0% found this document useful (0 votes)

367 views266 pages

Kiwi SysLog Administrator Guide

Kiwi Syslog Administrator Guide

Uploaded by

limchong

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

367 views266 pages

Kiwi SysLog Administrator Guide

Kiwi Syslog Administrator Guide

Uploaded by

limchong

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 266

ADMINISTRATOR GUIDE

Kiwi Syslog Server

Version 9.8.1

Last Updated: Monday, February 14, 2022

This document may not be reproduced by any means nor modified, decompiled, disassembled,
published or distributed, in whole or in part, or translated to any electronic medium or other means
without the prior written consent of SolarWinds. All right, title, and interest in and to the software,
services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates,
and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS
OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING
WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS
OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS
SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN
TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of
SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office,
and may be registered or pending registration in other countries. All other SolarWinds trademarks,
service marks, and logos may be common law marks or are registered or pending registration. All
other trademarks mentioned herein are used for identification purposes only and are trademarks of
(and may be registered trademarks) of their respective companies.

Administrator Guide: Kiwi Syslog Server page 2

Table of Contents
Kiwi Syslog Server Administrator Guide 8

Event Log Forwarder Guide 8

About Kiwi Syslog Server 9

Get started with Kiwi Syslog Server 9

Learn more about Kiwi Syslog Server 9

Features in the free and licensed editions of Kiwi Syslog Server 10

Overview of KSS licensed features 10

Detailed comparison of KSS free and licensed features 10

Configure devices to send messages to Kiwi Syslog Server 13

Set display options in Kiwi Syslog Server 14

Rename console displays and change display options in KSS 14

Customize KSS highlighting options and message font options 14

Add Kiwi Syslog Server rules 17

About Rules 17

Define rules 19

Add rule filters 19

Rule Actions 34

Test a filter or an action 74

Rearrange rules, filters, actions, and schedules 74

Copy a filter or an action to a different rule 75

Import and export rules 75

Keyboard shortcuts for rules, filters, actions, and schedules 76

Scripting resources 77

Scripting custom statistics fields 77

Script variables 78

Administrator Guide: Kiwi Syslog Server page 3

Script functions 83

JScript escape characters 99

Scripting dictionaries 100

Scripting tutorial 104

Create scheduled tasks 107

Create a scheduled task to archive log files 107

Create a scheduled task to delete files 110

Create a scheduled task to run a program 111

Create a scheduled task to run a script 113

Set alarms 116

Log file and database formats 118

Log file formats available in Kiwi Syslog Server 118

Create a custom log file format 121

Database formats available in Kiwi Syslog Server 123

Create a custom database format 125

DNS setup options 129

DNS resolution 129

DNS setup 131

DNS caching 133

Syslog message modifiers 137

Configure email options 140

Configure input options 144

Configure UDP input options 144

Configure TCP input options 146

Configure secure (TLS) TCP options 149

Configure SNMP trap input options 151

Enable keep-alive messages 156

Administrator Guide: Kiwi Syslog Server page 4

Enable IPv6 support 158

Enable a beep on every message 158

View syslog statistics 160

Protocols 164

The syslog protocol 164

The Kiwi Reliable Delivery Protocol (KRDP) 168

Error and mail logs 174

The error log 174

The send mail log 174

Registry settings for Kiwi Syslog Server 175

Best practices 175

Available settings 175

DisplayColumnsEnabled 178

DisplayRowHeight 179

MailStatsDeliveryTime 180

ServiceStartTimeout 180

ServiceUpdateTimeout 181

NTServiceSocket 181

NTServiceDependencies 182

DebugStart 182

DNSDisableWaitWhenBusy 184

DNSCacheMaxSize 184

DNSCacheFailedLookups 185

DNSSetupQueueBufferBurstCoefficient 185

DNSSetupQueueBufferClearRate 186

DNSSetupQueueLimit 186

DNSSetupDebugModeOn 187

Administrator Guide: Kiwi Syslog Server page 5

MsgBufferSize 187

MailAdditionalSubjectText 188

MailAdditionalBodyText 189

MailMaxMessageSend 190

File write caching settings 191

LogFileDateSeparator 195

LogFileTimeSeparator 196

LogFileEncodingFormat 196

ScriptEditor 198

ScriptTimeout 198

DBCommandTimeout 199

ArchiveFileReplacementChr 199

ArchiveFileSeparator 200

UseOldArchiveNaming 201

ArchiveTempPath 201

EnableArchiveTempFile 202

ErrorLogFolder 202

MailLogFolder 203

KRDPACKTimer 203

KRDPKeepAliveTimer 203

KRDPCacheFolder 204

KRDPRxDebug 204

KRDPTxDebug 205

KRDPQueueSize 205

KRDPQueueMaxMBSize 206

KRDPAutoConnect 206

KRDPConnectTime 207

Administrator Guide: Kiwi Syslog Server page 6

KRDPSendSpeed 207

KRDPIdleTimeout 208

KRDPAddSeqToMsgText 208

ProcessPriority 209

OriginalAddressStartTag and OriginalAddressEndTag 210

MaxRuleCount 212

DBLoggerCacheClearRate 212

DBLoggerCacheTimeout 213

DBLoggerCacheDisable 213

HostNosToDisplay 213

OriginalAddressPacketSniffing 214

Command line arguments 216

Start-up Debug 216

Service - Install Service 216

Service - Uninstall Service 217

Event Log Forwarder Administrator Guide 218

Event Log Forwarder Features 218

About the Event Log Forwarder 219

Subscriptions 236

Syslog Servers 244

Testing 248

Troubleshooting 250

Kiwi Syslog Web Access 251

Enabling SSL in Kiwi Web Access 251

Events 256

Administrator Guide: Kiwi Syslog Server page 7

Kiwi Syslog Server Administrator Guide

Kiwi Syslog Server Administrator Guide
Current version: 9.8.1

Kiwi Syslog Server is a syslog server for the Windows platform. It receives syslog messages and
SNMP traps from network devices such as routers, switches, and firewalls. Use this guide to further
configure and customize Kiwi Syslog Server beyond the Kiwi Syslog Server Getting Started Guide.

Download the PDF: Kiwi Syslog Server Administrator Guide

Event Log Forwarder Guide
The purpose of this guide is to assist you in installing, configuring, and using the Kiwi Syslog Server
Event Log Forwarder (ELF). Use the information in this guide to prepare your environment and begin
using Event Log Forwarder.

Download the PDF: Event Log Forwarder Guide PDF

Administrator Guide: Kiwi Syslog Server page 8

About Kiwi Syslog Server

About Kiwi Syslog Server
Kiwi Syslog Server is a syslog server for the Windows platform. It receives syslog messages and
SNMP traps from network devices such as routers, switches, and firewalls.

Kiwi Syslog Server includes many options for customization. For example, you can create rules to
automatically respond to messages that meet the specified criteria, and you can set up schedules to
automatically archive logs for regulatory compliance.

Get started with Kiwi Syslog Server
For information about downloading and installing Kiwi Syslog Server, including the system
requirements and port requirements, see the Kiwi Syslog Server Installation Guide.

When you initially install Kiwi Syslog Server, all features are available during a 14-day trial
period. When the trial period ends, you can continue to use the free edition with limited features
without purchasing a license, or you can enter a license key to access full features in the
licensed edition.

To upgrade to the latest version, see the Kiwi Syslog Server Upgrade Guide.

If you're new to Kiwi Syslog Server, see the Kiwi Syslog Server Getting Started Guide. This guide
walks you through examples of common configuration tasks.

Not seeing log messages in KSS? See the troubleshooting tips in the Getting Started Guide.

Learn more about Kiwi Syslog Server
In this guide you will learn more about:

l Configuring devices to send messages to Kiwi Syslog Server.
l Adding rules, filters, and actions to specify how Kiwi Syslog Server processes incoming
messages.
l Creating schedules to archive messages and automatically clean out the archives after the
required retaining period.
l Customizing your environment by choosing message highlighting and console display options.
l Creating scripts.
l DNS setup options.

Administrator Guide: Kiwi Syslog Server page 9

Features in the free and licensed editions of Kiwi Syslog Server

Features in the free and licensed editions of Kiwi
Syslog Server
When you initially install Kiwi Syslog Server, all features are available during a 14-day trial period.
When the trial period ends, you can continue to use the free edition with limited features without
purchasing a license. Or you can enter a license key to access the full features in the licensed edition.

Overview of KSS licensed features
With the licensed edition of Kiwi Syslog Server, you can:

l Receive messages from an unlimited number of devices.
l Automatically split logs by device, functional role, or message contents to improve log
organization.
l Implement your log retention policy with automatic archival and clean-up tasks.
l View messages from anywhere using Kiwi Syslog Web Access, a secure Web viewer.
l Apply message highlighting rules and DNS resolution of obscure IP addresses to help you
quickly find the information you need.
l Forward messages to other syslog servers, databases (such as SQL Server), the Windows
Event Log, SNMP, or other email addresses. You can configure Kiwi Syslog Server to act as a
"syslog proxy" (spoof) and forward messages with original source information in the forwarded
messages.
l Set up filters to react to specified message content, types of messages, messages sent at
specified times, or a number of similar messages (such as five alerts in a row).
l Configure additional actions, including sending email notifications, playing sounds, running
scripts, and running executables. Scripts and executables can be used to implement advanced
filters and actions.

Detailed comparison of KSS free and licensed features
Free edition Licensed edition
Collecting messages

Maximum devices 5 Unlimited

Syslog (UDP and TCP)

Administrator Guide: Kiwi Syslog Server page 10

Detailed comparison of KSS free and licensed features

Free edition Licensed edition
SNMP

Message buffer 500 500,000

Logging to disk

Write logs to disk

Split by priority

Split by time of day

Split by IP or host name

Split by network

Split on message content

Split by input source (UPD, TCP, or SNMP)

Log file retention

Unique log per day

Rotate on number of files

Rotate on file size

Rotate on file age

Viewing messages

Display windows 10 25

Statistics graphs

Custom font and color

Web-based displays

Highlighting rules

DNS resolution of IPs

Forwarding messages

To syslog (UDP or TCP)

Administrator Guide: Kiwi Syslog Server page 11

Detailed comparison of KSS free and licensed features

Free edition Licensed edition
To database

To Windows Event Log

To SNMP

To email

As proxy (spoofed source)

Filtering messages

By time received

By priority

By host name or IP address of sending device

By message text

By input source

By count of similar messages

Reacting to messages

High traffic alert

Send email

Play sound

Run script

Run executable

Configuring server and rules

Tray icon status

GUI management application

Secure Web access

Administrator Guide: Kiwi Syslog Server page 12

Configure devices to send messages to Kiwi Syslog Server

Configure devices to send messages to Kiwi
Syslog Server
To receive messages from a syslog-capable device, configure the device to send syslog messages to
the appropriate port on the computer where Kiwi Syslog Server is installed.

Kiwi Syslog Server automatically listens for UDP messages on port 514. This is the default port for
devices sending syslog messages as defined by the RFC standard 5426.

You can configure Kiwi Syslog Server to listen for UDP message on a different port. You can
also enable Kiwi Syslog Server to listen for TCP messages, secure TCP messages, and SNMP
traps.

For information about configuring a specific device, see documentation from the device manufacturer.
The Kiwi Syslog Server Getting Started Guide provides an example of configuring a Cisco switch.

Message logging must be enabled on the device. On many devices that generate syslog
messages, logging is enabled by default.

If you have configured devices but Kiwi Syslog Server is not displaying messages, see the
troubleshooting tips in the Getting Started Guide.

Administrator Guide: Kiwi Syslog Server page 13

Set display options in Kiwi Syslog Server

Set display options in Kiwi Syslog Server
You can rename and configure the console displays, and you can choose highlighting options for
messages.

l Rename console displays and change display options
l Choose message display options

Rename console displays and change display options in
KSS
Kiwi Syslog Server provides multiple displays that you can use to segment data. For example, you
can create rules to log all messages to the default display but only high-priority messages to another
display. You can give each display a more meaningful name, and specify other display options such
as how many rows are shown.

1. Select File > Setup.
2. Click Display.
3. To rename a display:
a. Select the display under Modify display names.
b. Enter the new name in the box on the right.
c. Click Update.
The menu on the left is updated.

4. To change other display options, select or clear the associated check boxes.

Except for display names, the changes you make affect all displays.

5. Click Apply to save changes to the displays.
6. Click OK.

Customize KSS highlighting options and message font
options
You can customize how messages are displayed in the console:

Administrator Guide: Kiwi Syslog Server page 14

Customize KSS highlighting options and message font options

l Use highlighting to apply a set of display options to messages that meet the specified criteria.
l Change the font, style, and color of the message text.

Highlighting options
This feature is available only in the licensed edition.

Use the highlighting options in Kiwi Syslog Server to specify a set of highlighting rules, which are
applied to each message shown on the Kiwi Syslog Service Manager display. Highlighting rules are
evaluated from the top-down, and the associated effects are applied to any syslog messages that
match a given rule.

1. Select View > Highlighting options.
2. Select the following options and click OK.

Highlight Highlighting rules that will be applied to syslog messages:
Items
l The message to be displayed
l The message field that will be searched
l The string pattern that will be searched for
l The effect to be applied
Select or unselect the leftmost checkbox on each row of the list to activate or
deactivate individual rules.
Add or delete highlighting rules by clicking the buttons on the toolbar to the right of
the highlights list.
Rule precedence can be changed in this toolbar as well, by clicking the up/down
arrows.

When first accessing the Highlighting Options, you may be prompted "No
highlighting rules have been found. Do you want to create some default rules
based on Syslog Priorities?". If you answer yes, default rules based on
Syslog Priority are created for you.

Administrator Guide: Kiwi Syslog Server page 15

Customize KSS highlighting options and message font options

String to The string pattern that is searched for in the selected syslog message field.
match
Regular If checked, this option specifies if the string to match is a regular
Expression expression. See Regular Expressions.

Invert Match If checked, this option specifies that the effect is applied only if a
match is NOT found.

Ignore Case If checked, the search pattern (string to match) is treated as case
insensitive.

Highlight Select the desired formatting and icons.
Effects
A set of default icons is supplied. You can add additional icons by dropping them in
the <Program Files>\Syslogd\Icons directory. The icon list is loaded at
startup. If you add new icons you must restart Kiwi Syslog Server for the new icons
to be displayed in this list.

Message font options
1. Select View > Choose font.
2. Select the font options, such as style and color, for displayed messages, and click OK.

If non ASCII characters appear in the display as blanks or square blocks, it means that the
selected font doesn't contain the required Unicode character glyph. If you have Microsoft Office
installed, Arial MS Unicode includes all Unicode glyphs.

Administrator Guide: Kiwi Syslog Server page 16

Add Kiwi Syslog Server rules

Add Kiwi Syslog Server rules
Use rules to specify how Kiwi Syslog Server processes the syslog messages it receives. You can then
customize each rule by setting filters and actions. Rules determine what actions Kiwi Syslog Server
takes when it receives a message, and which messages trigger these actions. For example, you can
create rules to:

l Log messages to a file.
l Send an email for high priority level messages.
l Run a script on messages containing specific words or phrases.

Use filters and actions to define rules.

l Filters determine which messages trigger actions. If a rule does not include filters, all messages
are acted on.
l Actions determine what happens when a message passes all filters.

You can define up to 100 rules in Kiwi Syslog Server. Each rule can include up to 100 filters and 100
actions. See the following topics to customize rules:

l About rules
l Define rules
l Rule filters
l Rule actions
l Test a filter or action
l Rearrange rules, filters, and actions
l Copy a filter or an action to a different rule
l Import and export rules
l Keyboard shortcuts for rules, filters, actions, and schedules

About Rules
Apply rules in the order you want the Kiwi Syslog Server to receive them. When a rule applies to a
message, Kiwi Syslog Server matches the message against each filter in the rule, starting with the top
filter.

l If each condition in the filter returns TRUE, Kiwi Syslog Server matches the message against the
next filter in that rule.
l If a condition in the filter returns FALSE, processing stops for that rule and Kiwi Syslog Server
applies the next rule to the message.

Administrator Guide: Kiwi Syslog Server page 17

About Rules

If the messages passes all filters within a rule, Kiwi Syslog Server performs each action in order,
starting with the action at the top of the list. When Kiwi Syslog Server completes the actions within a
rule, and then applies the next rule.

Default rule
When you install Kiwi Syslog Server, it automatically creates a rule called Default that applies two
actions to each message:

Administrator Guide: Kiwi Syslog Server page 18

Define rules

l Displays each message on the Kiwi Syslog Service Manager console.
l Logs each message to the SyslogCatchAll.txt file, located in the \Logs directory of the Kiwi
Syslog Server installation folder.

Define rules
Add rules to define the actions Kiwi Syslog Server takes when a message meets specified criteria.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the Kiwi Syslog Server dialogue box, right-click Rules and click Add rule.
A new rule is added to the tree.
3. Right-click the default name. Select Rename to enter a descriptive name.

4. Add rule filters.
5. Add rule actions.
6. Click OK to save your changes.

Add rule filters
Add up to 100 filters to each rule to determine which messages trigger the actions in the rule.

Kiwi Syslog Server applies filters in listed order. The output from the first filter becomes the input for
the next filter. You can change the order of the filters applied to a rule.

See the following topics for more information:

l Filter messages based on priority
l Filter messages based on IP address
l Filter messages based on host name
l Filter messages based on message text
l Filter messages based on time of day
l Trigger actions based on flags or counters
l Filter messages based on input source
l Regular expressions supported by Kiwi Syslog Server

Filter messages based on priority
Each incoming message contains a priority value, consisting of a facility and a level. Use the Priority
filter to trigger an action when you receive high or low priority messages. For example, you can create
a rule that sends an email when you receive a message with a critical or higher priority level.

Administrator Guide: Kiwi Syslog Server page 19

Add rule filters

If a rule does not contain a Priority filter, the Kiwi Syslog Server includes all priorities.

7. Right-click the highlighted area and select Toggle to On.
Green check marks indicate the column cells included in the Priority field.

8. Test the filter.
9. Click Apply.

Only messages with the priorities you select trigger the actions in the associated rule.

Filter messages based on IP address
This feature is available only in a licensed edition of Kiwi Syslog Server.

Use an IP address filter to include or exclude messages based on the IP address of the sending
device. Only messages from the IP addresses you include trigger the actions in the associated rule.

If a rule does not contain an IP address filter, the Kiwi Syslog Server includes all IP addresses.

Administrator Guide: Kiwi Syslog Server page 20

Add rule filters

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Filters below the rule, and click Add Filter.
4. Right-click the default filter name. Select Rename Filter to enter a descriptive name.
5. In the Field menu, select IP address.
6. Select an option from the Filter Type menu, and specify IP addresses.

Simple Enter IP addresses to include in the filter. Enclose each IP address in quotation
marks.
There is an OR operator between each IP address. Messages from any of the listed
IP addresses are included.

For example, a message is included if the IP address of the sending device is
192.0.2.14 or 192.0.2.15.

Administrator Guide: Kiwi Syslog Server page 21

Add rule filters

Complex Enter IP addresses to include or to exclude in the filter. Enclose each IP address in
quotation marks.
There is an OR operator between IP addresses on the same line. Messages are
included or excluded if they are sent from any of the IP addresses on the line.

For IP addresses, Complex filters are primarily used to exclude specific
addresses. Do not use both the Include and Exclude sections. If you include
specific IP addresses, all others are automatically excluded. Do not use the
And fields.

For example, a message is excluded if the IP address of the sending device is
192.0.2.14 or 192.0.2.15.

RegExp Enter one or more regular expressions to specify the IP addresses to include or
exclude in the filter.

IPv4 Enter the range of IP addresses to include, exclude, or both in the filter.
Range
For example, a message is included if the IP address of the sending device is
between 203.185.100.0 and 203.185.100.255, but is not between
203.185.100.10 and 203.185.100.20.

Administrator Guide: Kiwi Syslog Server page 22

Add rule filters

IPv4 Specify a range of IP addresses to include or exclude in the field based on mask
Mask matching. The IP address is logically conditioned with an AND relationship to the
specified Mask and then compared with the IP address of the sending device. If the
two addresses are on the same subnet, the filter result is TRUE.
For example, the message is excluded if the IP address of the sending device is
within the range of 192.168.0.0 to 255.255.255.240.

IPv6 Enter the range of IP addresses to include, exclude, or both in the filter. For a range
Range example, see IPv4 Range.

7. Test the filter.
8. Click Apply.

Filter messages based on host name
This feature is available only in the licensed edition of Kiwi Syslog Server.

Use the Hostname filter to include or exclude messages in the filter based on the host name of the
sending device. Only messages from the host you include trigger the actions in the associated rule.

If a rule does not contain a Hostname filter, the Kiwi Syslog Server includes all hosts.

Administrator Guide: Kiwi Syslog Server page 23

Add rule filters

Simple Enter host names to include in the filter. Enclose each name in quotation marks.
There is an OR operator between the host names. Messages from any of these
hosts are included.

Complex Enter the host names to include or to exclude in the filter. Enclose each name in
quotation marks.
There is an OR operator between host names on the same line. Messages are
included or excluded if they are sent from any of the hosts on the line.

RegExp Enter regular expressions to specify the host names to include or exclude in the
filter.

7. Test the filter.

8. Click Apply.

Filter messages based on message text
This feature is available only in a licensed edition of Kiwi Syslog Server.

Use the Message text filter to include or exclude messages in the filter based on the content of the
message. Only messages you include trigger the actions in the associated rule. For example, you can
create rules to send an email or run a script when a message contains specific text strings.

If a rule does not contain a Message text filter, the Kiwi Syslog Server includes all messages.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.

3. Right-click Filters below the rule, and click Add Filter.
4. Right-click the default filter name. Select Rename Filter to enter a descriptive name.
5. In the Field menu, select Message text.
6. Select an option from the Filter Type menu, and specify text strings.

Administrator Guide: Kiwi Syslog Server page 24

Add rule filters

7. Simple Enter text strings to include in the filter. Enclose each text string in quotation marks.

There is an OR operator between the strings. A message filter criteria returns TRUE
if it includes any of the strings.

l Select the C button to make the search case-sensitive.
l Select the S button to perform a substring search. The S button is
selected by default. A substring search returns TRUE if the text string is
anywhere in the message.
Deselect the S button to perform a whole string search. A whole string
search returns TRUE only if the text string matches the entire message
text.
For example, if the text string is "down" and the messages is System down, a
substring search returns TRUE, but a whole string search does not.

In the following example, Kiwi Syslog Server includes a message if it contains POP3
or SMTP or MAPI. The filter is not case-sensitive.

Administrator Guide: Kiwi Syslog Server page 25

Add rule filters

Complex Enter text strings to include, exclude, or both in the filter. Enclose each text string in
quotation marks. There is an OR operator between strings on the same line.
Enter strings on the And line to include a Boolean AND operator.

