available in the licensed version. It requires WinPcap 4.1+ installation.
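The RFC3164 header and "Original Address=" tag described above, as an added Python example (not Kiwi Syslog Server code) that builds a forwarded line and takes it apart again on the receiving side; the facility name table, the function names and the sample host names are this example's assumptions:

```python
import re
from datetime import datetime

# Added example, not Kiwi Syslog Server code: build the line produced by the
# "Send with RFC3164 header information" and "Retain the original source
# address" options, then parse it on the receiving side. The facility name
# table and the function names are this example's assumptions.

FACILITIES = ("Kern User Mail Daemon Auth Syslog Lpr News Uucp Cron Authpriv Ftp "
              "Ntp Audit Alert Clock Local0 Local1 Local2 Local3 Local4 Local5 "
              "Local6 Local7").split()
LEVELS = "Emerg Alert Crit Error Warning Notice Info Debug".split()


def priority(facility, level):
    """Syslog priority = facility * 8 + level, so Local7.Debug is 23 * 8 + 7 = 191."""
    return FACILITIES.index(facility) * 8 + LEVELS.index(level)


def priority_to_text(pri):
    """Render a priority the way the Timeout filter message does: Local7.Debug (191)."""
    if not 0 <= pri <= 191:
        raise ValueError("priority must be between 0 and 191")
    return f"{FACILITIES[pri // 8]}.{LEVELS[pri % 8]} ({pri})"


def rfc3164_line(pri, when, hostname, pid, text):
    """<Priority>Date Hostname PID Message text, with the RFC 3164 Mmm dd
    HH:MM:SS timestamp (day space-padded, no year)."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {pid} {text}"


def retain_original_source(text, original_ip):
    """Insert the tag Kiwi adds so the receiver can still see the real sender
    even though the packet now arrives from the forwarding server."""
    return f"Original Address={original_ip} {text}"


HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$", re.S)
TAG_RE = re.compile(r"^Original Address=(\S+) (.*)$", re.S)


def parse_forwarded(line):
    """Split a forwarded line into its parts; original_address is None when
    the tag is absent. Raises ValueError for malformed headers or priorities."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    pri, stamp, host, pid, rest = m.groups()
    tag = TAG_RE.match(rest)
    return {
        "priority": priority_to_text(int(pri)),
        "timestamp": stamp,
        "hostname": host,
        "pid": pid,
        "original_address": tag.group(1) if tag else None,
        "text": tag.group(2) if tag else rest,
    }


def demo():
    """Forward a constructed message from 192.168.1.1 through a server named kiwi01."""
    text = retain_original_source("The system is down", "192.168.1.1")
    line = rfc3164_line(priority("Local7", "Debug"),
                        datetime(2024, 7, 4, 12, 44, 39), "kiwi01", "kiwi", text)
    return line, parse_forwarded(line)
```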
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Play a sound.
6. Specify which sound to play and how many times to play it.
You can add an action to run an external program. Details of the message and other Syslog statistics can
be passed to the external program as command-line arguments.
A new instance of the external program is launched for every message, so this may become a problem if messages arrive faster than the external program exits. This is especially true if Syslog is installed as a service, in which case the external program is launched by the service inside the non-interactive Windows session. The only way to see that the program is running is by using Task Manager. If not used carefully, this action may therefore lead to the computer being flooded with multiple instances of the external program.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Run external program.
7. Specify the command line options you would like to pass to the program in the Command line
options field.
8. To pass program variables, counters, script fields and statistics to the external program, click on
the Insert message content or counter link and choose an option.
9. Specify the priority of the new process that will be created.
PRIORITY LEVEL / VALUE / DESCRIPTION
0 Low: Specify this class for a process whose threads run only when the system is idle. The threads of the process are preempted by the threads of any process running in a higher priority class. An example is a screen saver. The idle-priority class is inherited by child processes.
1 BelowNormal: Indicates a process that has priority above Idle but below Normal.
2 Normal: (Default value.) Specify this class for a process with no special scheduling needs.
3 AboveNormal: Indicates a process that has priority above Normal but below High.
4 High: Specify this class for a process that performs time-critical tasks that must be executed immediately. The threads of the process preempt the threads of normal or idle priority class processes. An example is the Task List, which must respond quickly when called by the user, regardless of the load on the operating system. Use extreme care when using the high-priority class, because a high-priority class application can use nearly all available CPU time.
5 Realtime: Specify this class for a process that has the highest possible priority. The threads of the process preempt the threads of all other processes, including operating system processes performing important tasks. For example, a real-time process that executes for more than a very brief interval can cause disk caches not to flush or cause the mouse to be unresponsive.
10. If the process has a user interface, specify the Window Mode.
This setting has no effect on processes that do not have a user interface. This setting is unavailable
if you are running Syslog Server as a service.
If you select Wait for program initialization to complete before continuing, Syslog will wait for the new process to complete its initialization. It does this by waiting until the new process signals that it is idle. This is a blocking operation: Kiwi Syslog will not process any further messages until it receives the InputIdle signal from the process. Because of this, there is an additional option which specifies how long Kiwi Syslog should wait for the process to initialize. Once this time interval has elapsed, Kiwi Syslog assumes that the process started correctly.
This setting is useful if you are interacting with the process at a later stage, and you want to be sure that the process has started.
You can add an action to send an email message to one or more recipients. Details from the syslog
message and other syslog statistics can be included in the email subject line or the message body.
Before Kiwi Syslog Server can send email, you must configure email options.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select E-mail message.
6. Specify the following options.
E-mail Recipients: Enter one or more email recipients. Separate multiple email addresses with commas.
E-mail From: Enter the From email address. If you are using secured email (SSL or TLS), the From email address entered here must match the From email address entered in E-mail setup options.
E-mail Subject: Specify the message subject. Only one line is allowed. Click Insert message content or counter to include a variable.
E-mail Message: Specify the message body. Multiple lines are allowed. Click Insert message content or counter to include variables.
If the message will be sent to a pager, you can leave the message blank because it will not be included.
The Max message length option can be used to limit the amount of data sent in the message body. If you have used the variable %MsgText in the message body and a large syslog message arrives, it may be too large to send via e-mail. You can limit the message body length to a more manageable length.
E-mail Delivery Options: Specify the Importance, Priority, or Sensitivity of messages sent by this action.
Expand <013><010> in message: Select this option to expand any carriage return and line feed characters that have previously been replaced with <013> and <010>.
If the Replace non printable characters with <ASCII value> option is selected in the Modifiers setup options, any CR and LF characters appearing in the syslog message are replaced. Expanding these characters again when the message is emailed can make the text more readable.
Max subject length: Enter the maximum number of characters in the subject line, or leave blank to remove the limit.
Max message length: Enter the maximum number of characters in the message body, or leave blank to remove the limit.
If you used the variable %MsgText in the message body and a large syslog message arrives, it could be too large to send via email. Use this option to limit the message body length to ensure that the message can be sent.
You can add an action to send a syslog message to one or more hosts. You can use this option to relay
syslog messages to another host with extra information, or with your own text added to the message.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Send Syslog message.
IP address or hostname: Enter the IP address or host name of one or more hosts. Separate multiple entries with commas. IPv4 and IPv6 addresses are supported. For example:
Myhost.com, SecondHost.net, 203.75.21.3
Syslog message text: Specify the message text. Click Insert message content or counter to include variables.
New Facility, New Level, and New Socket: To change the facility, level, or socket, enter the new values.
You can add an action to log a syslog message to an ODBC database. By default, the Log to Database action
logs the following message field values:
- Date
- Time
- Priority
- Host name
- Message text
If you want to log different values, you can:
- Create a custom database format. The custom format will be available for selection when you create a Log to Database action.
- Use the Run script action to parse the syslog message, assign values to custom fields, and log them to a database.
- Use the scripting function ActionLogToODBC to send SQL statements and raw data to a database connection.
1. Create a database, or select an existing database that Kiwi Syslog Server can write to.
If the database file is opened exclusively by another process, Kiwi Syslog Server might not be
able to write new records to the database.
Some example ODBC databases are available for download from the SolarWinds Success Center.
The ZIP file contains information and sample databases that you can use as a guide to help you set
up ODBC logging on your own system.
2. Determine how you want to create the table that stores message values. The following options are available:
Automated option: When you add the action, click Create table. Kiwi Syslog Server creates a table containing the required columns.
Semi-automated option: When you add the action, click Show SQL commands. The SQL commands used to create the table are shown in a text editor. You can run these commands in your database application.
Manual option: If you choose to create the table manually before you add the action, use the table design for the selected database type. Be sure that the name, data type, and size of each column match the table design. If the sizes are too small, the data could be truncated when it is written to the database.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Log to Database.
Data link connection string:
1. Press the Browse (...) button to create or edit Data link properties. The Data Link Properties dialog box opens.
2. On the Provider tab, select a database provider.
3. On the Connection tab, specify the source of the data by doing one of the following:
- Select the data source name (DSN) of an available provider. The drop-down menu lists valid DSNs for providers that are predefined on your system.
- Enter a custom connection string.
4. Click Test Connection to validate that the connection properties are correct.
5. Use the Advanced tab to view and set other initialization properties for your data.
6. Click OK.
Database Table name: Enter the name of the database table where message values are logged. You can either:
- Enter an existing table name. The table must match the expected table design. To verify the table structure, click Query table to retrieve the last five rows of data.
Any existing table with that name is deleted and the contents are lost. The new table is created with the column names and data types for the database type you have selected.
Database type/field format: Choose from the list of default database types, or create your own format by clicking Edit custom format.
Connection Inactivity timeout: Specify how long the database connection is kept open after the last message has been sent. Because opening and closing the connection can be the slowest part of logging to a database, the connection is kept open while data is actively being logged. If no more messages have been logged before the timeout value expires, the database connection is closed. As soon as a new message arrives, the connection is reopened.
The default for this setting is 600 seconds (10 minutes). A value of 0 ensures that the connection will never time out. The maximum value is 86400 seconds (1 day).
Run debug command: If there is a problem logging to the database, click this button and enter a SQL command to be executed on the database. If the command fails, the results field displays a detailed error message. By default, the current INSERT statement used for the selected database type is displayed in the query field. This statement can be modified to test particular variations of the statement.
- You cannot use this option to query the database. For example, you cannot run a Select From statement and obtain results. Only error information is returned to the results field.
- Use the Show SQL commands button to obtain the correct syntax to use in the debug test.
Database cleanup: Select this option to clean up the database by deleting older messages.
The cleanup operation is performed nightly. Click Cleanup now to perform the operation immediately.
When you test logging messages from the Service Manager, the program runs as the current user
(probably "Administrator"). When Kiwi Syslog Server actually logs messages to a database, the
service runs as the "Local System" user by default.
If your test messages work but the messages are not being logged, try changing the service login ID
to "Administrator" instead of "Local System." Use the Services applet under Control Panel. Also
consider selecting the option that allows the program to interact with the desktop.
You can add an action to log messages to the NT application event log.
When you view the NT event log with the NT event log viewer, the log type is set to show System
events by default. To show Application events, select the Application item in the Log menu of the NT
Event viewer.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Log to NT event log.
Event log message type: Select the logging level to be used for messages logged to the NT event log by this action.
Insertion string options: Select how messages are inserted into the Event Log:
- Single insertion string
%1 is replaced with: Date – Tab – Time – Priority – Tab – Hostname – Tab – Message
%4 = Hostname
%5 = Message
You can add an action to send an SNMP trap to the specified host.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Send SNMP Trap.
Forward SNMP Trap without changing: Select this option to forward the original SNMP trap to the destination host.
Destination host: Enter the IP address of the system that will be receiving the SNMP trap.
Remote port: Enter the port to which the SNMP trap will be sent. The default is 162.
If you change this setting, you will need to configure the receiving device to "listen" for SNMP traps on the same port number.
Message text: Enter the content of the SNMP trap to be forwarded. Click Insert message content or counters to insert content using variables.
Agent IP address: Enter the IP address that will appear as the source of the SNMP trap. By default this is set to "The original sender" but can be set to "From this machine" (that is, the address of the machine running the Kiwi Syslog Server).
Generic type: For version 1 traps, select the type of trap to be sent:
- 0 - Cold Start
- 1 - Warm Start
- 2 - Link Down
- 3 - Link Up
- 4 - Authentication Failure
- 5 - EGP Neighbor Loss
- 6 - Enterprise Specific
Enterprise OID: For version 1 traps, enter a dotted numerical value (1.3.6.1.x.x.x.x) that represents the MIB enterprise of the SNMP trap.
Version 2 traps have the Enterprise value bound as the second variable in the message.
If the Generic Type is set to 6, it indicates an Enterprise type trap. In this case the Specific Trap value needs to be considered.
Variable OID: Specify a dotted decimal value (1.3.6.1.x.x.x.x) that represents the MIB variable of version 2 SNMP traps.
Community: This is like a password that is included in the trap message. Normally this is set to values such as "public", "private" or "monitor".
Specific type: This is a value that indicates the condition that caused the trap to be sent. In version 2 traps, this condition will be unique to the MIB defined for the particular device sending the trap (or syslog message).
Version: Select the version used to send SNMP traps to another syslog server. If you select version 3, provide the User Name, Local Engine ID, Authentication Password, Encryption Password, Protocol, and Algorithm.
The version (1, 2 or 3) must be selected before traps can be sent to another syslog server. For example, if you leave the encryption password and algorithm blank, the trap is sent at the 'authentication only' security level.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Stop processing message.
You can use the Run script action to run a parsing script that breaks the syslog message down into
various sub-fields. The values can then be assigned to custom fields and logged to a database.
Because each device manufacturer creates syslog messages in a different format, it is not possible
to create a generic parser that will break up the message text into separate fields. You must write a
custom script to parse the message text and then place it in the custom database fields. Example
parsing scripts can be found in the \Scripts subdirectory in the Kiwi Syslog Server installation
directory.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Run Script.
Script file name: Enter the path and file name of an existing script file or of the file to be created.
- VBScript: a variation of Visual Basic or VBA (Visual Basic for Applications) used in MS Word and Excel.
- PerlScript
- Python
- RubyScript
Edit script: Click this button to open the script in a text editor. If the specified file does not exist, it is created.
Modify the script and save your changes.
Script file rules: The script must always contain a function called Main(). No parameters are passed to the function, but a return value of OK must be passed back to indicate that the script ran successfully. If any value other than OK is returned, Syslog will assume an error has occurred in the script and place an entry in the error log. The value returned from the script function will also be included in the error log for later diagnosis.
Each of the available script variables can be accessed from the Fields object.
Example (VBScript):
Function Main()
    ' Your code goes here
    ' Set the return value
    Main = "OK"
End Function
Field Read/Write permissions: Select the groups of fields that Kiwi Syslog Server can access:
- When you grant read access to a group of fields, their values are copied into the script variables and are readable from within the script.
- When you grant write access to a group of fields, their values are copied from the script variables and replace the equivalent program fields.
Each time a script runs, the available message fields are copied to the script variables and back again upon completion of the script. The copying takes time and uses CPU cycles. To improve script performance, SolarWinds recommends granting read and write access only to the variables used in the script.
For more information about the fields in each group, see Script variables.
8. Click Apply to save the action.
If you run Kiwi Syslog Server as an application, do either of the following to reload the file:
l Flush the cache. Choose File > Debug options > Clear the script file cache, or press Ctrl+F8 from the
Service Manager console.
l Restart the application.
If you run Kiwi Syslog Server as a service, stop and restart the service to reload the file.
When you test a script from the Kiwi Syslog Server Setup window, the script is not cached. Each
script is freshly loaded before it is run.
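An added example of a Run Script action written in Python, one of the supported script languages listed above (this is not a script shipped with Kiwi Syslog Server): Main() takes no parameters, parses WELF tag=value text such as fw=, src= and dst= from the message, stores the values in custom fields for later actions, and returns "OK". The Fields attribute names (VarCleanMessageText, VarCustom01 to VarCustom16) follow the guide's VBScript usage and are an assumption for Python; the constructed _StubFields stand-in exists only so the script runs outside the server.

```python
import re

# Constructed sample WELF message (tag=value pairs; values containing spaces
# are quoted). The tags fw=, src= and dst= and the values protector,
# 192.168.1.6 and 203.57.12.1 match the guide's own AutoSplit examples.
SAMPLE_MESSAGE = ('id=firewall time="2017-10-15 14:59:03" fw=protector pri=5 '
                  'rule=12 proto=http src=192.168.1.6 dst=203.57.12.1 '
                  'msg="Denied outbound http"')

# One tag=value pair: group 1 is the tag, group 2 a double-quoted value,
# group 3 a bare value (up to the next whitespace).
_WELF_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_welf(text):
    """Split WELF message text into a dict of lower-cased tag -> value.
    A repeated tag keeps its last value; text that is not tag=value is ignored."""
    fields = {}
    for m in _WELF_PAIR.finditer(text):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


class _StubFields:
    """Constructed stand-in for the host's Fields object, used only when the
    script is run outside Kiwi Syslog Server. Inside the server the Fields
    object is supplied by the Run Script action (assumed here to expose the
    field names below as attributes, as in the guide's VBScript example)."""

    def __init__(self, text):
        self.VarCleanMessageText = text
        for i in range(1, 17):
            setattr(self, "VarCustom%02d" % i, "")


if "Fields" not in globals():  # not running under the server: use the stand-in
    Fields = _StubFields(SAMPLE_MESSAGE)


def Main():
    """Entry point required by the Run Script action: no parameters, returns
    "OK" on success. Any other return value is written to the Kiwi error log,
    so a parse failure is reported as a descriptive string rather than raised."""
    try:
        welf = parse_welf(Fields.VarCleanMessageText)
        # Custom fields 01-04 feed later actions in the same rule, e.g. an
        # e-mail body or a Log to Database action that uses %VarCustom01..04.
        Fields.VarCustom01 = welf.get("fw", "")
        Fields.VarCustom02 = welf.get("src", "")
        Fields.VarCustom03 = welf.get("dst", "")
        Fields.VarCustom04 = welf.get("proto", "")
        # Mark messages that lack both addresses so a later filter on
        # VarCustom05 can route them to a separate log rather than leaving
        # blank fields (a blank AutoSplit value makes an invalid file name).
        Fields.VarCustom05 = "" if ("src" in welf and "dst" in welf) else "UNPARSED"
    except Exception as exc:
        return "WELF parse failed: %s" % exc
    return "OK"


def run_script(text):
    """Offline harness: run Main() against a constructed Fields object holding
    the given message text and return (status, non-empty custom fields)."""
    global Fields
    Fields = _StubFields(text)
    status = Main()
    custom = {k: v for k, v in vars(Fields).items() if k.startswith("VarCustom") and v}
    return status, custom


if __name__ == "__main__":
    print(run_script(SAMPLE_MESSAGE))
```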
You can add an action to send a pager, SMS, or email message via the NotePager Pro application. Before you create this action, you must first purchase and install NotePager Pro. NotePager Pro is an inexpensive but powerful paging and SMS gateway application. Features include:
When a message is passed to NotePager Pro, it places the message in the sending queue. NotePager Pro checks the queue periodically and then sends the queued messages via the method you have specified. This could be via SNPP, e-mail, modem, TAPI, or whatever paging interface you have configured.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Send message via NotePager Pro.
Send page to: Select a recipient from the drop down list. The list is automatically populated from the NotePager Pro Recipients and Groups database. If no names are available in the drop down list, then NotePager Pro has not been installed correctly.
You can choose either a single recipient or a group of recipients to send to. For example:
Send to: Joe
or
Send To: All-Network-Staff
Message from: Enter any descriptive name. If the recipient is configured in NotePager Pro to receive the message via e-mail, the From name you specify will be prepended to the default domain you have configured. For example, if NotePager Pro is configured with the default domain of "company.com", when you send a message from "Syslog", it will appear as if the message came from "[email protected]".
Message: Specify the message text. Click Insert message content or counter to include variables.
Max message length: Select this option to limit the amount of data sent in the message. If you have used the variable %MsgText in the message body and a large syslog message arrives, it may be too large to send via pager. Use this option to limit the message body length.
If your pager is capable of receiving only numeric messages, you must specify a number in the message field instead of %MsgText. You will have to determine a series of codes that mean something to you. For example, 1=link up, 2=link down, 9=Router unreachable etc.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Log to Kiwi Syslog Web Access.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Reset Flags/Counters.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add or locate the rule that the action applies to.
3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. From the Action menu, select Log to Papertrail.com (cloud).
Papertrail Destination Hostname: Enter the location where logs are sent from a syslog server. The destination host is provided by Papertrail. For example: logs2.papertrailapp.com
Papertrail Destination Port: Papertrail provides a specific port number when you create a login with Papertrail. Use the same port number to send the syslog messages. For example: 58612
For help in Papertrail, click here.
AutoSplit values can be used anywhere within the path or log file name, as long as the result is a valid file
name. Any number of AutoSplit values can be used within the path or file name.
If you are using the Run Script action, you can use any of the VarCustom or VarGlobal fields as an AutoSplit
value. The following sections describe the available options.
Examples:
- To split the messages into separate files based on the day of the month:
C:\Logs\MyLogFile%DateD2.txt
The %DateD2 is replaced by the current day of the month. On the 23rd of the month, the message is written to:
C:\Logs\MyLogFile23.txt
- To split the messages based on the sending host, and then by priority level:
C:\Logs\%HostName.%HostDomain\MyLogFile-%PriLevAA.txt
The path and file name look like this:
C:\Logs\myhost.mycompany.com\MyLogFile-Debug.txt
DATE VALUES
Parameter: %DateISO
Explanation: International formatted date in the format YYYY-MM-DD. Leading zeros, always 10 characters in length.
Example: 2017-10-15
Parameter: %DateY4
Example: 2017
Parameter: %DateY2
Example: 17
Parameter: %DateM2
Example: 12
Parameter: %DateM3
Explanation: 3 character month in English, always 3 characters in length. First letter is in upper case.
Example: Nov
Parameter: %DateD2
Explanation: 2 digit day of the month with leading zero, always 2 characters in length.
Example: 05
Parameter: %DateD3
Explanation: 3 character day of the week in English, always 3 characters in length. First letter is in upper case.
Example: Fri
TIME VALUES
Parameter: %TimeHH
Example: 14
Parameter: %TimeMM
Example: 59
Parameter: %TimeAMPM
Explanation: 2 character time of day indicator. Always 2 characters in length. 00:00 to 11:59 = AM. 12:00 to 23:59 = PM.
Example: AM
PRIORITY VALUES
Parameter: %PriLevAA
Example: Critical
Parameter: %PriFacAA
Example: User
Parameter: %PriLev00
Example: 05
Parameter: %PriFac00
Example: 23
Parameter: %Pri000
Example: 016
Parameter: %IPAdd4
Explanation: The IP address of the device that sent the message. Each octet is zero padded. Always 15 characters in length.
Example: 192.168.001.024
Parameter: %IPAdd3
Explanation: The first 3 octets of the IP address of the device that sent the message. Each octet is zero padded. Always 11 characters in length.
Example: 192.168.001
Parameter: %IPAdd2
Explanation: The first 2 octets of the IP address of the device that sent the message. Each octet is zero padded. Always 7 characters in length.
Example: 203.056
Parameter: %IPv6Add6
Explanation: The IPv6 address of the device that sent the message. The groups of the IPv6 address are separated with ~ because the : character is not accepted in a file name.
Example: ABC~567~0~0~8888~9999~1111~0
Parameter: %HostName
Explanation: The host name of the device that sent the message. Just the host name, no domain name is included.
Example: sales-router
Parameter: %HostDomain
Explanation: The domain name suffix of the device that sent the message. Just the domain name, no host name is included.
Example: mycompany.co.nz
Parameter: %HostDomRev
Explanation: The domain name suffix of the device that sent the message, in reverse order. Just the domain name, no host name is included.
Example: nz.co.mycompany
WELF format is the WebTrends Extended Logging Format. This format is used by many firewalls such as
GNATBox, SonicWall, CyberWallPlus, and NetScreen. Each field within the message text is prefixed with an
identifying tag, such as fw= for the firewall name or src= for the source of the packet being logged.
Parameter: %TextFW
Example: protector
Parameter: %TextSrc
Explanation: The source IP address of the packet being logged by the firewall (not zero padded, unless this has been done by the firewall already).
Example: 192.168.1.6
Parameter: %TextDst
Explanation: The destination IP address of the packet being logged by the firewall (not zero padded, unless this has been done by the firewall already).
Example: 203.57.12.1
Parameter: %TextProto
Example: http
Parameter: %TextSn
Example: abcdDDDXSD
Parameter: %InpSrc
Explanation: Identifies the input source of the message (the listening method that received the message).
Example: UDP
Parameter: %VarCustom01 to %VarCustom16
Explanation: There are 16 custom fields that can be modified by the Run Script action. If these fields have not been modified by the script, they will be blank. Be aware that a blank autosplit value may result in an invalid file name. The custom field values are cleared when a new message arrives. They are only valid for the current message. To store values longer than a single message, use VarGlobal fields.
Parameter: %VarGlobal01 to %VarGlobal16
Explanation: There are 16 global fields that can be modified by the Run Script action. If these fields have not been modified by the script, they will be blank. Be aware that a blank autosplit value may result in an invalid file name. The global fields retain their value between messages.
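The AutoSplit expansion described above, worked through as an added Python example (not the product's own code): it builds the value table for one message, expands a path template such as the guide's C:\Logs\%HostName.%HostDomain\MyLogFile-%PriLevAA.txt, and checks the result for the blank-value and illegal-character problems the guide warns about. The syslog level and facility name lists are an assumption (the guide's examples "Critical", "Debug" and "User" are among them), as is the constructed sample message.

```python
import ipaddress
import re
from datetime import datetime

# English abbreviations (locale-independent), as %DateM3 and %DateD3 require.
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# Standard syslog level and facility names, assumed to match the %PriLevAA /
# %PriFacAA spellings (the guide shows "Critical", "Debug" and "User").
_LEVELS = ["Emerg", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]
_FACILITIES = ["Kernel", "User", "Mail", "System", "Security", "Syslog", "Printer", "News",
               "UUCP", "Clock", "Security2", "FTP", "NTP", "LogAudit", "LogAlert", "Clock2"
               ] + ["Local%d" % i for i in range(8)]


def autosplit_values(when, host, domain, ip, facility, level, extra=None):
    """Build the AutoSplit value table for one message. `extra` holds values
    such as %VarCustom01 set by a Run Script action (blank when unset)."""
    values = {
        "%DateISO": when.strftime("%Y-%m-%d"),
        "%DateY4": when.strftime("%Y"), "%DateY2": when.strftime("%y"),
        "%DateM2": when.strftime("%m"), "%DateM3": _MONTHS[when.month - 1],
        "%DateD2": when.strftime("%d"), "%DateD3": _DAYS[when.weekday()],
        "%TimeHH": when.strftime("%H"), "%TimeMM": when.strftime("%M"),
        "%TimeAMPM": "AM" if when.hour < 12 else "PM",
        "%PriLevAA": _LEVELS[level], "%PriFacAA": _FACILITIES[facility],
        "%PriLev00": "%02d" % level, "%PriFac00": "%02d" % facility,
        "%Pri000": "%03d" % (facility * 8 + level),  # syslog PRI = facility * 8 + level
        "%HostName": host, "%HostDomain": domain,
        "%HostDomRev": ".".join(reversed(domain.split("."))),
    }
    if ":" in ip:
        # ':' is not allowed in a Windows file name, so groups are joined with '~';
        # leading zeros are dropped as in the guide's ABC~567~0~0~8888~9999~1111~0.
        groups = ipaddress.IPv6Address(ip).exploded.split(":")
        values["%IPv6Add6"] = "~".join((g.lstrip("0") or "0").upper() for g in groups)
    else:
        octets = ["%03d" % int(o) for o in ip.split(".")]  # zero-padded octets
        values["%IPAdd4"] = ".".join(octets)
        values["%IPAdd3"] = ".".join(octets[:3])
        values["%IPAdd2"] = ".".join(octets[:2])
    values.update(extra or {})
    return values


def expand_autosplit(template, **message):
    """Replace every AutoSplit value in `template` (a path or file name).
    Longer names are tried first so no value is matched as a prefix of another."""
    values = autosplit_values(**message)
    pattern = re.compile("|".join(re.escape(t) for t in sorted(values, key=len, reverse=True)))
    return pattern.sub(lambda m: values[m.group(0)], template)


_ILLEGAL = re.compile(r'[<>"|?*:]')


def check_path(path):
    """Return the problems that would make the expanded path an invalid Windows
    file name: a value left unexpanded, an empty path component (typically a
    blank VarCustom/VarGlobal value) or an illegal character. Empty list = usable."""
    problems = []
    if "%" in path:
        problems.append("unexpanded AutoSplit value")
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path  # drop the drive letter
    if any(part == "" for part in body.lstrip("\\").split("\\")):
        problems.append("empty path component")
    if _ILLEGAL.search(body):
        problems.append("illegal character in path")
    return problems


def sample_message(**overrides):
    """Constructed message attributes: a Thursday afternoon, user.debug from 192.168.1.24."""
    msg = dict(when=datetime(2017, 11, 23, 14, 59, 7), host="myhost", domain="mycompany.com",
               ip="192.168.1.24", facility=1, level=7)
    msg.update(overrides)
    return msg


if __name__ == "__main__":
    for template in (r"C:\Logs\MyLogFile%DateD2.txt",
                     r"C:\Logs\%HostName.%HostDomain\MyLogFile-%PriLevAA.txt",
                     r"C:\Logs\%VarCustom01\file.txt"):
        path = expand_autosplit(template, extra={"%VarCustom01": ""}, **sample_message())
        print(path, check_path(path) or "ok")
```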
To add a variable:
1. Position your cursor where you want to insert the variable.
2. Click Insert message content or counter.
3. Select a variable.
Explanation: The whole message as it appears on the display, including the time, date, priority and message text. Each field is space delimited.
DATE
Parameter: %MsgDate
Example: 2005-02-18
TIME
Parameter: %MsgTime
Example: 22:30:16
FACILITY
Parameter: %MsgFacility
LEVEL
Parameter: %MsgLevel
Example: 192.168.1.1
Explanation: The threshold level set for the minimum message count alarms
Explanation: The threshold level set for the maximum message count alarms
Explanation: The threshold level set for the minimum disk space remaining in MB
Example: 90 (MB)
Example: 254
MESSAGE COUNT LAST HOUR
Parameter: %MsgLastHour
Example: 254
Explanation: The MAC address value of the first network adaptor found.
Example: AA-BB-CC-DD-EE-FF-00
RULE NAME
Parameter: %RuleName
Example: EmailAction
Explanation: There are 16 custom fields that can be modified by the Run Script action. If these fields have
not been modified by the script, they will be blank. Be aware that a blank autosplit value may result in an
invalid file name. The custom field values are cleared when a new message arrives. They are only valid for
the current message. To store values longer than a single message, use VarGlobal fields.
VARGLOBAL01 TO VARGLOBAL16
Explanation: There are 16 global fields that can be modified by the Run Script action. If these fields have
not been modified by the script, they will be blank. Be aware that a blank autosplit value may result in an
invalid file name. The global fields retain their value between messages.
VARSTATS01 TO VARSTATS16
Explanation: There are 16 statistics fields that can be modified by the Run Script action. The statistics
fields retain their value between messages. You can modify the names associated with the statistics fields
and their initial value from the Script options section on the setup window. The custom statistics values
are viewable on the statistics display and on the daily statistics e-mail.
1. At the bottom of the action or filter setup dialog, click the Test Setup button.
The Test message dialog displays the values that are passed to the filter or action when you perform
the test.
If necessary, change these inputs to match the values you are filtering for.
You can change the order of rules, filters, actions, or scheduled tasks.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Right-click the rule, filter, action, or schedule.
3. Select Move up or Move down.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Right-click the filter or action.
3. Select Copy filter or Copy action.
EXPORT A RULE
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Right-click the rule and choose Export rule.
3. Browse to the location where you want to save the rule and click Save.
The rule definition file is automatically given a .ksr extension, and the default file name is based on
the rule name.
IMPORT A RULE
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. At the top of the left pane, right-click Rules and choose Import rule.
3. Browse to the file location, select the .ksr file, and click Open.
The imported rule is listed in the left pane at the bottom of the rules section. You can move the rule
to a different position.
PRESS              TO
Insert             Add a new Rule, Filter, Action, or Archive schedule. (The selected item must be Rules, Filters, Actions, or Archiving.)
Ctrl-V             Paste the copied Rule, Filter, Action, or Archive schedule. (The selected item must be Rules, Filters, Actions, or Archiving.)
Enter              Collapse or expand the tree at the currently selected position (same as double-clicking with the mouse).
Space bar          Enable or Disable the selected Rule, Filter, Action, or Archive schedule.
Shift + Up Arrow   Move the selected Rule, Filter, Action, or Archive schedule up one position.
Scripting resources
When you add an action to run a script or create a scheduled task to run a script, use the following
resources to help you write the script.
• Script examples
• Scripting custom statistics fields
• Script variables
• Script functions
• JScript escape characters
• Scripting dictionaries
• Scripting tutorial
Script examples
If you want to add an action to run a script, use the examples in the following section to help you get
started writing scripts. The \Scripts folder in the Kiwi Syslog Server installation directory also includes
sample scripts that show you how to play sounds, send e-mail, log to file, and perform other actions.
If you have created a custom parsing script or something that would be useful to others, please
share it with the SolarWinds user community.
The values used in this script are found on the Cisco website.
RULES SETUP
Rules setup
Rule: Lookup PIX msg
Filters
Filter: Host IP address: Simple: Match PIX firewall address
Actions
Action: Run Script: Lookup PIX msg
Action: Send e-mail
To: [email protected]:
Subject: Problem with PIX
Body: %MsgText
Explanation: %VarCustom01
Action to take: %VarCustom02
Rules
Function Main()
    ' Set the return value to OK
    Main = "OK"
    ' By default, skip to the next rule, don't take the actions that follow.
    ' If we exit the function before we get to the end, the default 'skip to
    ' next rule' will be used.
    Fields.ActionQuit = 100
    ' (The Select Case statement that tests the PIX message ID, and its other
    ' Case branches, are not reproduced on this page.)
    Case "4-209004"
        ' Pass the Explanation and Action to take to the custom variables
        Fields.VarCustom01 = E
        Fields.VarCustom02 = A
        ' Since we have a valid match, we want to execute the send e-mail action
        ' which follows.
        ' Setting ActionQuit to 0 means we won't skip any actions.
        Fields.ActionQuit = 0
End Function
All the variables are remarks and will not be executed if the function is called.
Function Info()
    ' // Other fields
    ' VarDate
    ' VarTime
    ' VarMilliSeconds
    ' VarSocketPeerAddress
    ' VarPeerAddressHex
    ' VarPeerPort
    ' VarLocalAddress
    ' VarLocalPort
    ' VarPriority
    ' VarRawMessageText (Read only)
End Function
There are 16 custom statistics fields available for scripting use. These values are static and do not get
erased with each new message like the other script fields do.
The custom statistics values can be viewed from the Statistics window under the Counters tab. The names
for the fields that you have specified will be used in the statistics window and in the daily statistics e-mail
report.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click Scripting.
3. Specify the name and initial value.
The initial values of the statistics counters can be set to any value you like. By default the values are
all set to 0. If you want to create a decrementing counter, set an initial value (for example, 1000) and
decrement it from the run script actions.
The names and initial values are applied when the program starts. To force the program to reinitialize the
fields with these values, use the File | Debug options | Initialize custom statistics menu, or press Ctrl-F9
from the main syslog window.
Script variables
The following variables are available for scripts used with Kiwi Syslog Server. Variables are passed to and
from the script. Depending on the read/write permissions you set for the action or scheduled task, the
variables can be modified and returned for use in the syslog program.
The variables are passed via a globally accessible object named "Fields." To access a variable, simply prefix
the word "Fields." to the variable name.
COMMON FIELDS
FIELDS.VARFACILITY
FIELDS.VARLEVEL
FIELDS.VARINPUTSOURCE
FIELDS.VARPEERADDRESS
Details The IP address of the sending device in nnn.nnn.nnn.nnn format. If the message has been
forwarded from another syslog collector, this value contains the original sender's address.
Case A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog
collector (192.168.1.3).
Type String
Example 192.168.1.67
FIELDS.VARPEERNAME
Details The host name of the sending device. This field only contains a resolved host name if the DNS
lookup options are enabled and the lookup was successful. Otherwise it contains the same
value as VarPeerAddress in the format nnn.nnn.nnn.nnn. The name identifies the host portion
of the fully qualified domain name (FQDN); it does not contain the domain suffix.
Type String
Format myhost
FIELDS.VARPEERDOMAIN
Details The domain name portion of the resolved FQDN. This is just the domain suffix; it does not
contain the hostname. This field only contains a value if the DNS lookup options are enabled
and the lookup was successful. Otherwise it contains an empty string ("").
Type String
Format mydomain.com
FIELDS.VARCLEANMESSAGETEXT
Details The message text after it has been modified (for example, header removed, DNS lookups,
original address removed, and Cisco date removed).
Type String
Example %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.3 (firewall) (137) -> 216.7.14.105 (webserver.company.com) (137), 1 packet
OTHER FIELDS
FIELDS.VARDATE
Format YYYY-MM-DD
Example 2005-03-17
FIELDS.VARTIME
Format HH:MM:SS
Example 23:10:04
FIELDS.VARMILLISECONDS
Details The time the message was received in milliseconds past the second.
FIELDS.VARSOCKETPEERADDRESS
Details The IP address of the device, or the closest collector that sent the message.
Case A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This syslog
collector (192.168.1.3)
The field value would be 192.168.1.2.
Type String
Example 192.168.1.67
FIELDS.VARPEERADDRESSHEX
Details The IP address of the device that sent the message converted to an 8 digit hex value.
The hex address is used for the IP Mask and IP Range filters. If you are making changes to the
VarPeerIPAddress and want to use the IP Mask or Range filters, you must also make changes to
the VarPeerAddressHex field.
FIELDS.VARPEERPORT
Details The UDP/TCP port that the message was sent from.
Range 0 to 65535
FIELDS.VARLOCALADDRESS
Details The IP address that the message was sent to on this machine.
Type String
FIELDS.VARLOCALPORT
Details The local machine UDP/TCP port that received the message.
Range 0 to 65535
Typically 514 for UDP, 1468 for TCP, 162 for SNMP
FIELDS.VARPRIORITY
Range 0 to 191
FIELDS.VARRAWMESSAGETEXT
Details The message as it was received before modification (includes <pri> tag, original address, etc.).
This field is read only. Changing the field within the script will not modify the equivalent
program variable.
CUSTOM FIELDS
These fields are dynamic and are cleared with each new message. These fields can be used to hold the
results of your script so they can be used in Log to file or Log to Database actions. The fields can also be
passed to actions as parameters using the %VarCustom01 Insert message content or counter option or via
the AutoSplit syntax. A good use for these fields would be breaking a message up into separate fields via
the script and then logging them to file or database in the separate fields.
There are 16 custom fields available. Values from 1 to 9 are zero padded (VarCustom01 not VarCustom1).
There are 16 global fields available. Values from 1 to 9 are zero padded (VarGlobal01 not VarGlobal1).
The current field values can be viewed from the Statistics view window under the Counters tab. The
custom stats are also included in the daily statistics e-mail.
The names and initial values of the Statistics fields can be set from the Scripting option
There are 16 custom statistics fields available. Values from 1 to 9 are zero padded (VarStats01 not
VarStats1).
Fields.VarStats01 to Fields.VarStats16
FIELDS.ACTIONQUIT
Details This field can be set to determine what occurs after the script has been run. A value of 0 means
the program continues on to the next action in the rule. A value of 1 to 99 means skip the next n
actions within this rule (1 = skip the next 1 action, 3 = skip the next 3 actions). A value of 100
means jump to the next rule. A value of 1000 means skip all rules and stop processing this
message. A value of 0 is assumed if no value is set.
Enum 0=No skip, 1-99=skip next n actions, 100=skip to next rule, 1000=stop processing message
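The following Python model, added here and not part of Kiwi Syslog Server or its documentation, shows how the ActionQuit values above steer a rule's action list, using the "Lookup PIX msg" rule from the Script examples section as the worked case: the script defaults ActionQuit to 100 and only sets it to 0 on a known message ID, so the Send e-mail action that follows runs only for messages the lookup recognised. The "%PIX-n-nnnnnn" message-ID pattern, the explanation texts and the resetting of ActionQuit between actions are assumptions of this model.

```python
"""How Fields.ActionQuit steers the actions of one rule.

Added example in Python, not Kiwi Syslog Server code. run_rule() applies the
ActionQuit values documented above (0 = no skip, 1-99 = skip the next n
actions, 100 = jump to the next rule, 1000 = stop processing the message),
and lookup_pix_message() models the "Lookup PIX msg" script from the Script
examples section, whose Send e-mail action only makes sense when the script
leaves ActionQuit at 0. The "%PIX-n-nnnnnn" message-ID pattern and the
explanation texts are constructed sample data, not Cisco's table.
"""
import re
from dataclasses import dataclass

# Constructed lookup table keyed like the Case "4-209004" label in the script
# example; the real explanations come from the Cisco website.
PIX_LOOKUP = {
    "4-209004": ("Sample explanation for 4-209004", "Sample action for 4-209004"),
}
PIX_ID_RE = re.compile(r"%PIX-(\d-\d{6})")   # assumed message-ID format


@dataclass
class Fields:
    """The subset of the script's Fields object this model uses."""
    VarCleanMessageText: str
    VarCustom01: str = ""
    VarCustom02: str = ""
    ActionQuit: int = 0
    MailBody: str = ""          # stand-in for what the Send e-mail action would send


def lookup_pix_message(fields: Fields) -> str:
    """Main() of the Lookup PIX msg script: skip to the next rule unless the
    message ID is known; on a match fill the custom fields and let the
    actions that follow run."""
    fields.ActionQuit = 100                  # default: jump to the next rule
    match = PIX_ID_RE.search(fields.VarCleanMessageText)
    if match and match.group(1) in PIX_LOOKUP:
        explanation, action = PIX_LOOKUP[match.group(1)]
        fields.VarCustom01 = explanation
        fields.VarCustom02 = action
        fields.ActionQuit = 0                # valid match: do not skip anything
    return "OK"


def send_email(fields: Fields) -> None:
    """Send e-mail action: expands the template from the rule definition
    (Body: %MsgText, Explanation: %VarCustom01, Action to take: %VarCustom02)."""
    fields.MailBody = (f"{fields.VarCleanMessageText}\n"
                       f"Explanation: {fields.VarCustom01}\n"
                       f"Action to take: {fields.VarCustom02}")


def run_rule(actions, fields: Fields):
    """Execute a rule's ordered actions, a list of (name, callable) pairs.
    Returns (names of the actions that ran, outcome) with outcome "next_rule"
    or "stop". Only a Run Script action sets ActionQuit; this model reads the
    value after each action and resets it to 0 (an assumption about the
    engine, consistent with "0 is assumed if no value is set")."""
    executed = []
    i = 0
    while i < len(actions):
        name, action = actions[i]
        action(fields)
        executed.append(name)
        quit_value, fields.ActionQuit = fields.ActionQuit, 0
        if quit_value == 1000:
            return executed, "stop"          # skip all rules, drop the message
        if quit_value == 100:
            return executed, "next_rule"     # leave the remaining actions
        if 1 <= quit_value <= 99:
            i += quit_value                  # skip the next n actions
        i += 1
    return executed, "next_rule"


def process(message: str):
    """Run the Lookup PIX msg rule against one message."""
    fields = Fields(VarCleanMessageText=message)
    actions = [("Run Script", lookup_pix_message), ("Send e-mail", send_email)]
    executed, outcome = run_rule(actions, fields)
    return executed, outcome, fields
```

Calling process() with a message whose ID is in the table returns both action names and a filled MailBody; any other message returns only "Run Script" with outcome "next_rule", which is the behaviour the script's default of 100 is meant to produce.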
FIELDS.SECONDSSINCEMIDNIGHT
Range 0 to 86400
FIELDS.SECONDSSINCESTARTUP
Details The number of seconds elapsed since the program was started.
Script functions
When you are writing scripts for use with Kiwi Syslog Server, a number of built-in functions are available
from the Fields object. To use a built-in function, access the function name prefixed with the Fields
object, pass any parameters needed, and the result is returned.
Example usage:
Fields.VarCustom01 = Fields.VarPeerAddress
End if
Example usage:
Fields.VarCustom01 = Fields.ConvertIPToHex(Fields.VarPeerAddress)
End if
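The example below is added here in Python and is not Kiwi Syslog Server code. It reproduces what Fields.ConvertIPToHex and the VarPeerAddressHex field provide, an 8-digit fixed-width hex form of the IPv4 address, and shows why that form is what the IP Mask and IP Range filters compare on: fixed-width hex strings order numerically, dotted-decimal strings do not. It also carries the caveat from the VarPeerAddressHex description, that a script which rewrites the peer address must rewrite the hex field as well. Upper-case hex output is an assumption; the Fields object is stood in for by a plain dict.

```python
"""IPv4 address to 8-digit hex, as Fields.ConvertIPToHex / Fields.VarPeerAddressHex.

Added example in Python, not Kiwi Syslog Server code. Upper-case hex output
is an assumption; the point demonstrated (fixed-width hex sorts and masks
correctly where dotted-decimal strings do not) holds either way.
"""
import ipaddress


def convert_ip_to_hex(ip: str) -> str:
    """'192.168.1.67' -> 'C0A80143'. Raises ValueError for anything that is
    not a valid IPv4 address, so a script cannot silently store junk in
    VarPeerAddressHex."""
    return f"{int(ipaddress.IPv4Address(ip)):08X}"


def hex_in_range(hex_addr: str, low_ip: str, high_ip: str) -> bool:
    """IP Range filter: because every value is exactly 8 hex digits, plain
    string comparison orders addresses numerically."""
    return convert_ip_to_hex(low_ip) <= hex_addr.upper() <= convert_ip_to_hex(high_ip)


def hex_matches_mask(hex_addr: str, network: str, mask: str) -> bool:
    """IP Mask filter: (address AND mask) == (network AND mask), computed on
    the integer behind the hex string."""
    addr = int(hex_addr, 16)
    net = int(ipaddress.IPv4Address(network))
    msk = int(ipaddress.IPv4Address(mask))
    return addr & msk == net & msk


def dotted_order_is_wrong(a: str, b: str) -> bool:
    """The failure mode the hex form avoids: compare the dotted strings
    lexically and the hex strings numerically; True when the two orderings
    disagree (e.g. '192.168.1.9' sorts after '192.168.1.10' as text)."""
    lexical = a < b
    numeric = convert_ip_to_hex(a) < convert_ip_to_hex(b)
    return lexical != numeric


def set_peer_address(fields: dict, new_ip: str) -> dict:
    """The caveat from the VarPeerAddressHex description: a script that
    rewrites the peer address must rewrite the hex field too, or the IP Mask
    and IP Range filters keep matching on the old address. `fields` is a
    plain dict standing in for the Fields object."""
    fields["VarPeerAddress"] = new_ip
    fields["VarPeerAddressHex"] = convert_ip_to_hex(new_ip)
    return fields
```

In a Kiwi script the equivalent of set_peer_address() is two assignments, Fields.VarPeerAddress followed by Fields.VarPeerAddressHex = Fields.ConvertIPToHex(Fields.VarPeerAddress), and both need Write permission on the relevant field groups.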
FIELDS.GETDAILYSTATISTICS() AS STRING
Function: Returns the daily statistics page as a CRLF delimited string.
Example usage:
MyStats = Fields.GetDailyStatistics()
FIELDS.CONVERTPRIORITYTOTEXT(PRIORITYVALUE)
Function: Converts a message priority value to a text representation of the facility level.
Range: 0 to 191
Example usage:
Filename = "C:\Programfiles\Syslogd\Logs\TestLog.txt"
' Use the date and time from the current message
With Fields
    MsgDate = .VarDate & " " & .VarTime
End With
Specifying an empty string ("") for SoundFilename will result in the system beep sound.
RepeatCount options:
0 = repeat until cancelled (Cancel by pressing flashing bell on main display window)
When the repeat count is greater than 1, the wav file or beep sound will be played at 5 second intervals.
Example usage:
Call Fields.ActionPlaySound("", 0)
Importance, Priority and Sensitivity E-mail Delivery Option parameters are optional.
These parameters allow for the importance, priority and sensitivity flags of the e-mail message to be
specified.
The e-mail recipients will receive the messages with the various importance/priority/sensitivity levels set
accordingly.
MailImportance:
0 - Unspecified (Default)
1 - High
2 - Normal
3 - Low
MailPriority:
0 - Unspecified (Default)
1 - Normal
2 - Urgent
3 - Non-Urgent
MailSensitivity:
0 - Unspecified (Default)
1 - Personal
2 - Private
3 - Confidential
To send the message to multiple addresses, separate each address with a comma.
E.g.:
MailTo = "[email protected],[email protected],[email protected]"
Example usage: Send e-mail to [email protected], use default importance, priority and sensitivity
MailTo = "[email protected]"
MailFrom = "[email protected]"
MailMessage = "This is a test mail message" & vbCrLf & "Multiple lines."
Example usage: Send e-mail to [email protected], High importance, Urgent priority, Confidential
sensitivity
MailTo = "[email protected]"
MailFrom = "[email protected]"
MailMessage = "This is a test mail message" & vbCrLf & "Multiple lines."
MailImportance = 1
MailPriority = 2
MailSensitivity = 3
This function can be used to log messages to file in your own format.
To have the filename contain the current hour of the day, use %TimeHH
Example usage:
MsgHostAddress = Fields.VarPeerAddress
' Use the date and time from the current message
MsgDate = Fields.VarDate & " " & Fields.VarTime
Data = MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText
Note: this example requires that Read permission be enabled for "Other fields". This gives the script read
access to the VarDate and VarTime variables.
For more information on Log File Rotation in Kiwi Syslog Server, please see Log File Rotation.
The parameters RotateLogFile, RotationType, NumLogFiles, Amount and Unit are all optional and only need
to be specified if logging to a rotated log file.
RotateLogFile:
RotationType:
0 = Rotate log files when log file size exceeds the amount specified by Amount and Unit
1 = Rotate log files when log file age exceeds the amount specified by Amount and Unit
Amount:
Unit For RotationType=0 : Unit relates to the size of the file and specifies whether the Amount is Bytes, KB,
MB, etc.
0 = Bytes
1 = Kilobytes
2 = Megabytes
3 = Gigabytes
For RotationType=1: Unit relates to the age of the file and specifies whether the Amount is Minutes, Days,
Weeks, etc.
0 = Minutes
1 = Hours
2 = Days
3 = Weekdays
4 = Weeks
5 = Months
6 = Quarters
7 = Years
Example Usage:
MsgHostAddress = Fields.VarPeerAddress
' Use the date and time from the current message
MsgDate = Fields.VarDate & " " & Fields.VarTime
Data = MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText
Hostname: Text string containing the hostname or IP address of the remote host.
Message: Text string containing the priority tag and syslog message text
Port: Integer between 1 and 65535 (514 is the standard syslog port)
This function can be used to send syslog messages to another syslog host via the UDP or TCP protocol.
Example usage:
' Construct the syslog message by adding <PRI> value to the front of the text
Message = "<" & CStr(Priority) & ">" & "This is an example of a syslog message"
FIELDS.ACTIONSPOOFSYSLOG(ADAPTERADDRESS, SRCADDRESS,
DSTADDRESS, DSTPORT, MESSAGE)
Function: Sends a spoofed Syslog Message (UDP only) to DstAddress on Port DstPort. Return value: None
AdapterAddress: Text string containing the IP or MAC address of the network adapter that the message
will be sent from.
SrcAddress: Text string containing the hostname or IP address of the source of the message (actual or
spoofed)
DstAddress: Text string containing the hostname or IP address of the remote (receiving) host.
DstPort: Integer between 1 and 65535 (514 is the standard syslog port)
Message: Text string containing the priority tag and syslog message text
This function can be used to send syslog messages to another syslog host via the UDP protocol.
Example usage:
AdapterAddress = "192.168.1.100" ' Adapter Address (can be an IP address, e.g. "192.168.0.1", or a MAC address, e.g. "00:50:56:C0:00:08")
' Construct the syslog message by adding <PRI> value to the front of the text
Message = "<" & CStr(Priority) & ">" & "This is an example of a syslog message"
This option also requires that WinPcap version 4.1 and above is installed. WinPcap (Windows Packet
Capture library) is available for download from: WinPcap, The Packet Capture and Network Monitoring
Library for Windows
Function: Writes data to the specified log file. This function uses a write cache to improve performance.
The cache is flushed every 100 messages or 5 seconds, whichever comes first. The cache settings can be
adjusted via registry settings. This function is exactly the same as ActionLogToFile, except that it uses a
write cache. We recommend the use of the write caching function when you are receiving more than 10
messages per second. Return value: None
This function can be used to log messages to file in your own format.
To have the filename contain the current hour of the day, use %TimeHH
Example usage:
MsgHostAddress = Fields.VarPeerAddress
' Use the date and time from the current message
MsgDate = Fields.VarDate & " " & Fields.VarTime
Data = MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText
Note: this example requires that Read permission be enabled for "Other fields". This gives the script read
access to the VarDate and VarTime variables.
The parameters RotateLogFile, RotationType, NumLogFiles, Amount and Unit are all optional and only need
to be specified if logging to a rotated log file.
RotateLogFile:
RotationType:
0 = Rotate log files when log file size exceeds the amount specified by Amount and Unit
1 = Rotate log files when log file age exceeds the amount specified by Amount and Unit
Amount:
Unit For RotationType=0 : Unit relates to the size of the file and specifies whether the Amount is Bytes, KB,
MB, etc.
0 = Bytes
1 = Kilobytes
2 = Megabytes
3 = Gigabytes
For RotationType=1: Unit relates to the age of the file and specifies whether the Amount is Minutes, Days,
Weeks, etc.
0 = Minutes
1 = Hours
2 = Days
3 = Weekdays
4 = Weeks
5 = Months
6 = Quarters
7 = Years
Example Usage:
MsgHostAddress = Fields.VarPeerAddress
' Use the date and time from the current message
MsgDate = Fields.VarDate & " " & Fields.VarTime
MsgText = "This is a test message from the scripting action"
Data = MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText

MsgHostAddress = Fields.VarPeerAddress
' Use the date and time from the current message
MsgDate = Fields.VarDate & " " & Fields.VarTime
Data = MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText
FIELDS.ACTIONDELETEFILE(FILENAME)
Function: Attempts to delete the specified file.
This function can be used to delete a log file to ensure a fresh start.
This function does not support wildcards, a specific file name must be specified. No confirmation is
required, so be careful when using this function.
Example usage:
Call Fields.ActionDeleteFile(Filename)
FIELDS.ACTIONDISPLAY(DISPLAYNUMBER, TABDELIMITEDMESSAGE)
Function: Displays a message to the specified virtual display number.
This function can be used to display messages on the screen in your own format.
The TabDelimitedMessage must contain 5 tab delimited fields. The contents of each field can be anything
you like. The normal display fields are: Date TAB Time TAB Priority TAB Hostname TAB Message.
Example usage:
With Fields
    MsgPriority = .ConvertPriorityToText(.VarPriority)
    MsgHostAddress = .VarPeerAddress
    ' Use the date and time from the current message
    MsgDate = .VarDate & " " & .VarTime
    Display = MsgDate & vbTab & MsgTime & vbTab & MsgPriority & vbTab & _
End With
Return value: For success, an empty string is returned. Otherwise the error is passed back as a string
value.
This function can be used to log messages to a database in your own format. The connection to the
database is held open internally to the program. This avoids the overhead of creating and breaking the
connection each time data is sent. If no further data is sent to the database, once the timeout period has
elapsed, the connection will be closed. The next time data needs to be sent, the connection will be
reopened.
Example usage:
In the case of this example, a System DSN called "KiwiSyslog" has been created and points to a MS Access
database. The SQL insert statement syntax changes slightly depending on the database type being written
to. The example here has only been tested on MS Access 97 and 2000.
This example assumes that a table called "Syslogd" has already been created and contains all the required
fields.
MyDSN = "DSN=KiwiSyslog;"
MyTable = "Syslogd"
MyFields = "MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText"
With Fields
    SQLcmd = "INSERT INTO " & MyTable & " (" & MyFields & ") VALUES (" & _
    ' Log the data to database using DSN, Table, SQLcmd and Timeout of 30 seconds
    ' VarCustom01 now holds the return value from the function.
End With

Function Quote(Data)
    ' Replace all occurrences of ' with '' to escape existing quotes
    Quote = Replace(Data, "'", "''")
End Function
Note:
• This example requires that Read permission is enabled for "Other fields". This gives the script read
  access to the .VarDate and .VarTime variables.
• There are more example scripts installed in the \Scripts sub folder.
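The following is an added example in Python using sqlite3; it is not Kiwi Syslog Server code. It rebuilds the INSERT statement the way the script above assembles SQLcmd, with a quote() helper that does what the script's Quote() comment describes (every ' doubled to ''), shows what happens to the same statement when message text is concatenated without that escaping, and adds the parameterised form that leaves quoting to the driver. The page's script targets an ODBC DSN and an MS Access table called Syslogd; an in-memory SQLite table with the same five columns stands in, and the sample row is constructed.

```python
"""Building the ActionLogToDatabase INSERT safely.

Added example in Python with sqlite3, not Kiwi Syslog Server code. The
page's script targets an ODBC DSN and an MS Access table named Syslogd; an
in-memory SQLite table with the same five columns stands in here. quote()
implements the Quote() helper described in the script comment, and
log_with_parameters() shows the parameterised form that avoids string
assembly altogether. The sample row is constructed.
"""
import sqlite3

TABLE = "Syslogd"
FIELDS = "MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText"


def quote(data) -> str:
    """Model of the script's Quote(): double every single quote and wrap the
    value in quotes, so text arriving from a remote device cannot end the
    literal early. Wrapping is this model's choice; the page states only the
    doubling."""
    return "'" + str(data).replace("'", "''") + "'"


def open_db() -> sqlite3.Connection:
    """Create the Syslogd table with the five columns the script inserts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (MsgDate TEXT, MsgTime TEXT, "
                 "MsgPriority TEXT, MsgHostname TEXT, MsgText TEXT)")
    return conn


def build_sqlcmd(row: dict, quoter=quote) -> str:
    """String assembly as in the VBScript:
    INSERT INTO table (fields) VALUES (quoted values)."""
    values = ",".join(quoter(row[name]) for name in FIELDS.split(","))
    return f"INSERT INTO {TABLE} ({FIELDS}) VALUES ({values})"


def _run(conn, sql, params=()) -> str:
    """Execute and return '' on success like the action, else the error text."""
    try:
        conn.execute(sql, params)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


def log_with_quote(conn, row: dict) -> str:
    """The script's approach: assemble the statement with Quote() applied."""
    return _run(conn, build_sqlcmd(row))


def log_naive(conn, row: dict) -> str:
    """Same assembly but bare quotes and no doubling: a message containing an
    apostrophe breaks the statement, which is the failure Quote() prevents."""
    return _run(conn, build_sqlcmd(row, quoter=lambda v: f"'{v}'"))


def log_with_parameters(conn, row: dict) -> str:
    """Preferred form: placeholders let the driver handle every value."""
    sql = f"INSERT INTO {TABLE} ({FIELDS}) VALUES (?,?,?,?,?)"
    return _run(conn, sql, [row[name] for name in FIELDS.split(",")])


def stored_texts(conn) -> list:
    """MsgText of every row in insertion order."""
    return [r[0] for r in conn.execute(f"SELECT MsgText FROM {TABLE} ORDER BY rowid")]


SAMPLE_ROW = {   # constructed, modelled on the VarCleanMessageText example
    "MsgDate": "2005-03-17",
    "MsgTime": "23:10:04",
    "MsgPriority": "Local0.Info",
    "MsgHostname": "192.168.1.67",
    "MsgText": "%SEC-6-IPACCESSLOGP: list 101 denied udp from O'Brien's host, 1 packet",
}
```

Whichever form a script uses, the point of the example is that message text is remote input: the sample row logs cleanly through log_with_quote() and log_with_parameters() and fails through log_naive() solely because of the apostrophes in MsgText.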
Since the backslash itself represents the start of an escape sequence, you cannot directly type one in your
script.
If you want to include a backslash, you must type two sequential characters (\\).
For example:
The single quote and double quote escape sequences can be used to include quotes in string literals.
For example:
\b Backspace
\r Carriage return. Use with the line feed (\r\n) to format output.
\t Horizontal tab
\\ Backslash (\)
Scripting dictionaries
When you are writing scripts, the dictionaries collection allows for the creation of (named) dictionaries that
store data key and item pairs. The data stored in these dictionaries is persistent, in that it exists for the
lifetime of the application. Dictionaries have essentially the same scope as the VarGlobal variables in the
Fields namespace.
A named Dictionary is the equivalent of a Perl associative array. Items, which can be any form of data,
are stored in the array. Each item is associated with a unique key. The key is used to retrieve an individual
item and is usually an integer or a string, but can be anything except an array.
All dictionary methods and properties are accessible through the "dictionaries" namespace.
dicName Required The name of the dictionary. If dicName does not exist, it will be created.
dicKey Required The key associated with the item being stored. If dicKey does not exist, it will
be created.
dicItem Required The item associated with the key being stored.
ADDITEM
The .AddItem() and .UpdateItem() methods have been supplanted as of version 8.1.4 of Kiwi Syslog
Server, by the .StoreItem() method. However, to ensure backwards compatibility the usage of
.AddItem() and .UpdateItem() will continue to be supported.
The AddItem method adds a key, item pair to a named dictionary. An error will occur if the key dicKey
already exists in the dictionary dicName.
dicName Required The name of the dictionary. If dicName does not exist, it will be created.
dicKey Required The key associated with the item being added.
dicItem Required The item associated with the key being added.
UPDATEITEM
UpdateItem(dicName As String, dicKey As String, dicItem As Variant)
The UpdateItem method updates the item associated with key dicKey to the value in dicItem. Only the
dictionary dicName is affected. An error will occur if dictionary dicName does not exist, or if key dicKey
does not exist.
dicKey Required The key associated with the item being updated.
REMOVEITEM
RemoveItem(dicName As String, dicKey As String)
The RemoveItem method removes a key, item pair from the dictionary dicName. An error will occur if
dictionary dicName does not exist, or if key dicKey does not exist.
dicKey Required The key associated with the item being removed.
REMOVEALL
RemoveAll(dicName As String)
The RemoveAll method removes all key, item pairs from the dictionary dicName. An error will occur if
dictionary dicName does not exist.
DELETE
Delete(dicName As String)
The Delete method deletes the entire dictionary dicName. An error will occur if dictionary dicName does
not exist.
Example: Call Dictionaries.RemoveItem("MyDictionary", "MyKeyName")
DELETEALL
DeleteAll()
GETITEMCOUNT
GetItemCount(dicName As String) As Long
The GetItemCount property returns the number of items in the dictionary dicName. An error will occur if
dictionary dicName does not exist.
GETITEM
GetItem(dicName As String, dicKey As String) As Variant
The GetItem property returns an item for a specified key dicKey in dictionary dicName. An error will
occur if dictionary dicName does not exist, or if key dicKey does not exist.
dicKey Required The key associated with the item being fetched.
ITEMEXISTS
ItemExists(dicName As String, dicKey As String) As Boolean
The ItemExists property returns True if the specified key dicKey exists in the dictionary dicName. An error
will occur if dictionary dicName does not exist.
dicKey Required The key associated with the item being fetched.
GETKEYS
GetKeys(dicName As String) As Variant
The GetKeys property returns an array containing all the keys in the dictionary dicName. An error will
occur if dictionary dicName does not exist.
GETITEMS
GetItems(dicName As String) As Variant
The GetItems property returns an array containing all the items in the dictionary dicName. An error will
occur if dictionary dicName does not exist.
Example:
MyItemArray = Dictionaries.GetItems("MyDictionary")
For i = 0 To UBound(MyItemArray)
    ThisItem = MyItemArray(i)
    ...
Next
ERROR REFERENCE
FUNCTION NAME       ERROR DESCRIPTION
Delete()            Script Error executing .Delete() - Dictionary [x] does not exist
AddItem()           Script Error executing .AddItem() - Dictionary Key [x] already exists in dictionary [y]
UpdateItem()        Script Error executing .UpdateItem() - Dictionary Key [x] does not exist in dictionary [y]
RemoveItem()        Script Error executing .RemoveItem() - Dictionary Key [x] does not exist in dictionary [y]
RemoveAllItems()    Script Error executing .RemoveAllItems() - Dictionary [x] does not exist
GetItemCount()      Script Error executing .GetItemCount() - Dictionary [x] does not exist
GetItems()          Script Error executing .GetItems() - Dictionary [x] does not exist
GetKeys()           Script Error executing .GetKeys() - Dictionary [x] does not exist
GetItem()           Script Error executing .GetItem() - Dictionary Key [x] does not exist in dictionary [y]
ItemExists()        Script Error executing .ItemExists() - Dictionary [x] does not exist
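The Python model below is an added example and not Kiwi Syslog Server code. Its Dictionaries class follows the method list and error reference above (AddItem fails on an existing key, UpdateItem, RemoveItem and GetItem fail on a missing one, StoreItem creates or replaces, and nothing is cleared between messages), and process_message() shows the reason such persistent storage exists: a count per sending host that survives from one message to the next, which the per-message VarCustom fields cannot hold, so a Run Script action can flag a host once it reaches a threshold. The threshold, the "denied" keyword, the dictionary name DenyCount and the message lines in the usage are all constructed for this example.

```python
"""A model of the Dictionaries namespace and a cross-message counter built on it.

Added example in Python, not Kiwi Syslog Server code. Dictionaries implements
the methods and error texts listed above (AddItem fails on an existing key,
UpdateItem/RemoveItem/GetItem fail on a missing one, StoreItem creates or
replaces, and nothing is cleared between messages). process_message() is the
kind of per-message logic a Run Script action would hold: it counts "denied"
messages per sending host and reports once a host reaches a threshold. The
message lines and addresses used with it are constructed.
"""


class ScriptError(Exception):
    """Raised where Kiwi would report 'Script Error executing ...'."""


class Dictionaries:
    def __init__(self):
        self._dics = {}     # name -> {key: item}; lives as long as the process

    def _dic(self, method, name):
        if name not in self._dics:
            raise ScriptError(f"Script Error executing .{method}() - "
                              f"Dictionary [{name}] does not exist")
        return self._dics[name]

    def _need_key(self, method, name, key):
        dic = self._dic(method, name)
        if key not in dic:
            raise ScriptError(f"Script Error executing .{method}() - Dictionary Key "
                              f"[{key}] does not exist in dictionary [{name}]")
        return dic

    def StoreItem(self, name, key, item):   # creates dictionary and key as needed
        self._dics.setdefault(name, {})[key] = item

    def AddItem(self, name, key, item):
        dic = self._dics.setdefault(name, {})
        if key in dic:
            raise ScriptError(f"Script Error executing .AddItem() - Dictionary Key "
                              f"[{key}] already exists in dictionary [{name}]")
        dic[key] = item

    def UpdateItem(self, name, key, item):
        self._need_key("UpdateItem", name, key)[key] = item

    def RemoveItem(self, name, key):
        del self._need_key("RemoveItem", name, key)[key]

    def RemoveAll(self, name):
        self._dic("RemoveAllItems", name).clear()

    def Delete(self, name):
        self._dic("Delete", name)
        del self._dics[name]

    def DeleteAll(self):
        self._dics.clear()

    def GetItemCount(self, name):
        return len(self._dic("GetItemCount", name))

    def GetItem(self, name, key):
        return self._need_key("GetItem", name, key)[key]

    def ItemExists(self, name, key):
        return key in self._dic("ItemExists", name)

    def GetKeys(self, name):
        return list(self._dic("GetKeys", name))

    def GetItems(self, name):
        return list(self._dic("GetItems", name).values())


DENY_THRESHOLD = 3      # report a host on its third denied packet (constructed)


def process_message(dics, peer_address, clean_text):
    """Main() of a hypothetical Run Script action. Returns the text to place
    in a custom field when the threshold is reached, else ''. Because the
    dictionary outlives the message, the count carries over from one message
    to the next, unlike the VarCustom fields."""
    if "denied" not in clean_text:
        return ""
    try:
        count = dics.GetItem("DenyCount", peer_address) + 1
    except ScriptError:                 # dictionary or key not seen yet
        count = 1
    dics.StoreItem("DenyCount", peer_address, count)
    if count == DENY_THRESHOLD:
        return f"{peer_address} reached {count} denied packets"
    return ""


def replay(dics, messages):
    """Feed (peer address, clean text) pairs through process_message and
    return the reports produced."""
    reports = []
    for peer, text in messages:
        report = process_message(dics, peer, text)
        if report:
            reports.append(report)
    return reports
```

In VBScript the try/except around GetItem would be an ItemExists() test guarded by On Error Resume Next for the first message, or a StoreItem() call made once from a Run Script task on startup; the semantics that matter, that the counter is never reset by a new message, are the same.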
Scripting tutorial
This tutorial will show you how to create your own script and use it to search and replace text within a
syslog message.
7. Copy and paste the following script file into Notepad and then choose File > Save.
Function Main()
    ' Replace cat with dog within the message text field
    Fields.VarCleanMessageText = Replace(Fields.VarCleanMessageText, "cat", "dog")
    ' Return OK to tell syslog that the script ran correctly.
    Main = "OK"
End Function
The Run script action should be above the display and log to file actions. If not, you can move it up the list
by selecting the action and using the ^ toolbar button.
Rules
Filters
Actions
Run Script
Display
Log to file
Once the script runs, the results are opened in Notepad. There you will be able to see all the script
variables. Check the VarCleanMessageText field and you should see the word "cat" has been changed to
"dog".
You should now see this message appear on the display "This is a test. The dog sat on the mat."
• Archive tasks move or copy files to another location and (optionally) compress the files.
• Clean-up tasks delete files that meet the specified criteria (for example, files over a certain age).
• Run Program tasks run a Windows program.
• Run Script tasks run a script.
• On a schedule
• When the Kiwi Syslog Server application or service starts
• When the Kiwi Syslog Server application or service stops
If multiple tasks are set to run at the same time, the tasks run in the order they are listed on the Setup
dialog. You can rearrange scheduled tasks.
You can also create a scheduled task to remove archived files after the retention period is over. For
an example of creating archive and cleanup tasks, see Create schedules to automate log archival
and retention in the Kiwi Syslog Server Getting Started Guide.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.
3. Replace the default name with a descriptive name (for example, Archive logs after 7 days).
5. As the Task Trigger, specify when you want the archive task to run:
• To schedule the task, select On a schedule. Then specify the start date, frequency, end date,
  and any exceptions on the Schedule tab.
• To run the task each time you start or stop the Kiwi Syslog Server application or service, select
  On app/service startup or On app/service shutdown.
6. On the Source tab:
a. Under Source location, specify the location of the files to archive.
By default, log files are stored in the following directory:
C:\Program Files (x86)\Syslogd\Logs\
You can use the Adjust file/folder date(s) option to adjust each file or folder date to reflect the
date of the logs, instead of the current date. For example, if you are archiving files that are a
week old, you can shift the date back one week.
8. To compress the archived files, select the following options on the Archive Options tab:
a. Select Zip files after moving/copying.
c. (Optional) To encrypt the files, select Encrypt zip files, and specify the encryption properties.
Encryption strength: If you selected WinZip AES, specify the size of the encryption key.
9. To run a program after the files are archived, select the following options on the Archive Options
tab:
a. Select the option to run a program after each file is archived or after all files are archived.
b. Specify the location of the executable file, and enter any command-line parameters to pass to
the executable.
To include a file name, folder name, or current date in the command-line parameters, click
Variable options and select the value to include.
c. To specify the maximum time to wait for the program to run, select Wait for program
completion. Then enter the maximum number of seconds to wait.
Programs or processes that are still running after this period are terminated.
10. To email or save the report generated each time the archive task runs, select one or more options
on the Archive Notifications tab.
• To email the report to multiple recipients, separate the list of email addresses by
  commas or semicolons.
• If you save the report to a file, insert date and time variables in the file name to ensure
  that it is unique. If the file name is not unique, Kiwi Syslog Server overwrites the
  existing file when it creates a new file.
You can also create a scheduled task to archive log files not needed for troubleshooting. For an
example of creating archive and cleanup tasks, see Create schedules to automate log archival and
retention in the Kiwi Syslog Server Getting Started Guide.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.
7. To delete empty folders in the source location, click the Clean-up Options tab and select Remove
empty folders.
8. To email or save the report generated each time the clean-up task runs, select one or more options
on the Clean-up Notification tab.
• To email the report to multiple recipients, separate the list of email addresses by
  commas or semicolons.
• If you save the report to a file, insert date and time variables in the file name to ensure
  that it is unique. If the file name is not unique, Kiwi Syslog Server overwrites the
  existing file when it creates a new file.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.
4. As the Task Type, select Run Program.
5. As the Task Trigger, specify when you want the archive task to run:
• To schedule the task, select On a schedule. Then specify the start date, frequency, end date,
  and any exceptions on the Schedule tab.
• To run the task each time you start or stop the Kiwi Syslog Server application or service, select
  On app/service startup or On app/service shutdown.
6. On the Program Options tab, complete the following fields:
Process Select the priority of the process created when the program runs. Select Normal (the
priority default) for programs with no special scheduling needs.
Low priority processes run only when the system is idle. High and Realtime
priority processes preempt the threads of lower level priorities. For more
information on each priority level, see the ProcessPriority registry setting.
Window If the program has a user interface, select the Window mode.
mode
Wait for Select this option if you want Kiwi Syslog Server to suspend all processing until the
program program has started. Then enter the maximum time that Kiwi Syslog Server should
initialization wait.
to complete Use this setting if something interacts with the program after it starts and you want
to be sure that the program has started before the interaction is triggered. To
determine if the program has started, Kiwi Syslog Server monitors the process that
is created when the program starts, and waits for that process to signal that it is
idle.
7. To email or save the report generated each time the clean-up task runs, select one or more options
on the Run Program Notification tab.
l To email the report to multiple recipients, separate the list of email addresses by
commas or semicolons.
l If you save the report to a file, insert date and time variables in the file name to ensure
that it is unique. If the file name is not unique, Kiwi Syslog Server overwrites the
existing file when it creates a new file.
For information about writing scripts to use with Kiwi Syslog Server, see Scripting resources.
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.
6. On the Program Options tab, complete the following fields:
Script file name: Enter the path and file name of an existing script file or of the file to be created.
Script language: Select the language the script is written in:
l VBScript: a variation of Visual Basic or VBA (Visual Basic for Applications) used in MS Word and Excel.
l PerlScript
l Python
l RubyScript
Field Read/Write permissions: Select the groups of fields that the script can access:
l When you grant read access to a group of fields, their values are copied into the script variables and are readable from within the script.
l When you grant write access to a group of fields, their values are copied back from the script variables when the script completes and replace the equivalent program fields.
Each time a script runs, the available message fields are copied to the script variables and back again when the script completes. The copying takes time and uses CPU cycles. To improve script performance, SolarWinds recommends granting read and write access only to the field groups the script uses. Granting write access only where it is needed also limits what a faulty script can overwrite.
For more information about the fields in each group, see Script variables.
7. To email or save the report generated each time the script task runs, select one or more options on the Run Program Notification tab.
l To email the report to multiple recipients, separate the list of email addresses by commas or semicolons.
l If you save the report to a file, insert date and time variables in the file name to ensure that it is unique. If the file name is not unique, Kiwi Syslog Server overwrites the existing file when it creates a new file.
Set alarms
Use alarms to monitor network traffic, disk space, and the number of messages in the queue waiting to be processed. When an alarm is triggered, Kiwi Syslog Server alerts you by playing a sound, sending an email, or running a program.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Alarms node.
3. Click the type of alarm you want to enable.
Min message count: The alarm is triggered if Kiwi Syslog Server receives fewer than the specified number of messages per hour. This can indicate that messages are not being received, for example because a log source has stopped sending or the path from it is broken.
Max message count: The alarm is triggered if Kiwi Syslog Server receives more than the specified number of messages per hour.
Disk space usage: The alarm is triggered if the amount of free disk space on the disk where Kiwi Syslog Server is installed drops below the specified threshold. You can also select options to close TCP connections or stop disk logging when free disk space is below the specified levels.
Notify by e-mail: An email is sent to the alarm message recipients specified in E-mail settings. The email message includes the alarm message, the threshold that was exceeded, and the current value. For context, the last hour's statistics are also included.
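The two message-count alarms and the disk-space alarm above, written out as an added example (not code from Kiwi Syslog Server, which does not expose this logic): a sliding one-hour window that flags too few or too many messages, and a free-space check that maps thresholds to the alert, close-TCP and stop-logging actions. The thresholds and arrival times are constructed, and the three-tier disk thresholds are an assumption about how one would set them.

```python
import shutil
from collections import deque


class MessageRateAlarm:
    """Sliding one-hour window over message arrival times, checked against a
    minimum and a maximum count like the Min/Max message count alarms."""

    WINDOW = 3600  # seconds

    def __init__(self, min_per_hour=None, max_per_hour=None):
        self.min_per_hour = min_per_hour
        self.max_per_hour = max_per_hour
        self._times = deque()  # arrival times (seconds) still inside the window

    def _expire(self, now):
        while self._times and now - self._times[0] >= self.WINDOW:
            self._times.popleft()

    def record(self, now):
        """Call once per received message with its arrival time in seconds."""
        self._times.append(now)
        self._expire(now)

    def count(self, now):
        self._expire(now)
        return len(self._times)

    def check(self, now):
        """Names of the alarms that are triggered at time `now`."""
        n = self.count(now)
        triggered = []
        # Too few messages usually means a source went quiet or a path broke:
        # treat it as a monitoring failure, not as a quiet network.
        if self.min_per_hour is not None and n < self.min_per_hour:
            triggered.append("min_message_count")
        if self.max_per_hour is not None and n > self.max_per_hour:
            triggered.append("max_message_count")
        return triggered


def disk_space_actions(free_bytes, alarm_mb, close_tcp_mb, stop_logging_mb):
    """Actions the Disk space usage alarm offers for a given amount of free
    space: alert, close TCP connections, stop disk logging (thresholds in MB).
    The two drastic actions are expected at lower thresholds than the alert."""
    free_mb = free_bytes / (1024 * 1024)
    actions = []
    if free_mb < alarm_mb:
        actions.append("alert")
    if free_mb < close_tcp_mb:
        actions.append("close_tcp_connections")
    if free_mb < stop_logging_mb:
        actions.append("stop_disk_logging")
    return actions


def check_install_disk(path=".", alarm_mb=500, close_tcp_mb=200, stop_logging_mb=100):
    """Evaluate the disk holding `path` (the installation directory in practice)."""
    free = shutil.disk_usage(path).free
    return disk_space_actions(free, alarm_mb, close_tcp_mb, stop_logging_mb)


if __name__ == "__main__":
    alarm = MessageRateAlarm(min_per_hour=10, max_per_hour=1000)
    for t in range(0, 3000, 600):       # five messages in 50 minutes (constructed)
        alarm.record(t)
    print(alarm.check(3000))            # ['min_message_count']
    print(check_install_disk())
```

The minimum-count check is the one to keep enabled on a collector: a source that silently stops logging produces no error anywhere else.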
Log file and database formats
When you add an action to log messages to a file, you can:
Example 2017-07-22 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
Example 2017-07-22 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
Example 07-22-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
Message text
Example 22-07-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
Example 07-22-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
Example 22-07-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
Example Jul 22 12:34:56 [SPACE] firewall-inside [SPACE] amd[308]: key sys: No value component in
"rw,intr"
Format <Message><DateTime>Date Time</DateTime><Priority>Facility.Level</Priority><Source_Host>Host name</Source_Host><MessageText>Message text</MessageText></Message>
Example <Message><DateTime>2017-07-23 21:53:35</DateTime><Priority>Local7.Debug</Priority><Source_Host>firewall-inside</Source_Host><MessageText> prot=UDP port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64</MessageText></Message>
Example rnrsoft [TAB] 2017-07-23 [TAB] 22:02:51 [TAB] firewall-inside [TAB] 7 [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
More information on ReportGen for SonicWall, PIX, GNATbox and Netscreen can be found on their website.
WEBTRENDS FORMAT
Format WTsyslog [SPACE] Date (YYYY-MM-DD) [SPACE] Time (HH:MM:SS) [SPACE] ip=Host address (a.b.c.d) [SPACE] pri=Level (numeric 0-7) [SPACE] Message text
Example <191>Built outbound TCP connection 12004 for faddr grc.com/80 gaddr 192.168.2.2/4120 laddr
192.168.1.1/4391
Example Jul 22 12:34:56 [SPACE] 192.168.1.1 [SPACE] key sys: No value component in "rw,intr"
Example Built outbound TCP connection 12004 for faddr grc.com/80 gaddr 192.168.2.2/4120 laddr
192.168.1.1/4391
Example 2017-07-22 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64
More information on Sawmill log processing software can be found on Sawmill website.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Formatting node.
3. Right-click the Custom file formats node and choose Add new custom file format.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. Specify the following options:
Log file fields: 1. Select the fields that you want to include in the log file. (See the examples of fields and values below.) 2. Drag and drop the fields to specify the order in which the information is shown.
Custom fields are for use by the run script action. By writing a parsing script, the syslog message text can be broken down into various sub fields. The values can then be assigned to the 16 custom fields and logged to a file. Because each device manufacturer creates syslog messages in a different format, it is not possible to create a generic parser that will break up the message text into separate fields. A custom script must be written to parse the message text and then place it in the custom fields. Example parsing scripts can be found in the \Scripts sub folder. If you select the Custom field checkbox, all 16 custom fields are written to the log file, each separated by the selected delimiter character.
Date and Time formats: Select the date and time formats appropriate for your location.
Field delimiter: Select the character used to separate the fields. Tab characters are the most common delimiters used for syslog files. A delimiter that can also occur inside message text from your devices makes the log ambiguous to parse; the Modifiers options can replace control characters such as embedded tabs and line breaks before the message is logged.
Qualifier: Select an option to enclose each field in quotes or tags. This option is useful when the delimiter is a comma, because a comma inside a field value would otherwise be read as a field separator.
Adjust time to UTC: Select this option to adjust the date and time stamps in your log files to UTC (GMT) time. The current time difference (in hours) between your system and UTC is shown in brackets.
Example field values:
Time          16:12:54
Milliseconds  123
Facility      Local7
Level         Debug
Priority      Local7.Debug
HostAddress   192.168.0.1
Hostname      host.company.com
InputSource   UDP
l Microsoft Access
l Microsoft SQL
l MySQL
l Oracle
The following sections describe the table columns used to store message field values. If you choose to
create the table manually before you add a Log to Database action, use the table design for the selected
database type.
DEFAULT MICROSOFT SQL AND GENERIC SQL DATABASE TABLE DESIGN
FIELD   NAME      TYPE   SIZE
Date    MSGDATE   Date   10
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Formatting node.
3. Right-click the Custom DB formats node and choose Add new custom DB format.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. Specify the following options:
Type: Select your database type from the Type dropdown menu. If your database type is not included, select Unknown format.
Function: Drag and drop the gray Function cells to specify the order in which fields are created in the database table. This is also the order in which data is inserted into the table.
Field name: 1. Select the fields to include as columns in the database table.
Custom fields are for use by the run script action. By writing a parsing script, the syslog message text can be broken down into various sub fields. The values can then be assigned to the 16 custom fields and logged to the database. Because each device manufacturer creates syslog messages in a different format, it is not possible to create a generic parser that will break up the message text into separate fields. A custom script must be written to parse the message text and then place it in the custom fields. Example parsing scripts can be found in the \Scripts sub folder. If you select the Custom field checkbox, all 16 custom fields are written to the table.
2. To edit a field name, double-click the name and replace it. The default names are known to work on all databases. If you change the date field to a name such as "DATE", this may cause a problem with some database types because "DATE" is a reserved word. Keeping the MSG prefix at the beginning of each field name avoids reserved words.
Size: For each field, specify the field size so that the largest data element fits into the field. Some field types do not need a size, because it is implied by the field type; for example, a field type of Time is always assumed to be 8 bytes. The size value is also used when data is logged to the database: as the data is passed to the database in an INSERT statement, it is trimmed to the specified field size, which avoids errors caused by data that is too large for the field. For example, if you specify a message text field of 255 bytes and a message arrives that is 300 bytes, the data is trimmed to 255 bytes before being logged. Trimming is silent, so size the message text column for the largest message you expect (see the Maximum message length option under Modifiers), or the end of long messages is lost.
Type: Match each field type to the type of data being logged. If you are not sure of the correct data type, "VarChar" is safe in most cases. When the data type cell is edited, a drop-down list lets you choose from the known data types. You can use your own type instead by typing the value into the cell. The data types shown in the list are specific to the selected database format; for example, "Text" in Access becomes "VarChar" in SQL.
Format: A data format can be specified for each data field. In most cases no formatting is needed. For date and time fields, the database accepts data in many formats and converts it to its own internal format, so when it is queried the data may appear in a different format from the one in which it was logged. The HostAddress field formatting allows you to zero-pad the address so that it appears with leading zeros. This ensures the address is always 15 bytes long and allows easy sorting by IP address. Leaving the format cell blank leaves the data unmodified; it is added as received.
Show SQL commands: Click this button to display the commands used to create the table and insert data into it. You can use these commands to create your own table within your database application. A default table name of "Syslogd" is assumed when the commands are generated.
Example SQL commands:
Database type: MySQL database
Database name: New Format
SQL command to create the table:
CREATE TABLE Syslogd (MsgDate DATE, MsgTime TIME, MsgPriority VARCHAR(30), MsgHostname VARCHAR(255), MsgText TEXT)
SQL INSERT command example:
MsgTimeMS adInteger 4 0
MsgFacilityNum adInteger 4 23
MsgLevelNum adInteger 4 7
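A parsing script for the custom fields, as described under Log file fields in the custom file format procedure and again under Field name in the custom DB format procedure above, together with the file record and the database insert that consume them. This is an added example, not one of the scripts shipped in Kiwi's \Scripts folder: it assumes the script's Fields object exposes Fields.VarCleanMessageText, Fields.VarPeerName, Fields.VarFacility and Fields.VarLevel as listed under Script variables, and it names the custom fields VarCustom01 to VarCustom16 (an assumption). A stand-in Fields object, the page's own example message and an in-memory SQLite table built from the CREATE TABLE shown above let it run on its own.

```python
import re
import sqlite3

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fixed slot order, so a given custom field always carries the same key.
SLOTS = ["prot", "port", "dst", "src", "bytes"]        # VarCustom01..VarCustom05

# The page's own example message, reused here as the sample input.
SAMPLE = "prot=UDP port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64"


class ScriptFields:
    """Stand-in for the Fields object a run-script action receives. Naming the
    custom fields VarCustom01..VarCustom16 is an assumption."""

    def __init__(self, text, peer_name="firewall-inside", facility="Local5", level="Debug"):
        self.VarCleanMessageText = text
        self.VarPeerName = peer_name
        self.VarFacility = facility
        self.VarLevel = level
        for i in range(1, 17):
            setattr(self, f"VarCustom{i:02d}", "")


def parse_kv(text):
    """WELF-style key=value pairs; a quoted value may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def populate_custom_fields(fields):
    """The work a parsing script's Main() does: split the message text into
    sub fields and place them in the custom fields. Unknown keys are ignored
    and missing keys leave their slot empty, so columns never shift."""
    kv = parse_kv(fields.VarCleanMessageText)
    for i, key in enumerate(SLOTS, start=1):
        setattr(fields, f"VarCustom{i:02d}", kv.get(key, ""))
    return "OK"


def custom_values(fields):
    return [getattr(fields, f"VarCustom{i:02d}") for i in range(1, 17)]


def custom_field_record(fields, delimiter="\t", qualifier=""):
    """All 16 custom fields separated by the delimiter, optionally qualified.
    A value carrying the delimiter or a line break would add columns or lines
    to the log file, so those characters are replaced (an addition here)."""
    cells = []
    for value in custom_values(fields):
        value = value.replace("\r", "").replace("\n", "").replace(delimiter, " ")
        cells.append(f"{qualifier}{value}{qualifier}")
    return delimiter.join(cells)


# Column sizes as declared in the custom DB format above (MsgText is unbounded).
DB_SIZES = {"MsgPriority": 30, "MsgHostname": 255}


def open_db():
    """In-memory SQLite table created with the CREATE TABLE shown above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Syslogd (MsgDate DATE, MsgTime TIME, "
                 "MsgPriority VARCHAR(30), MsgHostname VARCHAR(255), MsgText TEXT)")
    return conn


def insert_message(conn, fields, msg_date, msg_time):
    """Trim each value to its declared size, as the guide says Kiwi does, and
    bind the values as parameters instead of pasting them into the SQL text."""
    row = {
        "MsgDate": msg_date,
        "MsgTime": msg_time,
        "MsgPriority": f"{fields.VarFacility}.{fields.VarLevel}"[:DB_SIZES["MsgPriority"]],
        "MsgHostname": fields.VarPeerName[:DB_SIZES["MsgHostname"]],
        "MsgText": fields.VarCleanMessageText,
    }
    conn.execute("INSERT INTO Syslogd (MsgDate, MsgTime, MsgPriority, MsgHostname, MsgText) "
                 "VALUES (:MsgDate, :MsgTime, :MsgPriority, :MsgHostname, :MsgText)", row)
    return row


if __name__ == "__main__":
    f = ScriptFields(SAMPLE)
    populate_custom_fields(f)
    print(custom_field_record(f).replace("\t", "|"))
    db = open_db()
    insert_message(db, f, "2017-07-22", "12:34:56")
    print(db.execute("SELECT MsgPriority, MsgHostname, MsgText FROM Syslogd").fetchone())
```

Two design points carry over to a real script: keep the key-to-slot assignment fixed so that a column in the log or table always means the same thing regardless of which keys a particular message happens to contain, and treat values as untrusted input, since a device (or anyone who can reach the UDP port) controls them.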
DNS setup options
See the following topics to set DNS options:
l DNS resolution
l DNS setup
l DNS caching
DNS resolution
Complete the following steps to specify DNS resolution options.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click DNS Resolution.
3. Specify the following options:
Resolve the address of the sending device: This converts the IP address of the sending device into a more meaningful host name. Instead of 203.50.23.4 you will see something like "sales-router.company.com". The resolved host name is then used in the display and other actions. The host name is also used for the "Hostname" type filter. If you like, the domain name section can be removed from the display by using the Remove the domain name option.
Remove the domain name (show only the host name): If the Resolve the address of the sending device option is also checked, this option removes the trailing domain name from the resolved host name. In this case, instead of "sales-router.company.com" you will see just "sales-router". Enabling this option is useful when you only receive messages from a single domain or to reduce the amount of space used by the host name in the scrolling display. This option also affects the host name field used for all the logging actions, so two devices with the same host name in different domains become indistinguishable in the logs.
* NetBIOS names can require more time to resolve than normal DNS entries. If you want to resolve NetBIOS names, increase the DNS timeout to 20 or 30 seconds.
Examples:
Test user connected to website http://192.168.1.2/index.html. src=192.168.5.100 rxbytes=64
With the replace IP address with host name option, the message becomes...
Test user connected to website http://website.company.com/index.html. src=userpc.company.com rxbytes=64
With the place host name next to IP address option, the message becomes...
Test user connected to website http://192.168.1.2 (website.company.com) /index.html. src=192.168.5.100 (userpc.company.com) rxbytes=64
Replacing the address removes it from the stored message, so if the logs may later be needed as evidence, prefer placing the host name next to the address.
The Remove the domain name option allows the stripping of the domain name portion from the resolved host name.
To selectively keep or remove the domain name based on a filter match, check the If domain name contains check box. Place the domain name substrings to remove in quotes. To filter multiple domains, separate each quoted string with a space or comma. For example:
".companyabc.com", ".companyxyz.co.uk"
An IP address resolved to mypc.company.co.uk will be changed to just "mypc".
Hostname tagging: When you have selected the place host name next to IP address option, the host name is normally tagged with br brackets and a space character. The resolved host name can be tagged with any characters you like. For example, you might prefix the host name with "hostname=[" and add a "] " suffix. You can change the prefix and suffix characters to fit the format of your messages. A suggested tagging format for WELF format messages is a prefix of resolved_host= and a suffix of a space character.
DNS query timeout: This option specifies the time to wait for the DNS server to respond to lookup queries. The default is 8 seconds. You may change this value if you are accessing a slow DNS server, or requests go through a slow network link. This timeout value should only be increased if you are trying to resolve addresses via NetBIOS (machine names of computers running Windows). Sometimes NetBIOS names can take up to 20 seconds to resolve via a unicast lookup request. If your DNS server is local and you are only resolving internal addresses, you can safely reduce the timeout to 3 seconds.
If you increase the timeout value too much, you may find that messages are queued up waiting for resolution to finish. When the queue reaches 1000 entries, messages are dropped, and a dropped message is lost rather than logged later. The message buffer free space can be seen on the main syslog screen. Keep the timeout short and rely on DNS caching and preemptive lookup (see DNS caching) rather than raising it.
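The replace and tag behaviour above, including domain stripping with an If domain name contains list and a custom prefix and suffix, as an added example that is not Kiwi code. Resolution comes from a constructed table standing in for the DNS cache; the default tag characters (" (" and ")") follow the text above, and the leading space in the WELF-style prefix used at the end is this example's choice.

```python
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed stand-in for resolved names; real code would query the cache/DNS.
RESOLVED = {
    "192.168.1.2": "website.company.com",
    "192.168.5.100": "userpc.company.com",
    "10.9.8.7": "mypc.company.co.uk",
}

# The page's own example message, reused as sample input.
SAMPLE = ("Test user connected to website http://192.168.1.2/index.html. "
          "src=192.168.5.100 rxbytes=64")


def strip_domain(name, contains=None):
    """Drop the domain part of a resolved name. With `contains` (the
    "If domain name contains" list), strip only when the domain part
    contains one of the listed substrings; otherwise keep the full name."""
    host, dot, domain = name.partition(".")
    if not dot:
        return name
    if contains is None or any(s in dot + domain for s in contains):
        return host
    return name


def resolve_in_text(text, mode, lookup=RESOLVED.get, remove_domain=False,
                    contains=None, prefix=" (", suffix=")"):
    """mode 'replace': IP -> host name.
    mode 'tag':     IP -> IP + prefix + host name + suffix.
    Addresses that do not resolve are left exactly as received."""
    if mode not in ("replace", "tag"):
        raise ValueError(f"unknown mode {mode!r}")

    def substitute(match):
        ip = match.group(0)
        name = lookup(ip)
        if name is None:
            return ip
        if remove_domain:
            name = strip_domain(name, contains)
        return name if mode == "replace" else f"{ip}{prefix}{name}{suffix}"

    return IPV4_RE.sub(substitute, text)


if __name__ == "__main__":
    print(resolve_in_text(SAMPLE, "replace"))
    print(resolve_in_text(SAMPLE, "tag"))
    # WELF-style tagging suggested above, with the domain stripped.
    print(resolve_in_text("src=10.9.8.7 dst=203.25.36.47", "tag",
                          remove_domain=True, prefix=" resolved_host=", suffix=""))
```

The regular expression matches any dotted quad, so a version string such as 1.2.3.4 inside message text is also sent to the lookup; it only changes if the lookup returns a name. Tag mode keeps the original address in the stored message, which is why it is the safer default for logs that may be used in an investigation.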
DNS setup
To view or edit DNS setup information:
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the DNS Resolution node.
3. Click DNS Setup.
4. Under Internal IP address - Name Resolution, specify the following options:
Internal IP address range(s): A list of masked IP addresses that identify your internal network address space. The default entries in this list are the standard internal (private) network address spaces identified in RFC 1918/3330/3927: the IANA reserved private address spaces and the link-local address range.
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
169.254.0.0 - 169.254.255.255 (link-local)
Adding an internal IP address range: Enter the masked IP address in the text box directly underneath the "Internal IP address range" list, and click the "Add" button. IP addresses must be masked with an "x" character, the "x" signifying that any value within the range (0-255) is acceptable. For example, if you have an internal address space of '10.0.0.0' - '10.255.255.255', you should enter the masked IP address as '10.x.x.x'.
Resolve internal addresses using NetBIOS: If checked, Kiwi Syslog Server will attempt to resolve the internal IP address by sending a NetBIOS broadcast query to the local subnet.
Resolve internal addresses using DNS server: If checked, Kiwi Syslog Server will attempt to resolve the internal IP address by sending a DNS query to a DNS server.
Preferred/Alternate internal DNS server addresses: These entries determine which internal DNS server the query is sent to. By default these addresses are auto-detected by Kiwi Syslog Server, and depending on your network configuration they may need to be altered. If the preferred DNS server is unavailable or cannot service the request, the same query is sent to the alternate DNS server. If no alternate DNS server is available, leave this address blank.
5. Under External IP address - Name Resolution, specify the following options:
Resolve external addresses using NetBIOS: If checked, Kiwi Syslog Server will attempt to resolve the external IP address using NetBIOS.
Resolve external addresses using DNS server: If checked, Kiwi Syslog Server will attempt to resolve the external IP address by sending a DNS query to a DNS server. Each such lookup is visible to the DNS server used and, for a reverse lookup, to whoever controls that address's reverse zone, so resolving external addresses tells outsiders which addresses appear in your logs.
Preferred/Alternate external DNS server addresses: These entries determine which external DNS server the query is sent to. By default these addresses are auto-detected by Kiwi Syslog Server, and depending on your network configuration they may need to be altered. If the preferred DNS server is unavailable or cannot service the request, the same query is sent to the alternate DNS server. If no alternate DNS server is available, leave this address blank.
DNS caching
Every time an IP address to hostname resolution is needed, the DNS server is queried. This can be an extra
overhead on the program, the network and the DNS server, especially if you receive lots of messages.
To reduce the DNS traffic and resolution time, a DNS cache is used. Once a hostname has been resolved
the result is stored locally. The next time that address needs to be resolved, the result is taken from the
cache instead of making another DNS request.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the DNS Resolution node.
3. Click DNS Caching.
View button: This dumps all the current cache entries into a file and then opens the file in Notepad. Information about the cache performance is also displayed.
Clear button: This clears all the dynamic (learned from DNS lookups) entries. It does not clear the static entries that have been loaded from file.
Clear All button: This clears the entire DNS cache of all entries (static and dynamic). A program restart is required to re-read the static entry file.
5. Under Cache settings:
Flush entries after X minutes: This option allows old cached entries to be flushed from the cache after a specified time. By default a time to live of 1440 minutes (1 day) is used. After an entry has been in the cache for a day, it is flushed and has to be re-learned via a lookup.
Enable preemptive lookup of IP addresses: Instead of looking up each address sequentially, this option extracts the IP addresses from the message before it is added to the processing queue. The addresses are resolved asynchronously and the results cached. When the message is processed seconds later, the results are already available in the cache. The DNS resolution is done via a multi-threaded lookup system that can handle up to 100 simultaneous lookups. If you are receiving lots of messages and want to resolve IP addresses as they arrive, it is highly recommended that this option be enabled.
Pre-load the cache with static entries from a hosts file: Enabling this option causes the program to load a list of static host entries at start-up. The list must contain IP addresses and host names separated by a tab character. The addresses are loaded into the cache and marked as static, which means they never expire and are not flushed like the dynamically learned entries. An example host file is included in the install folder. It is named "StaticHosts.txt".
Example of a host file:
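Internal address masks, a tab-separated static hosts file and the cache behaviour described under DNS setup and DNS caching above, as an added example that is not Kiwi code. The StaticHosts.txt content and the timestamps are constructed; skipping comment and blank lines in the hosts file is an assumption, and the 172.16/12 range is expanded into sixteen "x" masks because one per-octet mask cannot express it.

```python
import time

# Constructed contents of a hosts file: IP address, a tab, host name.
STATIC_HOSTS_TXT = (
    "192.168.1.2\twebsite.company.com\n"
    "192.168.5.100\tuserpc.company.com\n"
    "# comment and blank lines are skipped (an assumption)\n"
)

# The default internal ranges from the text, in the 'x' mask form. 172.16/12
# does not fit a single per-octet mask, so it becomes sixteen entries.
INTERNAL_MASKS = (["10.x.x.x", "192.168.x.x", "169.254.x.x"]
                  + [f"172.{n}.x.x" for n in range(16, 32)])


def mask_matches(mask, ip):
    """'10.x.x.x' matches 10.0.0.0 - 10.255.255.255; x stands for any octet."""
    m, o = mask.split("."), ip.split(".")
    return len(m) == len(o) == 4 and all(a == "x" or a == b for a, b in zip(m, o))


def is_internal(ip, masks=INTERNAL_MASKS):
    return any(mask_matches(m, ip) for m in masks)


def parse_static_hosts(text):
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, _, name = line.partition("\t")
        entries[ip.strip()] = name.strip()
    return entries


class DnsCache:
    """Static entries never expire; dynamic entries are flushed after the TTL."""

    def __init__(self, ttl_minutes=1440, static_text=""):
        self.ttl = ttl_minutes * 60
        self.static = parse_static_hosts(static_text)
        self.dynamic = {}           # ip -> (name, learned_at)
        self.hits = self.misses = 0

    def get(self, ip, now=None):
        now = time.time() if now is None else now
        if ip in self.static:
            self.hits += 1
            return self.static[ip]
        entry = self.dynamic.get(ip)
        if entry and now - entry[1] < self.ttl:
            self.hits += 1
            return entry[0]
        self.dynamic.pop(ip, None)  # expired: must be re-learned by a lookup
        self.misses += 1
        return None

    def learn(self, ip, name, now=None):
        self.dynamic[ip] = (name, time.time() if now is None else now)

    def clear(self):
        """Clear button: dynamic entries only."""
        self.dynamic.clear()

    def clear_all(self):
        """Clear All button: static entries too; they return only when the
        hosts file is read again (a program restart in Kiwi)."""
        self.dynamic.clear()
        self.static.clear()

    def resolve(self, ip, lookup, now=None):
        """Cache first; on a miss call `lookup(ip, internal)`, which stands
        for the NetBIOS or DNS query chosen for internal/external addresses,
        and remember its answer."""
        name = self.get(ip, now)
        if name is None:
            name = lookup(ip, is_internal(ip))
            if name:
                self.learn(ip, name, now)
        return name


if __name__ == "__main__":
    cache = DnsCache(static_text=STATIC_HOSTS_TXT)
    print(cache.get("192.168.1.2"), is_internal("192.168.1.2"), is_internal("203.25.36.47"))
```

A practical consequence of the mask syntax: an address range that is not octet-aligned has to be entered as several masks, and anything not covered is treated as external and sent to the external resolvers.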
Syslog message modifiers
When a message arrives, various modifications can be made to ensure that it fits within the specified bounds. The length of the message can be reduced, an invalid priority can be corrected, and extra CR and LF characters can be removed.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click Modifiers.
3. Specify the following options:
Replace non-printable characters with <ASCII value>: Some routers or hosts may send messages that contain control characters in the message text. For example, multi-line messages contain carriage returns and line feeds. If you enable this option, instead of trying to display control characters, the equivalent ASCII value is displayed. For example, when a carriage return is received, it is replaced with <013>. This also stops a message that contains line breaks from being written to the log file as more than one line.
Remove CR/LF from end of messages: Some routers or hosts send messages with a CR/LF attached to the end of the message text. This causes the log files to be double spaced. Check this box if you want to remove all trailing CR/LF characters from the messages.
Remove embedded date and time from Cisco messages: When a Cisco device sends a syslog message, it adds its own time stamp to the message. You may want to remove these extra time stamps to save space or make the logged files more readable. This option works by looking for a particular Cisco message format. It works with the following known Cisco date and time formats:
l Format for timestamp with timezone
47: *Mar 1 00:45:43 UTC: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console
Allow messages with priority > 191 (use default priority): Each syslog message has a priority code at the beginning of the message. Normally, with Unix systems and router devices, this priority code has a value between 0 and 191. Sometimes devices send messages with a priority code higher than 191. Although the priority value can be higher than 191, there is no standard that defines priority levels or facilities above 191. If this option is enabled, messages received with a priority higher than 191 have their priority set to the default priority setting.
Allow messages with no priority (use default priority): Some routers and hosts may send messages that contain no priority code. In situations where this occurs you can apply a default priority to the message. Check this box and then set the default priority you want to use from the drop-down lists. A normal syslog message has a priority code at the start of the message text, for example:
<100>This is a test message
The priority value should be between 0 and 191 for standard Unix priority codes (facility * 8 + severity level).
Maximum message length (bytes): This option allows you to limit the maximum size of incoming messages. You may want to change this to a lower value than the default 4096 bytes if you are only expecting small messages. This limit allows the program to reject oversize messages sent by attackers or produced by transmission errors. Some syslog servers may crash when receiving large packets; this option limits the size of the packet that the program accepts and processes. Syslog RFC 3164 states that legal syslog messages may not exceed 1024 bytes in length (not including packet headers).
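The modifiers above applied in code, as an added example that is not Kiwi code: length limit, PRI check, trailing CR/LF removal, Cisco time stamp removal and control-character replacement. The sample datagrams are constructed; only the Cisco format shown above is recognised; the default priority value is an assumption; and because the page does not say whether an oversize message is dropped or cut, this code truncates it and sets a flag.

```python
import re
from dataclasses import dataclass

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Matches the Cisco prefix shown above, "47: *Mar 1 00:45:43 UTC: ": optional
# sequence number, optional '*' or '.', month, day, time, optional zone.
CISCO_TS_RE = re.compile(
    r"^(?:\d+: )?[*.]?[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Za-z]+)?: ")
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


@dataclass
class Modifiers:
    max_length: int = 4096          # the guide's default
    default_priority: int = 13      # user.notice; the value is an assumption
    remove_trailing_crlf: bool = True
    remove_cisco_timestamp: bool = True
    replace_control_chars: bool = True


@dataclass
class Message:
    facility: int
    level: int
    text: str
    truncated: bool = False
    priority_defaulted: bool = False


def apply_modifiers(raw, cfg=None):
    cfg = cfg or Modifiers()

    # Maximum message length: cut the datagram before anything else parses it.
    truncated = len(raw) > cfg.max_length
    raw = raw[:cfg.max_length]

    # PRI: "<N>" with N = facility * 8 + severity, defined only for 0..191.
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, text, defaulted = int(m.group(1)), raw[m.end():], False
    else:
        # No PRI, or one above 191 for which no facility/level is defined:
        # keep the text and fall back to the configured default priority.
        pri, text, defaulted = cfg.default_priority, (raw[m.end():] if m else raw), True

    if cfg.remove_trailing_crlf:
        text = text.rstrip("\r\n")
    if cfg.remove_cisco_timestamp:
        text = CISCO_TS_RE.sub("", text, count=1)
    if cfg.replace_control_chars:
        # <013> for a carriage return, and so on: an embedded line break can
        # then no longer masquerade as a second log line.
        text = CTRL_RE.sub(lambda c: f"<{ord(c.group(0)):03d}>", text)

    return Message(pri // 8, pri % 8, text, truncated, defaulted)


if __name__ == "__main__":
    for sample in ("<100>This is a test message\r\n",
                   "<189>47: *Mar 1 00:45:43 UTC: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console",
                   "<14>first line\r\nsecond line",
                   "<200>priority above 191",
                   "no priority at all"):
        print(apply_modifiers(sample))
```

The order matters: the length limit runs first so that a huge datagram never reaches the regular expressions, and control-character replacement runs last so that a CR/LF that the trailing-strip did not remove (one in the middle of the text) is still neutralised before the message is written anywhere.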
Configure email options
Before you add an action to send email, specify the email format and configure other email options. For example, you can send alarm messages, send statistics, and enable logging.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Scroll down and click E-mail.
3. Specify the following options.
l None: Email is sent to the SMTP server over an unencrypted connection. Anything sent this way can be read on the network path, including the SMTP user name and password if authentication is enabled and the content of alarm messages.
l SSL: The connection to the mail server is encrypted from the moment it is opened (implicit TLS, conventionally port 465), for email servers that support it, for example Gmail and Yahoo.
l TLS: The connection starts in plain text and is upgraded to an encrypted one with STARTTLS (conventionally port 587), for mail servers that support it.
Send syslog alarm messages to: Select this option to send an email when an alarm threshold has been exceeded. The email can be sent securely. Enter the email address or addresses you want notified when an alarm is triggered. Email addresses must be separated by commas. For example:
[email protected], [email protected], [email protected]
If the message is being sent to a paging service and there is a limited amount of display space, select Short alarm messages (for pagers). This option sends only the subject line, not the message body.
Send syslog statistics to: Select this option to email statistics for a selected interval. The message contains information on log file size, disk space remaining on the archive drive, the total number of messages, and a breakdown of where the messages came from and the facility and level. The message is best viewed in a fixed-width font such as Courier New so that the columns line up. This can be sent securely. Enter one or more recipients, separated by commas, and specify the interval:
l Hours: The hour interval must divide evenly into 24; accepted values are 1, 2, 3, 4, 6, 8, and 12.
l Days: Statistics are emailed at midnight (00:00) based on the number of days set.
l Weeks: By default, statistics are emailed on Sunday at 00:00, based on the number of weeks set.
l Months: By default, statistics are emailed on the 1st of the month, based on the number of months set.
Click More to set a maximum number of hosts to be displayed in the statistics email and in diagnostics.
Hostname or IP address of SMTP mail server: Enter the IP address or host name of your SMTP server. This can be your local server, or one provided by your ISP. The host name of the mail server is usually something like mail.company.com or smtp.company.com. Examples:
l Gmail - smtp.gmail.com
l Yahoo - smtp.mail.yahoo.com
l Hotmail - smtp.live.com
SMTP port: If your SMTP server listens on a non-standard port, specify the alternate value here. Normally SMTP servers listen on port 25. Some companies change this value for security reasons. The value can be from 1 to 65535. The default port for SSL is 465 and for TLS is 587.
Valid 'from' e-mail address on SMTP server: SolarWinds recommends that you use a valid reply address in this field. In case of a mail failure, the SMTP server sends the bounce message to this address. Some SMTP servers require you to specify a domain name on the end, others do not. The address you use here will be the name that appears in the 'message from' field of the received email. Optionally, you can specify a friendlier name in brackets after the address. This is shown as the From address in the mail client. For example:
[email protected] (Syslog Server)
In the example above, the name "Syslog Server" appears in the From field of the received message. Some SMTP servers might not support this format of from address.
Timeout: The timeout value is how long the program waits for a response from the SMTP server before giving up. If your SMTP is via a dial-up link or very busy, you may want to increase this value from the default of 30 seconds. Valid values are from 1 second to 240 seconds.
SMTP Username and Password: Set these options only if your SMTP server requires authentication before accepting email. Most SMTP servers do not need these options set. To enable authentication, select the checkbox to the left and fill in your user name and password for the SMTP server. These values are supplied by your network administrator, SMTP server provider, or ISP. Use these credentials only together with the SSL or TLS option, because with None they are sent in clear text.
If you need to use the POP before SMTP option for authentication, SolarWinds recommends that you download a freeware POP mailbox checker and run it on your system as well. Have it check for new messages every 5 minutes, which will then allow the SMTP mail to go through.
Default E-mail Delivery Options: Use this option to change the default importance, priority, and sensitivity flags of email messages sent by Kiwi Syslog Server.
Keep a log file of e-mail activity: If you intend to use the e-mail feature to notify you of alarms and statistics, select this option to keep a log of what messages have been sent and to whom. The log file is named SendMailLog.txt and is located in the Kiwi Syslog Server installation directory.
Enable verbose logging: Enable this option if mail is not being sent correctly. All the information exchanged between the program and the mail server is logged to file. (The message content is not shown.) Because the whole exchange is recorded, the log can include the authentication exchange; protect the file and turn the option off again once the problem is found.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click UDP.
4. Specify the following options:
Listen for UDP messages: This option is selected by default to enable Kiwi Syslog Server to receive UDP messages.
UDP Port: The default port for UDP Syslog messages is 514. If you want to listen on a different port for UDP messages, you can enter any port value from 1 to 65535. If you change the port from 514, the device sending the syslog message must also be able to support the alternate port number.
Kiwi Syslog Server can listen for messages on only one UDP port.
Bind to address: By default, the UDP socket will listen for messages on all connected interfaces. If you want to limit the binding to a single specific interface, you can specify the IP address in the Bind to address field. Otherwise, leave this field blank. (If the Bind to address field is left blank, it will listen on all interfaces. This is the best option in most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1 and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface. This will ignore any syslog messages sent to the other interface.
Data encoding: If you are receiving messages from systems that use different data encoding formats, you can specify the decoding method to apply to the incoming data. The default is to use the System code page.
Select a commonly used encoding format from the drop-down menu. Or, to select a different encoding, choose "Other-->" and then enter the code page number into the field on the right.
The various code pages available on most Windows systems can be found on the Microsoft website. Here are some common code page numbers that can be used.
NAME   CODE PAGE NUMBER   DESCRIPTION
ANSI   0                  ANSI
If the number you specify is not a valid Code Page on your system, the incoming
data will not be decoded correctly and will be dropped. If in doubt, use UTF-8
encoding (65001) as it will handle all Unicode characters.
If any of your network devices send syslog messages using TCP, complete the following steps to enable
Kiwi Syslog Server to listen for TCP messages.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click TCP.
4. Specify the following options:
Listen for TCP Syslog messages: Select this option to enable Kiwi Syslog Server to receive TCP messages.
TCP Port: The default port for TCP syslog messages is 1468. If you want to listen on a different port for TCP messages, you can enter any port value from 1 to 65535. If you change the port from 1468, the device sending the syslog message must also be able to support the alternate port number.
Bind to address: By default, the TCP socket listens for messages on all connected interfaces. To limit the binding to a single specific interface, you can specify the IP address in the Bind to address field. Otherwise, leave this field blank. (If the Bind to address field is left blank, it will listen on all interfaces. This is the best option in most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1 and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface. This will ignore any syslog messages sent to the other interface.
The Cisco PIX uses port 1468. Its default behavior is that if it cannot connect to the syslog server, it blocks all network traffic through it. For more information on the Cisco PIX Firewall, please refer to the Cisco website.
Data encoding: If you are receiving messages from systems that use different data encoding formats, you can specify the decoding method to apply to the incoming data. The default is to use the System code page.
Select a commonly used encoding format from the drop-down menu. Or, to select a different encoding, choose "Other-->" and then enter the code page number into the field on the right.
The various code pages available on most Windows systems can be found on the Microsoft website. Here are some common code page numbers that can be used.
NAME   CODE PAGE NUMBER   DESCRIPTION
ANSI   0                  ANSI
If the number you specify is not a valid Code Page on your system, the incoming
data will not be decoded correctly and will be dropped. If in doubt, use UTF-8
encoding (65001) as it will handle all Unicode characters.
Message delimiters: Because Syslog messages that are sent via TCP are not necessarily contained in a single TCP packet, Kiwi Syslog Server has a buffering facility which accumulates sequential TCP packets in an internal buffer. Because of this, Kiwi Syslog Server needs to know how to identify separate Syslog messages in a single TCP stream. It does this through the use of message delimiters (or separators). Each delimiter specifies the character (or sequence of characters) that will be used to split the stream into individual Syslog messages.
The kind of delimiter to use depends very much on the client or device which is sending Syslog over TCP.
By default, Kiwi Syslog Server does not listen for TCP messages, because syslog messages are traditionally
sent using UDP. If any of your network devices send syslog messages over the TCP channel with transport
layer security (TLS), complete the following steps to enable Kiwi Syslog Server to listen for these messages.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click TCP.
4. Specify the following options:
Listen for secure (TLS) TCP Syslog messages: Select this option to enable Kiwi Syslog Server to receive secure TCP messages.
Certificates that will be used by Kiwi Syslog Server have to be installed into the Local Machine certificate store. Use the Microsoft Management Console to install certificates.
What kind of certificate should be used and configuration of public key infrastructure
(PKI) is device-specific. See the manufacturer documentation.
TCP Port: The default port for secure TCP syslog messages is 6514. If you want to listen on a different port for TCP messages, you can enter any port value from 1 to 65535. If you change the port from 6514, the device sending the syslog message must also be able to support the alternate port number.
Bind to address: By default, the TCP socket listens for messages on all connected interfaces. To limit the binding to a single specific interface, you can specify the IP address in the Bind to address field. Otherwise, leave this field blank. (If the Bind to address field is left blank, it will listen on all interfaces. This is the best option in most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1 and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface. This will ignore any syslog messages sent to the other interface.
Data encoding: If you are receiving messages from systems that use different data encoding formats, you can specify the decoding method to apply to the incoming data. The default is to use the System code page.
Select a commonly used encoding format from the drop-down menu. Or, to select a different encoding, choose "Other-->" and then enter the code page number into the field on the right.
The various code pages available on most Windows systems can be found on the Microsoft website. Here are some common code page numbers that can be used.
NAME   CODE PAGE NUMBER   DESCRIPTION
ANSI   0                  ANSI
If the number you specify is not a valid Code Page on your system, the
incoming data will not be decoded correctly and will be dropped. If in doubt,
use UTF-8 encoding (65001) as it will handle all Unicode characters.
Message delimiters: Because Syslog messages that are sent via TCP are not necessarily contained in a single TCP packet, Kiwi Syslog Server has a buffering facility which accumulates sequential TCP packets in an internal buffer. Because of this, Kiwi Syslog Server needs to know how to identify separate Syslog messages in a single TCP stream. It does this through the use of message delimiters (or separators). Each delimiter specifies the character (or sequence of characters) that will be used to split the stream into individual Syslog messages.
The kind of delimiter to use depends very much on the client or device which is sending Syslog over TCP.
The RFC 5425 option is available for secure TCP messages. This delimiter conforms to the rule defined in RFC 5425. If you decide to look for this delimiter inside the incoming message stream, the search for it is performed before the other delimiters are checked.
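As an added example (not Kiwi Syslog Server code) for the message delimiter option described here and in the plain TCP input section above, the Python class below buffers TCP segments and splits them into syslog messages, checking for RFC 5425 octet-counting framing before falling back to a delimiter. The newline delimiter, the 64 KB size limit and the sample segments are assumptions constructed for this example.

```python
"""Split a TCP syslog byte stream into messages, as Kiwi's delimiter
option describes.  Added example, not Kiwi Syslog Server code.

Framing rules modelled here (assumptions stated in the lead-in):
  * RFC 5425 octet counting: "<MSG-LEN> <SYSLOG-MSG>", where MSG-LEN is
    the decimal byte length of the message following the single space.
  * Otherwise a configurable delimiter (newline is an assumed default)
    marks the end of each message.
The octet-count check runs first, matching the guide's statement that the
RFC 5425 delimiter is searched for before other delimiters.  Mixing both
on one stream is inherently ambiguous (a delimited message that starts
with digits and a space looks like a frame), which is why the check is
optional.
"""
import re

_OCTET_COUNT = re.compile(rb"^(\d{1,10}) ")


class SyslogStreamSplitter:
    """Accumulates TCP segments and yields complete syslog messages."""

    def __init__(self, delimiter: bytes = b"\n", use_rfc5425: bool = True,
                 max_message: int = 64 * 1024):
        self.delimiter = delimiter
        self.use_rfc5425 = use_rfc5425
        self.max_message = max_message
        self._buf = b""

    def feed(self, segment: bytes) -> list:
        """Add one received TCP segment; return the messages it completed."""
        self._buf += segment
        out = []
        while self._buf:
            msg = self._next_message()
            if msg is None:
                break
            out.append(msg)
        return out

    def _next_message(self):
        # 1. RFC 5425 octet-counting frame, checked before any delimiter.
        if self.use_rfc5425:
            m = _OCTET_COUNT.match(self._buf)
            if m:
                length = int(m.group(1))
                if length > self.max_message:
                    raise ValueError("declared MSG-LEN exceeds maximum")
                start = m.end()
                if len(self._buf) < start + length:
                    return None          # wait for the rest of the frame
                msg = self._buf[start:start + length]
                self._buf = self._buf[start + length:]
                return msg
        # 2. Delimiter-terminated message.
        idx = self._buf.find(self.delimiter)
        if idx == -1:
            if len(self._buf) > self.max_message:
                raise ValueError("no delimiter within maximum message size")
            return None                  # message not yet complete
        msg = self._buf[:idx]
        self._buf = self._buf[idx + len(self.delimiter):]
        return msg

    def pending(self) -> int:
        """Bytes buffered but not yet forming a complete message."""
        return len(self._buf)


# Constructed sample: one 39-byte octet-counted frame split across two
# segments, then two newline-delimited messages, the second in pieces.
SEGMENTS = [
    b"39 <34>Oct 11 22:14:15 host1 su: ",
    b"'su root'<13>Oct 11 22:14:16 host2 app: line one\n<13>Oct 11",
    b" 22:14:17 host2 app: line two\n",
]


def split_sample(segments=SEGMENTS) -> list:
    """Run the splitter over the sample segments; returns decoded messages."""
    splitter = SyslogStreamSplitter()
    messages = []
    for seg in segments:
        messages.extend(splitter.feed(seg))
    return [m.decode("utf-8") for m in messages]


if __name__ == "__main__":
    for msg in split_sample():
        print(repr(msg))
```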
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click SNMP.
4. Specify the following options:
Listen for SNMP Traps: Select this option to enable Kiwi Syslog Server to receive SNMP traps.
• Private Password and Algorithm: Data encryption for privacy is performed using the private password and algorithm, which is either AES or DES/3DES.
• Security Level: The security level follows any of the communication mechanisms shown below:
UDP Port: Specify the UDP port that listens for SNMP traps. IPv4 traps are usually sent to port 162 and IPv6 traps are sent to port 163. A value between 1 and 65535 can be entered here. If you choose a value other than 162 or 163, make sure the device sending the trap is also sending to the specified port.
The port number should not be the same for IPv4 and IPv6 when receiving SNMP traps.
Bind to address: By default, the SNMP trap receiver will listen for messages on all connected interfaces. If you want to limit the binding to a single specific interface, you can specify the IP address in the Bind to address field. Otherwise, leave this field blank. (If the Bind to address field is left blank, it will listen on all interfaces. This is the best option in most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1 and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface. This will ignore any syslog messages sent to the other interface.
Variable Binding: SNMP traps can be bound into custom fields. Below are the SNMP fields that can be assigned to custom variables such as Custom1, Custom2... Custom16.
For example:
In the Send SNMP trap action, click Insert message content or counter to select custom variables.
Specified fields: This option allows you to choose which SNMP fields are decoded and added to the incoming message. Check the box next to the field that you want enabled. You can change the order in which the message is decoded by clicking and dragging on the field name.
Community: This is like a password that is included in the trap message. Normally this value is set to values such as "public", "private" or "monitor".
Enterprise: This is a dotted numerical value (1.3.6.1.x.x.x.x) that represents the MIB enterprise of the SNMP trap. This field only applies for version 1 traps. Version 2 and 3 traps have the Enterprise value bound as the second variable in the message.
Uptime: This is a value that represents the system uptime of the device sending the message. The value is in time ticks. The value resets to 0 when the device restarts. A low value would indicate that the device has been warm or cold started recently. This field only applies to version 1 traps. Version 2 traps have the system uptime value bound as the first variable in the message.
Trap type: This check box represents three trap type fields: Generic Type, Specific Trap-Type and Specific Trap-Name. These fields only apply to version 1 traps. There are 6 defined Generic Type traps. If the Generic Type is set to 6 it indicates an Enterprise type trap. In this case the Specific Trap value needs to be considered.
Version: This field indicates the version of the received trap. The program currently supports versions 1, 2c and 3.
Message: This field is made up of all the bound variables. Some traps may include more than a single variable binding. If the variable is an Octet String type, then it will be visible as plain text. Some variables represent counters or integer values. In this case, it is advisable to check the value against the MIB syntax for further explanation.
Syslog priority to use: Each SNMP message that is received is converted internally into a standard syslog message. This allows you to filter the message like a standard syslog message. Because SNMP traps don't have a message facility and level, a default value must be applied. You can then use this value in the rule engine. For example, you might like to set all traps to be tagged as Local0.Debug. You can then create a priority filter to catch that facility and level and perform a specified action.
SNMP field tagging: This drop down list allows you to specify how the decoded fields are converted into a message. By default, the "fieldname=value" option is used. This allows for easy parsing of the logs later. Other options are XML, comma delimited or delimited by [].
Here is an example of a message tagged with the fieldname=value option:
community=public enterprise=1.3.6.1.2.1.1.1 enterprise_mib_
name=sysDescr uptime=15161 agent_ip=192.168.0.1 generic_num=6
specific_num=0 version=Ver1 generic_name="Enterprise specific"
var_count=01 var01_oid=1.3.6.1.2.1.1.1 var01_value="This is a
test message from Kiwi Syslog Server" var01_mib_name=sysDescr
The values are only contained in quotes ("") if they contain a space.
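Added example, not Kiwi code: a parser for the "fieldname=value" tagged message format shown above, honouring the rule that values are quoted only when they contain a space. It assumes values contain no embedded double quotes, and its sample line is the guide's example joined onto one line.

```python
"""Parse a Kiwi SNMP trap message tagged in the default "fieldname=value"
style into a dict.  Added example, not Kiwi Syslog Server code.

Rule taken from the guide: values are wrapped in double quotes only when
they contain a space.  Assumption made here: values never contain a
double quote themselves, so a quoted value runs to the next '"'.
"""
import re

# name=value pairs; the value is either a quoted run (may contain spaces)
# or an unquoted run of non-space characters.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_tagged_trap(line: str) -> dict:
    """Return {field: value} for one fieldname=value tagged line."""
    fields = {}
    pos = 0
    for m in _PAIR.finditer(line):
        # Anything between pairs other than whitespace means the line does
        # not follow the format; refuse rather than silently mis-parse.
        gap = line[pos:m.start()]
        if gap.strip():
            raise ValueError(f"unexpected text at offset {pos}: {gap!r}")
        name, quoted, bare = m.groups()
        fields[name] = quoted if quoted is not None else bare
        pos = m.end()
    if line[pos:].strip():
        raise ValueError(f"trailing text: {line[pos:]!r}")
    return fields


def varbinds(fields: dict) -> list:
    """Collect the numbered varNN_* fields into (oid, value, mib_name) tuples."""
    count = int(fields.get("var_count", "0"))
    result = []
    for i in range(1, count + 1):
        prefix = f"var{i:02d}_"
        result.append((fields.get(prefix + "oid"),
                       fields.get(prefix + "value"),
                       fields.get(prefix + "mib_name")))
    return result


# Constructed sample: the guide's example line, joined onto one line.
SAMPLE = ('community=public enterprise=1.3.6.1.2.1.1.1 enterprise_mib_name=sysDescr '
          'uptime=15161 agent_ip=192.168.0.1 generic_num=6 specific_num=0 version=Ver1 '
          'generic_name="Enterprise specific" var_count=01 var01_oid=1.3.6.1.2.1.1.1 '
          'var01_value="This is a test message from Kiwi Syslog Server" '
          'var01_mib_name=sysDescr')

if __name__ == "__main__":
    parsed = parse_tagged_trap(SAMPLE)
    print(parsed["generic_name"], varbinds(parsed))
```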
Use LinkSys Display filter: The LinkSys Display filter simply removes all PPP messages from being displayed. The PPP messages are still logged to file as normal.
This feature is only useful if you are logging from a LinkSys network device.
Perform MIB lookups: A well-known list of object ID values and their text names has been included in a database that is included with the program. This will handle the most common traps from Cisco, 3Com, Allied Telesyn, SonicWall, Nokia, Checkpoint, BreezeCom, Nortel and SNMP MIB-II.
The MIB database file is located in the InstallPath\MIBs folder in a file named KiwiMIBDB.dat.
This database is a proprietary database file which has been compiled from over 60,000 MIB definitions. Since most MIB files contain less than 5% usable trap information, this pre-compiled method saves a huge amount of lookup time, disk space and hash table memory over using a standard MIB compiler/parser.
If you would like to add additional MIB lookup values, please contact SolarWinds Support. Send your zipped MIB files, and also include your Unknown_OID_list.txt file so we can ensure all the OIDs are referenced.
When creating the MIB database, all the traps, notifications and referenced variables are parsed from the MIB files. Sometimes an object may not be referenced correctly and therefore won't be added. In this case, all we need to know is the OID value and we can ensure that it is included.
Log failed lookups to debug file: If an OID value cannot be located in the database and the "log failed lookups" option is checked, the OID value is logged to a debug file. The file is located in InstallPath\MIBs and is named Unknown_OID_list.txt.
Show additional OID suffix info: Sometimes a device will send additional information encoded after the main OID number. This information can include things like the interface index, source and destination addresses and port numbers etc. This information can be shown as a suffix to the MIB name.
For example, a Cisco switch might send a "Link up" trap containing the variable: 1.3.6.1.2.1.2.2.1.2.3.
The last "3" of the OID refers to the interface index. The rest of the OID can be
resolved to the MIB name of "ifDescr".
If the "Show additional OID suffix info" option is checked, then the MIB name
displayed will contain the extra ".3" information. For example:
ifDescr.3=SlowEthernet0/3. With the option unchecked, the display will look like:
ifDescr=SlowEthernet0/3.
The injected keep alive messages are treated as any other incoming message would be, and are processed
by the rule engine. Depending on the rule set configured, the message may be written to disk, displayed or
forwarded on to another syslog server.
When the keep alive message is forwarded on to another syslog server, it can act as a "I am still alive and
well" message to tell the other server that everything is OK. On the remote server, a filter can be setup to
detect missing keep alive messages and raise an alarm if necessary.
The injected message properties can be modified by specifying a Facility, Level, Host IP address and
message text values.
For more information about using keep-alive messages, see How to use a keep-alive message in a script
and Forwarding a keep-alive message to another host as a beacon.
4. Specify the following options:
Enable keep-alive messages: By default this option is disabled. Check the box to enable the injection of keep-alive messages.
Frequency: This sets how often the keep-alive messages are injected into the input stream. Every 60 seconds is the default value, but any value between 1 and 86400 seconds (1 day) can be entered.
Syslog facility: This sets the facility of the keep-alive message. You can use a priority filter in the rule set to work with this facility only. Normally this option is set to a value of "Syslog" to indicate that it is the Syslog program generating the message.
Syslog level: This sets the level of the keep-alive message. You can use a priority filter in the rule set to work with this facility/level combination only. Normally this option is set to a value of "Info" to indicate that it is an informational message.
From IP Address: This sets the "From" IP address of the keep-alive message. This value can be from 1.1.1.1 to 255.255.255.255 for IPv4 and it supports IPv6 addresses as well. It is recommended that a value of 127.0.0.1 be used as the default. The address specified can be filtered against by the rule set later.
Message text: This is the message text that is used for the keep-alive message. It can be any message or text string that you like. By default the message reads "Keep-alive message".
Rules
Rule: MyScript
Filters
Priority: Match Syslog.Info only
Actions
Action: Run script
Action: Stop processing (Exits the rule engine here)
Other Rules here...
The keep-alive message can be identified in a script by checking the varInputSource field value. A keep-
alive message uses a value of "3".
Rules
Rule: Send keep alive message
Filters
Priority: Match Syslog.Info only
Actions
Action: Forward to host (send to another host via a syslog message)
Action: Stop processing (Exits the rule engine here)
Because we are using the "Stop processing" action, the keep alive messages won't be seen by any other
rules below this one. The priority filter will match the "Syslog.Info" priority, then the action will be taken
(forward message) then the rule engine will discard the message and wait for the next one to arrive.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click the Inputs node.
3. Select Enable IPv6 support.
4. Click Apply to save your changes.
If you are hearing a beep on every message that comes in and this option isn't checked then there is
a problem logging the messages to disk. Check the Error log for details of the problem. (From the
View menu). If a message can't be written to the specified log file, a beep will sound to notify you of
the problem.
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click the Inputs node.
3. Select Beep on every message received.
4. Click Apply to save your changes.
View syslog statistics
1. To view syslog statistics, select View > View Syslog Statistics.
The Syslog Statistics dialog opens.
Syslog Statistics are updated every 10 seconds. Press the Refresh button or F5 to cause the statistics
to be recalculated and displayed immediately.
1 Hour history: Displays a bar chart of the last 60 minutes of traffic. Each bar in the chart shows the number of messages received during that minute. The chart scrolls from right to left. The left side of the chart shows traffic an hour ago, the right most bar (0) indicates the current traffic.
24 Hour history: Displays a bar chart of the last 24 hours of traffic. Each bar in the chart shows the number of messages received during that hour. The chart scrolls from right to left. The left side of the chart shows traffic 24 hours ago, the right most bar (0) indicates the current traffic.
Severity: The Severity table shows the breakdown of messages by priority level. 0-Emergency has the highest severity all the way down to 7-Debug type messages which are used for troubleshooting.
The message count and percentage of total traffic is shown in the table.
Click on any header to sort the table by that column. Click again to reverse the sort order.
Top 20 Hosts: The hosts table shows the breakdown of messages by sending host. The message count per host and percentage of total traffic is shown in the table.
Click on any header to sort the table by that column. Click again to reverse the sort order.
If a particular host is generating a lot of the traffic or the pattern changes, it could indicate a problem on that device.
Counters: The counters show the traffic and error statistics for the program. The average messages counter can help you set maximum thresholds for alarm notification and to get a feel for the amount of syslog traffic being generated.
Some counters show values for the interval period, and some are from the last 24-hour period (from the current time of display). Others show values since Midnight (0:00).
The intervals start at 00 from the time the program starts rather than being related to the actual MM/DD/YYYY HH:MM:SS time. To see how long the program has been running, check the Program uptime counter, see the duration of the interval period, and check the start and end date & time.
Messages - Total:
This counter value shows the number of messages received since the program started.
To reset this value, you must restart the program or service.
Messages - Last 24 hours:
This counter value shows the number of messages received during the last 24-hour
period (from the current time of display). This value is a rolling count of the messages
received in the last 23 hours, plus the messages received in the last hour. At the turn of
each hour, the value will drop as the last 23 hours are shuffled. The value will then
build again as more messages are received during the current hour. The value is
represented by the formula: LastHours(1 to 23) + messages this hour.
Messages - Last Interval (Hours/Days/Weeks/Months):
This counter value shows the number of messages received during the last interval period. The counter is reset once the statistics report is emailed out.
Messages - Since Midnight:
This counter value shows the number of messages received since midnight (00:00 -
23:59). This counter automatically resets at 00:00 every day.
Messages - Last hour:
This counter value shows the number of messages received in the last full hour. The
hours are counted from the time the program was started. If the program has been
running less than 60 minutes, this value will be 0. Once an hour has completed, the
value will contain the total number of messages received for the last hour. The value
will remain constant until the next hour rolls over.
Messages - This hour:
This counter value shows the number of messages received since the last hour roll
over. The hours are counted from the time the program was started. This value will
reset to 0 each hour and will be incremented as each new message arrives.
Messages - Average:
This counter value shows the average number of messages received per hour over the
last 24-hour period. At the turn of each hour, the value will be recalculated as the last
24 hours are shuffled. After the first hour has elapsed, the value is only updated once
per hour.
Messages - Average Last Interval (Hours/Days/Weeks/Months):
This counter value shows the average number of messages received per hour over the
last interval period.
Messages - Forwarded:
This counter value shows the number of messages that have been forwarded to other syslog collectors or relays using the "Forward message" action. This counter is reset immediately after the stats report has been emailed out. The stats are usually sent based on the interval set. The value being displayed is based on the interval duration.
Messages - logged to disk:
This counter value shows the number of messages that have been logged to disk using the "Log to file" action. This counter is reset immediately after the stats report has been emailed out. The stats are usually sent based on the interval set. The value being displayed is based on the interval duration.
The total number of hosts that can be listed depends on the number set in More options > Number of host. The value must be between 1 and 999.
CustomStats:
The custom statistics values can be viewed from the Counters tab. These values can be
modified by using the Run Script action. These statistics counters can be used to count
and display any values you like.
To set the counter name to something more meaningful, use Scripting custom statistics fields to set the counter name and initial values.
Protocols
For detailed information about syslog protocols, see the following topics:
• Syslog Facilities
• Syslog Levels
• Syslog Priority values
• Transport
• Syslog RFC 3164 header format
SYSLOG FACILITIES
Each Syslog message includes a priority value at the beginning of the text. The priority value ranges from 0
to 191 and is made up of a Facility value and a Level value. The priority is enclosed in "<>" delimiters.
The priority is a value from 0 to 191 and is not space or leading zero padded.
For more information on the Syslog message format, please read the RFC.
The Facility value is a way of determining which process of the machine created the message. Since the Syslog protocol was originally written on BSD Unix, the Facilities reflect the names of Unix processes and Daemons. The priority value is calculated from the Facility and Level values. The Facility values are:
• 0 - kernel messages
• 1 - user-level messages
• 2 - mail system
• 3 - system daemons
• 4 - security/authorization messages
• 5 - messages generated internally by syslogd
• 6 - line printer subsystem
• 7 - network news subsystem
• 8 - UUCP subsystem
• 9 - clock daemon
• 10 - security/authorization messages
• 11 - FTP daemon
• 12 - NTP subsystem
• 13 - log audit
• 14 - log alert
• 15 - clock daemon
• 16 - local use 0 (local0)
• 17 - local use 1 (local1)
• 18 - local use 2 (local2)
• 19 - local use 3 (local3)
• 20 - local use 4 (local4)
• 21 - local use 5 (local5)
• 22 - local use 6 (local6)
• 23 - local use 7 (local7)
If you are receiving messages from a Unix system, it is suggested you use the 'User' Facility as your first
choice. Local0 through to Local7 are not used by Unix and are traditionally used by networking equipment.
Cisco routers for example use Local6 or Local7.
SYSLOG LEVELS
Each Syslog message includes a priority value at the beginning of the text. The priority value ranges from 0
to 191 and is made up of a Facility value and a Level value. The priority is enclosed in "<>" delimiters.
The priority is a value from 0 to 191 and is not space or leading zero padded.
For more information on the Syslog message format, please read the RFC.
Recommended practice is to use the Notice or Informational level for normal messages.
DEBUG:
Info useful to developers for debugging the app, not useful during operations
INFORMATIONAL:
Normal operational messages - may be harvested for reporting, measuring throughput, etc - no action
required
NOTICE:
Events that are unusual but not error conditions - might be summarized in an email to developers or
admins to spot potential problems - no immediate action required
WARNING:
Warning messages - not an error, but indication that an error will occur if action is not taken, e.g. file
system 85% full - each item must be resolved within a given time
ERROR:
Non-urgent failures - these should be relayed to developers or admins; each item must be resolved within
a given time
ALERT:
Should be corrected immediately - notify staff who can fix the problem - example is loss of backup ISP
connection
CRITICAL:
Should be corrected immediately, but indicates failure in a primary system - fix CRITICAL problems before
ALERT - example is loss of primary ISP connection
EMERGENCY:
A "panic" condition - notify all tech staff on call? (earthquake? tornado?) - affects multiple
apps/servers/sites...
The priority is a value from 0 to 191 and is not space or leading zero padded.
For more information on the Syslog message format, please read the RFC.
To manually set a particular priority number, enter a number into the Priority value field and check the
'Use this value' box. This value will be sent in the <PRI> field of the Syslog message. This allows you to use
values above 191 (up to 255). Values above 191 are illegal and could cause unknown results.
TRANSPORT
Kiwi Syslog Server can listen for UDP messages and TCP messages. Normally Syslog messages are sent
using UDP. Some networking devices such as the Cisco PIX firewall can send messages using TCP to ensure
each packet is received and acknowledged by the Syslog Server.
When sending messages using UDP, the destination port is usually 514.
When sending messages using TCP, the destination port is usually 1468.
The TIMESTAMP will immediately follow the trailing ">" from the PRI part and single space characters
MUST follow each of the TIMESTAMP and HOSTNAME fields.
HOSTNAME will contain the hostname, as it knows itself. If it does not have a hostname, then it will contain
its own IP address.
The TIMESTAMP field is the local time and is in the format of: "Mmm dd hh:mm:ss" (without the quote
marks).
The MSG part has two fields known as the TAG field and the CONTENT field. The value in the TAG field will
be the name of the program or process that generated the message. The CONTENT contains the details of
the message. This has traditionally been a freeform message that gives some detailed information of the
event. The TAG is a string of ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any
non-alphanumeric character will terminate the TAG field and will be assumed to be the starting character
of the CONTENT field. Most commonly, the first character of the CONTENT field that signifies the
conclusion of the TAG field has been seen to be the left square bracket character ("["), a colon character
(":"), or a space character.
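As an added example that is not part of the guide, the parser below applies the PRI and RFC 3164 header rules from this Protocols section (PRI = Facility * 8 + Level per RFC 3164, so facility = PRI // 8 and level = PRI % 8; TIMESTAMP, HOSTNAME, TAG and CONTENT as described above). The short facility keyword names are the conventional Unix ones and are an assumption, as is the constructed sample line.

```python
"""Decode the PRI and BSD syslog (RFC 3164) header of a message, as the
Protocols section describes.  Added example, not Kiwi Syslog Server code.

Facts used: PRI = Facility * 8 + Level (RFC 3164); PRI is 0..191 and is
not leading-zero padded; TIMESTAMP is "Mmm dd hh:mm:ss" followed by a
space, then HOSTNAME and a space, then TAG (alphanumeric, at most 32
characters) terminated by the first non-alphanumeric character, which
starts CONTENT.
"""
import re
from dataclasses import dataclass

# Conventional keyword names for facilities 0..23 (assumption; the guide
# lists descriptions rather than keywords).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
          "Info", "Debug"]

_HEADER = re.compile(
    r"^<(\d{1,3})>"                                   # PRI, no padding
    r"([A-Z][a-z]{2} [ 0-3]\d \d{2}:\d{2}:\d{2}) "     # TIMESTAMP + space
    r"(\S+) "                                          # HOSTNAME + space
    r"(.*)$", re.DOTALL)                               # MSG (TAG + CONTENT)
# TAG: up to 32 alphanumerics; the lookahead refuses a longer run.
_TAG = re.compile(r"^([A-Za-z0-9]{0,32})(?![A-Za-z0-9])")


@dataclass
class SyslogMessage:
    priority: int
    facility: int
    level: int
    timestamp: str
    hostname: str
    tag: str
    content: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def level_name(self) -> str:
        return LEVELS[self.level]


def priority_value(facility: int, level: int) -> int:
    """Compose a PRI the way a sender does; rejects out-of-range inputs."""
    if not 0 <= facility <= 23 or not 0 <= level <= 7:
        raise ValueError("facility must be 0..23 and level 0..7")
    return facility * 8 + level


def parse_rfc3164(raw: str) -> SyslogMessage:
    """Parse one BSD syslog message; raises ValueError on a malformed header."""
    m = _HEADER.match(raw)
    if not m:
        raise ValueError("not a well-formed RFC 3164 header")
    pri_text, timestamp, hostname, msg = m.groups()
    if len(pri_text) > 1 and pri_text[0] == "0":
        raise ValueError("PRI must not be leading-zero padded")
    pri = int(pri_text)
    if pri > 191:
        raise ValueError(f"PRI {pri} is above the legal maximum of 191")
    t = _TAG.match(msg)
    if not t:
        raise ValueError("TAG exceeds 32 characters")
    tag = t.group(1)
    return SyslogMessage(pri, pri // 8, pri % 8, timestamp, hostname,
                         tag, msg[len(tag):])


# Constructed sample line: PRI 189 is local7.Notice, a facility the guide
# notes is typical of Cisco routers.  "ifmgr" is the TAG; "[" ends it.
SAMPLE = "<189>Oct 11 22:14:15 router1 ifmgr[12]: interface Gi0/1 changed state to down"

if __name__ == "__main__":
    msg = parse_rfc3164(SAMPLE)
    print(msg.facility_name, msg.level_name, msg.tag, msg.content)
```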
The BSD Syslog protocol is discussed in RFC 3164. Check out their community discussion on Roxen website.
For a comprehensive description of the syslog protocol, see Sans Institute website.
KRDP uses the TCP protocol as the underlying transport. This ensures that each packet sent is sequenced
and acknowledged when received. The TCP protocol on the receiving system handles the packet order and
ensures that any missing packets are resent.
THE PROBLEM
TCP works well as a reliable transport when the connection can be opened and closed cleanly. During a
TCP close handshake, any outstanding packets are usually received and acknowledged before the
connection is closed.
However, if a break in the network occurs during message sending, the sender will continue to send
packets until the TCP window size is reached. When no acknowledgment is received after a timeout period,
the Winsock stack will fire a timeout event. When this happens, it is not possible to know exactly which
message (or part message) was last received and acknowledged by the remote end. Any data that was
sitting in the Winsock stack's buffer will be lost. Depending on the TCP window size and the speed of the
data being sent, this could be hundreds of lost messages.
THE SOLUTION
KRDP works by adding another acknowledgment and sequencing layer over the top of the TCP transport.
KRDP wraps each syslog message with a header which contains a unique sequence number. The KRDP
sender keeps a local copy of each message it has sent. The KRDP receiver periodically acknowledges
receipt of the last KRDP wrapped syslog message it has received. The KRDP sender can then remove all
locally stored messages up to the last acknowledged sequence number. When the connection is broken
and re-established, the receiver informs the sender which messages need to be resent.
Each KRDP sender is identified with a unique connection name. This allows the sender and receiver to
reestablish the same session and sequence numbers, even if the IP address or sending port of the sender
has been changed due to DHCP etc.
DEALING WITH INTERNATIONAL CHARACTERS
Unicode allows the mapping of all international character sets into a known byte sequence. The mapping
of non US-ASCII characters requires the use of more than a single byte per character. The most commonly
used way of sending these multi-byte characters over TCP is to use UTF-8 encoding. The KRDP sender will
encode the syslog messages as UTF-8 and the KRDP receiver will decode them back to Unicode again.
MESSAGE TYPES
00 = Version and SenderID
01 = ReceiverResponse
02 = Sequenced message
03 = Message acknowledgement
04 = Receiver KeepAlive
99 = Error message
MESSAGE FORMAT
KRDP AA 0000000000 Message<CR>
Each message starts with the literal KRDP, followed by the two-digit message type (AA), the ten-digit
message sequence number, the message body, and a carriage return.
SEQUENCE OF EVENTS
In the following, S is the sender and R is the receiver.
S connects via TCP
RULES
1. If the first message R receives is not an ID message (MsgType 00), R disconnects. Any data received is
ignored.
2. If R does not receive an ID message within 60 seconds, R disconnects.
3. After S sends the ID message, S waits up to 60 seconds for a ReceiverResponse message. If there is no
response, S disconnects the session.
4. R sends ACK messages to S carrying the next expected message sequence number.
5. ACK messages are sent no more frequently than once every 200 ms.
MESSAGE FORMATS
MsgType 00 (Version and SenderID)
KRDP 00 PV UniqueKey<CR>
The unique key identifies the channel and is used to synchronise the message numbers between sender
and receiver. Because the receiver might already have an "Instance1" name from another source, a
generic name like that is a poor choice of UniqueKey. Use as much information as needed to uniquely
describe the source of the messages, for example the site and host name of the sender.
MsgType 03 (Message acknowledgement)
ACK messages are sent at a maximum rate of once every 200 ms. When sent by the receiver, MsgSeq is set
to the next expected message number.
MsgType 99 (Error)
The message number indicates which message caused the error, if any. It is set to zero (0) if the error is
not related to a message number.
Error 1001 - Sender is unable to supply message number: <NextMsgSeq>. Starting again from 0. Sender ID:
<UniqueSenderID>. The receiver was expecting a sequence number greater than 0, but the sender is unable
to supply that message and must start again at 0. The receiver now re-syncs with the sender.
Error 1003 - Received unexpected message data. Message ignored. Sender ID: <UniqueSenderID>. Message
data arrived while the receiver was not expecting it. The data is ignored.
Error 1004 - First message did not contain Sender ID. Connection closed. The first message received after
the connection was established did not contain the Sender ID. The receiver has closed the connection.
Error 1005 - Unable to send Expected message number reply. Connection closed. The receiver was unable
to send a reply message over the established connection. The receiver has closed the connection.
Error 1006 - Unable to send error message. The receiver was unable to send an error message over the
established connection.
Error 1007 - Unable to send KeepAlive message. Connection closed. The receiver was unable to send a
KeepAlive message over the established connection. The receiver has closed the connection.
Error 1008 - Unable to send KeepAlive to connection: <UniqueSenderID>. The receiver was unable to send a
KeepAlive message over the established connection.
Error 1009 - Unable to send ACK to connection: <UniqueSenderID>. The receiver was unable to send an ACK
message over the established connection.
Error 1010 - Unexpected message received. Type: <MsgType>. Message content: <Message Content>. An
unexpected message type was received. The message content is shown for debugging purposes.
Error 1099 - <Error message content from sender>. The sender can notify the receiver of an error by using
the 1099 error type. The message content comes from the sender.
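The sequencing, acknowledgement and re-sync behaviour described above, as an added Python simulation written for this page. It is not Kiwi Syslog Server code and opens no sockets; frames are handed directly from the sender object to the receiver object. The framing follows the "KRDP AA 0000000000 Message<CR>" layout with a two-digit type and ten-digit sequence number. The following are assumptions made for the example and are not stated in the guide: the value of the PV field, that the ReceiverResponse carries the next expected sequence number, that a sender which cannot supply the requested message renumbers its pending messages from 0 (which the receiver detects as error 1001 when the first data frame after a handshake is 0 while it expected more), and the UniqueKey "london-fw1", which is constructed.

```python
MSG_ID, MSG_RESPONSE, MSG_DATA, MSG_ACK, MSG_KEEPALIVE, MSG_ERROR = 0, 1, 2, 3, 4, 99


def frame(msg_type, seq, body=""):
    """Wire format "KRDP AA 0000000000 Message<CR>": 2-digit type, 10-digit sequence, CR."""
    return "KRDP %02d %010d %s\r" % (msg_type, seq, body)

def unframe(wire):
    parts = wire[:-1].split(" ", 3)
    if not wire.endswith("\r") or len(parts) != 4 or parts[0] != "KRDP":
        raise ValueError("not a KRDP frame: %r" % wire)
    return int(parts[1]), int(parts[2]), parts[3]

class Receiver:
    """KRDP listener state, keyed by UniqueKey so that sessions survive reconnects."""
    def __init__(self):
        self.next_expected = {}   # UniqueKey -> next expected sequence number
        self.delivered = []       # (UniqueKey, body) in delivery order
        self.errors = []          # error codes logged, in the guide's numbering

class Connection:
    """One TCP connection as seen by the receiver."""
    def __init__(self, rx):
        self.rx, self.key, self.open, self.fresh = rx, None, True, True

    def handle(self, wire):
        """Process one frame from the sender; returns a frame to send back, or None."""
        msg_type, seq, body = unframe(wire)
        if self.key is None:
            if msg_type != MSG_ID:            # rule 1: anything but the ID message -> disconnect
                self.rx.errors.append(1004)
                self.open = False
                return None
            self.key = body.split(" ", 1)[1]   # body is "PV UniqueKey"
            # Assumption: the ReceiverResponse carries the next expected sequence number,
            # which is how the receiver tells the sender what has to be resent.
            return frame(MSG_RESPONSE, self.rx.next_expected.setdefault(self.key, 0))
        expected = self.rx.next_expected[self.key]
        if msg_type == MSG_DATA:
            if self.fresh and seq == 0 and expected > 0:
                # Error 1001: the sender could not supply message `expected` and restarted at 0.
                self.rx.errors.append(1001)
                self.rx.next_expected[self.key] = expected = 0
            self.fresh = False
            if seq == expected:
                self.rx.delivered.append((self.key, body))
                self.rx.next_expected[self.key] = expected + 1
            elif seq > expected:              # gap: ignore it; the next ACK asks for a resend
                self.rx.errors.append(1003)
            # seq < expected is a duplicate the receiver already holds: dropped silently
        return None

    def ack(self):
        """Rule 4: an ACK carries the next expected sequence (sent at most every 200 ms)."""
        return frame(MSG_ACK, self.rx.next_expected[self.key])

class Sender:
    """KRDP sender: keeps a local copy of every message until an ACK moves past it."""
    def __init__(self, unique_key, protocol_version="1"):   # the PV field value is assumed
        self.key, self.pv = unique_key, protocol_version
        self.next_seq, self.unacked, self.conn = 0, {}, None

    def connect(self, receiver):
        self.conn = Connection(receiver)
        reply = self.conn.handle(frame(MSG_ID, 0, "%s %s" % (self.pv, self.key)))
        if reply is None:
            raise ConnectionError("receiver closed the connection")
        expected = unframe(reply)[1]
        if expected > 0 and expected not in self.unacked and expected != self.next_seq:
            # We no longer hold the message the receiver wants: renumber and start again from 0.
            pending = [self.unacked[s] for s in sorted(self.unacked)]
            self.unacked, self.next_seq, expected = dict(enumerate(pending)), len(pending), 0
        self.unacked = {s: b for s, b in self.unacked.items() if s >= expected}
        for s in sorted(self.unacked):          # resend only what the receiver is missing
            self.conn.handle(frame(MSG_DATA, s, self.unacked[s]))

    def send(self, body):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.unacked[seq] = body
        if self.conn is not None and self.conn.open:
            self.conn.handle(frame(MSG_DATA, seq, body))

    def on_ack(self, wire):
        msg_type, next_expected, _ = unframe(wire)
        if msg_type == MSG_ACK:
            self.unacked = {s: b for s, b in self.unacked.items() if s >= next_expected}

def demo():
    """Break the link after m2 and reconnect: only m3 is resent, nothing is lost or duplicated."""
    rx, tx = Receiver(), Sender("london-fw1")   # constructed UniqueKey
    tx.connect(rx)
    for body in ("m0", "m1"):
        tx.send(body)
    tx.on_ack(tx.conn.ack())                      # ACK says "next expected 2": m0, m1 released
    tx.send("m2")
    tx.conn = None                                # network break; the ACK for m2 never arrives
    tx.send("m3")                                 # queued locally while disconnected
    tx.connect(rx)                                # handshake: receiver replies "next expected 3"
    tx.on_ack(tx.conn.ack())
    return [b for _, b in rx.delivered], tx.unacked, rx.errors
```

The point of the simulation is the handshake after the break: the receiver already holds m2, so its response asks for 3 and the sender resends only m3. A second Sender object created with the same UniqueKey (a restarted sending process with no memory of its sequence numbers) gets asked for a number it cannot supply and starts at 0, which the receiver logs as error 1001 and re-syncs.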
Error and mail logs
Kiwi Syslog Server automatically creates an error log that you can use for troubleshooting. You can also
choose to log information about the emails that Kiwi Syslog Server sends.
To open the error log from the Kiwi Syslog Service Manager, select View > View error log file.
If email logging is enabled, you can open the send mail log by selecting View > View e-mail log file. When
email logging is enabled and Kiwi Syslog Server emails an alarm notification or the daily statistics, it
records information about the email in the email log file.
Best practices
Before you make changes to the registry:
After you update registry values, restart Kiwi Syslog Server to ensure that your changes take effect.
Available settings
The following registry settings are available.
SETTING                       SPECIFIES
DisplayColumnsEnabled         Which columns are shown on the Kiwi Syslog Service Manager display.
DisplayRowHeight              The row height (in pixels) on the Kiwi Syslog Service Manager display.
ServiceStartTimeout           How long (in seconds) the Service Manager waits for a Service Start or Service Stop request to complete.
ServiceUpdateTimeout          How long (in seconds) the Service Manager waits for a Properties Update request to complete.
NTServiceSocket               The port used by the Manager part of Kiwi Syslog Server to connect to the Service.
DNSDisableWaitWhenBusy        How full the input message buffer can get before DNS resolution waiting is disabled.
MailAdditionalSubjectText     A text string added to the beginning of the e-mail subject for daily statistics and alarm e-mails.
MailMaxMessageSend            The maximum number of email messages that are sent per minute.
File write caching settings   Values that enable and configure file write caching.
ScriptEditor                  The script editor to be launched when you click the Edit Script button.
ArchiveFileSeparator          The separator character placed between the existing file name and the current system date and time when files are archived.
ArchiveTempPath               The default temp folder used by Kiwi Syslog Server's archiver.
KRDPRxDebug                   Whether the debug log file for KRDP receive events is enabled or disabled.
KRDPTxDebug                   Whether the debug log file for KRDP send events is enabled or disabled.
KRDPQueueSize                 The size of the message queues used to buffer the KRDP and TCP messages.
KRDPAutoConnect               Whether the KRDP and TCP senders will try to automatically connect to the remote host.
KRDPIdleTimeout               The time the sending socket remains connected after the last message has been sent.
OriginalAddressStartTag and
OriginalAddressEndTag         The start and end tags for the original sender's address.
DisplayColumnsEnabled
Use this Kiwi Syslog Server registry setting to specify which columns are shown on the Kiwi Syslog Service
Manager display.
Min value 0
Max value 31
Default value 31
By default, all the columns are shown. To display a different set of columns, enter the sum of the decimal
values of the columns you want:
Bit  Value  Column
0    1      Date
1    2      Time
2    4      Priority
3    8      Hostname
4    16     Message
For example:
- To display the Message (16) and Hostname (8) columns, set the value to 24 (16 + 8 = 24).
- To display the Message (16) and Time (2) columns, set the value to 18 (16 + 2 = 18).
DisplayRowHeight
Use this Kiwi Syslog Server registry setting to specify the row height (in pixels) on the Kiwi Syslog Service
Manager display.
If the font is taller than the specified row height, the row is automatically resized to accommodate
the text.
Min value 5
Max value 50
Default value 15
MailStatsDeliveryTime
Use this Kiwi Syslog Server registry setting to specify when the daily statistics email is sent.
By default, the statistics email is sent at midnight (00:00). To change the time, enter the new time using the
24 hour clock. For example, to specify 6 PM, enter 18:00.
Default value 00:00
Max value 23:59
Type HH:MM
ServiceStartTimeout
Use this Kiwi Syslog Server registry setting to specify how long (in seconds) the Service Manager waits for a
Service Start or Service Stop request to complete.
If you have more than 10 actions configured or are running on a computer with a CPU speed of less than
300 MHz, increase this value as needed.
Min value 1
Default value 30
Type Seconds
ServiceUpdateTimeout
Use this Kiwi Syslog Server registry setting to specify how long (in seconds) the Service Manager waits for a
Properties Update request to complete.
If you have more than 10 actions configured or are running on a machine with a CPU speed of less than
300 MHz, increase this value as needed.
Min value 1
Default value 5
Type Seconds
NTServiceSocket
The Manager part of Kiwi Syslog Server connects to the Service via TCP port 3300. This allows the two
applications to communicate: the Service passes messages to be displayed, alarms and statistics
information to the Manager so that they can be viewed as they arrive.
Use this Kiwi Syslog Server registry setting to change the port if some other process is also using it. To
check whether the port is already taken on the server, run netstat -ano | findstr :3300 from a command
prompt before changing the value.
Min value 1
Default value 3300
NTServiceDependencies
Under most operating systems, the service starts without problems. On some Windows Server systems,
the service may have to wait for other system services to start before it can start. Otherwise you will see
the error message "One or more system services failed to start" on the console after a reboot.
To ensure that the required services have started before Kiwi Syslog Server is started, you can modify this
Kiwi Syslog Server registry setting.
Default value Blank
Type Semicolon-separated list of service names, in the form ServiceName1;ServiceName2;ServiceName3
For example, listing the Workstation, WMI (Windows Management Instrumentation) and TCP/IP stack
services ensures that they are running before the Kiwi Syslog Server Service is started.
DebugStart
Set this Kiwi Syslog Server registry setting value to "1" to enable debug for both the Service and Manager.
Enable Debug 1
Disable Debug 0
Type String
APPLIES TO
Syslogd.exe, Syslogd_Service.exe & Syslogd_Manager.exe
EFFECT
When the program is run with this registry value set to "1", a debug file is created in the install directory.
The file name will depend on the executable name (see below). The debug file will contain the results from
the program start-up and socket initialization routines.
FILES CREATED
SyslogNormal = Syslogd_Startup.txt
SyslogService = Syslogd_Service_Startup.txt
SyslogManager = Syslogd_Manager_Startup.txt
WHEN TO USE
If the program does not appear to be receiving messages on the port specified on the "Inputs" setup
option, check the start-up debug file to ensure the sockets initialized correctly. If the program appears to
crash on start-up, this option can help locate the problem.
DNSDisableWaitWhenBusy
Normally, if an IP address is not found in the DNS cache, the program will wait for a set period of time for
the IP address to finish resolving. Under heavy load this delay can fill the message input buffer until it
overflows and drops new messages.
Use this Kiwi Syslog Server registry setting to specify how full the input message buffer can get before
disabling the DNS resolution waiting. By default, when the input buffer reaches more than 10% of capacity,
the Syslog Server will stop waiting for the IP addresses to be resolved.
If you have preemptive lookup enabled, the IP addresses will still be resolved in the background and
results placed in the cache. This option just disables the "DNS timeout" waiting period while the buffer is
under load. This frees the program up so that it can process the buffered messages without waiting for
resolutions to occur.
When the input buffer level drops below the set value, the normal resolution waiting timeouts will be re-
enabled.
Min value 0
Default value 10
Type Percentage
DNSCacheMaxSize
Use this Kiwi Syslog Server registry setting to limit the size of the cache buffer to conserve memory. The
registered version will allow 1,000,000 entries. Set this value to the number of IP addresses you are
expecting to have to cache.
Min value 50
DNSCacheFailedLookups
Use this Kiwi Syslog Server registry setting to improve DNS name resolution performance by caching failed
lookups. When a DNS server returns a valid response that does not include a resolved name, Kiwi Syslog
Server caches that response to avoid repeated queries to the DNS server. This situation occurs when the
DNS server is asked for the name of an IP address that it does not know: instead of timing out, the DNS
server sends a valid "NAME NOT FOUND" response. Caching this kind of response avoids repeated queries
for a name that will not be found. Failed lookups are flushed from the cache at the frequency defined in
"Flush entries after X minutes".
Min value 0
Max value 1
Default value
Type 1 = cache failed DNS lookups, 0 = do not cache failed DNS lookups
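An added Python model, written for this page and not Kiwi Syslog Server's own resolver, of the behaviour the DNS settings above describe: a bounded reverse-lookup cache that optionally caches "NAME NOT FOUND" answers, flushes entries after X minutes, and stops waiting on DNS once the input buffer is fuller than the DNSDisableWaitWhenBusy threshold. The resolver is a constructed in-memory PTR table, the clock is injectable so the demo can step time, and background (preemptive) resolution is not modelled.

```python
import time

NAME_NOT_FOUND = None   # the resolver's value for a valid "no such name" answer


class DnsCache:
    """Reverse-lookup cache with the guide's limits: DNSCacheMaxSize, DNSCacheFailedLookups,
    "flush entries after X minutes" and the DNSDisableWaitWhenBusy threshold."""

    def __init__(self, resolver, max_size=1000000, cache_failed_lookups=True,
                 flush_after_minutes=60, disable_wait_when_busy_pct=10, clock=time.time):
        self.resolver = resolver                   # callable: ip -> name, or NAME_NOT_FOUND
        self.max_size = max(50, max_size)          # 50 is the guide's minimum for DNSCacheMaxSize
        self.cache_failed_lookups = cache_failed_lookups
        self.flush_after = flush_after_minutes * 60
        self.disable_wait_pct = disable_wait_when_busy_pct
        self.clock = clock
        self.entries = {}                          # ip -> (name or NAME_NOT_FOUND, inserted_at)
        self.resolver_calls = 0                    # how many queries actually left the server

    def lookup(self, ip, input_buffer_pct=0):
        """Return the host name for ip, or ip itself if it is unknown or the lookup was skipped."""
        now = self.clock()
        hit = self.entries.get(ip)
        if hit is not None:
            name, inserted_at = hit
            if now - inserted_at < self.flush_after:
                return ip if name is NAME_NOT_FOUND else name
            del self.entries[ip]                   # expired: flush it and query again
        if input_buffer_pct > self.disable_wait_pct:
            # DNSDisableWaitWhenBusy: while the input buffer is this full, do not wait on DNS.
            return ip
        self.resolver_calls += 1
        name = self.resolver(ip)
        if name is not NAME_NOT_FOUND or self.cache_failed_lookups:
            if len(self.entries) >= self.max_size:  # bounded cache: evict the oldest entry
                oldest = min(self.entries, key=lambda k: self.entries[k][1])
                del self.entries[oldest]
            self.entries[ip] = (name, now)
        return ip if name is NAME_NOT_FOUND else name


# Constructed PTR table standing in for the DNS server; anything else is NAME NOT FOUND.
FAKE_PTR = {"10.0.0.5": "fw1.example.test", "10.0.0.6": "core-sw.example.test"}


def fake_resolver(ip):
    return FAKE_PTR.get(ip, NAME_NOT_FOUND)


def demo(cache_failed_lookups):
    """1000 messages over 100 s from a host with no PTR record: count the queries sent."""
    clock = [0.0]
    cache = DnsCache(fake_resolver, max_size=50, cache_failed_lookups=cache_failed_lookups,
                     flush_after_minutes=10, clock=lambda: clock[0])
    first = cache.lookup("10.0.0.5")
    last = None
    for _ in range(1000):
        clock[0] += 0.1
        last = cache.lookup("192.0.2.77")
    return first, last, cache.resolver_calls
```

With failed-lookup caching on, the burst from the unknown host costs one DNS query; with it off, every message queries the server again, which is the repeated traffic the setting exists to avoid.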
DNSSetupQueueBufferBurstCoefficient
Use this Kiwi Syslog Server registry setting to specify the number of DNS/NetBIOS requests that will be
dequeued from the internal queue buffer at once.
Min value 1
Max value 50
Default value 10
Type Numeric
DNSSetupQueueBufferClearRate
Use this Kiwi Syslog Server registry setting to specify the rate at which the DNS/NetBIOS internal queue
buffer is cleared.
Min value 1
Default value 10
Type Numeric
DNSSetupQueueLimit
Use this Kiwi Syslog Server registry setting to specify the DNS/NetBIOS internal queue buffer size.
Type Numeric
DNSSetupDebugModeOn
Set this Kiwi Syslog Server registry setting to 1 to enable verbose debug mode. This mode writes verbose
DNS/NetBIOS requests and responses to {Program files}\Syslogd\DNSdebug.txt.
Min value 0
Max value 1
Default value 0
MsgBufferSize
Use this Kiwi Syslog Server registry setting to specify the maximum number of message buffer entries.
As messages are received via the inputs (UDP, TCP, SNMP, Keep Alive), the messages are placed in an
internal queue. The messages are then taken from the queue and processed in the order they arrived
(FIFO). If a burst of messages arrive while the processing engine is busy, the messages are queued. This
ensures messages are not lost under times of heavy load.
Each message that is queued uses a small amount of memory. In most situations, buffering up to 500,000
messages is sufficient. You may want to increase the buffer size in situations where messages are arriving
in large bursts. The buffering will smooth the message flow and allow the processing engine to catch up
when it can.
Messages are stored in Unicode which uses 2 bytes for each character. Therefore, if each message is 100
characters, it will occupy 200 bytes of memory. Messages can vary in size based on their content. 500,000
messages of 100 characters each will use 100,000,000 bytes (~100 MB) of memory. If each message was 200
characters long, it would use ~200 MB of memory. Memory is only used when the messages are being
queued. Under normal traffic loads, the processing engine will be able to keep up with message flow and
no messages will need to be queued.
MailAdditionalSubjectText
Use this Kiwi Syslog Server registry setting to add a text string to the beginning of the e-mail subject for
daily statistics and alarm e-mails. If you are receiving daily statistics or alarm e-mails from many syslog
Servers, it can be useful to include a way of identifying which syslog Server the e-mail came from.
In the registry setting, add a line of text that best describes the name or location of the syslog Server. The
text will be added to the beginning of the e-mail subject.
For example, a normal max message alarm e-mail subject line looks like this:
If you set the MailAdditionalSubjectText setting to [London], the alarm subject e-mail will look like this:
A space is automatically added after the text to separate it from the existing subject text.
MailAdditionalBodyText
Use this Kiwi Syslog Server registry setting to include an additional line of text in the daily statistics and
alarm e-mails. If you are receiving daily statistics or alarm e-mails from many syslog Servers, it can be
useful to include a way of identifying which syslog Server the e-mail came from.
In the registry setting, add a line of text that best describes the name or location of the syslog Server. The
text will be added to the beginning of the e-mail body.
If you set the MailAdditionalBodyText setting to London - Firewall Monitoring Syslog Server,
the daily statistics e-mail will look like this:
An additional CRLF is added before and after the text for better visibility.
MailMaxMessageSend
Use this Kiwi Syslog Server registry setting to specify the maximum number of email messages that are
sent per minute. Any messages not sent will be requeued until the next email send a minute later.
Email messages are queued internally for up to a minute and then sent in bulk. This means only a single
connection to the SMTP server is required. Each message is sent separately, and then the connection to
the server is closed.
This option can be useful when a lot of e-mail messages are being sent via an SMS gateway which has a
limit on message sending. It can also reduce the load on a mail server and spread the message load out
over a few sending intervals.
Min value 1
Default value 50
Type Message count
File write caching settings
When enabled, the "Log to File" action will cache the output data for X seconds or X messages before
writing to the log file. The data is cached in memory until the log file is updated in bulk. This is more
efficient than writing a single message to a file as it arrives.
There is a separate memory cache for each output file. In most cases there is only a single output file, but
if AutoSplit or filters are used to split the messages into separate files, there could be additional active
output files.
When an output file cache is not being used X seconds, the cache is destroyed to save resources.
When the program shuts down, all the caches are written to the appropriate files so that no data is lost.
FILEWRITECACHEENABLED
Use this setting to enable or disable file write caching. When enabled, the "Log to File" action will cache the
output data for X seconds or X messages before writing to the log file. The data is cached in memory and
the log file is updated in bulk. This is more efficient than writing a single message to a file as it arrives.
Min value 0
Max value 1
Default value 1
FILEWRITECACHETIMEOUT
Use this setting to specify the timeout in seconds. After the timeout period the contents of the cache are
written to disk. The timer is started when the first message arrives in the cache. If the cache is not full and
has not been flushed before the timeout period has expired, the cache will be flushed automatically. This
value sets the maximum time that the cache will hold a message before writing it to disk. The less
frequently the disk is written to, the more efficient the file logging process becomes.
Min value 1
Default value 5
FILEWRITECACHEENTRIES
Use this setting to specify the maximum number of messages to be cached for each output file before
being written to file. Messages are added to the cache until the maximum is reached or the timeout period
elapses. The less frequently the disk is written to, the more efficient the file logging process becomes. The
messages are stored in memory in UNICODE which requires two bytes for each character in the message.
For example, a 100 character message requires 200 bytes of memory for storage.
Min value 10
FILEWRITECACHEMAXSIZEKB
Use this setting to specify the maximum cache size in KBytes. When the cache exceeds this size, it is
written to file. Messages are added to the cache until the maximum memory size is reached or the timeout
period elapses. The less frequently the disk is written to, the more efficient the file logging process
becomes. The messages are stored in memory in UNICODE which requires two bytes for each character in
the message. For example, a 100 character message requires 200 bytes of memory for storage. If you
experience any "Out of Memory" errors, lower this value or disable the file write caching.
Min value 1
Default value 50
FILEWRITECACHECLEANUP
Use this setting to specify the time (in minutes) that a cache can be inactive before it is destroyed. When a
cache becomes inactive and is not receiving any further messages, the cleanup process destroys the
cache to free up resources. No data is lost, because the cleanup process only destroys inactive caches that
have already been written to file.
Min value 10
Default value 10
Type Time (in minutes) that a cache can be inactive before being destroyed
FILEWRITECACHEFILELOCK
Use this setting to enable or disable log file locking.
For efficiency and security reasons, the log files can be held open in "append shared" mode. This improves
efficiency because the file does not have to be opened and closed with each write. While the file is held
open, no other application can modify or delete its contents; only new entries can be appended. The files
can be opened for viewing, but not for modification. Note that this protection applies only while the file is
held open.
If you are receiving high syslog message traffic, enable this option to improve performance. The only
drawback is that the file may not immediately show the new log entries. The OS caches the data until its
internal buffers are full and then writes the buffers to the file. Under heavy load this happens almost
immediately, but when traffic is low it can take a while for the buffers to fill and the data to be written.
The log file is automatically updated and closed when the cache has been inactive for
FileWriteCacheCleanup minutes.
Min value 0
Max value 1
Default value 0
FILEWRITECACHEOPENFILES
When FileWriteCacheFileLock is set to 1 (enabled), each log file is held open in "append shared" mode. The
program can only open a maximum of 255 files at once.
Use this value to set the maximum number of concurrently open files. Once this limit is reached, the
FileWriteCacheFileLock value for the current cache is disabled. Log files will then be opened and closed
with each cache write. If the Log to File action uses the AutoSplit syntax to create separate files for each
logging host, it is possible that more than 255 files could be opened at once (assuming more than 255
actively sending hosts). A value of 100 files is recommended to keep system resource usage to a
reasonable level.
Registry key (64-bit OS) HKEY_LOCAL_MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties
Min value 1
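To show how FileWriteCacheTimeout, FileWriteCacheEntries, FileWriteCacheMaxSizeKB and FileWriteCacheCleanup interact, here is an added Python model of a per-file write cache. It is example code written for this page, not Kiwi Syslog Server's implementation. Writes go to a callback instead of disk, the clock is injectable so the demo can step time, the limits are clamped to the minimums listed above, and sizes count two bytes per character as the guide describes. The sample log lines are constructed; file locking and the open-file limit are not modelled.

```python
import time


class FileWriteCache:
    """Per-output-file write cache modelled on the guide's FileWriteCacheTimeout,
    FileWriteCacheEntries, FileWriteCacheMaxSizeKB and FileWriteCacheCleanup settings."""

    def __init__(self, writer, timeout_s=5, max_entries=100, max_size_kb=50,
                 cleanup_minutes=10, clock=time.time):
        self.writer = writer                 # callable(path, lines): the actual disk write
        self.timeout = max(1, timeout_s)     # minimums as listed in the guide
        self.max_entries = max(10, max_entries)
        self.max_bytes = max(1, max_size_kb) * 1024
        self.cleanup = max(10, cleanup_minutes) * 60
        self.clock = clock
        self.caches = {}                     # path -> {"lines", "bytes", "first_at", "last_at"}

    def append(self, path, line):
        """Queue one log line for path; flush when the entry or size limit is reached."""
        now = self.clock()
        c = self.caches.get(path)
        if c is None:
            c = self.caches[path] = {"lines": [], "bytes": 0, "first_at": now, "last_at": now}
        if not c["lines"]:
            c["first_at"] = now              # the timeout runs from the first queued message
        c["lines"].append(line)
        c["bytes"] += 2 * len(line)          # queued as Unicode: two bytes per character
        c["last_at"] = now
        if len(c["lines"]) >= self.max_entries or c["bytes"] >= self.max_bytes:
            self._flush(path)

    def tick(self):
        """Timer callback: flush caches past their timeout, destroy caches idle past cleanup."""
        now = self.clock()
        for path in list(self.caches):
            c = self.caches[path]
            if c["lines"] and now - c["first_at"] >= self.timeout:
                self._flush(path)
            if not c["lines"] and now - c["last_at"] >= self.cleanup:
                del self.caches[path]        # nothing pending: safe to drop the cache

    def shutdown(self):
        """On program shutdown every cache is written out so that nothing is lost."""
        for path in list(self.caches):
            self._flush(path)
        self.caches.clear()

    def _flush(self, path):
        c = self.caches[path]
        if c["lines"]:
            self.writer(path, c["lines"])
            c["lines"], c["bytes"] = [], 0


def demo():
    """Two AutoSplit-style per-host files: one fills the entry limit, one waits for the timeout."""
    clock, writes = [0.0], []
    fwc = FileWriteCache(lambda path, lines: writes.append((path, list(lines))),
                         timeout_s=5, max_entries=10, max_size_kb=50, cleanup_minutes=10,
                         clock=lambda: clock[0])
    for i in range(10):                      # ten messages from fw1 reach FileWriteCacheEntries
        fwc.append("logs/fw1.log", "<34>Oct 11 22:14:%02d fw1 su: constructed line %d" % (i, i))
    clock[0] = 1.0
    fwc.append("logs/fw2.log", "<13>Oct 11 22:14:01 fw2 cron: constructed line 0")
    clock[0] = 3.0
    fwc.tick()                               # fw2's line is 2 s old: still cached
    writes_before_timeout = len(writes)
    clock[0] = 6.0
    fwc.tick()                               # fw2's line is 5 s old: timeout flush
    clock[0] = 700.0
    fwc.tick()                               # both idle for more than 10 minutes: caches destroyed
    return writes, writes_before_timeout, sorted(fwc.caches)
```

The FileWriteCacheTimeout value is the longest a message can sit in memory before it reaches the file, which matters if the process is killed rather than shut down cleanly: only shutdown() flushes unconditionally.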
LogFileDateSeparator
Use this Kiwi Syslog Server registry setting to change the separation character used in dates.
Normally the current date is represented in the YYYY-MM-DD format using a dash (-) as the separation
character. You can change the separation character to any character you like. For example, some countries
use a forward slash (/) as a date separator.
Be aware that changing the date separator may make the log files unreadable by some log file parsers and
reporters. Reporting software may be looking for the dash (-) characters and may get confused when they
are not present.
A normal Kiwi ISO log file format message is formatted like this:
If you change the separator character to forward slash (/), the message would become:
LogFileTimeSeparator
Use this Kiwi Syslog Server registry setting to change the default separation character used in times.
Normally the current time is represented in the HH:MM:SS format using a colon (:) as the separation
character. You can change the separation character to any character you like. For example, some countries
use a dot (.) as the time separator.
Be aware that changing the time separator may make the log files unreadable by some log file parsers and
reporters. Reporting software may be looking for the colon (:) characters and may get confused when they
are not present.
If you change the time separator character to dot (.), the message would become:
LogFileEncodingFormat
Use this Kiwi Syslog Server registry setting to change the encoding format used to write messages to log
files.
Normally the messages are written to the log files using the default encoding format (code page) of the
system. If you are receiving messages from systems that use different default code pages, the best
solution is to send/ receive the messages using UTF-8 encoding. Kiwi Syslog Server can be set to convert
the received messages into Unicode internally. When writing Unicode messages to a log file, it is
recommended that you use UTF-8 (code page 65001) encoding. UTF-8 can represent all of the Unicode
character set.
The code pages available on most Windows systems are listed on the Microsoft website. Common values are:
Code page   Value
ANSI        0 (the system default code page)
UTF-8       65001
If the number you specify is not a valid code page on your system, no data is written to the file.
If in doubt, use UTF-8 encoding (65001), as it handles all Unicode characters.
ScriptEditor
Use this Kiwi Syslog Server registry setting to choose an alternate script editor to be launched when you
click the Edit Script button. By default, the scripts are edited with Notepad. This setting applies only to the
Run Script action.
Type Path and file name of the script editor application.
ScriptTimeout
Use this Kiwi Syslog Server registry setting to specify the timeout value for scripts.
Some scripts may take longer to run than others. If your script causes a timeout error, you may want to
extend the timeout value for running the script. Because the scripts are processed in real time, a script
that takes a long time to run may cause message loss or delay the processing of other messages in the
queue. If you have a complex or long running script, it is recommended that you run it as a post process.
To do this, use the Windows Scripting Host to run your script against the log file that Kiwi Syslog Server
creates. Try to avoid using long running scripts in real time.
By default, the script can run for a maximum of 10 seconds before returning a timeout condition. If your
scripts need more time to process the data in real time, you can extend the timeout up to a maximum of
60 seconds. Setting the timeout value to 0 causes the script to never time out (this setting is not
recommended, as it can cause the program to fail if a script gets into an infinite loop).
Min value 0
Max value 60
Default value 10
Type Seconds
DBCommandTimeout
Use this Kiwi Syslog Server registry setting to specify the timeout value for logging messages to a database.
Min value 0
Max value 120
Default value 30
Type Seconds
The Log to Database action uses ADO to insert records into the specified database. By default ADO
database commands will timeout after 30 seconds if the database is busy or does not respond.
If you see ADO command timeout errors in the error log, you may want to extend the timeout value.
Because the database records are inserted in real time, a long timeout may cause message loss or delay
the processing of other messages in the queue. Only extend this timeout if you are experiencing timeout
errors.
By default, the database insert command will wait up to 30 seconds before returning a timeout condition.
If your database is slow and needs more time to process the data in real-time, you can extend the timeout
up to a maximum of 120 seconds. Setting the timeout value to 0 will cause the command to never timeout
(this setting is not recommended as it can cause the program to fail if the database does not respond).
ArchiveFileReplacementChr
Use this Kiwi Syslog Server registry setting to specify the character that replaces characters in the date
and time that are not valid in file names.
The archiving process uses the current system date and time to create dated files or dated folders for the
archived log files. Because the date format is user selectable, it may contain characters that are not valid
in file names. The archiving process creates a valid file or folder name by replacing invalid characters such
as "&*+=:;,/\|?<>" with a valid character such as "-".
For example, if the system date and time is 2004/12/25 12:45:00, the archiving process converts the
name to 2004-12-25 12-45-00. This string is used as a folder or file name for archiving purposes.
Instead of the "-" character, a different character can be chosen. Be aware that if an illegal character is
used as the replacement, the archiving process may create incorrect files or folders.
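The replacement rule above, as an added Python example written for this page (not the archiver's own code). The invalid-character set is the one the guide lists; the extra check that the chosen replacement is not itself one of those characters (nor a double quote or NUL, which Windows also rejects in names) is the practical safeguard: a path separator as the replacement would turn "2004/12/25" into a chain of folders instead of one name.

```python
# Characters the guide lists as invalid in file and folder names.
INVALID_IN_NAMES = frozenset('&*+=:;,/\\|?<>')
# Never legal in a Windows file name either, so never acceptable as the replacement.
NEVER_AS_REPLACEMENT = INVALID_IN_NAMES | frozenset('"\x00')


def archive_name(date_time_text, replacement="-"):
    """Turn a user-formatted date/time into a single safe file or folder name component."""
    if len(replacement) != 1 or replacement in NEVER_AS_REPLACEMENT:
        # A separator such as "/" or "\" here would change the folder structure; refuse it.
        raise ValueError("replacement must be one character that is legal in a file name")
    return "".join(replacement if ch in INVALID_IN_NAMES else ch for ch in date_time_text)
```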
ArchiveFileSeparator
When an archiving schedule is set up for "Use dated file names", a separator is placed between the
existing file name and the current system date and time. Normally this character is a dash ("-"). Use this
Kiwi Syslog Server registry setting to specify an alternative character.
UseOldArchiveNaming
Use this Kiwi Syslog Server registry setting to override the default Scheduled Archive Task archive naming
convention for single zip archives. Setting this to 1 makes Kiwi Syslog Server use the archive naming
convention that was in place before version 8.3.x. Only archive tasks that zip to a single zip file are
affected by this setting.
Min value 0
Max value 1
Type Number
ArchiveTempPath
Use this Kiwi Syslog Server registry setting to override the default temp folder used by Kiwi Syslog Server's
archiver. By default, the Windows temp folder location is used (usually C:\Windows\Temp, or C:\Documents
and Settings\<Username>\Local Settings\Temp).
This setting takes effect only if EnableArchiveTempFile has been enabled.
Type Folder path
EnableArchiveTempFile
Use this Kiwi Syslog Server registry setting to override the default Scheduled Archive Task archiving
behavior.
If set (to 1) then Kiwi Syslog Server will use Temporary files when creating Archives. A temporary file is
useful when writing to zip files located on write-once media (CD-WORM) or across a network because the
zip file is created in the temporary file (usually on a local drive) and written to the destination drive or
network location only when the zipping operation is complete.
Min value 0
Max value 1
Type Number
ErrorLogFolder
Use this Kiwi Syslog Server registry setting to specify the location of the errorlog.txt file where
operational errors are logged. By default, this file is located in the installation directory.
MailLogFolder
Use this Kiwi Syslog Server registry setting to specify the location of the SendMailLog.txt file where
mail activity is logged. By default, this file is located in the installation directory.
KRDPACKTimer
Use this Kiwi Syslog Server registry setting to specify the interval of the TCP_ACK protocol's
acknowledgment timer. By default, the protocol will acknowledge (ACK) the received packets after 200
milliseconds.
Min value 10
Type Milliseconds
KRDPKeepAliveTimer
Use this Kiwi Syslog Server registry setting to specify the interval between the sending of Keep Alive
messages to the connected sessions. This counter is a multiple of the KRDPACKTimer. For example, if
KRDPACKTimer is set to 200ms and you want a keep alive time of 5 seconds, you will need to set the value
to 25 (25 x 200ms = 5 seconds).
Min value 1
Default value 25
KRDPCacheFolder
Use this Kiwi Syslog Server registry setting to specify the location of the disk cache files that might be
created. Disk cache files are created only if the remote host is unavailable for some time and the memory
cache has become full.
KRDPRxDebug
Use this Kiwi Syslog Server registry setting to enable or disable the debug log file for KRDP receive events.
This is all the events relating to the KRDP TCP listener. The log file is created in the installation folder and
named KRDPRxDebug.txt.
The KRDP listener is created by enabling the Inputs > TCP option.
Min value 0
Max value 1
Default value 0
KRDPTxDebug
Use this Kiwi Syslog Server registry setting to enable or disable the debug log file for KRDP send events.
This is all the events relating to the KRDP senders. The log file is created in the installation folder and
named KRDPTxDebug.txt.
The KRDP senders are created by using the Forward to another host actions.
Min value 0
Max value 1
Default value 0
KRDPQueueSize
Use this Kiwi Syslog Server registry setting to specify the size of the message queues used to buffer the
KRDP and TCP messages. If the memory queue becomes full, the queue is written to a cache file.
Min value 50
KRDPQueueMaxMBSize
Use this Kiwi Syslog Server registry setting to specify the maximum size (in MB) of the memory queue.
As each buffered message is added to the memory queue the total size of the memory queue is
monitored. When the total size of the queue exceeds the KRDPQueueMaxMBSize setting, the queue is
written to a cache file. This ensures that if the messages are larger than normal, the system memory is not
exhausted.
Min value 1
Default value 20
Type Maximum size (in MB) of memory queue and cache file
KRDPAutoConnect
Use this Kiwi Syslog Server registry setting to specify whether the KRDP and TCP senders will try to
automatically connect to the remote host.
When this value is set to "1" the KRDP and TCP senders will try to automatically connect to the remote host.
If this value is set to "0" then a connection will only occur if there are messages queued to be sent.
Min value 0
Max value 1
Default value 1
KRDPConnectTime
Use this Kiwi Syslog Server registry setting to specify the time between connection retries. When a
connection cannot be made to the remote peer, a connection attempt will be made every
KRDPConnectTime seconds.
Section (64-bit Windows OS) HKEY_LOCAL_MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties
Min value 5
Default value 5
Type Seconds
KRDPSendSpeed
Use this Kiwi Syslog Server registry setting to specify the maximum number of messages that can be sent
per second. This allows the messages to be sent to the remote peer at a maximum speed and avoids
overloading the receiver or network link.
Min value 10
KRDPIdleTimeout
Use this Kiwi Syslog Server registry setting to specify the time the sending socket will remain connected
after the last message has been sent. Because TCP has an overhead when connecting and disconnecting,
the TCP connection will remain open for a time to allow any further messages to be sent without triggering
a new connection. The idle timer starts as soon as a message has been sent. If no further messages have
been sent in the time specified by KRDPIdleTimeout then the connection is closed.
Section (64-bit Windows OS) HKEY_LOCAL_MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties
Default value 60
Type Seconds
KRDPAddSeqToMsgText
Use this Kiwi Syslog Server registry setting to specify whether the KRDP listener adds the received
sequence number to the end of the message text.
Min value 0
Max value 1
Default value 0
When this value is set to "1" the KRDP listener will add the received sequence number to the end of the
message text. Each sequence number is unique per connection ID and will range from 0 to 2147483647.
For example:
The quick brown fox jumped over the lazy dogs back KRDP_Seq=5742
The quick brown fox jumped over the lazy dogs back KRDP_Seq=5743
The quick brown fox jumped over the lazy dogs back KRDP_Seq=5744
The quick brown fox jumped over the lazy dogs back KRDP_Seq=5745
ProcessPriority
Use this Kiwi Syslog Server registry setting to enable syslogd to modify its priority setting in Windows.
Section (32-bit Windows OS) HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
Min value 0
Max value 5
Default value 0
VALUE  PRIORITY LEVEL  DESCRIPTION
0  Low  Specify this class for a process whose threads run only when the system is idle. The threads of the process are preempted by the threads of any process running in a higher priority class. An example is a screen saver. The idle-priority class is inherited by child processes.
1  Below Normal  Indicates a process that has priority above Idle but below Normal.
2  Normal  (Default value.) Specify this class for a process with no special scheduling needs.
3  Above Normal  Indicates a process that has priority above Normal but below High.
4  High  Specify this class for a process that performs time-critical tasks that must be executed immediately. The threads of the process preempt the threads of normal or idle priority class processes. An example is the Task List, which must respond quickly when called by the user, regardless of the load on the operating system. Use extreme care when using the high-priority class, because a high-priority class application can use nearly all available CPU time.
5  Realtime  Specify this class for a process that has the highest possible priority. The threads of the process preempt the threads of all other processes, including operating system processes performing important tasks. For example, a real-time process that executes for more than a very brief interval can cause disk caches not to flush or cause the mouse to be unresponsive.
Use the OriginalAddressEndTag setting to override the default end tag for the sender's original address.
Normally, the syslog protocol is unable to maintain the original sender's address when forwarding/relaying
syslog messages. This is because the sender's address is taken from the received UDP or TCP packet.
Kiwi Syslog solves this problem by placing a tag in the message text that contains the original sender's
address. By default, the tag looks like Original Address=192.168.1.1. That is, the "Original Address=" tag,
followed by the IP address, followed by a " " (space) delimiter or tag.
These tags are only inserted if the "Retain the original source address of the message" option is checked in
the "Forward to another host" action.
The two registry keys above allow you to override the default start and end tags with custom start and end
tag values.
For example, when nnn.nnn.nnn.nnn is the originating IP address, the default originating address tags
yield the following:
Original Address=nnn.nnn.nnn.nnn
If you change the start tag to <ORIGIN> and the end tag to </ORIGIN>, the result is:
<ORIGIN>nnn.nnn.nnn.nnn</ORIGIN>
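The original-address tags and the KRDP_Seq suffix described above make relayed messages auditable at the receiving end. The following added Python example (not part of the guide or of Kiwi Syslog Server) extracts the original sender address using either the default tags or custom start/end tags, and flags missing, duplicated or reordered sequence numbers per connection. The connection IDs and log lines are constructed sample data.

```python
import re
# Kiwi's default tags: "Original Address=" start tag, a single space as end tag.
DEFAULT_START, DEFAULT_END = "Original Address=", " "
# Suffix appended by the KRDP listener when KRDPAddSeqToMsgText=1.
SEQ_RE = re.compile(r" KRDP_Seq=(\d+)$")

def extract_original_address(msg, start=DEFAULT_START, end=DEFAULT_END):
    """Return the original sender address carried in the message text, or None."""
    i = msg.find(start)
    if i < 0:
        return None
    i += len(start)
    j = msg.find(end, i)
    return msg[i:] if j < 0 else msg[i:j]

def split_seq(msg):
    """Strip a trailing ' KRDP_Seq=N' suffix, returning (text, N) or (msg, None)."""
    m = SEQ_RE.search(msg)
    return (msg, None) if not m else (msg[:m.start()], int(m.group(1)))

def check_sequence(conn_id, seq, last):
    """Report duplicate, reordered and missing sequence numbers per connection ID."""
    findings = []
    prev = last.get(conn_id)
    if prev is not None:
        if seq == prev:
            findings.append(f"{conn_id}: duplicate sequence {seq}")
        elif seq < prev:
            findings.append(f"{conn_id}: out-of-order sequence {seq} after {prev}")
        elif seq != prev + 1:
            findings.append(f"{conn_id}: {seq - prev - 1} message(s) missing "
                            f"between {prev} and {seq}")
    last[conn_id] = seq if prev is None else max(prev, seq)
    return findings

def audit(messages):
    """Run the continuity check over (connection_id, message_text) pairs."""
    last, findings = {}, []
    for conn_id, raw in messages:
        _text, seq = split_seq(raw)
        if seq is not None:
            findings.extend(check_sequence(conn_id, seq, last))
    return findings

# Constructed sample: one KRDP connection, default tags, message 5744 never arrived.
SAMPLE = [
    ("conn-1", "Original Address=192.168.1.1 link down on eth0 KRDP_Seq=5742"),
    ("conn-1", "Original Address=192.168.1.1 link up on eth0 KRDP_Seq=5743"),
    ("conn-1", "Original Address=192.168.1.1 config saved KRDP_Seq=5745"),
]
```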
MaxRuleCount
Use this Kiwi Syslog Server registry setting to specify the maximum number of rules allowed in Kiwi Syslog
Server.
Exceeding the maximum rule count of 100 is not recommended. Setting this value too high can
adversely affect performance and increase memory consumption dramatically. SolarWinds
recommends investigating alternative methods if you are approaching the rule count limit of 100.
Using the autosplit feature of file logging is one potential solution.
Min value 10
DBLoggerCacheClearRate
Use this Kiwi Syslog Server registry setting to specify the rate (in milliseconds) at which the Database
Cache is checked for SQL data to be executed.
Min value 10
Type Milliseconds
DBLoggerCacheTimeout
Use this Kiwi Syslog Server registry setting to specify the maximum age (in days) of an unchanged cache
file. Any database cache file that is older than this will be deleted by the system.
Min value 1
Max value 30
Default value 3
DBLoggerCacheDisable
Use this Kiwi Syslog Server registry setting to override the default database caching behavior.
Min value 0
Max value 1
Type Enabled or disabled
HostNosToDisplay
Use this Kiwi Syslog Server registry setting to specify the number of hosts to display in the statistics report.
Min value 25
Default value No default value. If required, you must manually add this setting.
Type Number
Start-up Debug
This command creates a debug file that contains the results from the program start-up and socket
initialization routines. The debug file is created in the installation directory, and the file name is based on
the program file it was used with (as described below).
This debug file can help you troubleshoot the following issues:
• If the program does not appear to be receiving messages on the port specified by the Inputs setup
option, check the start-up debug file to ensure that the sockets initialized correctly.
• If the program appears to crash on start-up, this option can help locate the problem.
If you are running Kiwi Syslog Server as a service, the service can't be provided with a command line
argument. Use the DebugStart registry entry to create this file.
PROGRAM FILE  DEBUG FILE
Syslogd.exe  Syslogd_Startup.txt
Syslogd_Service.exe  Syslogd_Service_Startup.txt
Syslogd_Manager.exe  Syslogd_Manager_Startup.txt
• Installing the service from the Manage menu of the Syslog Server Service Manager failed.
• You need to run the command from a batch file to automate the installation.
Applies to Syslogd_Service.exe
Silent option Follow this command line value with -silent to prevent the status message from
being displayed:
-install -silent
• Uninstalling the service from the Manage menu of the Syslog Server Service Manager failed.
• You need to run the command from a batch file to automate the process.
Be sure to stop the service before you uninstall it. To stop it from a command line, use the net stop
command. For example:
Applies to Syslogd_Service.exe
Silent option Follow this command line value with -silent to prevent the status message from
being displayed:
-uninstall -silent