Include Kiwi Syslog Server includes a message if it contains any string on the
Include line and any string entered in the And field.
For example, Kiwi Syslog Server includes a message if it contains
(server or system) and (down or inaccessible).

The message "The system is down" is included, but not "The system is
up."

Exclude Kiwi Syslog Server excludes a message if it contains any string on the
Exclude line and any string entered in the And field.
For example, Kiwi Syslog Server excludes a message if it contains
recommended action (not case-sensitive) and None required (case
sensitive).

Administrator Guide: Kiwi Syslog Server page 26

Add rule filters

Both You can use both the Include and Exclude fields. In the following
example, Kiwi Syslog Server includes a message if it contains
(server or system) and (down or inaccessible) but does not contain
test.

The message System down is included, but not the message Test
system down.

RegExp Enter regular expressions to specify text strings to include or exclude in the filter.
Test the filter.
8. Click Apply.

Filter messages based on time of day
Use the Time of day filter to include messages sent during specific times. For example, you can use
this filter to stop processing messages sent during test or maintenance periods.

Only messages sent during the specified times trigger actions in the associated rule.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Filters below the rule, and click Add Filter.
4. Right-click the default filter name. Select Rename Filter to enter a descriptive name.
5. In the Field menu, select Time of day.
6. Click a cell or column header to select cells and to specify the times. Selected cells are
highlighted.

To exclude a time period, select that time period and click Inverse.

Administrator Guide: Kiwi Syslog Server page 27

Add rule filters

7. Right-click the highlighted area and select Toggle to On.
Green check marks indicate that the column cells are included.

8. Test the filter.
9. Click Apply.

Trigger actions based on flags or counters
This feature is available only in a licensed edition of Kiwi Syslog Server.

Use Flags/Counters filters to trigger or suppress actions based on the number of times a filter returns
TRUE during the specified interval.

l Use a Time interval filter to avoid triggering the same action multiple times during the specified
interval.
Example: a rule sends an email alert when a message contains the text link down. When a
problem occurs, the link goes up and down a number of times a minute. As a result, you receive
an email alert for each link down message. To prevent receiving several alerts for the same
event, include a Time interval filter with a value of 5. Kiwi Syslog Server sends an email alert for
the first "link down" message. Other link down messages received during next five minutes do
not trigger additional email alerts.
l Use a Threshold filter to receive alerts when a message is sent more than a certain number of
times during the specified interval.

Administrator Guide: Kiwi Syslog Server page 28

Add rule filters

Example: you occasionally receive a message containing the text port scan detected, but

you don't want to receive alerts unless it occurs more than five times within a minute. That
frequency would indicate that someone is persistently scanning your network.
You can also use this filter to watch for failed login attempts. If the text login failed occurs
more than five times within 30 seconds, it could indicate a brute force login attempt.
l Use a Timeout filter to monitor syslog devices and send an alert when a device is unexpectedly
quiet. This filter triggers an action when the filters that precede it in the rule are not met a
minimum number of times per interval.
Example: your firewall normally generates at least 200 messages per hour. If the number of
messages drops below 10 in an hour, this filter triggers an email alert.

Use the reset flags and counters action to reset the internal counter or timer used by these
filters. The internal counter or timer used by these filters can be reset with the action to reset
flags and counters.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Filters below the rule, and click Add Filter.
4. Right-click the default filter name. Click Rename Filter to enter a descriptive name.
5. In the Field menu, select Flags/Counters.
6. Select an option from the Filter Type menu.
To avoid conflicts in processing, the filter options below should not be used together within the
same rule filter. Each filter type must reside in its own individual filter.

Time Enter a time interval in minutes.
interval
A Time interval filter prevents subsequent rule filters from processing for the
specified interval. A time interval filter should be the last filter in a rule. You
can reorder filters. This filter should not be in the same rule with the
Threshold or Timeout filters.

Administrator Guide: Kiwi Syslog Server page 29

Add rule filters

Threshold a. Enter the threshold and interval in seconds.

b. To have a separate interval message counts from different IP addresses,
select Maintain individual threshold counts.

A Threshold filter prevents subsequent rule filters from processing for the
specified interval. A threshold filter should be the last filter in a rule. This
filter should not be in the same rule with the Time Interval or Timeout filters.

Timeout To configure a Timeout filter:
a. Add filters before the Timeout filter to specify which messages to count. For
example, to watch for inactivity on the firewall, create a filter to include only
messages from the firewall's IP address.
b. In the Timeout filter, enter the minimum number of times the message should
be received in Kiwi Syslog Server.
c. Enter the time interval in minutes.
d. To avoid triggering an alert at times when low activity is expected, add a
Time of day filter to include only certain days and time periods.

A Timeout filter prevents subsequent rule filters from processing for the
specified interval. Other than the optional Time of day filter, a timeout filter
should be the last filter in a rule. This filter should not be in the same rule as
the Time interval or Threshold filters.

When this filter returns TRUE, a message with the following format is passed to
actions in the rule:
Priority: Local7.Debug (191)

HostIP: 127.0.0.1 (localhost)
MsgText: The rule 'ruleName' has only been matched x times in y minutes. The
threshold was set for z times.

7. Test the filter.
8. Click Apply.

The Kiwi Syslog Server triggers actions in the associated rule when the specified threshold is
exceeded (for Time interval and Threshold filters) or is not met (for Timeout filters).

Filter messages based on input source
This feature is available only in a licensed edition of Kiwi Syslog Server.

Administrator Guide: Kiwi Syslog Server page 30

Add rule filters

Use the Input source filter to trigger an action if the input source of the message matches one of the
selected input sources. For example, only triggering on incoming TCP messages.

If there is no Input source filter in the rule, the Kiwi Syslog Server includes all messages.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Filters below the rule, and click Add Filter.
4. Click the default filter name, and enter a descriptive name.
5. In the Field menu, select Input source.
6. Select one or more input sources.

7. Test the filter.
8. Click Apply.

The Kiwi Syslog Server triggers actions in the associated rule when messages are received from the
selected input source.

Regular expressions supported by Kiwi Syslog Server
When adding a Kiwi Syslog Server filter based on IP address, host name, or message text, use the
following regular expression characters and sequences to specify the filter values.

Character Description
^ Looks only at specified characters at the beginning of a string.

Example: ^stuff matches any string starting with stuff.
$ Looks only at specified characters at the end of a string.

Example: stuff$ matches any string ending with stuff.
. Matches any character, except line breaks.

Example: o.d matches old, odd, or ord.
? Matches when the previous character is repeated zero or one time.

Example: od? matches o or od.
* Matches when the previous character is repeated zero or more times.

Example: 10* matches 1, 10, 100, 1000, and so on.

Administrator Guide: Kiwi Syslog Server page 31

Add rule filters

Character Description
+ Matches when the previous character is repeated one or more times.

Example: 12+3 matches 123, 12223, 1222223, and so on. Does not match 13.
\ Escapes the next character.

When the next character in the syntax is a special character, use this to indicate that
the character should be interpreted literally.

Example: \.\*\+\\ matches .*+\.
| Separates alternative word or letters.

Example: z|wood matches both z and wood. And (Hello | Hi) world matches

Hello world and Hi world.

{n} Matches the preceding character exactly n times, where n is a non-negative integer.

Example: o{2} does not match the singular o in Bob, but matches the first two o's in
foooood.

{n,} Matches the preceding character at least n times.

Example: o{2} does not match the singular o in Bob, but matches all the repeating
o's in foooood. o{1,} is equivalent to o+. o {0,} is equivalent to o*.

{n,m} Matches the preceding character at least n times but not more than m times.

Example: o{1,3} matches the first three o's in fooooood. o{0,1} is equivalent to
o?.

[] Matches any character enclosed within the brackets.

Example: [abc] matches the a in plain.
[^ ] Matches any character not enclosed within the brackets.

Example: [^abc] matches the k in back.
[a-z] Matches any character in the specified range.

Example: [m-s] matches any lowercase alphabetic character in the range m through
s.

[^a-z] Matches any character not in the specified range.

Example: [^m-s] matches any character not in the range m through s.

Administrator Guide: Kiwi Syslog Server page 32

Add rule filters

Character Description
\b Matches a word boundary, that is, the position between a word and a space.

Example: er\b matches the er in never but not the er in verb.
\B Matches a non-word boundary.

Example: ear\B matches the ear in never early.
\0-9 Matches a digit character. Equivalent to [0-9].
\0-9 Matches a non-digit character. Equivalent to [^0-9].
\f Matches a form-feed character.
\n Matches a newline character.
\q Matches a quote character or ASCII value of 34.

Example: dst=\qLOCAL MACHINE\q matches any occurrence of dst="LOCAL
MACHINE"

\r Matches a carriage return character.
\s Matches any white space including space, tab, form-feed, etc. Equivalent to [
\f\n\r\t\v].

\S Matches any nonwhite space character. Equivalent to [^ \f\n\r\t\v].
\t Matches a tab character.
\v Matches a vertical tab character.
\w Matches any word character including underscore. Equivalent to [A-Za-z0-9_].
\W Matches any non-word character. Equivalent to [^A-Za-z0-9_].
(x)\n Matches consecutive identical characters or strings, where x is the character or
string and n is the number of times it is repeated, not including the first occurrence.

Example: (.)\1 matches any two consecutive identical characters.
\n Matches n, where n is an octal escape value. Octal escape values must be 1, 2, or 3
digits long. For example, \11 and \011 both match a tab character. \0011 is the
equivalent of \001 and 1. Octal escape values must not exceed 256. If they do, only
the first two digits make up the expression. This allows ASCII codes to be used in
regular expressions.

Administrator Guide: Kiwi Syslog Server page 33

Rule Actions

Character Description
\xn Matches n, where n is a hexadecimal escape value. Hexadecimal escape values
must be exactly two digits long. For example, \x41 matches A. \x041 is equivalent
to \x04 and 1. This allows ASCII codes to be used in regular expressions.

Example: dst=\x22LOCAL MACHINE\x22 matches any occurrence of dst="LOCAL
MACHINE", because Hex(22) = ASCII 34, or "

Rule Actions
Actions are triggered when all the filters for a rule are evaluated as TRUE. Multiple actions can be
defined for each rule. You can define actions to do the following:

l Display a message
l Log messages to a file
l Forward messages to another host
l Play a sound
l Run an external program
l Send an email message
l Send a syslog message
l Log messages to a database
l Log messages to a database with bulk insert
l Log to the NT event log
l Send an SNMP trap
l Stop processing the message
l Run a script
l Send a pager or SMS message via NotePager Pro
l Log messages to Kiwi Server Web Access
l Reset flags and counters
l Log messages to Papertrail.com (a cloud-based server)
l Log messages to Loggly
l Log file rotation
l AutoSplit values
l Message content or counters

Add an action to display a message
You can add an action to display syslog messages on one of the Kiwi Syslog Server display screens.

Administrator Guide: Kiwi Syslog Server page 34

Rule Actions

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Actions below the rule, and click Add Action.
4. Click the default action name, and enter a descriptive name.
5. From the Action menu, select Display.
6. Select the display screen.

You can change the name of a display screen.

7. Test the action.
8. Click Apply.

Add an action to log messages to a file
You can add a Kiwi Syslog Server action to log messages to a file in the file format you select. By
logging messages to a file, you can archive received logs for compliance with, for example, internal
security or regulatory requirements.

Administrator Guide: Kiwi Syslog Server page 35

Rule Actions

Path and Enter a path and file name, or browse to select a file. The default file location is
file name <installPath>\Logs\SyslogCatchAll-%DateISO.txt.
of log file
To split incoming messages into multiple files, insert an AutoSplit value in the
path or file name.
For example, the current date variable %DateISO is inserted at the end of the
default file name. This appends the date to the end of the file name, so a new
message log file is created for each day.
To select a value:
a. Place your cursor in the path or file name at the location you want to insert
the AutoSplit value.
b. Click Insert AutoSplit value and select the value.

Log file Specify the file format. You can select a standard format or create a custom
format format.
Custom formats are listed at the end of the Log file format menu, after the standard
and reserved formats.

7. (Optional) Configure automatic log file rotation.
8. Test the action.
9. Click Apply.

You can use schedules in Kiwi Syslog Server to automate log file archival and retention.

Add an action to forward messages to another host
You can add a Kiwi Syslog Server action to forward the received message to another syslog host
using the specified syslog protocol. This is beneficial if you need to pass log messages to team
members that resides in a different location than your host machine. For example, your company has
teams in both the United States and in Japan who monitor log messages.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Actions below the rule, and click Add Action.
4. Click the default action name , and enter a descriptive name.
5. From the Action menu, select Forward to another host.

Administrator Guide: Kiwi Syslog Server page 36

Rule Actions

6. Specify the remote host IP address or host name. To send messages to multiple hosts, separate
each host name or IP address with a comma. For example:
Myhost.com, SecondHost.net, 203.75.21.3, ABC:567:0:0:8888:9999:1111:0

7. Specify the protocol.
The Kiwi Reliable Delivery Protocol (KRDP) works between two Kiwi Syslog Servers to reliably
deliver syslog messages over a TCP transport.
8. Specify the port number. Recommended values are:
l UDP: Port 514
l TCP: Port 1468 or port 601
l KRDP: Port 1468
9. Configure any of the following optional values.
New Forces outgoing messages to use a specified facility. In most cases, accept the
Facility default value of - No change -.

New Level Forces outgoing messages to use a specified level. In most cases, accept the
default value of - No change -.

Administrator Guide: Kiwi Syslog Server page 37

Rule Actions

KRDP Specifies the unique name assigned to the KRDP connection. Each connection
connection between the source and destination syslog Server needs to be identified. When
identifier the connection is broken and re-established, the sequence numbers can be
exchanged and lost messages can be resent. A separate set of message
sequence numbers are kept against each connection identifier.
For example: Source:RemoteOffice1 or SyslogServer1
The string of text used uniquely identifies the source of the connection to the
destination syslog Server.
If you have more than one "Forward to another host" action configured, you can
use the same connection identifier on all actions. This means that a single KRDP
connection is made between the source and destination syslog Servers. If you
specify a different connection identifier, multiple KRDP sessions are created.

To ensure that the identifier is unique, we recommend the use of the
%MACAddress variable. This variable is replaced by the first MAC address of the
machine.
For example: Source:RemoteOffice1-%MACAddress
When running, the ID would look like: Source:RemoteOffice1-AA-BB-CC-DD-
EE-FF-00. The MAC Address is globally unique to each network card.

Send with Adds the standard RFC3164 header information to the outgoing message. The
RFC3164 format is:
header
<Priority>Date Hostname PID Message text
information
The Priority is a value between 0 and 191.
The Date is in the format of Mmm DD HH:NN:SS (July 4 12:44:39). Note there is no
year specified. The PID is a program identifier up to 32 characters in length.

Administrator Guide: Kiwi Syslog Server page 38

Rule Actions

Retain the Normally, the syslog protocol is unable to maintain the original sender's address
original when forwarding syslog messages. This is because the sender's address is taken
source from the received UDP or TCP packet.
address of
Kiwi Syslog solves this problem by placing a tag in the message text that contains
the
the original sender's address. By default, the tag looks like Original
message
Address=192.168.1.1. That is, the Original Address= tag, followed by the IP
address, followed by a " " (space) delimiter or tag.
These tags are inserted only if the "Retain the original source address of the
message" option is selected.

If the "Spoof Network Packet" option is used, then the Original
Address= tag is not used. The Syslog packet is forwarded to the
destination address as though it has been sent from the originating IP
address.

Use a Uses a fixed IP address in the Original Address= tag. This can be useful when

fixed you want to identify outgoing messages as coming from a particular host. For
source IP example, if you have more than one remote syslog servers sending messages to
address one central location. If each of the remote syslogs use the 10.0.0.x address range,
the received messages appear from the same host. Specifying a different source
IP address for each remote syslog could help in identifying the incoming
messages better.

Administrator Guide: Kiwi Syslog Server page 39

Rule Actions

Spoof This option only applies to syslog messages forwarded via UDP protocol with
Network IPv4 address only.
Packet
The network packet is spoofed to appear as though the forwarded message has
come directly from the originating devices' IP address, and not the address of the
Syslog Server. Kiwi Syslog Server uses the Selected Network Adapter to send
the spoofed UDP/IP packet.

This feature is only available in a licensed edition of Kiwi Syslog Server. It
requires NpCap (with NpCap Loopback Adapter) installation.

10. Test the action.
11. Click Apply.

Add an action to play a sound
You can add a Kiwi Syslog Server action to play a sound when a message matches the associated
filters.

This feature is available only in a licensed edition of Kiwi Syslog Server.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.

Administrator Guide: Kiwi Syslog Server page 40

Rule Actions

3. Right-click Actions below the rule, and click Add Action.
4. Click the default action name, and enter a descriptive name.
5. From the Action menu, select Play a sound.
6. Specify which sound option to play and how many times to play it.
7. Test the action.
8. Click Apply.

Add an action to run an external program
This feature is available only in a licensed edition of Kiwi Syslog Server.

You can add a Kiwi Syslog Server action to run an external program. Details of the message and other
Kiwi Syslog Server statistics can be passed to the external program as command-line arguments.

A new instance of the external program is launched for every message. This becomes a
problem if messages arrive faster than the external program exits. It is especially true if Kiwi
Syslog Server is installed as a service, in which case the external program is launched by the
service inside the non-interactive Windows session. To see that the program is running use the
Task Manager. If not used carefully this action leads to the computer being flooded with multiple
instances of the external program.

5. From the Action menu, select Run external program.
6. Specify the program file name.
7. In the Command line options field, specify the command line options you would like to pass to
the program.
8. To pass program variables, counters, script fields and statistics to the external program, click on
the Insert message content or counter link and choose an option.
9. Specify the priority of the new process created.

Administrator Guide: Kiwi Syslog Server page 41

Rule Actions

Priority
Value Description
level
0 Low Specify this class for a process whose threads run when the system is
idle. The threads of the process are preempted by the threads of
processes running in a higher priority class. An example is a screen
saver. The idle-priority class is inherited by child processes.

1 Below Indicates a process that has priority above Idle but below Normal.
Normal

2 Normal Default value. Specify this class for a process with no special scheduling
needs.

3 Above Indicates a process that has priority above Normal but below High.
Normal

4 High Specify this class for a process that performs time-critical tasks that must
be executed immediately. The threads of the process preempt the threads
of normal or idle priority class processes. An example is the Task List,
which must respond quickly when called by the user, regardless of the
load on the operating system. Use extreme care when using the high-
priority class, because a high-priority class application can use the
majority of available CPU time.

5 Realtime Specify this class for a process that has the highest possible priority. The
threads of the process preempt the threads of all other processes,
including operating system processes performing important tasks. For
example, a real-time process that executes for more than a very brief
interval can cause disk caches not to flush or cause the mouse to be
unresponsive.

Realtime priority can cause system lockups.

10. If the process has a user interface, specify the Window Mode.
This setting has no effect on processes that do not have a user interface. This setting is
unavailable if you are running Kiwi Syslog Server as a service.

Administrator Guide: Kiwi Syslog Server page 42

Rule Actions

If you select Wait for program initialization to complete before continuing, Kiwi Syslog
Server waits for the new process to complete its initialization. It does this by waiting until
the new process signals that it is idle. This is a blocking operation. Kiwi Syslog Server
does not process messages until it receives the InputIdle signal from the process.
Because of this, there is an additional option which specifies how long Kiwi Syslog Server
should wait for the process to initialize. Once this time interval has elapsed, Kiwi Syslog
Server assumes that the process started correctly.
This setting is useful if you are interacting with the process at a later stage, and you want
to be sure that the process has started.

11. Test the action.
12. Click Apply.

Add an action to send an email message
This feature is available only in a licensed edition of Kiwi Syslog Server.

You can add an action to send an email message to one or more recipients. Details from the syslog
message and other syslog statistics can be included in the email subject line or the message body.

Before Kiwi Syslog Server can send email, you must configure email options.

5. From the Action menu, select E-mail message.
6. Specify the following options:

E-mail Enter email recipients. Separate multiple email addresses with commas.
Recipients

E-mail From Enter the From email address. If you are using secured email (SSL or TLS), the
From email address entered must match the From email address entered in E-
mail setup options.

E-mail Specify the message subject. Only one line is allowed. Click Insert message
Subject content or counter to include a variable.

Administrator Guide: Kiwi Syslog Server page 43

Rule Actions

E-mail Specify the message body. Multiple lines are allowed. Click Insert message
Message content or counter to include variables.

Messages are not included if sent to a pager and field can be left blank.

E-mail Specify the Importance, Priority, or Sensitivity of messages sent by this action.
Delivery
Options

Expand Select this option to expand carriage return and line feed characters that have
<013><010> previously been replaced with <013> and <010>.
in message
If the Replace non printable characters with <ASCII value> option is selected in
the Modifiers setup options, carriage return (CR) and line feed (LF) characters
appearing in the syslog message are replaced. Expanding these characters
again when the message is emailed can make the text more readable.

Max subject Enter the maximum number of characters in the subject line. Leave blank to
length remove the limit.

Max Enter the maximum number of characters in the message body. Leave blank to
message remove the limit.
length
For example, if you use the variable %MsgText in the message body and a large
syslog message arrives, it could be too large to send via email. Limiting the
message body length ensures that the message can be sent.

7. Test the action.
8. Click Apply.

Add an action to send a syslog message
This feature is available only in the licensed edition of Kiwi Syslog Server.

You can add an action to send a syslog message to one or more hosts. You can use this option to
relay syslog messages to another host with extra information, or with your own text added to the
message.

Administrator Guide: Kiwi Syslog Server page 44

Rule Actions

5. From the Action menu, select Send Syslog message.
6. Specify the following options:

IP address or host Enter the IP address or host name of one or more hosts. Separate
name multiple entries with commas. IPv4 and IPv6 addresses are supported.
For example:
Myhost.com, SecondHost.net, 203.75.21.3

Syslog message Specify the message text. Click Insert message content or counter to
text include variables.

New Facility, New To change the facility, level, or socket, enter the new values.
Level, and New
Socket

7. Test the action.
8. Click Apply.

Add an action to log messages to a database
This feature is available only in the licensed version of Kiwi Syslog Server.

You can add an action to log a syslog message to an ODBC database. By default, the Log to
Database action logs the following message field values:

l Date
l Time
l Priority
l Host name
l Message text

If you want to log different values, you can:

l Create a custom database format. The custom format is available for selection when you
create a Log to Database action.
l Use the Run script action to parse the syslog message, assign values to custom fields,
and log them to a database.
l Use the scripting function ActionLogToODBC to send SQL statements and raw data to a
database connection.

Administrator Guide: Kiwi Syslog Server page 45

Rule Actions

Prepare the database
1. Create a database, or select an existing database that Kiwi Syslog Server can write to.

If the database file is opened exclusively by another process, Kiwi Syslog Server cannot
write new records to the database.

Some example ODBC databases are available for download from the SolarWinds Success
Center. The .zip file contains information and sample databases that you can use as a guide to
help you set up ODBC logging on your own system.
2. Determine how you want to create the table that stores message values. The following options
are available:

Automated When you add the action, click Create table. Kiwi Syslog Server creates a table
option containing the required columns.

Semi- When you add the action, click Show SQL commands. The SQL commands used
automated to create the table are shown in a text editor. You can run these commands in your
option database application.

Manual If you choose to create the table manually before you add the action, use the table
option design for the selected database type. Be sure that the name, data type, and size
of each column match the table design. If the sizes are too small, the data could
be truncated when it is written to the database.

Add the action
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.

3. Right-click the Actions node below the rule, and choose Add Action.
4. Replace the default name with a descriptive name.
5. From the Action menu, select Log to Database - Legacy.

Administrator Guide: Kiwi Syslog Server page 46

Rule Actions

6. Specify the following options:
l Data Link connection string
a. Click the Browse button to create or edit Data link properties.
b. On the Provider tab, select a database provider.
c. On the Connection tab, specify the source of the data by doing one of the following:
o Select the data source name (DSN) of an available provider. The drop-down
menu lists valid DSNs for providers that are predefined on your system.
o Enter a custom connection string.
d. Click Test Connection to validate that the connection properties are correct.
e. Use the Advanced tab to view and set other initialization properties for your data.

f. Click OK.
l Database Table name
Enter the name of the database table where message values are logged. You can either:
o Enter an existing table name. The table must match the expected table design.
To verify the table structure, click Query table to retrieve the last five rows of data.
o Create a new table:
a. Specify the database type.
b. Enter a table name.
c. Click Create table.
Any existing table with that name is deleted and the contents are lost. The new table
is created with the column names and data types for the database type you have
selected.
l Database type/field format
Choose from the list of default database types, or create your own format by clicking Edit
custom format.

Administrator Guide: Kiwi Syslog Server page 47

Rule Actions

l Connection Inactivity timeout
Specify how long the database connection is kept open after the last message has been
sent. Because opening and closing the connection can be the slowest part of logging to a
database, the connection is kept open while data is actively being logged. If no more
messages have been logged before the timeout value expires, the database connection is
closed. As soon as a new message arrives, the connection is reopened.
The default for this setting is 600 seconds (10 minutes). A value of 0 ensures that the
connection never times out. The maximum value is 86400 seconds (1 day).
l Run debug command
If there is a problem logging into the database, click the Run debug command button and
enter a SQL command to be executed on the database. If the command fails, the results
field displays a detailed error message.

By default, the current INSERT statement used for the selected database type is displayed
in the query field. This statement can be modified to test particular variations of the
statement.

o You cannot use this option to query the database. For example, you cannot run
a Select From statement and obtain results. Only error information is returned
to the results field.
o Use the Show SQL commands button to obtain the correct syntax to use in the
debug test.

l Database cleanup
Select this option to clean up the database by deleting older messages.
The cleanup operation is performed nightly. Click Cleanup now to perform the operation
immediately.
7. Test the action.
8. Click Apply.

When you test logging messages from the Service Manager, the program runs as the current
user (probably "Administrator"). When Kiwi Syslog Server logs messages to a database, the
service runs as the "Local System" user by default.

If your test messages work but the messages are not being logged, try changing the service
login ID to "Administrator" instead of "Local System." Use the Services applet under Control
Panel. Consider selecting the option that allows the program to interact with the desktop.

Administrator Guide: Kiwi Syslog Server page 48

Rule Actions

Add an action to log messages to a database with a bulk insert
You can add an action to log messages to a SQL database using a bulk insert. You can use a bulk
insert to log multiple events in a single connection to the database, rather than establishing and
closing a session for each event.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Actions below the rule, and choose Add Action.
4. Replace the default name with a descriptive name.
5. From the Action menu, select Log to Database - New Bulk Insert.

6. Insert the SQL Server connection string and database table name.
7. Insert the number of maximum records, maximum milliseconds, and connection inactivity timeout
if needed.

Administrator Guide: Kiwi Syslog Server page 49

Rule Actions

8. Test the action.
9. Click Apply.

Add an action to log to the NT event log
This feature is available only in the licensed edition of Kiwi Syslog Server.

You can add an action to log messages to the NT application event log.

When you view the NT event log with the NT event log viewer, the log type is set to show
System events by default. To show Application events, select the Application item in the Log
menu of the NT Event viewer.

Event log message Logging level to be used for messages logged to the NT event log by
type this action.

Administrator Guide: Kiwi Syslog Server page 50

Rule Actions

Insertion string How messages are inserted into the Event Log:
options
l Single insertion string
%1 is replaced with: Date – Tab – Time – Priority – Tab – Hostname –
Tab – Message
l 5 Tab delimited insertion strings
%1 Tab %2 Tab %3 Tab %4 Tab %5

o %1 = Date
o %2 = Time
o %3 = Priority
o %4 = Hostname
o %5 = Message

l 5 Space delimited insertion strings
%1 Space %2 Space %3 Space %4 Space %5

o %1 = Date
o %2 = Time
o %3 = Priority
o %4 = Hostname
o %5 = Message

7. Test the action.
8. Click Apply.

Add an action to send an SNMP trap
This feature is available only in the licensed edition to Kiwi Syslog Server.

You can add an action to send an SNMP trap to the specified host.

Administrator Guide: Kiwi Syslog Server page 51

Rule Actions

5. From the Action menu, select Send SNMP Trap.
6. Specify the following options.

Forward Select this option to forward the original SNMP trap to the destination host.
SNMP Trap
without
changing

Destination Enter the IP address of the system receiving the SNMP trap.
host

Retain the Select this option to identify outgoing messages coming from a particular
original (original) host. The network packet is spoofed to appear as though the
source forwarded message is coming directly from the originating devices' IP address
address of the instead of the address of the Syslog Server.
SNMP trap
This feature is only available in a licensed edition of Kiwi Syslog Server.
It requires NpCap installation (with NpCap Loopback Adapter).

IPv6 Select IPv6 next to the Destination host field to send SNMP and IPv6 trap
messages to an IPv6 destination host address.

Remote port Enter the port to which the SNMP trap is sent. The default port is 162.
If you change this setting, you must configure the receiving device to "listen"
for SNMP traps on the same port number.

Message text Enter the content of the SNMP trap to be forwarded. Click Insert message
content or counters to insert content using variables.

Agent IP Enter the IP address that appears as the source of the SNMP trap. By default
address this is set to "The original sender" but can be set to "From this machine", that
is, the address of the machine running the Kiwi Syslog Server.

Generic type For version 1 traps, select the type of trap to be sent:
l 0 - Cold Start
l 1 - Warm Start
l 2 - Link Down
l 3 - Link Up
l 4 - Authentication Failure
l 5 - EGP Neighbor Loss
l 6 - Enterprise Specific

Administrator Guide: Kiwi Syslog Server page 52

Rule Actions

Enterprise For version 1 traps, enter a dotted numerical value (1.3.6.1.x.x.x.x) that
OID represents the MIB enterprise of the SNMP trap.

Version 2 traps have the Enterprise value bound as the second variable
in the message.

If the Generic Type is set to 6, it indicates an Enterprise type trap. In this case
the Specific Trap value needs to be considered.

Variable OID Specify a dotted decimal value (1.3.6.1.x.x.x.x) that represents that MIB
variable of version 2 SNMP traps.

Community This is like a password that is included in the trap message. Normally this is
set to values such as "public", "private" or "monitor".

Specific type This is a value that indicates the condition that caused the trap to be sent. In
version 2 traps, this condition is unique to the MIB defined for the particular
device sending the trap or syslog message.

Version Select the version used to send SNMP traps to another syslog server. If you
select version 3, provide the User Name, Local Engine ID, Authentication
Password, Encryption Password, Protocol, and Algorithm.
Version type for SNMP traps (version 1, 2 or 3) should be selected to send the
traps to another syslog server. For example, if you leave the encryption
password and algorithm, it acts as 'authentication only' security level.

To send version 3 traps, SNMP credentials are required on both the
receiving and sending sides.

7. Test the action.

8. Click Apply.

Add an action to stop processing the message
You can add an action to stop processing a message. No further rules are applied to the message,
and therefore no further actions are taken.

Administrator Guide: Kiwi Syslog Server page 53

Rule Actions

5. From the Action menu, select Stop processing message.
6. Click Apply.

Add an action to run a script
You can add an action to run a script to filter or parse the current message.

You can use the Run script action to run a parsing script that breaks the syslog message down into
various sub-fields. The values can then be assigned to custom fields and logged to a database.
Because each device manufacturer creates syslog messages in a different format, it is not possible to
create a generic parser that breaks up the message text into separate fields. You must write a custom
script to parse the message text and then place it in the custom database fields. Example parsing
scripts can be found in the \Scripts sub-directory in the Kiwi Syslog Server installation directory.

Script file Enter the path and file name of an existing script file or of the file to be created.
name

Script Describe the purpose or function or the script.
description

Administrator Guide: Kiwi Syslog Server page 54

Rule Actions

Script Select the scripting language.
language
Windows Script provides two script engine languages, Visual Basic
Scripting Edition and Microsoft JScript.
l VBScript: a variation of Visual Basic or VBA (Visual Basic for Applications)
used in MS Word and Excel. See the Microsoft website for more
information on VBScript.
l JScript: a variation of JavaScript or ECMAScript used in web sites,
specifically Microsoft's Internet Explorer for web-client scripting. JScript is
usually faster than VBScript at performing string manipulations. See the
Microsoft website for more information on JScript.
Both languages offer similar functionality and speed, so the choice on which to
use is up to personal preference. However, SolarWinds recommends the use of
JScript if your script is performing mainly string manipulation. JScript appears to
perform faster during string manipulation in most cases.
It is also possible to use additional scripting languages, such as Perl or Python.
To use one of the following languages, you must install the Active Scripting
engine for that language:
l PerlScript
l Python

Python extensions for Microsoft Windows includes access to the
Win32 API. For more information see the Python for Windows
Extension website (© 2018 Python Software Foundation, available
at https://pypi.org/, obtained on December 20, 2018).
Disclaimer: Please note, any content posted herein is provided as a
suggestion or recommendation to you for your internal use. This is
not part of the SolarWinds software or documentation that you
purchased from SolarWinds, and the information set forth herein may
come from third parties. Your organization should internally review
and assess to what extent, if any, such custom scripts or
recommendations will be incorporated into your environment. You
elect to use third party content at your own risk, and you will be
solely responsible for the incorporation of the same, if any.

l RubyScript

Administrator Guide: Kiwi Syslog Server page 55

Rule Actions

Edit script Click to open the script in a text editor. If the specified file does not exist, it is
created.
Modify the script and save your changes.
Script file rules
The script must always contain a function called Main(). No parameters are
passed to the function, but a return value of OK must be passed back to indicate
that the script ran successfully. If any value other than OK is returned, Syslog
assumes an error has occurred in the script and place an entry in the error log.
The value returned from the script function is included in the error log for later
diagnoses.
Each of the available script variables can be accessed from the Fields object.

Example (VBScript):

Function Main()
' Your code goes here
' Set the return value
Main = "OK"
End Function

Additional information on scripting
For examples, descriptions of variables and functions, dictionaries, and a tutorial,
see Scripting resources. Sample scripts are located in the \Scripts
subdirectory in the Kiwi Syslog Server installation directory.

Field Select the groups of fields that Kiwi Syslog Server can access:
Read/Write
l When you grant read access to a group of fields, their values are copied
permissions
into the script variables and are readable from within the script.
l When you grant write access to a group of fields, their values are copied
from the script variables and will replace the equivalent program fields.
Each time a script runs, the available message fields are copied to the script
variables and back again upon completion of the script. The copying takes time
and uses CPU cycles. To improve script performance, SolarWinds recommends
granting read and write access only to the variables used in the script.

For more information about the fields in each group, see Script variables.

Administrator Guide: Kiwi Syslog Server page 56

Rule Actions

7. Test the action.
a. Select if you want to see any changes that the script makes to the variables.
b. Kiwi Syslog Server attempts to run the specified script.
If an error occurs, a message displays the error description and the line number on which it
occurred.
c. If you select the Show test results option and the script runs successfully, a dialog shows
the variable values before and after the script ran. Use this to see what variable values the
script changed.
8. Click Apply.

Script file caching
During normal operation, the script files are cached after they have been read from disk. This improves
the program speed and prevents additional I/O. If you modify the script externally and save it back to
disk, the changes do not take effect until the file is reloaded.

When running Kiwi Syslog Server as an application, do either of the following to reload the file:

l Flush the cache. Choose File > Debug options > Clear the script file cache, or press Ctrl+F8
from the Service Manager console.
l Restart the application.

When running Kiwi Syslog Server as a service, stop and restart the service to reload the file.

When you test a script from the Kiwi Syslog Server Setup window, the script is not cached.
Each script is freshly loaded before it is run.

Triggering a script on a regular basis
To trigger a script on a regular basis, you can:

l Create a scheduled task to run a script
l Enable a keep-alive message, and add a Run Script action to run the script when the keep-alive
message is received.

Add an action to send a pager or SMS message via NotePager Pro
This feature is available only in the licensed edition of Kiwi Syslog Server.

You can add an action to send a pager, SMS, or email message via the NotePagerPro application.
Before you create this action, you must first purchase and install NotePager Pro, a paging and SMS
gateway application. See the NotePage website to see features and download the application.

Administrator Guide: Kiwi Syslog Server page 57

Rule Actions

When a message is passed to NotePager Pro, it places the messages in the sending queue.
NotePager Pro checks the queue periodically and then sends messages via the method you have
specified. This could be via SNPP, e-mail, modem, TAPI, or what ever paging interface you have
configured.

Send Select a recipient from the drop down list. The list is automatically populated from
page to the NotePager Pro Recipients and Groups database. If no names are available in
the drop down list, then NotePager Pro has not been installed correctly.
You can choose either a single recipient or a group of recipients to send to. For
example:
Send to: Joe

or
Send To: All-Network-Staff

Message Enter a descriptive name. If the recipient is configured in NotePager Pro to receive
from the message via e-mail, the From name you specify is prepended to the default
domain you have configured. For example, if NotePager Pro is configured with the
default domain of "company.com", when you send a message from "Syslog", it
appears as if the message came from "[email protected]".

Message Specify the message text. Click Insert message content or counter to include
variables.

Max Select this option to limit the amount of data sent in the message. If you have used
message the variable %MsgText in the message body and a large syslog message arrives, it
length may be too large to send via pager. Use this option to limit the message body
length.
If your pager is capable of receiving only numeric messages, you must specify a
number in the message field instead of %MsgText. You must determine a series of
codes that mean something to you. For example, 1=link up, 2=link down, 9=Router
unreachable etc.

Administrator Guide: Kiwi Syslog Server page 58

Rule Actions

7. Test the action.
8. Click Apply.

Add an action to log messages to Kiwi Server Web Access
You can add an action to log messages to Kiwi Syslog Web Access, if it is installed.

6. Test the action.
7. Click Apply.

Add an action to reset flags and counters
You can add an action to reset all of the internal counters used by the Threshold, Timeout, and Time
Interval filters configured under every rule that uses Flag/Counter filters..

5. From the Action menu, select Reset Flags/Counters.
6. Click Apply.

Add an action to log messages to Papertrail
You can add an action to log messages to Papertrail, a cloud-based logging service. You can send
logs from Kiwi Syslog Server, or other servers or applications that can connect to the Internet. Then
monitor, search, react to, and archive your messages on Papertrail.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Actions below the rule, and choose Add Action.

Administrator Guide: Kiwi Syslog Server page 59

Rule Actions

4. Replace the default name with a descriptive name.
5. From the Action menu, select Log to Papertrail (cloud).
6. Specify the following options:

Papertrail Enter the location where logs are sent from a syslog server. The destination
Destination host is provided by Papertrail. For example:
Hostname
logs2.papertrailapp.com

Papertrail Papertrail provides specific port number while creating a login with
Destination Port Papertrail. Use the same port number to send the syslog messages. For
example:
58612

For help in Papertrail, click here.

7. Test the action.
8. Click Apply.

Add an action to log messages to Loggly
You can add an action to log messages to Loggly, a cloud-based logging service for quick searching
and troubleshooting. You can send logs from Kiwi Syslog Server, or other servers or applications that
can connect to the Internet. Then monitor, search, react to, and archive your messages on Loggly.com.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Add a rule, or locate an existing rule.
3. Right-click Actions below the rule, and choose Add Action.

4. Replace the default name with a descriptive name.
5. From the Action menu, select Log to Loggly.com.

Administrator Guide: Kiwi Syslog Server page 60

Rule Actions

6. Insert the Loggly customer token. You can view this token by navigating to your Loggly online
portal. Choose Source Setup > Customer Tokens.
7. Click Apply.

Administrator Guide: Kiwi Syslog Server page 61

Rule Actions

8. Test the action by navigating to your Loggly portal.

Log file rotation
When you add an action to log messages to a file in Kiwi Syslog Server, you can choose to
automatically rotate log files. Use log file rotation to prevent log files from growing indefinitely and
using large amounts of disk space.

Log file rotation is only available in the licensed version of Kiwi Syslog Server.

When log files are rotated:

l Messages are logged to the current log file. For example, SyslogCatchAll.txt.
l When the current log file reaches the specified size or age, it is renamed. For example,
SyslogCatchAll.txt becomes SyslogCatchAll.txt.001. The logging process then creates
a new, empty file with the original file name.
l When the new file reaches the specified size or age, the process is repeated. For example,
SyslogCatchAll.txt.001 becomesSyslogCatchAll.txt.002, and SyslogCatchAll.txt
becomes SyslogCatchAll.txt.001.
l When the maximum number of log files in the rotation have been created, the oldest is deleted.

Administrator Guide: Kiwi Syslog Server page 62

Rule Actions

To automatically rotate your log files:

1. From the Kiwi Syslog Service Manager, go to File > Setup.
2. Under the rule, select the Log to file action.
3. Select Enable Log File Rotation.
4. Specify the total number of log files in the rotation set.
5. Specify the rotation criteria:
l To rotate files based on size, select Maximum log file size.
l To rotate files based on age, select Maximum log file age.
6. Click OK.

AutoSplit values in Kiwi Syslog Server
When you add an action to log messages to a file, place an AutoSplit value in the path or file name to
automatically split the log files. When a message is received, the variable is replaced with a value
from the message.

AutoSplit values can be used anywhere within the path or log file name, as long as the result is a valid
file name. Any number of AutoSplit values can be used within the path or file name.

If you are using the Run Script action, you can use any of the configured VarCustom or VarGlobal
fields as an AutoSplit value. The following sections describe the available options.

Examples:

Administrator Guide: Kiwi Syslog Server page 63

Rule Actions

l To split the messages into separate files based on the day of the month:
C:\Logs\MyLogFile%DateD2.txt

The %DateD2 is replaced by the current day of the month. On the 23rd of the month, the message
is written to:
C:\Logs\MyLogFile23.txt

l To split the messages based on priority level and current date:
C:\Logs\%PriLevAA\MyLogFile-%DateISO.txt

On April 9, 2016, the path and file name look like this:
C:\Logs\Debug\MyLogFile-2016-04-09.txt

l To split the messages based on the sending host, and then by priority level:

C:\Logs\%HostName.%HostDomain\MyLogFile-%PriLevAA.txt

The path and file name look like this:
C:\Logs\myhost.mycompany.com\MyLogFile-Debug.txt

Date values

Menu name ISO Date (YYYY-MM-DD)

Parameter %DateISO

Explanation International formatted date in the format YYYY-MM-DD. Leading zeros, always 10
characters in length.

Example 2017-10-15

Menu name Year (YYYY)

Parameter %DateY4

Explanation 4 digit year, always 4 characters in length

Example 2017

Menu name Year (YY)

Parameter %DateY2

Explanation 2 digit year, always 2 characters in length

Example 17

Administrator Guide: Kiwi Syslog Server page 64

Rule Actions

Menu name Month (MM) with leading zero

Parameter %DateM2

Explanation 2 digit month with leading zero, always 2 characters in length

Example 12

Menu name Month (MMM) in English

Parameter %DateM3

Explanation 3 character month in English, always 3 characters in length. First letter is in upper
case.

.Example Nov

Menu name Date (DD) with leading zero

Parameter %DateD2

Explanation 2 digit day of the month with leading zero, always 2 characters in length

Example 05

Menu name Day (DDD) in English

Parameter %DateD3

Explanation 3 character day of the week in English, always 3 characters in length. First letter is in
upper case.

Example Fri

Time values

Menu name Hour (HH) with leading zero

Parameter %TimeHH

Explanation 2 digit hour, always 2 characters in length. 24 hour display. 3 p.m. = 15

Example 14

Menu name Minute (MM) with leading zero

Administrator Guide: Kiwi Syslog Server page 65

Rule Actions

Parameter %TimeMM

Explanation 2 digit minute, always 2 characters in length

Example 59

Menu name AM/PM indicator (AM or PM)

Parameter %TimeAMPM

Explanation 2 character time of day indicator. Always 2 characters in length. 00:00 to 11:59 = AM.
12:00 to 23:59 = PM

Example AM

Priority values

Menu name Level (Alpha)

Parameter %PriLevAA

Explanation The message priority level as a word: Debug, Notice, Info…

Example Critical

Menu name Facility (Alpha)

Parameter %PriFacAA

Explanation The message priority facility as a word: Local1, News, Cron…

Example User

Menu name Level (2 digit numeric)

Parameter %PriLev00

Explanation The message priority level as a 2 digit number: 00 to 07

Example 05

Menu name Facility (2 digit numeric)

Parameter %PriFac00

Explanation The message priority facility as a 2 digit number: 00 to 23

Example 23

Administrator Guide: Kiwi Syslog Server page 66

Rule Actions

Menu name Priority (3 digit numeric)

Parameter %Pri000

Explanation The message priority as a 3 digit number: 000 to 191

Example 016

IP Address values (Licensed edition only)

Menu name IP Address (4 octets, zero padded)

Parameter %IPAdd4

Explanation The IP address of the device that sent the message. Each octet is zero padded.
Always 15 characters in length

Example 192.168.001.024

Menu name IP Address (3 octets, zero padded)

Parameter %IPAdd3

Explanation The first 3 octets of the IP address of the device that sent the message. Each octet is
zero padded. Always 11 characters in length.

Example 192.168.001

Menu name IP Address (2 octets, zero padded)

Parameter %IPAdd2

Explanation The first 2 octets of the IP address of the device that sent the message. Each octet is
zero padded. Always 7 characters in length.

Example 203.056

Menu name IPv6 Address

Parameter %IPv6Add6

Explanation The IPv6 address of the device that sent the message. IPv6 address of the device is
separated with ~ as special character is not accepted in file name.

Example ABC~567~0~0~8888~9999~1111~0

Administrator Guide: Kiwi Syslog Server page 67

Rule Actions

Host name values (Licensed edition only)

Menu name Hostname (no domain name)

Parameter %HostName

Explanation The host name of the device that sent the message. No domain name is included.

Example sales-router

Menu name Domain (no host name)

Parameter %HostDomain

Explanation The domain name suffix of the device that sent the message. No host name is
included.

Example mycompany.co.nz

Menu name Reversed domain (no host name)

Parameter %HostDomRev

Explanation The domain name suffix of the device that sent the message, in reverse order. No
host name is included.

Example nz.co.mycompany

Message Text - WELF format (Licensed edition only)

WELF format is the WebTrends Extended Logging Format. This format is used by firewalls such as
GNATBox, SonicWall, CyberWallPlus, and NetScreen. Each field within the message text is prefixed
with an identifying tag, such as fw= for the firewall name or src= for the source of the packet being
logged.

Menu name Firewall name (WELF format)

Parameter %TextFW

Explanation The name of the firewall that created the message

Example protector

Menu name Source address (WELF format)

Parameter %TextSrc

Administrator Guide: Kiwi Syslog Server page 68

Rule Actions

Explanation The source IP address of the packet being logged by the firewall (not zero padded,
unless this has been done by the firewall already)

Example 192.168.1.6

Menu name Destination address (WELF format)

Parameter %TextDst

Explanation The destination IP address of the packet being logged by the firewall (not zero
padded, unless this has been done by the firewall already)

Example 203.57.12.1

Menu name Protocol (WELF format)

Parameter %TextProto

Explanation The protocol of the packet being logged by the firewall

Example http

Menu name Serial Number (WELF format)

Parameter %TextSn

Explanation The Serial number of the device as in WELF Message

Example abcdDDDXSD

Input Source values (Licensed edition only)

Menu name Input Source (UDP/TCP/SNMP)

Parameter %InpSrc

Explanation Identifies the input source of the message. (The listening method that received the
message)

Example UDP

Custom/Global script fields (Licensed edition only)

Menu name VarCustom01 to VarCustom16

Administrator Guide: Kiwi Syslog Server page 69

Rule Actions

Parameter %VarCustom01 to %VarCustom16

Explanation There are 16 custom fields that can be modified by the Run Script action. If these
fields have not been modified by the script, they are blank. Be aware that a blank
autosplit value may result in an invalid file name. The custom field values are
cleared when a new message arrives. They are only valid for the current message.
To store values longer than a single message, use VarGlobal fields.

Example Any value that the script creates can be used.

Menu name VarGlobal01 to VarGlobal16

Parameter %VarGlobal01 to %VarGloabl16

Explanation There are 16 global fields that can be modified by the Run Script action. If these
fields have not been modified by the script, they are blank. Be aware that a blank
autosplit value may result in an invalid file name. The global fields retain their value
between messages.

Example Any value that the script creates can be used.

Message content or counters
This option allows you to choose a variable or counter from a pop-up menu. The variable is then
replaced with the current value before the message is sent. For example, %MsgText is replaced with
the text of the current syslog message.

To add a variable:

1. Position your cursor where you want to insert the variable.

2. Click Insert message content or counter.
3. Select a variable.

The following variables are available.

All of the message

Parameter %MsgAll

Explanation The entire message as it appears on the display, including the time, date, priority
and message text. Each field is space delimited.

Example 2005-10-10 11:28:04 Local7.Debug host.company.com. This is a test

message.

Administrator Guide: Kiwi Syslog Server page 70

Rule Actions

Date

Parameter %MsgDate

Explanation The date the message arrived in the format YYYY-MM-DD.

Example 2005-02-18

Time

Parameter %MsgTime

Explanation The time the message arrived in the format HH:MM:SS.

Example 22:30:16

Facility

Parameter %MsgFacility

Explanation The facility of the message in text format.

Example Local7, Mail

Level

Parameter %MsgLevel

Explanation The level of the message in text format.

Example Debug, Info

Host address of sender

Parameter %MsgHost

Explanation The host IP address of the sending device.

Example 192.168.1.1

The message text

Parameter %MsgText

Explanation The message text part of the syslog message.

Example This is a test message

Administrator Guide: Kiwi Syslog Server page 71

Rule Actions

Alarm min msg threshold

Parameter %MsgAlarmMin

Explanation The threshold level set for the minimum message count alarms.

Example 100 (messages per hour minimum)

Alarm max msg threshold

Parameter %MsgAlarmMax

Explanation The threshold level set for the maximum message count alarms.

Example 5000 (messages per hour maximum)

Alarm disk space threshold

Parameter %MsgAlarmDisk

Explanation The threshold level set for the minimum disk space remaining in MB.

Example 90 (MB)

Message count this hour

Parameter %MsgThisHour

Explanation The number of messages received so far this hour.

Example 254

Message count last hour

Parameter %MsgLastHour

Explanation The number of messages received in the last hour.

Example 254

Machine MAC address

Parameter %MACAddress

Explanation The MAC address value of the first network adaptor found.

Example AA-BB-CC-DD-EE-FF-00

Administrator Guide: Kiwi Syslog Server page 72

Rule Actions

Rule Name

Parameter %RuleName

Explanation The name of the Rule that triggered this action.

Example EmailAction

Custom/Global/Statistics fields (Only in the registered edition)
VarCustom01 to VarCustom16

Parameter %VarCustom01 to %VarCustom16

Explanation There are 16 custom fields that can be modified by the Run Script action. If these
fields are not modified by the script, they remain blank. Be aware that a blank
autosplit value may result in an invalid file name. The custom field values are
cleared when a new message arrives. They are only valid for the current message.
To store values longer than a single message, use VarGlobal fields.

Example Any value that the script creates can be used.

VarGlobal01 to VarGlobal16

Parameter %VarGlobal01 to %VarGloabl16

Explanation There are 16 global fields that can be modified by the Run Script action. If these
fields are not modified by the script, they remain blank. Be aware that a blank
autosplit value may result in an invalid file name. The global fields retain their value
between messages.

Example Any value that the script creates can be used.

VarStats01 to VarStats16

Parameter %VarStats01 to %VarStats16

Explanation There are 16 statistics fields that can be modified by the Run Script action. The
statistics fields retain their value between messages. You can modify the names
associated with the statistics fields and their initial value from the Script options
section on the setup window. The custom statistics values are viewable on the
statistics display and on the daily statistics e-mail.

Example Any value that the script creates can be used.

Administrator Guide: Kiwi Syslog Server page 73

Test a filter or an action

Test a filter or an action
Before enabling a rule, test the filters or actions to make sure they work as intended.

Use the Test button on the filter or action setup dialog
When you add a filter or action, you can use the Test button to test your configuration.

1. At the bottom of the action or filter setup dialog, click Test Setup.
l The Test message dialog displays the values that are passed to the filter or action when
you perform the test.
l If necessary, change these inputs to match the values you are filtering for.
2. Click Test.

A green check mark next to the Test button indicates that the filter or action passed the test.

Use the Kiwi SyslogGen utility
You can test filters and actions using Kiwi SyslogGen, a free utility that generates and sends syslog
messages. You can specify message properties such as priority, message text, and sending IP
address.

1. Go to www.kiwisyslog.com/downloads.aspx and download Kiwi SyslogGen.
2. Install Kiwi SyslogGen on the computer where Kiwi Syslog Server is installed.
3. Use Kiwi SyslogGen to generate messages that meet the filter criteria, and verify that the results
are what you intended.

Rearrange rules, filters, actions, and schedules
Rules are applied in the order they are listed on the Kiwi Syslog Server Setup dialog. Within each
rule, filters and actions are applied in order. If multiple scheduled tasks are set to run at the same time,
they run in the order that they are listed on the Setup dialog.

You can change the order of rules, filters, actions, or scheduled tasks.

You can also copy a filter or an action to a different rule.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Right-click the rule, filter, action, or schedule.
3. Select Move up or Move down.

Administrator Guide: Kiwi Syslog Server page 74

Copy a filter or an action to a different rule

Copy a filter or an action to a different rule
To use the same filter or action in multiple rules, you can create it for one rule and then copy it to a
different rule.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Right-click the filter or action.
3. Select Copy filter or Copy action.

4. Right-click the Filters or Actions section of a different rule.
5. Select Paste filter or Paste action.

Import and export rules
You can export a rule definition to a file to share with other Kiwi Syslog Server users. Other users can
then import the rule definition to their servers.

Export a rule
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. Right-click the rule and choose Export rule.
3. Browse to the location where you want to save the rule and click Save.

Administrator Guide: Kiwi Syslog Server page 75

Keyboard shortcuts for rules, filters, actions, and schedules

The rule definition file is automatically given a .ksr extension, and the default file name is based
on the rule name.

Import a rule
1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. At the top of the left pane, right-click Rules and choose Import rule.
3. Browse to the file location, select the .ksr file, and click Open.
The imported rule is listed in the left pane at the bottom of the rules section. You can move the
rule to a different position.

Keyboard shortcuts for rules, filters, actions, and schedules
When you are creating a rule, filter, action, or schedule in Kiwi Syslog Server, the following keyboard
shortcuts are available.

Press To
Delete Delete the selected Rule, Filter, Action, or Archive schedule.

Insert Add a new Rule, Filter, Action, or Archive schedule. The selected item must be Rules,
Filters, Actions, or Archiving.

Ctrl-V Paste the copied Rule, Filter, Action, or Archive schedule. The selected item must be
Rules, Filters, Actions, or Archiving.

Ctrl-C Copy the selected Rule, Filter, Action, or Archive schedule.

F2 Rename the selected Rule, Filter, Action, or Archive schedule.

F4 Auto-name the selected Filter, Action, or Archive schedule.

Home Move the cursor to the top of the tree.

End Move the cursor to the bottom of the tree.

Enter Collapse or expand the tree at the selected position, which is the same as double-
clicking with the mouse.

Space bar Enable or Disable the selected Rule, Filter, Action, or Archive schedule.

Shift + Up Move the selected Rule, Filter, Action, or Archive schedule up one position.
Arrow

Administrator Guide: Kiwi Syslog Server page 76

Scripting resources

Scripting resources
When you add an action to run a script or create a scheduled task to run a script, use the following
resources to help you write the script. Use the examples in the \Scripts folder located in the Kiwi
Syslog Server installation directory to get started writing scripts. The folder contains sample scripts
that show you how to play sounds, send e-mail, log to file, and other actions.

You can share your custom parsing scripts with the SolarWinds Community.

l Scripting custom statistics fields
l Script variables
l Script functions
l JScript escape characters
l Scripting dictionaries
l Scripting tutorial

Note: Kiwi Syslog Server only supports Visual Basic Scripting and Microsoft JScript. For
information on installing additional scripting languages, see Add an action to run a script.

Scripting custom statistics fields
There are 16 custom statistics available for scripting. The system does not erase static values with
each new message like the other script fields. You can view custom statistic values in the Statistics
window under the Counters tab.

Set names and initial values for custom statistics fields for use within the script files and statistics
reports.

You can see the field names you specify in the Statistics window and in the daily statistics e-mail
report.

1. In Kiwi Syslog Service Manager, choose File > Setup to open the Kiwi Syslog Server Setup
dialog box.
2. Click Scripting.
3. Next to each Script variable, enter the Name and Initial value.
To create a decrementing count, specify an initial value and use a run script action to decrement
starting at that value.

Administrator Guide: Kiwi Syslog Server page 77

Script variables

4. Click Apply to save your changes.
The Names and Initial values apply when the program starts. To force the program to reinitialize
the fields with these values, press Ctrl+F9 from the main syslog window. This is not the standard
restart procedure for Kiwi Syslog Server.

Script variables
Fields, a globally accessible object, passes variables to and from the script. Variables are used to
store data values you receive from messages. To access a variable, prefix "Fields." to the variable
name. Use the following variables for scripts used with Kiwi Syslog Server.

Depending on the read/write permissions you set for the action or scheduled task, the variables can
be modified and returned for use in the syslog program.

Fields.VarFacility

Details The facility value of the message.

Type Integer (0-32767)

Range 0 to 23. List of syslog facility values.

Fields.VarLevel

Details The level value of the message.

Type Integer (0-32767)

Range 0 to 7. List of syslog level values.

Fields.VarInputSource

Details The message input source.

Type Integer (0-32767)

Range 0 to 4. 0=UDP, 1=TCP, 2=SNMP, 3 = KeepAlive, 4 = TLS/Syslog

Administrator Guide: Kiwi Syslog Server page 78

Script variables

Fields.VarPeerAddress

Details The IP address of the sending device in nnn.nnn.nnn.nnn format. If another syslog
collector forwards the message, this value contains the original sender's address.

Example A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This
syslog collector (192.168.1.3).

The field value would be 192.168.1.1.

Example B: Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3).

The field value would be 192.168.1.1.

Type String

Format nnn.nnn.nnn.nnn (Values are not zero padded.)

Example 192.168.1.67

Fields.VarPeerName

Details If you enable DNS lookup options and a lookup is successful, this field only contains a
resolved host name. Otherwise, this field contains the same value as VarPeerAddress in
the format nnn.nnn.nnn.nnn. The name identifies the host portion of the fully qualified
domain name (FQDN). It does not contain the domain suffix.

Type String

Format myhost

Fields.VarPeerDomain

Details The domain name of the resolved FQDN. This is the domain suffix. It does not contain the
host name. If you enable DNS lookup options, and a lookup is successful, this field only
contains a value. Otherwise, this field contains an empty string ("").

Type String

Format mydomain.com

Fields.VarCleanMessageText

Details The modified message text (for example, header removed, DNS lookups, original address
removed, and Cisco date removed).

Type String

Administrator Guide: Kiwi Syslog Server page 79

Script variables

Example %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.3 (firewall) (137) ->
216.7.14.105 (webserver.company. com) (137), 1 packet

Fields.VarDate

Details The date the message was received by the syslog program.

Type String (10 bytes)

Format YYYY-MM-DD

Example 2005-03-17

Fields.VarTime

Details The time the message was received by the syslog program.

Type String (8 bytes)

Format HH:MM:SS

Example 23:10:04

Fields.VarMilliSeconds

Details The time the message was received by the syslog program, in milliseconds past the
second.

Type String (3 bytes)

Range 000 to 999

Format nnn (three bytes, zero padded)

Fields.VarSocketPeerAddress

Details The IP address of the device, or the closest syslog collector, that sent the message.

Example A: Firewall device (192.168.1.1) ---> First syslog collector (192.168.1.2) ---> This
syslog collector (192.168.1.3)

The field value would be 192.168.1.2.

Example B: Firewall device (192.168.1.1) ---> This syslog collector (192.168.1.3)

The field value would be 192.168.1.3.

Administrator Guide: Kiwi Syslog Server page 80

Script variables

Type String

Format nnn.nnn.nnn.nnn (Values are not zero padded.)

Example 192.168.1.67

Fields.VarPeerAddressHex

Details The IP address of the device that sent the message converted to an 8 digit hex value.

The IP Mask and IP Range filters use a hex address. If you make changes to the
VarPeerAddress and want to use the IP Mask or Range filters, you must also make
changes to the VarPeerAddressHex field.

Type String (8 bytes)

Range 00000000 to FFFFFFFF

Example C0A80102 (192.168.1.2 converted to 2 byte zero padded hex)

Fields.VarPeerPort

Details The UDP/TCP port that the message was sent from.

Type Integer (0-65535)

Range 0 to 65535

Typically A value greater than 1023

Fields.VarLocalAddress

Details The IP address that the message was sent to on this machine.

Type String

Examples 127.0.0.1, 192.0.2.0

Fields.VarLocalPort

Details The local machine UDP/TCP port that received the message.

Type Integer (0-65535)

Range 0 to 65535

Typically 514 for UDP, 1468 for TCP, 162 for SNMP

Administrator Guide: Kiwi Syslog Server page 81

Script variables

Fields.VarPriority

Details The message priority value.

Type Integer (0-32767)

Range 0 to 191

Fields.VarRawMessageText

Details The message as it was received before modification (includes <pri> tag, original address,
and so on).

This field is read only. Changing the field within the script does not modify the equivalent
program variable.

Custom fields
Custom fields are dynamic and clear with each new message. Use these fields to hold script results
so you can use them in Log to file or Log to Database actions.

Use the %VarCustom01 Insert message content or counter option or the AutoSplit syntax to

pass a field to actions as parameters. You can also break up a message into separate fields through
the script and then log them to a file or database in separate fields.

The current field values can be viewed from the Statistics view window under the Counters tab. The
custom stats are included in the daily statistics e-mail.

There are 16 of each custom field type - global fields and custom statistic fields - available. Values
from 1 to 9 are zero padded (VarCustom01 not VarCustom1).

Inter-script fields: Fields.VarGlobal01 to Fields.VarGlobal16
These static fields do not change with each message. Use these fields to pass values from one script
to another or to delay value modification of the same script. Use the %VarGlobal01 Insert
message content or counter option or the AutoSplit syntax to pass these values to actions as
parameters.

Custom script fields: Fields.VarStats01 to Fields.VarStats16
These static fields do not change with each message. Use these fields to hold your custom statistics
and counters. Use the %VarStats01 Insert message content or counter option to pass
these values to actions as parameters.

Set names and initial values of the Statistics fields from the Scripting option.

Administrator Guide: Kiwi Syslog Server page 82

Script functions

Control and timing fields: Fields.VarGlobal01 to Fields.VarGlobal16
Fields.ActionQuit

Details Set this field to define what occurs after you run the script.

l A value of 0 means the program continue on to the next action in the rule.
l A value of 1 to 99 means skips the next n actions within this rule (1 = skip the next 1
action, 3 = skip the next 3 actions).
l A value of 100 means jump to the next rule.
l A value of 1000 means skip all rules and stop processing this message.

A value of 0 is assumed if no value is set.

Type Integer (0-32767) Range: 0 to 1000

Enum 0=No skip, 1-99=skip next n actions, 100=skip to next rule, 1000=stop processing message

Fields.SecondsSinceMidnight

Details The number of seconds elapsed since midnight.

Type Long (0-2 billion)

Range 0 to 86400

Fields.SecondsSinceStartup

Details The number of seconds elapsed since the program started.

Type Long (0-2 billion)

Script functions
When you write scripts for use with Kiwi Syslog Server, you can find several built in functions
available from the Fields object.

Built-in functions of the Fields object
To use a built in function, access the function name prefixed with the Fields object. Pass any
parameters needed and the result is returned.

Administrator Guide: Kiwi Syslog Server page 83

Script functions

Fields.IsValidIPAddress(IPAddress as string) as Boolean

Details This function verifies the string passed to the Field object and returns true if the string
has a valid IP address format.

Input IPAddress as string
parameters

Return Boolean (true/false)
value

Example If Fields.IsValidIPAddress(Fields.VarPeerAddress) = True

then

Fields.VarCustom01 = Fields.VarPeerAddress

End if

Fields.ConvertIPtoHex(IPAddress As String) As String

Details This function converts an IP address to 8 byte hex value.

Input parameters IPAddress as string

Return value 8 byte hex value

Example If Fields.IsValidIPAddress
(Fields.VarPeerAddress) = True then

Fields.VarCustom01 =
Fields.ConvertIPToHex(Fields.VarPeerAddress)

End if

Fields.GetDailyStatistics() As String

Details This function returns the daily statistics page as a CRLF
delimited string. The string can then be written to a file or e-
mailed.

Input parameters None

Return value String

Example MyStats = Fields.GetDailyStatistics()

Administrator Guide: Kiwi Syslog Server page 84

Script functions

Fields.ConvertPriorityToText(PriorityValue)

Details This function converts a message priority value to a text
representation of the facility level. For example, a value of 191
returns Local7.Debug.

Input parameters Priority value

Range 0 to 191

Return value Facility.Level as text string

Example Filename =
"C:\Programfiles\Syslogd\Logs\TestLog.txt"

' Use the date and time from the current

message

With Fields

MsgDate = .VarDate & " " & .VarTime

MsgText = "This is a test message

from the scripting action"

Data = MsgDate & vbtab &

.ConvertPriorityToText(.VarPriority) & vbtab
& _

.VarPeerAddress & vbtab &

MsgText Call .ActionLogToFile(Filename, Data)

End with

Fields.ActionPlaySound(SoundFilename As String, RepeatCount as Long)

Details This function plays a beep or .wav file. You can set a number of
times to repeat or until canceled.

Input parameters SoundFilename as string, RepeatCount as long

Return value None. Specifying a empty string ("") for SoundFilename results
in the system beep sound.

Administrator Guide: Kiwi Syslog Server page 85

Script functions

RepeatCount options l 0 = repeat until canceled (press the flashing bell on the
main display window to cancel).
l 1 to 100 = repeat a set number of times, or until canceled
manually

When the repeat count is greater than 1, the wav file or beep
sound plays at 5 second intervals.

Example For example, to play the squeak sound 5 times:
Call Fields.ActionPlaySound("C:\Program
Files\Syslogd\Sounds\Squeak.wav", 5)

To play the squeak sound until canceled:
Call Fields.ActionPlaySound("C:\Program
Files\Syslogd\Sounds\Squeak.wav", 0)

Fields.ActionSendEmail(MailTo, MailFrom, MailSubject, MailMessage , [MailImportance] ,
[MailPriority] , [MailSensitivity] )

Details This function sends an e-mail to the addresses you specify.

Return value None

E-mail Delivery Options

Importance, Priority, and Sensitivity E-mail Delivery Option parameters are optional. These
parameters allow you to specify the importance, priority, and sensitivity flags of the e-mail message.

Email recipients receive the messages with the MailImportance, MailPriority, or
MailSensitivity level you set.

MailImportance 0 - Unspecified (Default)

1 - High

2 - Normal

3 - Low

MailPriority 0 - Unspecified (Default)

1 - Normal

2 - Urgent

3 - Non-Urgent

Administrator Guide: Kiwi Syslog Server page 86

Script functions

MailSensitivity 0 - Unspecified (Default)

1 - Personal

2 - Private

3 - Confidential

To send the message to multiple addresses, separate each address with a comma. For example:
MailTo = "[email protected],[email protected],[email protected]"

This first example shows you how MailTo = "[email protected]"

to send an e-mail to
MailFrom = "[email protected]"
[email protected], with default
importance, priority, and MailSubject = "This is a test of the
sensitivity. scripting action"

MailMessage = "This is a test mail message" &

vbCrLf & "Multiple lines."

Call Fields.ActionSendEmail(MailTo, MailFrom,

MailSubject, MailMessage)

This second example shows you MailTo = "[email protected]"

how to send an e-mail to
MailFrom = "[email protected]"
[email protected], with high
importance, urgent priority, and MailSubject = "This is a test of the
confidential sensitivity. scripting action"

MailMessage = "This is a test mail message" &

vbCrLf & "Multiple lines." MailImportance = 1

MailPriority = 2

MailSensitivity = 3

Call Fields.ActionSendEmail(MailTo, MailFrom,

MailSubject, MailMessage, MailImportance,
MailPriority, MailSensitivity)

Administrator Guide: Kiwi Syslog Server page 87

Script functions

Fields.ActionLogToFile(Filename, Data, [RotateLogFile] , [RotationType] , [NumLogFiles] ,
[Amount] , [Unit])

Details This function opens the log file you specify and appends the
Data to the end of the file. Use this function to log messages to
file in your format. You can also use AutoSplit syntax values in
the filename. For example, to have the filename contain the
current hour of the day, use %TimeHH: Filename = "C:\Program
files\Syslogd\Logs\TestLog%TimeHH.txt"

Return value None

Example Filename = "C:\Program

files\Syslogd\Logs\TestLog.txt" MsgPriority =
"Local7.Info"

MsgHostAddress = Fields.VarPeerAddress

' Use the date and time from the current

message MsgDate = Fields.VarDate & " " &
Fields.VarTime

MsgText = "This is a test message from the

scripting action"

Data = MsgDate & vbtab & MsgPriority & vbtab

& MsgHostAddress & vbtab & MsgText

Call Fields.ActionLogToFile(Filename, Data)

This example requires you enable Read permission for Other fields. This gives the script read
access to the VarDate and VarTime variables.

Log File Rotation:

For more information on Log File Rotation in Kiwi Syslog Server, see Log File Rotation.

The parameters RotateLogFile, RotationType, NumLogFiles, Amount, and Unit are optional and you
only need to specify if logging to a rotated log file.

RotateLogFile 0 = Do not rotate log file

1 = Rotate log file

Administrator Guide: Kiwi Syslog Server page 88

Script functions

RotationType 0 = Rotate log files when log file size exceeds the amount
specified by Amount and Unit

1 = Rotate log files when log file age exceeds the amount
specified by Amount and Unit

NumLogFiles The number of log files used in the rotation.

Amount For RotationType=0 : Amount is a file size

For RotationType=1 : Amount is a file age

Unit For RotationType=0 Unit relates to the size of the file and specifies whether the
Amount is Bytes, KB, MB, and so on.

0 = Bytes

1 = Kilobytes

2 = Megabytes

3 = Gigabytes

Unit For RotationType=1 Unit relates to the age of the file and specifies whether the
Amount is Minutes, Days, Weeks, and so on.

0 = Minutes

1 = Hours

2 = Days

3 = Weekdays

4 = Weeks

5 = Months

6 = Quarters

7 = Years

Administrator Guide: Kiwi Syslog Server page 89

Script functions

Example usage This example shows you how to create an ActionLogToFile
script.
Filename = "C:\Program
files\Syslogd\Logs\TestLog.txt" MsgPriority =
"Local7.Info"

MsgHostAddress = Fields.VarPeerAddress

' Use the date and time from the current

message MsgDate = Fields.VarDate & " " &
Fields.VarTime

MsgText = "This is a test message from the

scripting action"

Data = MsgDate & vbtab & MsgPriority & vbtab

& MsgHostAddress & vbtab & MsgText

RotateLogFile = 1 'Rotate this log

RotationType = 0 'Using File size rotation -

NumLogFiles = 4 'Use up to 4 log files

Amount = 1000 'Each log file no more than

1000

Unit = 0 'bytes in length

Call Fields.ActionLogToFile(Filename, Data,

RotateLogFile, RotationType, NumLogFiles,
Amount, Unit)

Fields.ActionSendSyslog(Hostname, Message, Port, Protocol)

Details This function sends a syslog Message to Hostname on Port via
Protocol. Use this function to send syslog messages to
another syslog host via the UDP or TCP protocol.

Return value None

Hostname Text string containing the host name or IP address of the remote
host.

Message Text string containing the priority tag and syslog message text

Port Integer between 1 and 65535 (514 is the standard syslog port)

Administrator Guide: Kiwi Syslog Server page 90

Script functions

Protocol Integer between 0 and 1 (0=UDP, 1=TCP)

Example Hostname = "10.0.0.1" ' Remote syslog host

Priority = 191 ' Local7.Debug

Port = 514 0 ' Use the standard syslog port

Protocol = ' 0=UDP, 1=TCP

' Construct the syslog message by adding

<PRI> value to the front of the text Message
= "<" + Cstr(Priority) + ">" + "This is an
example of a syslog message"

Call Fields.ActionSendSyslog(Hostname,
Message, Port, Protocol)

Fields.ActionSpoofSyslog(AdapterAddress, SrcAddress, DstAddress, DstPort, Message)

Details This function sends a spoofed Syslog Message (UDP only) to
DstAddress on Port DstPort. Use this function to send syslog
messages to another syslog host via the UDP protocol.

Return value None

AdapterAddress Text string containing the IP address or MAC address of the
network adapter that the message is sent from.

SrcAddress Text string containing the host name or IP address of the source
of the message (actual or spoofed).

DstAddress Text string containing the host name or IP address of the remote
(receiving) host.

DstPort Integer between 1 and 65535 (514 is the standard syslog port)

Message Text string containing the priority tag and syslog message text

Administrator Guide: Kiwi Syslog Server page 91

Script functions

Example AdapterAddress = "192.168.1.100" ' Adapter Address (this
can be IP Address or MAC address)

SrcAddress = "192.10.10.1" ' Source of message

DstAddress = "10.0.0.1" ' Destination of message

DstPort = 514 ' Use the standard syslog port

Priority = 191 ' Local7.Debug

Construct the syslog message by adding the<pri> value to the
front of the text Message = "<" + Cstr(Priority) + ">" +
"This is an example of a syslog message"

Call Fields.ActionSpoofSyslog(AdapterAddress, SrcAddress, DstAddress, DstPort, Message)

You must install Windows Packet Capture library (WinPcap) version 4.1 or later to access the
SPOOFSYSLOG field. See WinPcap, The Packet Capture and Network Monitoring Library for
Windows to download.

Fields.ActionLogToFileWithCache(Filename, Data, [RotateLogFile] , [RotationType] ,
[NumLogFiles] , [Amount] , [Unit])

Details This function writes data to the log you specify. This function
uses a write cache to improve performance. The cache is
flushed either every 100 messages or every 5 seconds. Use
registry settings to adjust the cache settings. SolarWinds
recommends that you use the write cache function if you receive
more than 10 messages per second.

Use this function to log messages to a file in your format. You
can also use AutoSplit syntax values in the filename.

For example, to have the filename contain the current hour of the
day, use %TimeHH: Filename = "C:\Program
files\Syslogd\Logs\TestLog%TimeHH.txt"

Return value None

Administrator Guide: Kiwi Syslog Server page 92

Script functions

Example usage Filename = "C:\Program

files\Syslogd\Logs\TestLog.txt" MsgPriority =
"Local7.Info"

MsgHostAddress = Fields.VarPeerAddress

' Use the date and time from the current

message MsgDate = Fields.VarDate & " " &
Fields.VarTime

MsgText = "This is a test message from the

scripting action"

Data = MsgDate & vbtab & MsgPriority & vbtab

& MsgHostAddress & vbtab & MsgText

Call Fields.ActionLogToFileWithCache
(Filename, Data)

This example requires that you enable Read permission
for Other fields. This gives the script read access to the
VarDate and VarTime variables.

Log File Rotation:

The parameters RotateLogFile, RotationType, NumLogFiles, Amount, and Unit are optional and you
only need to specify if logging to a rotated log file.

RotateLogFile 0 = Do not rotate log file

1 = Rotate log file

RotationType 0 = Rotate log files when log file size exceeds the amount
specified by Amount and Unit

1 = Rotate log files when log file age exceeds the amount
specified by Amount and Unit

NumLogFiles The number of log files to be used in the rotation.

Amount For RotationType=0 : Amount is a file size

For RotationType=1 : Amount is a file age

Administrator Guide: Kiwi Syslog Server page 93

Script functions

Unit For RotationType=0 Unit relates to the size of the file and specifies whether the
Amount is Bytes, KB, MB, and so on.

0 = Bytes

1 = Kilobytes

2 = Megabytes

3 = Gigabytes

Unit For RotationType=1 Unit relates to the age of the file and specifies whether the
Amount is Minutes, Days, Weeks, and so on.

0 = Minutes

1 = Hours

2 = Days

3 = Weekdays

4 = Weeks

5 = Months

6 = Quarters

7= Years

Administrator Guide: Kiwi Syslog Server page 94

Script functions

Example usage This example shows you how to create an
ActionLogToFileWithCache script.

Filename = "C:\Program
files\Syslogd\Logs\TestLog.txt" MsgPriority =
"Local7.Info"

MsgHostAddress = Fields.VarPeerAddress

' Use the date and time from the current

message MsgDate = Fields.VarDate & " " &
Fields.VarTime

MsgText = "This is a test message from the

scripting action"

Data = MsgDate & vbtab & MsgPriority & vbtab

& MsgHostAddress & vbtab & MsgText

RotateLogFile = 1 'Rotate this log

RotationType = 0 'Using File size rotation -

NumLogFiles = 4 'Use up to 4 log files

Amount = 1000 'Each log file no more than

1000

Unit = 0 'bytes in length

Call Fields.ActionLogToFileWithCache
(Filename, Data, RotateLogFile, RotationType,
NumLogFiles, Amount, Unit)

Fields.ActionDeleteFile(Filename)

Details This function attempts to delete the file you specify. Use this
function to delete a log file to ensure a fresh start. This function
does not support wildcards. You must specify a file name. No
confirmation is required, so use caution when using this
function.

Return value None

Example usage Filename = "C:\Program

files\Syslogd\Logs\TestLog.txt"

Call Fields.ActionDeleteFile(Filename)

Administrator Guide: Kiwi Syslog Server page 95

Script functions

Fields.ActionDisplay(DisplayNumber, TabDelimitedMessage)

Details This function displays a message to the specified virtual display
number. This function can be used to display messages on the
screen in your format. The TabDelimitedMessage must contain
5 tab delimited fields. The contents of each field can be
anything. The normal display fields are: Date TAB Time TAB
Priority TAB Hostname TAB Message.

Return value None

Example usage With Fields

MsgPriority = ConvertPriorityToText
(.VarPriority)

MsgHostAddress = .VarPeerAddress

' Use the date and time from the current

message MsgDate = .VarDate & " " & .VarTime

MsgText = "This is a test message from the

scripting action"

Display = MsgDate & vbtab & MsgTime & vbtab &

MsgPriority & vbtab &_

MsgHostAddress & vbtab & MsgText

Call .ActionDisplay(0, Display)

End with

Fields.ActionLogToODBC(DSNString, TableName, InsertStatement, Timeout)

Details This function passes the InsertStatement to the database
specified by DSNString and TableName. The timeout specifies how
many seconds to keep the database connection open when idle.

Use this function to log messages to a database in your format. The
connection to the database remains open internally to the program.
This avoids the overhead of creating and breaking the connection
each time a device sends data to the database. If no further data is
sent to the database, after the timeout period elapses, the connection
closes. The next time data is sent, the connection reopens.

Administrator Guide: Kiwi Syslog Server page 96

Script functions

Return value After successful execution, the field returns an empty string.
Otherwise, the error passes back a string value.

Administrator Guide: Kiwi Syslog Server page 97

Script functions

Example usage In this example, you create a System DSN called "KiwiSyslog" that
points to a MS Access database. The SQL insert statement syntax
changes depending on the database type that is written to.

This example:

A. Requires you to enable Read permission for Other fields. This
gives the script read access to the VarDate and VarTime
variables.
B. Assumes that you have created a table called "Syslogd" and
that it contains the required fields.
C. Has only been tested on MS Access 97 and MS Access 2000.
MyDSN = "DSN=KiwiSyslog;"

MyTable = "Syslogd"

MyFields =
"MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText"

' MS Access DB SQL INSERT command example:

' INSERT INTO Syslogd

(MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText)

' VALUES ('2004-08-

08','13:26:26','Local7.Debug','host.company.com',

' 'This is a test message from Kiwi Syslog

Server')

With Fields

' Construct the insert statement

SQLcmd = "INSERT INTO " & MyTable & " (" &
MyFields & ") VALUES (" & _

Quote(.VarDate) & "," & Quote(.VarTime) & "," & _

Quote(.ConvertPriorityToText(.VarPriority)) & ","

& _

Quote(.VarPeerAddress) & "," & Quote

(.VarCleanMessageText) & ")"

' Log the data to database using DSN, Table,

SQLcmd and Timeout of 30 seconds

Administrator Guide: Kiwi Syslog Server page 98

JScript escape characters

.VarCustom01 = .ActionLogToODBC(MyDSN, MyTable,

SQLcmd, 30)

' VarCustom01 now holds the return value from the

function.

End with

Function Quote(Data)

' Replace all occurrences of ' with '' to escape

existing quotes

' Wrap data with single quotes

Quote = "'" & Replace(Data, "'", "''") & "'"

End Function

Find additional example scripts in the \Scripts sub folder.

JScript escape characters
Use the following escape characters in JScript scripts to turn special characters, such as backslashes,
quotation marks, and so on, into string characters when used in script syntax. Excluding the escape
sequences included in this table, codes for the character that follows the backslash in the escape
sequence. For example, "\a" is interpreted as "a".

Because the backslash represents the start of an escape sequence, you cannot directly enter a
sequence into your script.

If you want to include a backslash, you must type two sequential characters (\\). For example: The
log file path is C:\\Program Files\\Syslogd\\Logs\\SyslogCatchAll.txt

Use the single quotes and double quote to escape sequences to include quotes in string literals. For
example: The caption reads, \"This is a test message from \'Kiwi SyslogGen\'.\"

Escape sequence Meaning
\b Backspace
\f Form feed

\n Line feed (new line)

\r Carriage return. Use with the line feed (\r\n) to format output.

Administrator Guide: Kiwi Syslog Server page 99

Scripting dictionaries

Escape sequence Meaning
\t Horizontal tab
\v Vertical tab
\' Single quote (')
\" Double quote (")
\\ Backslash (\)
\n ASCII character represented by the octal number n. *
\xhh ASCII character represented by the two-digit hexadecimal number hh.
\uhhhh Unicode character represented by the four-digit hexadecimal number hhhh.

Scripting dictionaries
When you write scripts, you can use the dictionaries collection to create named dictionaries that store
data key and item pairs. The data stored in these dictionaries exists for the lifetime of the application.
Dictionaries have the same scope as the VarGlobal variables in the Fields namespace.

A named Dictionary is the equivalent of a PERL associative array. Dictionaries store items (data) in
the array and each item is associated with a unique key.

The key is used to retrieve an individual item and can be anything except an array, such as an integer
or string.

Find dictionary methods and properties through the dictionaries namespace.

Built in functions of the Dictionaries object
StoreItem(dicName As String, dicKey As String, dicItem As Variant)
The StoreItem function stores a key and item pair to a named dictionary.

dicName Required The name of the dictionary. If dicName does not exist, it is created.

dicKey Required The key associated with the stored item. If dicKey does not exist, is

created.

dicItem Required The item associated with the stored key.

Example syntax: Call Dictionaries.StoreItem("MyDictionary", "MyKeyName",

"MyItemValue")

Administrator Guide: Kiwi Syslog Server page 100

Scripting dictionaries

AddItem(dicName As String, dicKey As String, dicItem As Variant)
The AddItem function stores a key and item pair to a named dictionary. A script error occurs if the key
dicKey already exists in the dictionary dicName.

dicName Required The name of the dictionary. If dicName does not exist, it is created.

dicKey Required The key associated with the item added.

dicItem Required The item associated with the key added.

Example syntax: Call Dictionaries.AddItem("MyDictionary", "MyKeyName",

"MyItemValue")

The .AddItem() and .UpdateItem() have been supplanted by the .StoreItem() function
as of Kiwi Syslog Server version 8.1.4. However, to ensure backwards compatibility the usage
of .AddItem() and .UpdateItem() will continue to be supported.

UpdateItem(dicName As String, dicKey As String, dicItem As Variant)
The UpdateItem function updates the item associated with key dicKey to the value in dicItem. Only
the dictionary dicName is affected. A script error occurs if the dictionary dicName does not exist, or if
the key dicKey does not exist.

dicName Required The name of the dictionary.

dicKey Required The key associated with the item updated.

dicItem Required The new item to be updated.

Example syntax: Call Dictionaries.UpdateItem("MyDictionary", "MyKeyName",

"MyNewItemValue")

RemoveItem(dicName As String, dicKey As String)
The RemoveItem function removes a key and item pair from the dictionary dicName. A script error
occurs if the dictionary dicName does not exist, or if the key dicKey does not exist.

dicName Required The name of the dictionary.

dicKey Required The key associated with the item removed.

Example syntax: Call Dictionaries.RemoveItem("MyDictionary", "MyKeyName")

Administrator Guide: Kiwi Syslog Server page 101

Scripting dictionaries

RemoveAll(dicName As String)
The RemoveAll function removes all key and item pairs from the dictionary dicName. A script error
occurs if the dictionary dicName does not exist.

dicName Required The name of the dictionary removed.

Example syntax: Call Dictionaries.RemoveAll("MyDictionary")

Delete(dicName As String)
The Delete function deletes the entire dictionary dicName. A script error occurs if the dictionary
dicName does not exist.

dicName Required The name of the dictionary being deleted.

Example syntax: Call Dictionaries.RemoveItem("MyDictionary", "MyKeyName")

DeleteAll
The DeleteAll function deletes all dictionaries.

Example syntax: Call Dictionaries.DeleteAll()

GetItemCount(dicName As String) As Long
The GetItemCount function returns the number of items in the dictionary dicName. A script error
occurs if the dictionary dicName does not exist.

dicName Required The name of the dictionary.

Example syntax: ItemCount = Dictionaries.GetItemCount("MyDictionary")

GetItem(dicName As String, dicKey As String) As Variant
The GetItem function returns an item for a specified key dicKey in the dictionary dicName. An error
occurs if the dictionary dicName does not exist, or if the key dicKey does not exist.

dicName Required The name of the dictionary.

dicKey Required The key associated with the item fetched.

Example syntax: MyItem = Dictionaries.GetItem("MyDictionary", "MyKeyName")

Administrator Guide: Kiwi Syslog Server page 102

Scripting dictionaries

ItemExists(dicName As String, dicKey As String) As Boolean
The ItemExists property returns True if the specified key dicKey exists in the dictionary dicName.
An error occurs if the dictionary dicName does not exist.

dicName Required The name of the dictionary.

dicKey Required The key associated with the item fetched.

Example syntax: If Dictionaries.ItemExists("MyDictionary", "MyKeyName") Then

...
End If

GetKeys(dicName As String) As Variant
The GetKeys property returns an array containing the keys in the dictionary dicName. An error occurs
if the dictionary dicName does not exist.

dicName Required The name of the dictionary.

Example syntax: MyKeyArray = Dictionaries.GetKeys("MyDictionary")
For i = 0 to UBound(MyKeyArray)
ThisKey = MyKeyArray(i)
...
Next

GetItems(dicName As String) As Variant
The GetItems property returns an array containing the items in the dictionary dicName. An error
occurs if the dictionary dicName does not exist.

dicName Required The name of the dictionary.

Example syntax:
MyItemArray = Dictionaries.GetItems("MyDictionary")
For i = 0 to UBound(MyItemArray)
ThisItem = MyItemArray(i)
...
Next

Error Reference
The following table lists and provides a brief explanation of some of the common errors you may
receive when attempting to execute each function.

Administrator Guide: Kiwi Syslog Server page 103

Scripting tutorial

Function Name Error Description
GetName() Script Error executing .GetName() - Dictionary does not exist

Delete() Script Error executing .Delete() - Dictionary [x] does not exist

AddItem() Script Error executing .AddItem() - Dictionary Key [x] already exists in dictionary
[y]

UpdateItem() Script Error executing .UpdateItem() - Dictionary Key [x] does not exist in
dictionary [y]

Script Error executing .UpdateItem() - Dictionary [x] does not exist

RemoveItem() Script Error executing .RemoveItem() - Dictionary Key [x] does not exist in
dictionary [y]

Script Error executing .RemoveItem() - Dictionary [x] does not exist

RemoveAllItems Script Error executing .RemoveAllItems() - Dictionary [x] does not exist
()

GetItemCount() Script Error executing .GetItemCount() - Dictionary [x] does not exist

GetItems() Script Error executing .GetItems() - Dictionary [x] does not exist

GetKeys() Script Error executing .GetKeys() - Dictionary [x] does not exist

GetItem() Script Error executing .GetItem() - Dictionary Key [x] does not exist in dictionary [y]

Script Error executing .GetItem() - Dictionary [x] does not exist

ItemExists() Script Error executing .ItemExists() - Dictionary [x] does not exist

Scripting tutorial
This tutorial demonstrates how to create a script and use it to search and replace text within a syslog
message.

The scripting action is available only in the registered version of Kiwi Syslog Server Service
Manager.

Each of the four tasks outlined below must be completed in sequential order to successfully create
and execute the tutorial script.

Administrator Guide: Kiwi Syslog Server page 104

Scripting tutorial

Task 1: Create the script action in Setup
1. Open Setup window from the File menu.
2. Create a rule called Replace text.
3. Add a Run Script action.
4. Set the script file name to: ReplaceText.txt.
5. Set the Script Description field to Replaces occurrences of "cat" with "dog".
6. Set the Script Language to VBScript.
7. Set the Field Read/Write permissions to:
l Common fields: Read = Checked, Write = Checked
l Other fields: Read = Unchecked, Write = Unchecked
l Custom fields: Read = Unchecked, Write = Unchecked
8. Click the Edit Script button to open the file in Notepad. Because the file does not exist, you will
be prompted to create a file.
9. Copy and paste the following script file into Notepad and  Save.
Function Main()
' Replace cat with dog within the message text field
Fields.VarCleanMessageText = Replace(Fields.VarCleanMessageText,
"cat", "dog")
' Return OK to tell syslog that the script ran correctly.
Main = "OK"
End Function

Task 2: Create the log to file actions
1. Return to Replace Text rule created in Task 1.
2. Add a Log to file action.
3. Enter the Path and file name of log file as: MyCustomLog.txt in a folder.
4. Leave the log file format as the default: Kiwi format ISO yyyy-mm-dd (Tabdelimited).
5. Click the action and then press F4 to auto name the action Log to file.
6. Add a Display action.
7. Leave the display number as the default: Display 00 (Default).
8. Click the action and then press F4 to auto name the action Display.

Administrator Guide: Kiwi Syslog Server page 105

Scripting tutorial

The Run script action should be listed above the Display and Log to file actions. If not, you can select
the action and use the ^ toolbar button to move it up the list.

Your rule should look like this:
Rules

Rule: Replace Text

Filters

Actions

Run Script

Display

Log to file

Task 3: Test the script
1. Select the Run Script action.
2. Click the Test Setup button.
3. Change the message text to read: The cat sat on the mat.
4. Click the Show action button.
5. Check the Show test results check box.
6. Press the Test button.

After the script runs, the results open in Notepad. There you see the script variables. Check the
VarCleanMessageText field and you should see the word "cat" has been changed to "dog."

Task 4: Test the script with SyslogGen
1. To apply the rule changes, click OK on the Kiwi Syslog Server Setup window.
2. Download SyslogGen from http://www.kiwisyslog.com/downloads.aspx and install it on the
same machine as the Syslog Server.
3. Set the send options to send message once. Set the destination to localhost (127.0.0.1).
4. Set the message text to "This is a test. The cat sat on the mat."
5. Press the Send button.

The message: "This is a test. The dog sat on the mat." is displayed.

Administrator Guide: Kiwi Syslog Server page 106

Create scheduled tasks

Create scheduled tasks
You can create up to 100 scheduled tasks in Kiwi Syslog Server. The following types of tasks are
available:

l Archive tasks move or copy files to another location and (optionally) compress the files.
l Clean-up tasks delete files that meet the specified criteria (for example, files over a certain age).
l Run Program tasks run a Windows program.
l Run Script tasks run a script.

Each task can be triggered to run:

l On a schedule
l When the Kiwi Syslog Server application or service starts
l When the Kiwi Syslog Server application or service stops

If multiple tasks are set to run at the same time, the tasks run in the order they are listed on the Setup
dialog. You can rearrange scheduled tasks.

Create a scheduled task to archive log files
To save disk space, you can create a task to automatically archive log files that are no longer needed
for troubleshooting (for example, log files that are more than a week old). The archive task includes
options to move files to another location, compress them, encrypt them, and send notifications. You
can schedule the task to run at regular intervals.

You can also create a scheduled task to remove archived files after the retention period is over.
For an example of creating archive and cleanup tasks, see Create schedules to automate log
archival and retention in the Kiwi Syslog Server Getting Started Guide.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.

3. Replace the default name with a descriptive name (for example, Archive logs after 7 days).

4. As the Task Type, select Archive.

Administrator Guide: Kiwi Syslog Server page 107

Create a scheduled task to archive log files

5. As the Task Trigger, specify when you want the archive task to run:
l To schedule the task, select On a schedule. Then specify the start date, frequency, end
date, and any exceptions on the Schedule tab.
l To run the task each time you start or stop the Kiwi Syslog Server application or service,
select On app/service startup or On app/service shutdown.
6. On the Source tab:
a. Under Source location, specify the location of the files to archive.
By default, log files are stored in the following directory:
C:\Program Files (x86)\Syslogd\Logs\

b. Under Source files, specify which files are archived.

The following example archives TXT files that are at least 8 days old.

7. On the Destination tab:

a. Specify the destination folder.
Kiwi Syslog Server provides the following default folder for storing archived logs:
C:\Program Files (x86)\Syslogd\Dated Logs\

b. Specify whether you want to move or copy the files.
c. (Optional) Select options to create a dated root folder in the specified destination, and to
add a date to each archived file name.
You can use the Adjust file/folder date(s) option to adjust each file or folder date to reflect
the date of the logs, instead of the current date. For example, if you are archiving files that
are a week old, you can shift the date back one week.

Administrator Guide: Kiwi Syslog Server page 108

Create a scheduled task to archive log files

8. To compress the archived files, select the following options on the Archive Options tab:
a. Select Zip files after moving/copying.
b. Select the compression level and method:

Compression l None: does not compress the files.
level l Low: takes the least amount of time to compress the data, but files
are larger.
l Medium: provides the best balance between the time required to
compress the data and the compression ratio.
l High: produces slightly smaller files but requires significantly longer
compression times. This option is recommended only when space
is limited and processing time is not important.

Compression l Stored (None): does not compress the files.
method l Deflate: provides the fastest compression.
l Deflate64: takes longer but provides better compression.

c. (Optional) To encrypt the files, select Encrypt zip files, and specify the encryption
properties.

Password Enter a case-sensitive password of up to 79 characters. If the password is
blank, the files are not encrypted.

Encryption WinZip AES provides stronger encryption than Compatible.
type

Encryption If you selected WinZip AES, specify the size of the encryption key.
strength

9. To run a program after the files are archived, select the following options on the Archive Options
tab:
a. Select the option to run a program after each file is archived or after all files are archived.
b. Specify the location of the executable file, and enter any command-line parameters to pass
to the executable.
To include a file name, folder name, or current date in the command-line parameters, click
Variable options and select the value to include.
c. To specify the maximum time to wait for the program to run, select Wait for program
completion. Then enter the maximum number of seconds to wait.
Programs or processes that are still running after this period are terminated.

Administrator Guide: Kiwi Syslog Server page 109

Create a scheduled task to delete files

10. To email or save the report generated each time the archive task runs, select one or more
options on the Archive Notifications tab.

l To email the report to multiple recipients, separate the list of email addresses by
commas or semicolons.
l If you save the report to a file, insert date and time variables in the file name to
ensure that it is unique. If the file name is not unique, Kiwi Syslog Server overwrites
the existing file when it creates a new file.

11. Click Apply to save your changes.

Create a scheduled task to delete files
A clean-up task deletes files that match the specified criteria (including age, size, and file type). For
example, you can create a clean-up task to remove archived log files after they have been retained for
the required period. You can schedule the task to run at regular intervals.

You can also create a scheduled task to archive log files not needed for troubleshooting. For an
example of creating archive and cleanup tasks, see Create schedules to automate log archival
and retention in the Kiwi Syslog Server Getting Started Guide.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.

3. Replace the default name with a descriptive name.
4. As the Task Type, select Clean-up.

5. As the Task Trigger, specify when you want the archive task to run:
l To schedule the task, select On a schedule. Then specify the start date, frequency, end
date, and any exceptions on the Schedule tab.
l To run the task each time you start or stop the Kiwi Syslog Server application or service,
select On app/service startup or On app/service shutdown.
6. On the Source tab:
a. Under Source location, specify the folder that contains the files to be deleted.
To delete files from subdirectories, select Include sub-folders.
b. Under Source files, specify which files are deleted.

Administrator Guide: Kiwi Syslog Server page 110

Create a scheduled task to run a program

The following example deletes ZIP files that are at least 7 years old.

7. To delete empty folders in the source location, click the Clean-up Options tab and select
Remove empty folders.
8. To email or save the report generated each time the clean-up task runs, select one or more
options on the Clean-up Notification tab.

9. Click Apply to save your changes.

Create a scheduled task to run a program
Create a Run Program task to execute a Windows program, process, or batch file. You can schedule
the task to run at regular intervals.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.

3. Replace the default name with a descriptive name.
4. As the Task Type, select Run Program.

Administrator Guide: Kiwi Syslog Server page 111

Create a scheduled task to run a program

5. As the Task Trigger, specify when you want the archive task to run:
l To schedule the task, select On a schedule. Then specify the start date, frequency, end
date, and any exceptions on the Schedule tab.
l To run the task each time you start or stop the Kiwi Syslog Server application or service,
select On app/service startup or On app/service shutdown.
6. On the Program Options tab, complete the following fields:

Program Specify the program to run.
file name

Command Enter any command-line parameters to be passed to the program.
line options

Process Select the priority of the process created when the program runs. Select Normal
priority (the default) for programs with no special scheduling needs.

Low priority processes run only when the system is idle. High and
Realtime priority processes preempt the threads of lower level priorities.
For more information on each priority level, see the ProcessPriority registry
setting.

Realtime priority processes can cause system lockups.

Window If the program has a user interface, select the Window mode.
mode

Wait for Select this option if you want Kiwi Syslog Server to suspend all processing until
program the program has started. Then enter the maximum time that Kiwi Syslog Server
initialization should wait.
to complete
Use this setting if something interacts with the program after it starts and you
want to be sure that the program has started before the interaction is triggered.
To determine if the program has started, Kiwi Syslog Server monitors the process
that is created when the program starts, and waits for that process to signal that it
is idle.

7. To email or save the report generated each time the clean-up task runs, select one or more
options on the Run Program Notification tab.

Administrator Guide: Kiwi Syslog Server page 112

Create a scheduled task to run a script

8. Click Apply to save your changes.

Create a scheduled task to run a script
Create a Run Script task to run a script. You can schedule the task to run at regular intervals.

For information about writing scripts to use with Kiwi Syslog Server, see Scripting resources.

1. From the Kiwi Syslog Service Manager, choose File > Setup.
2. In the left pane of the Setup dialog, right-click Schedules and select Add new schedule.

3. Replace the default name with a descriptive name.
4. As the Task Type, select Run Program.
5. As the Task Trigger, specify when you want the archive task to run:
l To schedule the task, select On a schedule. Then specify the start date, frequency, end
date, and any exceptions on the Schedule tab.
l To run the task each time you start or stop the Kiwi Syslog Server application or service,
select On app/service startup or On app/service shutdown.

6. On the Program Options tab, complete the following fields:

Script file Enter the path and file name of an existing script file or of the file to be created.
name

Script Describe the purpose or function of the script.
description

Administrator Guide: Kiwi Syslog Server page 113

Create a scheduled task to run a script

l RubyScript

Administrator Guide: Kiwi Syslog Server page 114

Create a scheduled task to run a script

For more information about the fields in each group, see Script variables.

7. To email or save the report generated each time the clean-up task runs, select one or more
options on the Run Program Notification tab.

8. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 115

Set alarms

Set alarms
Use alarms to monitor network traffic, disk space, and the number of messages in the queue waiting to
be processed. When an alarm is triggered, Kiwi Syslog Server alerts you by playing a sound, sending
an email, or running a program.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Alarms node.
3. Click the type of alarm you want to enable.

Min The alarm is triggered if Kiwi Syslog Server receives fewer than the specified
message number of messages per hour. This could indicate that messages are not being
count received.

Max The alarm is triggered if Kiwi Syslog Server receives more than the specified
message number of messages per hour.
count

Disk space The alarm is triggered if the amount of free disk space on the disk where Kiwi
usage Syslog Server is installed drops below the specified threshold.
You can also select options to close TCP connections or stop disk logging when
free disk space is below the specified levels.

Message The alarm is triggered if:
queue
l The syslog message queue overflows more than the specified number of
monitor
times per hour.
l More than the specified number of messages are in the queue waiting to be
processed.

The configuration panel for the selected alarm opens.
4. Enter the alarm threshold.

Administrator Guide: Kiwi Syslog Server page 116

Set alarms

5. Select the notification method.

Audible This feature is available only in the licensed version.
alarm
l If you select Beep, the system beeps every second until the alarm is canceled.
l If you select Play a sound file, the sound file is played every five seconds until
the alarm is canceled.
To cancel an alarm, double-click the red alarm bell icon in the tool bar at the top of
the Kiwi Syslog Service Manager window.

Run This feature is available only in the licensed version.
program
Select the program file to run. You can pass information to the program using
command line parameters and message content variables. Place quotation marks (")
around file names or paths that contain spaces. For example:
Pager.exe "555-1234" ,"Syslog - Warning, lots of messages
received, Max set at %MsgAlarmMax but received %MsgThisHour so far
this hour."

Use the Test button to make sure the program runs as expected.

Notify An email is sent to the alarm message recipients specified in E-mail settings.
by e-
The email message includes the alarm message, the threshold exceeded, and the
mail
current threshold value. For context, the last hour's statistics are also included.

6. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 117

Log file and database formats

Log file and database formats
When you add an action to log messages to a file, you can:

l Select an existing log file format
l Create a custom log file format

When you add an action to log messages to a database, you can:

l Select an existing database format
l Create a custom database format

Log file formats available in Kiwi Syslog Server
When you add an action to log messages to a file, you can choose any of the following standard log
file formats.

You can also create a custom log file format.

Kiwi format ISO yyyy-mm-dd (Tab delimited)
Format DateTime (YYYY-MM-DD HH:MM:SS) [TAB] Priority (Facility.Level) [TAB] Host name
[TAB] Message text

Example 2017-07-22 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64

Kiwi format ISO UTC yyyy-mm-dd (Tab delimited)
Format UTC DateTime (YYYY-MM-DD HH:MM:SS) [TAB] Priority (Facility.Level) [TAB] Host
name [TAB] Message text

Example 2017-07-22 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64

Kiwi format mm-dd-yyyy (Tab delimited)
Format Date (MM-DD-YYYY) [TAB] Time (HH:MM:SS) [TAB] Priority (Facility.Level) [TAB] Host
name [TAB] Message text

Example 07-22-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP
port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64

Administrator Guide: Kiwi Syslog Server page 118

Log file formats available in Kiwi Syslog Server

Kiwi format dd-mm-yyyy (Tab delimited)
Format Date (DD-MM-YYYY) [TAB] Time (HH:MM:SS) [TAB] Priority (Facility.Level) [TAB] Host
name [TAB] Message text

Example 22-07-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP
port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64

Kiwi format UTC mm-dd-yyyy (Tab delimited)
Format UTC Date (MM-DD-YYYY) [TAB] UTC Time (HH:MM:SS) [TAB] Priority (Facility.Level)
[TAB] Host name [TAB] Message text

Example 07-22-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP
port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64

Kiwi format UTC dd-mm-yyyy (Tab delimited)
Format UTC Date (DD-MM-YYYY) [TAB] UTC Time (HH:MM:SS) [TAB] Priority (Facility.Level)
[TAB] Host name [TAB] Message text

Example 22-07-2017 [TAB] 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP
port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64

Comma Separated Values yyyy-mm-dd (CSV)
Format DateTime (YYYY-MM-DD HH:MM:SS),Priority (Facility.Level),Host name,Message text

Example 2017-07-22 12:34:56,Local5.Debug,firewall-inside,"prot=UDP port=53 dst=203.25.36.47
src=192.168.1.2 bytes=64"

Comma Separated Values UTC yyyy-mm-dd (CSV)
Format UTC DateTime (YYYY-MM-DD HH:MM:SS),Priority (Facility.Level),Host name,Message
text

Example 2017-07-22 12:34:56,Local5.Debug,firewall-inside,"prot=UDP port=53 dst=203.25.36.47
src=192.168.1.2 bytes=64"

BSD Unix syslog format
Format DateTime (Mmm DD HH:MM:SS) [SPACE] Host name [SPACE] Message text (PID tag
followed by message content)

Administrator Guide: Kiwi Syslog Server page 119

Log file formats available in Kiwi Syslog Server

Example Jul 22 12:34:56 [SPACE] firewall-inside [SPACE] amd[308]: key sys: No value
component in "rw,intr"

XML tagged format
Format <Message><DateTime> DateTime (YYYY-MM-DD HH:MM:SS) </DateTime><Priority>
Priority (Facility. Level) </Priority><Source_Host> Host name </Source_
Host><MessageText> Message Text </MessageText></Message>

Example <Message><DateTime>2017-07-23
21:53:35</DateTime><Priority>Local7.Debug</Priority><Source_Host>firewall-
inside</Source_Host><MessageText> prot=UDP port=53 dst=203.25.36.47
src=192.168.1.2 bytes=64</MessageText></Message>

RnRsoft ReportGen format
Format rnrsoft [TAB] Date (YYYY-MM-DD) [TAB] Time (HH:MM:SS) [TAB] Host name [TAB]
Level (numeric 0-7) [TAB] Message text

Example rnrsoft [TAB] 2017-07-23 [TAB] 22:02:51 [TAB] firewall-inside [TAB] 7 [TAB] prot=UDP
port=53 dst=203.25.36.47 src=192.168.1.2 bytes=64

More information on ReportGen for SonicWall, PIX, GNATbox and Netscreen can be found on their
website.

WebTrends format
Format WTsyslog [SPACE] Date (YYYY-MM-DD) [SPACE] Time (HH:MM:SS) [SPACE] ip=Host
address (a.b.c.d) [SPACE] pri=Level (numeric 0-7) [SPACE] Message text

Example WTsyslog [2017-11-12 12:44:45 ip=192.168.168.1 pri=6] <134>id=firewall time="2017-
11-15 08:43:42" fw=192.168.1.1 pri=6 src=192.168.1.34 proto=http

More information on Webtrends firewall suite can be found on their website.

Cisco PIX PFSS format (Raw logging)
Format <Priority value (0-191)>Message text

Example <191>Built outbound TCP connection 12004 for faddr grc.com/80 gaddr 192.168.2.2/4120
laddr 192.168.1.1/4391

Administrator Guide: Kiwi Syslog Server page 120

Create a custom log file format

3Com 3CDaemon format (BSD space delimited)
Format DateTime (Mmm DD HH:MM:SS) [SPACE] Host address [SPACE] Message text

Example Jul 22 12:34:56 [SPACE] 192.168.1.1 [SPACE] key sys: No value component in "rw,intr"

Raw - Message text only (no priority)
Format Message text only

Example Built outbound TCP connection 12004 for faddr grc.com/80 gaddr 192.168.2.2/4120 laddr
192.168.1.1/4391

Sawmill format ISO yyyy-mm-dd (Tab delimited)
Format DateTime (YYYY-MM-DD HH:MM:SS) [TAB] Priority (Facility.Level) [TAB] Host name
[TAB] Message text

Example 2017-07-22 12:34:56 [TAB] Local5.Debug [TAB] firewall-inside [TAB] prot=UDP port=53
dst=203.25.36.47 src=192.168.1.2 bytes=64

More information on Sawmill log processing software can be found on Sawmill website.

Create a custom log file format
When you add an action to log messages to a file, you can specify the log file format. If you do not
want to use the standard formats available, you can create your own custom file logging format.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Formatting node.

3. Right-click the Custom file formats node and choose Add new custom file format.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)

Administrator Guide: Kiwi Syslog Server page 121

Create a custom log file format

5. Specify the following options:

Log file a. Select the fields that you want to include in the log file. (See the examples of

fields fields and values below.)
b. Drag and drop the fields to specify the order in which the information is shown.

Custom fields are for use by the run script action. By writing a parsing script,
the syslog message text can be broken down into various sub fields. The
values can then be assigned to the 16 custom fields and then logged to a file.
Because each device manufacturer creates syslog messages in a different
format, it is not possible to create a generic parser that will break up the
message text into separate fields. A custom script must be written to parse the
message text and then place it in the custom fields. Example parsing scripts
can be found in the \Scripts sub folder. If you select the Custom field
checkbox, all 16 custom fields will be written to the log file. Each custom field
is separated by the selected delimiter character.

Date Select the date and time formats appropriate for your location.
and
Time
formats

Field Select the character used to separate the fields. Tab characters are the most
delimiter common delimiters used for syslog files.

Qualifier Select an option if you want to enclose each field can be enclosed in quotes or tags.
This option is useful when the delimiter is a comma.

Adjust Select this option to adjust the date and time stamps in your log files to be adjusted
time to to UTC (GMT) time. The current time difference (in hours) between your system and
UTC UTC is shown in brackets.

6. Click Apply to save the format.

Examples of fields and values
The following table shows examples of fields and their values.

Field name Example
Date 28/01/2017

Time 16:12:54

Date-Time 28/01/2017 16:12:54

Administrator Guide: Kiwi Syslog Server page 122

Database formats available in Kiwi Syslog Server

Field name Example
Milliseconds 123

TimeZone -13 hrs

Facility Local7

Level Debug

Priority Local7.Debug

HostAddress 192.168.0.1

Hostname host.company.com

InputSource UDP

Message Text This is a test message from Kiwi Syslog Server

Custom Custom01 Custom02 Custom03 etc.

Database formats available in Kiwi Syslog Server
When you add an action to log messages to a database, you can choose any of the following standard
database formats:

l Microsoft Access
l Microsoft SQL
l MySQL
l Oracle

You can also create a custom database format.

The following sections describe the table columns used to store message field values. If you choose
to create the table manually before you add a Log to Database action, use the table design for the
selected database type.

Default Microsoft Access database table design
Field Name Type Size
Date MSGDATE Date 10

Time MSGTIME Time 8

Priority MSGPRIORITY Text 30

Administrator Guide: Kiwi Syslog Server page 123

Database formats available in Kiwi Syslog Server

Field Name Type Size

Hostname MSGHOSTNAME Text 255

Message text MSGTEXT Memo 1024

Default Microsoft SQL and generic SQL database table design
Field Name Type Size
Date MSGDATE Date 10

Time MSGTIME Time 8

Priority MSGPRIORITY VarChar 30

Hostname MSGHOSTNAME VarChar 255

Message text MSGTEXT VarChar 1024

Default MySQL database table design
Field Name Type Size
Date MSGDATE Date 10

Time MSGTIME Time 8

Priority MSGPRIORITY VarChar 30

Hostname MSGHOSTNAME VarChar 255

Message text MSGTEXT Text 1024

Default Oracle database table design
Field Name Type Size
Date MSGDATE Date 10

Time MSGTIME Time 8

Priority MSGPRIORITY VarChar2 30

Hostname MSGHOSTNAME VarChar2 255

Message text MSGTEXT VarChar2 1024

Administrator Guide: Kiwi Syslog Server page 124

Create a custom database format

Create a custom database format
When you add an action to log messages to a database, you must specify the database format. If you
do not want to use the standard formats available, you can create your own custom database format.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Formatting node.
3. Right-click the Custom DB formats node and choose Add new custom DB Muformat.
4. Replace the default name with a descriptive name. (The name does not have to be unique.)
5. Specify the following options:

Type Select your database type from the Type dropdown menu. If your database type is
not included, select Unknown format.

Function Drag and drop the gray Function cells to specify the order in which fields are
created in the database table. This is also the order that data is inserted into the
table.

Field a. Select the fields to include as columns in the database table.

name
Custom fields are for use by the run script action. By writing a parsing
script, the syslog message text can be broken down into various sub
fields. The values can then be assigned to the 16 custom fields and
then logged to a file. Because each device manufacturer creates
syslog messages in a different format, it is not possible to create a
generic parser that will break up the message text into separate fields.
A custom script must be written to parse the message text and then
place it in the custom fields. Example parsing scripts can be found in
the \Scripts sub folder. If you select the Custom field checkbox, all
16 custom fields will be written to the log file. Each custom field is
separated by the selected delimiter character.

b. To edit a field name, double-click the name and replace it.

The default names are known to work on all databases. If you change
the date field to a name of "DATE" for example, this may cause a
problem with some database types because "DATE" is a reserved
word. By using MSG at the beginning of the field name, you can avoid
using reserved words.

Administrator Guide: Kiwi Syslog Server page 125

Create a custom database format

Size For each field, specify the field size so that the largest data element can fit into the
field. Some field types do not need a size specified since it is implied by the field
type. For example, a field type of Time is always assumed to be a size of 8 bytes.
The size value is also needed by the program when it comes time to log data to
the database. As the data is passed to the database via an INSERT statement,
the data is trimmed to the specified field size. This avoids any errors caused by
data that is too large for the field. For example, if you have specified the message
text field to be 255 bytes, but a message arrives that is 300 bytes, the data will be
trimmed back to 255 bytes before being logged.

Type Match each field type to the type of data being logged. If you are not sure of the
correct data type to use it is safe to use "VarChar" in most cases. When the data
type cell is edited, a drop down combo will show allowing you to choose from a
list of known data types. You can choose your own type instead of one from the
list, by simply typing the value into the cell. The data types shown in the list are
specific to the database format selected. For example, "Text" in Access becomes
"VarChar" in SQL.

Format The data format can be specified for each data field. In most cases no formatting is
needed. For date and time fields, the database will accept data in many formats
and convert it to its own internal format. When it is queried, the data may actually
appear to be in a different format to which it was logged.
The HostAddress field formatting allows you to zero pad the address so that it
appears with leading zeros. This ensures the address is always 15 bytes long and
allows for easy sorting by IP address.
Leaving the format cell blank will leave the data unmodified and it will be added
as it is received.

Administrator Guide: Kiwi Syslog Server page 126

Create a custom database format

Show SQL Click this button to display a list of commands used to create and insert data into a
commands table. You can use these commands to create your own table within your
database application. A default table name of "Syslogd" is assumed when
generating the commands.
Example SQL commands:
Database type: MySQL database
Database name: New Format
SQL command to create the table:
CREATE TABLE Syslogd (MsgDate DATE,MsgTime
TIME,MsgPriority VARCHAR(30),MsgHostname VARCHAR
(255),MsgText TEXT)
SQL INSERT command example:
INSERT INTO Syslogd
(MsgDate,MsgTime,MsgPriority,MsgHostname,MsgText) VALUES
('2005-01-
28','16:22:44','Local7.Debug','host.company.com','This is
a test message from Kiwi Syslog Server')

6. Click Apply to save the format.

Examples of data formats
Field name Type Size Data
MsgUnique adInteger 4 1

MsgDate adDBTimeStamp 16 28/01/2017

MsgTime adDBTimeStamp 16 16:12:54

MsgDateTime adDBTimeStamp 16 28/01/2017 16:12:54

MsgUTCDate adDBTimeStamp 16 28/01/2017

MsgUTCTime adDBTimeStamp 16 04:12:54

MsgUTCDateTime adDBTimeStamp 16 28/01/2017 04:12:54

MsgTimeMS adInteger 4 0

MsgPriorityNum adInteger 4 191

Administrator Guide: Kiwi Syslog Server page 127

Create a custom database format

Field name Type Size Data

MsgFacilityNum adInteger 4 23

MsgLevelNum adInteger 4 7

MsgPriority adVarWChar 30 Local7.Debug

MsgFacility adVarWChar 15 Local7

MsgLevel adVarWChar 15 Debug

MsgHostAddress adVarWChar 15 192.168.0.1

MsgHostname adVarWChar 255 host.company.com

MsgInputSource adVarWChar 10 UDP

MsgText adLongVarWChar 1024 This is a test message from KSS

Administrator Guide: Kiwi Syslog Server page 128

DNS setup options

DNS setup options
See the following topics to set DNS options:

l DNS resolution
l DNS setup
l DNS caching

DNS resolution
Complete the following steps to specify DNS resolution options.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click DNS Resolution.
3. Specify the following options:

Resolve This converts the IP address of the sending device into a more meaningful host
the name. Instead of 203.50.23.4 you will see something like "sales-
address of router.company.com"
the
The resolved host name is then used in the display and other actions.
sending
device The Host name is also used for the "Hostname" type filter.
If you like, the domain name section can be removed from the display by using the
Remove the domain name option.

Remove If the Resolve the address of the sending device option is also checked, this option
the will remove the trailing domain name from the resolved host name. In this case,
domain instead of "sales-router.company.com" you will see just "sales-router".
name
Enabling this option is useful when you only receive messages from a single
(show
domain or to reduce the amount of space used by the host name in the scrolling
only the
display.
host
name) This option also effects the host name field used for all the logging actions.

Administrator Guide: Kiwi Syslog Server page 129

DNS resolution

Resolve This option is available only in the registered version.
IP
addresses When you are logging data from web servers or firewalls etc, the message text
found may contain IP addresses. To turn these IP addresses into meaningful names and
within the website addresses you need to enable this option. The program will search
syslog through the message text and look for any IP address entries. You can also specify
message how the resolved name will be displayed. You may replace the IP address with the
text name or adding the name after the IP address in the message text.
* NetBIOS names can require more time to resolve than normal DNS entries. If you
want to resolve NetBIOS names, increase the DNS timeout to 20 or 30 seconds.
Examples:
Test user connected to website http://192.168.1.2/index.html. src=192.168.5.100
rxbytes=64
With replace IP address with host name option, the message becomes...
Test user connected to website http://website.company.com/index.html.
src=userpc.company.com rxbytes=64
With place host name next to IP address option, the message becomes...
Test user connected to website http://192.168.1.2 (website.company.com)
/index.html. src=192.168.5.100 (userpc.company.com) rxbytes=64
The Remove the domain name option allows the stripping of the domain name
portion from the resolved host name.
To selectively keep or remove the domain name based on a filter match, check the
If domain name contains check box.

Place the domain name substrings to remove in quotes. To filter multiple domains,
separate each quoted string with a space or comma.
".companyabc.com", ".companyxyz.co.uk"
An IP address resolved to mypc.company.co.uk will be changed to just "mypc".
Hostname tagging:

Administrator Guide: Kiwi Syslog Server page 130

DNS setup

When you have selected the place host name next to IP address option, the
hostname is normally tagged with brackets and a space character. The resolved
host name can be tagged with any characters you like. For example, you might like
to prefix the host name with "hostname=[" and then have a "] " suffix. You can
change the prefix and suffix characters to fit the format of your messages.
A suggested tagging format for WELF format messages would be a prefix of
resolved_host= and a suffix of a space character.

DNS This option specifies the time to wait for the DNS server to respond to lookup
query queries. The default is 8 seconds. You may change this value if you are accessing
timeout a slow DNS server, or requests go through a slow network link.
This timeout value should only be increased if you are trying to resolve addresses
via NetBOIS (Machine names of computers running Windows). Sometimes
NetBOIS names can take up to 20 seconds to resolve via a unicast lookup
request.
If your DNS server is local and you are only resolving internal addresses, you can
safely reduce your timeout value down to 3 seconds.
If you increase the timeout value too much, you may find that the messages are
being queued up waiting for the resolution to finish. In this case, when the queue
reaches 1000 entries, messages will be dropped. The message buffer free space
can be seen from the main syslog screen.

4. Click Apply to save your changes.

DNS setup
To view or edit DNS setup information:

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the DNS Resolution node.
3. Click DNS Setup.
4. Under Internal IP address - Name Resolution, specify the following options:

Administrator Guide: Kiwi Syslog Server page 131

DNS setup

Internal IP address A list of masked IP addresses that identify your internal network address
range(s) space.
The default entries in this list are standard internal (private) network
address spaces, as identified in RFC1918/3330/3927. These include
IANA reserved private internet address spaces, and the link-local address
range.
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255
(172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix) 169.254.0.0 -
169.254.255.255 (link-local)
Adding an internal IP address range:

Enter the masked IP address in the text box directly underneath the
"Internal IP address range" list, and click the "Add" button.
IP addresses must be masked with an "x" character, the "x" signifying that
any value within the range (0-255) is acceptable.
For example, if you have an internal address space of '10.0.0.0' -
'10.255.255.255', you should enter the masked IP address as '10.x.x.x'.

Syslog host IP addresses which match any of these address
ranges will be resolved according to the options which are set for
"Internal IP Address - Name Resolution" only. Those host IP
addresses which do not match any of the internal address ranges
will be resolved according to the options which are set for "External
IP Address - Name Resolution". This distinction is important - the
address range list essentially acts like a filter. The filter determining
whether to try and resolve an IP address on an internal network
using local DNS servers or NetBIOS, or whether to try and resolve
the IP address with an external DNS server, etc. Ensuring that your
internal address space is setup correctly can have a direct bearing
on the turn-around times of each name resolution query.

Resolve internal If checked, Kiwi Syslog Server will attempt to resolve the internal IP
addresses using address by sending a NetBIOS broadcast query to the local subnet.
NetBIOS

Administrator Guide: Kiwi Syslog Server page 132

DNS caching

Resolve internal If checked, Kiwi Syslog Server will attempt to resolve the internal IP
addresses using address by sending a DNS query to a DNS server.
DNS server

Preferred/Alternate These entries determine which internal network address the DNS query
internal DNS will be sent to.
server addresses
By default these addresses are auto-detected by Kiwi Syslog Server, and
depending on your network configuration may need to be altered.
If the preferred DNS server is unavailable or cannot service the request,
the same query will be asked of the alternate DNS server.
If no alternate DNS server is available, then this address is to be left
blank.

5. Under External IP address - Name Resolution, specify the following options:

Resolve external If checked, Kiwi Syslog Server will attempt to resolve the external IP
addresses using address using NetBIOS.
NetBIOS

Resolve external If checked, Kiwi Syslog Server will attempt to resolve the external IP
addresses using DNS address by sending a DNS query to a DNS server.
server

Preferred/Alternate These entries determine which external network address the DNS
external DNS server query will be sent to.
addresses
By default these addresses are auto-detected by Kiwi Syslog
Server, and depending on your network configuration may need to
be altered.

If the preferred DNS server is unavailable or cannot service the
request, the same query will be asked of the alternate DNS server.
If no alternate DNS server is available, then this address is to be left
blank.

6. Click Apply to save your changes.

DNS caching
Every time an IP address to hostname resolution is needed, the DNS server is queried. This can be an
extra overhead on the program, the network and the DNS server, especially if you receive lots of
messages.

Administrator Guide: Kiwi Syslog Server page 133

DNS caching

To reduce the DNS traffic and resolution time, a DNS cache is used. Once a hostname has been
resolved the result is stored locally. The next time that address needs to be resolved, the result is
taken from the cache instead of making another DNS request.

The registered version can hold up to 20,000 entries.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the DNS Resolution node.
3. Click DNS Caching.
4. Under Entries in the cache:

View This dumps all the current cache entries into a file and then views the file with
button notepad. Information about the cache performance is also displayed.

Refresh Counts the number of valid entries currently in the cache.
button

Clear This will clear all the dynamic (learned from DNS lookups) entries. It won't clear the
button static entries that have been loaded from file.

Clear This will clear the entire DNS cache of all the entries (static and dynamic). A
All program restart is required to re-read the static entry file again.
button

Administrator Guide: Kiwi Syslog Server page 134

DNS caching

5. UnderCache settings:

Flush This option allows old cached entries to be flushed from the cache after a
entries specified time. By default a time to live of 1440 minutes (1 day) is used. After an
after X entry has been in the cache for a day, it will be flushed from the cache and have to
minutes be re-learned via a lookup.

Enable Instead of looking up each address sequentially, this option will extract the IP
preemptive addresses from the message before it is added to the processing queue. The
lookup of addresses will be asynchronously resolved and the results cached. When the
IP message is processed seconds later, the results will already be available in the
addresses cache. The DNS resolution is done via a multi-threaded lookup system that can
handle up to 100 simultaneous lookups. If you are receiving lots of messages and
want to resolve IP addresses as they arrive, it is highly recommended that this
option be enabled.

Administrator Guide: Kiwi Syslog Server page 135

DNS caching

Pre-load Enabling this option will cause the program to load a list of static host entries at
the cache start-up. The list must contain IP addresses and host names separated by a tab
with static character. The addresses are loaded into the cache and marked as static, this
entries means they will never expire and won't be flushed like the dynamically learned
from a entries.
hosts file
An example host file is included in the install folder. It is named "StaticHosts.txt".
Example of a host file:

# Static DNS host file

# Each entry must have an IP address, a tab, then a host name
# The IP address is in the format aaa.bbb.ccc.ddd
# The host name can be any text value up to 63 characters
#
# Comments can be on a separate line and start with a #
#
# Example:
# 192.168.1.1 myhost.mycompany.com
#
# NOTE: The IP address and host name MUST be separated
# with a tab (ASCII chr 9)
# Spaces will not be recognized as a valid separator
# Default value for localhost
127.0.0.1 localhost
# local machines
192.168.1.2 myfunny.valentine.com
192.168.1.5 flyme2.themoon.com

6. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 136

Syslog message modifiers

Syslog message modifiers
When a message arrives, various modifications can be made to the message to ensure that it fits
within the specified bounds. The length of the message can be reduced, an invalid priority can be
corrected and extra CR and LF characters can be removed.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click Modifiers.
3. Specify the following options:

Replace Some routers or hosts may send messages that contain control characters in the
non- message text. For example, multi-line messages will contain carriage returns and
printable line feeds. If you enable this option, instead of trying to display control characters,
characters the equivalent ASCII value will be displayed.
with
For example, when a carriage return is received, it will be replaced with a <013>
<ASCII
instead.
value>

Remove Some routers or hosts send messages with a CR/LF attached to the end of the
CR/LF message text. This will cause the log files to be double spaced.
from end of
Check this box if you want to remove all trailing CR/LF characters from the
messages
messages.

Administrator Guide: Kiwi Syslog Server page 137

Syslog message modifiers

Remove When a Cisco device sends a Syslog message, it adds its own time stamp to the
imbedded message. You may want to remove these extra time stamps to save space or
date and make the logged files more readable.
time from
This option works by looking for a particular Cisco message format. It will work
Cisco
with the following known Cisco date and time formats:
messages
l Format for timestamp with timezone
47: *Mar 1 00:45:43 UTC: %CLEAR-5-COUNTERS: Clear counter
on all interfaces by console

l Format for uptime
49: 00:54:46: %SYS-5-CONFIG_I: Configured from console by
console

l Format for timestamp localtime with msec
50: *Mar 1 00:56:30.475: %SYS-5-CONFIG_I: Configured from
console by console

l Format for timestamp localtime with msec and timezone
51: *Mar 1 00:58:52.767 UTC: %SYS-5-CONFIG_I: Configured
from console by console

l Format for timestamp
53: *Mar 1 01:11:17: %CLEAR-5-COUNTERS: Clear counter on
all interfaces by console

Allow Each Syslog message has a priority code at the beginning of the message.
messages Normally with Unix systems and router devices, this priority code has a value
with between 0 and 191. Sometimes devices send messages with a priority code
priority > higher than 191. Even though the priority value can be higher than 191, there is
191 (use no standard to define priority levels or facilities above 191.
default
If this option is enabled, messages received with a priority higher than 191 will
priority)
have their priorities set to the default priority setting.

Administrator Guide: Kiwi Syslog Server page 138

Syslog message modifiers

Allow Some routers and hosts may send messages that contain no priority code in the
messages message. In situations where this occurs you can apply a default priority to the
with no message. Check this box and then set the default priority you want to use, from
priority the drop down lists.
(use
A normal Syslog message has a priority code at the start of the message text.
default
priority) Example. <100>This is a test message
The priority value should be between 0 and 191 for standard Unix priority codes

Maximum This option allows you to limit the maximum message size of incoming messages.
message You may want to change this to a lower value than the default 4096 bytes if you
length are only expecting small messages.
(bytes)
This limit allows the program to reject oversize messages sent by hackers or
errors in transmission.
Some Syslog Servers may crash when receiving large packets, this option limits
the size of the packet that the program will accept and process.
The Syslog RFC 3164 states that legal Syslog messages may not exceed 1024
bytes in length. (Not including packet headers)

4. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 139

Configure email options

Configure email options
Before you add an action to send email, specify the email format and configure other email options.
For example, you can send alarm messages, send statistics, and enable logging.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Scroll down and click E-mail.
3. Specify the following options.

Email Choose HTML or Plain Text.
format

Security Select one of the following:
l None: This option can be used for sending email via SMTP server through
insecure channel.
l SSL: This option can be used for sending secured emails via email server
which supports SSL (Secure Socket Layer), for example Gmail and Yahoo
email servers.
l TLS: This option can be used for sending secured emails via email server
which supports TLS (Transport Layer Security), for example Webmail,
POP, IMAP, and SMTP email servers.

Send Select this option to send an email when an alarm threshold has been exceeded.
syslog The email can be sent securely.
alarm
Enter the email address or addresses you want notified when an alarm is
messages
triggered. Email addresses must be separated by commas. For example:
to
[email protected], [email protected], [email protected]

If the message is being sent to a paging service and there is a limited amount of
display space, select Short alarm messages (for pagers). This option sends only
the subject line, not the message body.

Administrator Guide: Kiwi Syslog Server page 140

Configure email options

Send Select this option to email statistics for a selected interval. The message contains
syslog information on log file size, disk space remaining on the archive drive, number of
statistics to total messages and a breakdown of where the messages came from and the
facility and level.
The message is best viewed in a fixed font such as Courier New so all the
columns line up. This can be sent securely.
Enter one or more recipients, separated by commas, and specify the interval:
l Hours: Hour interval can be in multiples of 24. Hour interval can accept
values of 1, 2, 3, 4, 6, 8, and 12.
l Days: Statistics are emailed out on midnight 00:00 based on the number of
days set.
l Weeks: By default, the statistics are emailed out on Sunday, for example,
00:00 based on the number of weeks set.
l Months: By default, the statistics are emailed on the 1st of every month or
for the number of months set.
Click More to set a maximum number of hosts to be displayed in the statistics
email and in diagnostics.

Hostname Enter the IP address or host name of your SMTP server. This can be your local
or IP server, or one provided by your ISP.
address of
The host name of the mail server is usually something like mail.company.com or
SMTP mail
smtp.company.com. Below are examples:
server
l Gmail - smtp.gmail.com
l Yahoo - smtp.mail.yahoo.com
l Hotmail - smtp.live.com

SMTP port If your SMTP server listens on a non-standard port, specify the alternate value
here. Normally SMTP servers listen on port 25. Some companies change this
value for security reasons. The value can be from 1 to 65535.
The default port for SSL is 465 and for TLS is 587.

Administrator Guide: Kiwi Syslog Server page 141

Configure email options

Valid 'from' SolarWinds recommends that you use a valid reply address in this field. In case
e-mail of a mail failure, the SMTP server will send the bounce message to this address.
address on
Some SMTP servers require you to specify a domain name on the end, others do
SMTP
not.
server
The address you use here will be the name that appears in the 'message from'
field on your received email.
Optionally, you can specify a friendlier name in brackets after the address. This
will be shown as the From address in the mail client. For example:
[email protected] (Syslog Server)

In the example above, the name "Syslog Server" will appear in the From field of
the received message. Some SMTP servers might not support this format of from
address.

Timeout The timeout value is how long the program waits for a response from the SMTP
server before giving up. If your SMTP is via a dial-up link or very busy, you may
want to increase this value from the default of 30 seconds. Valid values are from
1 second to 240 seconds.

SMTP Set these options only if your SMTP server requires authentication before
Username accepting email. Most SMTP servers do not need these options set.
and
To enable authentication, select the checkbox to the left and fill in your user
Password
name and password for the SMTP server. These values are supplied by your
network administrator, SMTP server provider, or ISP.
If you need to use the POP before SMTP option for authentication. SolarWinds
recommends that you download a freeware POP mailbox checker and run this
on your system as well. Have it check for new messages every 5 minutes which
will then allow the SMTP mail to go through.

Default E- Use this option to change the default importance, priority, and sensitivity flags of
mail email messages sent by Kiwi Syslog Server.
Delivery
Options

Administrator Guide: Kiwi Syslog Server page 142

Configure email options

Keep a log If you intend to use the e-mail feature to notify you of alarms and statistics, select
file of e- this option to keep a log of what messages have been sent and to whom. The log
mail activity file is named SendMailLog.txt and is located in the Kiwi Syslog Server
installation directory.
l Click View log to open the log.
l Click Delete log to delete the file and start a new log file.

Enable Enable this option if the mail is not being sent correctly. All the information being
verbose sent between the program and the mail server is logged to file. (The message
logging content is not shown.)

This option can use a lot of disk space.

4. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 143

Configure input options

Configure input options
Configure input options to enable Kiwi Syslog Server to listen on the port and for the protocol used by
your network devices. You can also configure keep-alive messages and enable support for IPv6.

l Configure UDP input options
l Configure TCP input options
l Configure secure (TLS) TCP options
l Configure SNMP trap input options
l Enable keep-alive messages
l Enable IPv6 support
l Enable a beep on every message

Configure UDP input options
By default, Kiwi Syslog Server listens for UDP messages on port 514. You can configure UDP input
options to change the port, bind to a specific interface, or specify a data encoding format.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click UDP.

Administrator Guide: Kiwi Syslog Server page 144

Configure UDP input options

4. Specify the following options:

Listen for This option is selected by default to enable Kiwi Syslog Server to receive UDP
UDP messages.
messages

UDP Port The default port for UDP Syslog messages is 514. If you want to listen on a
different port for UDP messages, you can enter any port value from 1 to 65535. If
you change the port from 514, the device sending the syslog message must also
be able to support the alternate port number.

Kiwi Syslog Server can listen for messages on only one UDP port.

Bind to By default, the UDP socket will listen for messages on all connected interfaces. If
address you want to limit the binding to a single specific interface, you can specify the IP
address in the Bind to address field. Otherwise, leave this field blank. (If the Bind to
address field is left blank, it will listen on all interfaces. This is the best option in
most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1
and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface.
This will ignore any syslog messages sent to the other interface.

Administrator Guide: Kiwi Syslog Server page 145

Configure TCP input options

Data If you are receiving messages from systems that use different data encoding
encoding formats, you can specify the decoding method to apply to the incoming data. The
default is to use the System code page.
Select a commonly used encoding format from the drop-down menu. Or, to select a
different encoding, choose "Other-->" and then enter the code page number into
the field on the right.
The various code pages available on most Windows systems can be found on the
Microsoft website. Here are some common code page numbers that can be used.

Code Page
Name Description
Number
System 1 System Code Page

ANSI 0 ANSI

UTF-8 65001 Unicode Transformation

Format

8Shift-JIS 932 Japanese

EUC-JP 51932 Japanese Extended Unix Code

BIG5 950 Traditional Chinese

Chinese 936 Simplified Chinese

If the number you specify is not a valid Code Page on your system, the
incoming data will not be decoded correctly and will be dropped. If in doubt,
use UTF-8 encoding (65001) as it will handle all Unicode characters.

5. Click Apply to save your changes.

Configure TCP input options
By default, Kiwi Syslog Server does not listen for TCP messages, because syslog messages are
traditionally sent using UDP.

If any of your network devices send syslog messages using TCP, complete the following steps to
enable Kiwi Syslog Server to listen for TCP messages.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.

Administrator Guide: Kiwi Syslog Server page 146

Configure TCP input options

3. Click TCP.
4. Specify the following options:

Listen for Select this option to enable Kiwi Syslog Server to receive TCP messages.
TCP
Syslog
messages

TCP Port The default port for TCP syslog messages is 1468. If you want to listen on a
different port for TCP messages, you can enter any port value from 1 to 65535. If
you change the port from 1468, the device sending the syslog message must also
be able to support the alternate port number.

Bind to By default, the TCP socket listens for messages on all connected interfaces. To
address limit the binding to a single specific interface, you can specify the IP address in the
Bind to address field. Otherwise, leave this field blank. (If the Bind to address field
is left blank, it will listen on all interfaces. This is the best option in most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1
and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface.
This will ignore any syslog messages sent to the other interface.

The Cisco PIX uses port 1468. Its default behavior is that if it cannot connect
to the syslog server, it blocks all network traffic through it. For more
information on the Cisco Pix Firewall, please refer to Cisco website.

Administrator Guide: Kiwi Syslog Server page 147

Configure TCP input options

Code Page
Name Description
Number
System 1 System Code Page

ANSI 0 ANSI

UTF-8 65001 Unicode Transformation

Format

8Shift-JIS 932 Japanese

EUC-JP 51932 Japanese Extended Unix Code

BIG5 950 Traditional Chinese

Chinese 936 Simplified Chinese

Message Because Syslog messages that are sent via TCP are not necessarily contained in
delimiters a single TCP packet, Kiwi Syslog Server has a buffering facility which
accumulates sequential TCP packets in an internally. Because of this, Kiwi Syslog
Server needs to know how to identify separate Syslog messages in a single TCP
stream. It does this through the use of message delimiters (or separators). Each
delimiter signifying the character (or sequence of characters) that will be used to
split the stream into individual Syslog messages.
The kind of delimiter to use depends very much on the client or device which is
sending Syslog over TCP.

5. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 148

Configure secure (TLS) TCP options

Configure secure (TLS) TCP options
Some devices support sending secure syslog messages over the TCP channel with transport layer
security (TLS). Kiwi Syslog Server supports Secure (TLS) Syslog (RFC 5425).

By default, Kiwi Syslog Server does not listen for TCP messages, because syslog messages are
traditionally sent using UDP. If any of your network devices send syslog messages over the TCP
channel with transport layer security (TLS), complete the following steps to enable Kiwi Syslog Server
to listen for these messages.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click TCP.

4. Specify the following options:

Listen for Select this option to enable Kiwi Syslog Server to receive secure TCP messages.
secure
(TLS) TCP
Syslog
messages

Certificates TLS relies on certificate-based authentication. A proper certificate has to be
selected from certificate store before any client will be able to successfully
connect to Kiwi Syslog Server using TLS secured TCP channel. "Select
Certificate" button allows the user to browse local certificate stores and pickup a
suitable certificate. The selected certificate is used to prove identity of Kiwi Syslog
Server to the client. The server itself does not check client certificate and accepts
TLS connection from any client.

Certificates that will be used by Kiwi Syslog Server have to be installed into
the Local Machine certificate store. Use the Microsoft Management
Console to install certificates.

What kind of certificate should be used and configuration of public key
infrastructure (PKI) is device-specific. See the manufacturer documentation.

TCP Port The default port for secure TCP syslog messages is 6514. If you want to listen on
a different port for TCP messages, you can enter any port value from 1 to 65535. If
you change the port from 6514, the device sending the syslog message must also
be able to support the alternate port number.

Administrator Guide: Kiwi Syslog Server page 149

Configure secure (TLS) TCP options

Bind to By default, the TCP socket listens for messages on all connected interfaces. To
address limit the binding to a single specific interface, you can specify the IP address in
the Bind to address field. Otherwise, leave this field blank. (If the Bind to address
field is left blank, it will listen on all interfaces. This is the best option in most
cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1
and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface.
This will ignore any syslog messages sent to the other interface.

Data If you are receiving messages from systems that use different data encoding
encoding formats, you can specify the decoding method to apply to the incoming data. The
default is to use the System code page.
Select a commonly used encoding format from the drop-down menu. Or, to select
a different encoding, choose "Other-->" and then enter the code page number into
the field on the right.
The various code pages available on most Windows systems can be found on the
Microsoft website. Here are some common code page numbers that can be used.

Code Page
Name Description
Number
System 1 System Code Page

ANSI 0 ANSI

UTF-8 65001 Unicode Transformation

Format

8Shift-JIS 932 Japanese

EUC-JP 51932 Japanese Extended Unix Code

BIG5 950 Traditional Chinese

Chinese 936 Simplified Chinese

Administrator Guide: Kiwi Syslog Server page 150

Configure SNMP trap input options

Message Because Syslog messages that are sent via TCP are not necessarily contained in
delimiters a single TCP packet, Kiwi Syslog Server has a buffering facility which
accumulates sequential TCP packets in an internally. Because of this, Kiwi
Syslog Server needs to know how to identify separate Syslog messages in a
single TCP stream. It does this through the use of message delimiters (or
separators). Each delimiter signifying the character (or sequence of characters)
that will be used to split the stream into individual Syslog messages.
The kind of delimiter to use depends very much on the client or device which is
sending Syslog over TCP.

The RFC 5425 option is available for secure TCP messages. This delimiter
conforms to the rule defined in RFC 5425. If you decide to look for this
delimiter inside incoming message stream the search for this delimiter is
performed before other delimiters are checked.

5. Click Apply to save your changes.

Configure SNMP trap input options
Use the following options to enable Kiwi Syslog Server to listen for version 1, 2c, and 3 SNMP traps.
The traps are decoded and then handled like syslog messages.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click SNMP.
4. Specify the following options:

Listen for Select this option to enable Kiwi Syslog Server to receive SNMP traps.
SNMP Traps

Administrator Guide: Kiwi Syslog Server page 151

Configure SNMP trap input options

Add/Remove SNMP v3 adds security and remote configuration enhancements. To process
SNMP v3 SNMP v3 traps, click this button and enter credential details:
Credentials
l User name: User name that is specified in the device. It must be a unique
value.
l Authentication Password and Algorithm: Authentication from the valid
source is focused using Authentication password and Algorithm which is
ether MD5 or SHA.
l Private Password and Algorithm: The data encryption for privacy is
performed using the private password and algorithm which is either AES
or DES/3DES.
l Security Level: Security level follows any of the communication
mechanism shown below:

o No security: no authentication and no encryption for users.
o Authentication only: authentication without any encryption of the
data sent.
o Authentication and Privacy: with authentication and encryption of
data.

UDP Port Specify the UDP port that listens for SNMP traps. IPv4 Traps are usually sent to
port 162 and IPv6 traps are sent to port 163. A value between 1 to 65535 can be
entered here. If you choose a value other than 162 or 163, make sure the device
sending the trap is also sending to the specified port.

Port number shouldn't be the same for IPv4 and IPv6 in receiving SNMP
traps.

Bind to By default, the SNMP trap receiver will listen for messages on all connected
address interfaces. If you want to limit the binding to a single specific interface, you can
specify the IP address in the Bind to address field. Otherwise, leave this field
blank. (If the Bind to address field is left blank, it will listen on all interfaces. This
is the best option in most cases.)
For example, if you have two non routed interfaces on the computer,
192.168.1.1 and 192.168.2.1, then you can choose to bind to only the
192.168.1.1 interface. This will ignore any syslog messages sent to the other
interface.

Administrator Guide: Kiwi Syslog Server page 152

Configure SNMP trap input options

Variable SNMP traps can be bound into custom fields. Below are the SNMP fields that
Binding can be assigned to custom variables such as Custom1, Custom2... Custom16.
For example:
In the Send SNMP trap action, click Insert message content or counter to select
custom variables.

Specified This option allows you to choose which SNMP fields are decoded and added to
fields the incoming message. Check the box next to the field that you want enabled.
You can change the order in which the message is decoded by clicking and
dragging on the field name.

Community This is like a password that is included in the trap message. Normally this value
is set to values such as "public", "private" or "monitor".

SNMP Community strings are used only by devices which support
SNMPv1 and SNMPv2 protocol. SNMPv3 uses username/password
authentication, along with an encryption key.

Enterprise This is a dotted numerical value (1.3.6.1.x.x.x.x) that represents the MIB
enterprise of the SNMP trap. This field only applies for version 1 traps. Version
2 and 3 traps have the Enterprise value bound as the second variable in the
message.

Uptime This is a value that represents the system uptime of the device sending the
message. The value is in time ticks. The value resets to 0 when the device
restarts. A low value would indicate that the device has been warm or cold
started recently. This field only applies to version 1 traps. Version 2 traps have
the system uptime value bound as the first variable in the message.

Agent This represents the IP address of the sending device.
address

Trap type This check box represents three trap type fields. Generic Type and Specific
Trap-Type and Specific Trap-Name. These fields only applies for version 1
traps. There are 6 defined Generic Type traps. If the Generic Type is set to 6 it
indicates an Enterprise type trap. In this case the Specific Trap value needs to
be considered.

Version This field indicates the version of the received trap. The program currently
supports version 1 and 2c and 3.

Administrator Guide: Kiwi Syslog Server page 153

Configure SNMP trap input options

Message This field is made up of all the bound variables. Some traps may include more
than a single variable binding. If the variable is an Octet String type, then it will
be visible as plain text. Some variables represent counters or integer values. In
this case, it is advisable to check the value against the MIB syntax for further
explanation.

Syslog Each SNMP message that is received is converted internally into a standard
priority to syslog message. This allows you to filter the message like a standard syslog
use message. Because SNMP traps don't have a message facility and level, a
default value must be applied. You can then use this value in the rule engine.
For example, you might like to set all traps to be tagged as Local0.Debug. You
can then create a priority filter to catch that facility and level and perform a
specified action.

SNMP field This drop down list allows you to specify how the decoded fields are converted
tagging into a message. By default, the "fieldname=value" option is used. This allows
for easy parsing of the logs later. Other options are XML, comma delimited or
delimited by [].
Here is an example of a message tagged with the fieldname=value option:
community=public enterprise=1.3.6.1.2.1.1.1 enterprise_mib_
name=sysDescr uptime=15161 agent_ip=192.168.0.1 generic_num=6
specific_num=0 version=Ver1 generic_name="Enterprise specific"
var_count=01 var01_oid=1.3.6.1.2.1.1.1 var01_value="This is a
test message from Kiwi Syslog Server" var01_mib_name=sysDescr

The values are only contained in quotes ("") if they contain a space.

Use LinkSys The LinkSys Display filter simply removes all PPP messages from being
Display filter displayed. The PPP messages are still logged to file as normal.

This feature is only useful if you are logging from a LinkSys network device.

Administrator Guide: Kiwi Syslog Server page 154

Configure SNMP trap input options

Perform MIB A well-known list of object ID values and their text names have been included in
lookups a database that is included with the program. This will handle the most common
traps from Cisco, 3Com, Allied Telesyn, SonicWall, Nokia, Checkpoint,
BreezeCom, Nortel and SNMP MIB-II.
The MIB database file is located in the InstallPath\MIBs folder in a file named:
KiwiMIBDB.dat
This database is a propriatry database file which has been compiled from over
60,000 MIB definitions. Since most MIB files only contain less than 5% of
usable trap information, this pre-compiled method saves a huge amount of
lookup time, disk space and hash table memory over using a standard MIB
compiler/parser.
If you would like to add additional MIB lookup values, please contact
SolarWinds Support. Send your zipped MIB files, and also include your
Unknown_OID_list.txt file so we can ensure all the OIDs are referenced.
When creating the MIB database, all the traps, notifications and referenced
variables are parsed from the MIB files. Sometimes an object may not be
referenced correctly and therefore won't be added. In this case, all we need to
know is the OID value and we can ensure that it is included.

Log failed If an OID value is unable to be located in the database, if you have the "log
lookups to failed lookups" option checked, the OID value will be logged to a debug file.
debug file The file is located in InstallPath\MIBs and is named: Unknown_OID_list.txt.

Show Sometimes a device will send additional information encoded after the main
additional OID number. This information can include things like the interface index, source
OID suffix and destination addresses and port numbers etc. This information can be
info shown as a suffix to the MIB name.

For example, a Cisco switch might send a "Link up" trap containing the variable:
1.3.6.1.2.1.2.2.1.2.3.
The last "3" of the OID refers to the interface index. The rest of the OID can be
resolved to the MIB name of "ifDescr".
If the "Show additional OID suffix info" option is checked, then the MIB name
displayed will contain the extra ".3" information. For example:
ifDescr.3=SlowEthernet0/3. With the option unchecked, the display will look
like: ifDescr=SlowEthernet0/3.

5. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 155

Enable keep-alive messages

Enable keep-alive messages
Keep alive messages can be injected into the syslog input stream at a regular interval and used to
trigger scripting actions or can serve as a method of stamping the log files at a regular interval.

The injected keep alive messages are treated as any other incoming message would be, and are
processed by the rule engine. Depending on the rule set configured, the message may be written to
disk, displayed or forwarded on to another syslog server.

When the keep alive message is forwarded on to another syslog server, it can act as a "I am still alive
and well" message to tell the other server that everything is OK. On the remote server, a filter can be
setup to detect missing keep alive messages and raise an alarm if necessary.

The injected message properties can be modified by specifying a Facility, Level, Host IP address and
message text values.

For more information about using keep-alive messages, see How to use a keep-alive message in a
script and Forwarding a keep-alive message to another host as a beacon.

Enable and configure keep-alive messages
1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Expand the Inputs node.
3. Click Keep-alive.

Administrator Guide: Kiwi Syslog Server page 156

Enable keep-alive messages

4. Specify the following options:

Enable By default this option is disabled. Check the box to enable the injection of keep-
keep-alive alive messages.
messages

Frequency This sets how often the keep-alive messages are injected into the input stream.
Every 60 seconds is the default value, but any value between 1 and 86400
seconds (1 day) can be entered.

Syslog This sets the facility of the keep-alive message. You can use a priority filter in the
facility rule set to work with this facility only. Normally this option is set to a value of
"Syslog" to indicate that it is the Syslog program generating the message.

Syslog This sets the level of the keep-alive message. You can use a priority filter in the
level rule set to work with this facility/level combination only. Normally this option is set
to a value of "Info" to indicate that it is an informational message.

From IP This sets the "From" IP address of the keep-alive message. This value can be
Address from 1.1.1.1 to 255.255.255.255 for IPv4 and it supports IPv6 address as well. It is
recommended that a value of 127.0.0.1 be used as the default. The address
specified can be filtered against by the rule set later.

Message This is the message text that is used for the keep-alive message. It can be any
text message or text string that you like. By default the message reads "Keep-alive
message".

5. Click Apply to save your changes.

How to use a keep-alive message in a script
Normally, the rules/filters/actions are only run when a message arrives and is processed by the rule
engine. If you need to take action based on a time, then you can use the keep-alive messages as a
regular trigger of the rule engine.

Rules
Rule: MyScript
Filters
Priority: Match Syslog.Info only
Actions
Action: Run script
Action: Stop processing (Exits the rule engine here)
Other Rules here...

Administrator Guide: Kiwi Syslog Server page 157

Enable IPv6 support

The keep-alive message can be identified in a script by checking the varInputSource field value. A
keep-alive message uses a value of "3".

Forwarding a keep-alive message to another host as a beacon
The keep-alive messages can be forwarded to another host to tell it that "All is well".

Rules
Rule: Send keep alive message
Filters
Priority: Match Syslog.Info only
Actions
Action: Forward to host (send to another host via a syslog message)
Action: Stop processing (Exits the rule engine here)

Other Rules here...

Because we are using the "Stop processing" action, the keep alive messages won't be seen by any
other rules below this one. The priority filter will match the "Syslog.Info" priority, then the action will be
taken (forward message) then the rule engine will discard the message and wait for the next one to
arrive.

Enable IPv6 support
If you want Kiwi Syslog Server to send and receive IPv6 messages, you must enable IPv6 support.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click the Inputs node.

3. Select Enable IPv6 support .
4. Click Apply to save your changes.

Enable a beep on every message
If this option is enabled, Kiwi Syslog Server plays a beep when it receives any syslog message or
SNMP trap. The beep will be heard even if a filter blocks the display or logging of the message. This
option can be used for debugging to let you know that a message has been received.

Administrator Guide: Kiwi Syslog Server page 158

Enable a beep on every message

If you are hearing a beep on every message that comes in and this option isn't checked then
there is a problem logging the messages to disk. Check the Error log for details of the problem.
(From the View menu). If a message can't be written to the specified log file, a beep will sound
to notify you of the problem.

1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
2. Click the Inputs node.
3. Select Beep on every message received.
4. Click Apply to save your changes.

Administrator Guide: Kiwi Syslog Server page 159

View syslog statistics

View syslog statistics
1. To view syslog statistics, select View > View Syslog Statistics.
The Syslog Statistics dialog opens.
Syslog Statistics are updated every 10 seconds. Press the Refresh button or F5 to cause the
statistics to be recalculated and displayed immediately.
2. Click any of the following tabs.

1 Hour Displays a bar chart of the last 60 minutes of traffic. Each bar in the chart shows the
history number of messages received during that minute. The chart scrolls from right to left.
The left side of the chart shows traffic an hour ago, the right most bar (0) indicates
the current traffic.

24 Hour Displays a bar chart of the last 24 hours’ of traffic. Each bar in the chart shows the
history number of messages received during that hour. The chart scrolls from right to left.
The left side of the chart shows traffic 24 hours ago, the right most bar (0) indicates
the current traffic.

Severity The Severity table shows the breakdown of messages by priority level. 0-
Emergency has the highest severity all the way down to 7-Debug type messages
which are used for troubleshooting.
The message count and percentage of total traffic is shown in the table.
Click on any header to sort the table by that column. Click again to reverse the sort
order.

Top 20 The hosts table shows the breakdown of messages by sending host. The message
Hosts count per host and percentage of total traffic is shown in the table.
Click on any header to sort the table by that column. Click again to reverse the sort
order.
If a particular host is generating a lot of the traffic or the pattern changes, it could
indicate a problem on that device.

Administrator Guide: Kiwi Syslog Server page 160

View syslog statistics

Counters The counters show the traffic and error statistics for the program. The average
messages counter can help you set maximum thresholds for alarm notification and
to get a feel for the amount of syslog traffic being generated.
Some counters show values for the interval period, and some are from the last 24-
hour period (from the current time of display). Others show values since Midnight
(0:00).
The intervals start at 00 from the time the program starts rather than being related to
the actual MM/DD/YYY HH: MM:SS time. To see how long the program has been
running, check the Program uptime counter, see the duration of the interval period,
and check the start and end date & time.
Messages - Total:
This counter value shows the number of messages received since the program
starts. To reset this value, you must restart the program or service.
Messages - Last 24 hours:
This counter value shows the number of messages received during the last 24-hour
period (from the current time of display). This value is a rolling count of the
messages received in the last 23 hours, plus the messages received in the last
hour. At the turn of each hour, the value will drop as the last 23 hours are shuffled.
The value will then build again as more messages are received during the current
hour. The value is represented by the formula: LastHours(1 to 23) + messages this
hour.
Messages - Last Interval (Hours/Days/Weeks/Months):
This counter value shows the numbers of messages received during the last
interval period. The counter is reset once the statistics report is emailed out.

Messages - Since Midnight:
This counter value shows the number of messages received since midnight (00:00 -
23:59). This counter automatically resets at 00:00 every day.
Messages - Last hour:
This counter value shows the number of messages received in the last full hour.
The hours are counted from the time the program was started. If the program has
been running less than 60 minutes, this value will be 0. Once an hour has
completed, the value will contain the total number of messages received for the last
hour. The value will remain constant until the next hour rolls over.
Messages - This hour:

Administrator Guide: Kiwi Syslog Server page 161

View syslog statistics

This counter value shows the number of messages received since the last hour roll
over. The hours are counted from the time the program was started. This value will
reset to 0 each hour and will be incremented as each new message arrives.
Messages - Average:
This counter value shows the average number of messages received per hour over
the last 24-hour period. At the turn of each hour, the value will be recalculated as
the last 24 hours are shuffled. After the first hour has elapsed, the value is only
updated once per hour.
Messages - Average Last Interval (Hours/Days/Weeks/Months):
This counter value shows the average number of messages received per hour over
the last interval period.

Messages - Forwarded:
This counter value shows the number of messages that have been forwarded to
other syslog collectors or relays using the "Forward message" action. This counter
is reset immediately after the stats report have been emailed out. The stats are
usually sent based on the interval set. The value being displayed is based on the
interval duration.
Messages - logged to disk:
This counter value shows the number of messages that have been logged to disk
using the "Log to file" action. This counter is reset immediately after the stats report
have been emailed out. The stats are usually sent based on the interval set. The
value being displayed is based on the interval duration.
Errors - logged to disk:

This counter value shows the number of internal program errors that have been
logged to disk. Errors are usually caused when the log file cannot be accessed or if
an internal program error has occurred. If the value is not 0, check the error log
(View | Error log menu) for more details on the error.
Disk space remaining:
This counter value shows the amount of disk space remaining in MB. The drive
being watched can be set from the Alarms | Disk space monitor setup option. By
default, drive C: is monitored.
Breakdown of messages by sending host in Stats:

Administrator Guide: Kiwi Syslog Server page 162

View syslog statistics

The host table shows the breakdown of messages by sending the host. The
message count per host and percentage of total traffic is show in the table.
Total number of hosts that can be listed depends on the total number set in More
options > Number of host. Value should be within 1 to 999.
CustomStats:
The custom statistics values can be viewed from the Counters tab. These values
can be modified by using the Run Script action. These statistics counters can be
used to count and display any values you like.
To set the counter name to something more meaningful, use Scripting custom
statistics fields to set the counter name and initial values

Administrator Guide: Kiwi Syslog Server page 163

Protocols

Protocols
For detailed information about syslog protocols, see the following topics:

l The syslog protocol
l The Kiwi Reliable Delivery Protocol (KRDP)

The syslog protocol
The following sections provide information about the syslog protocol:

l Syslog Facilities
l Syslog Levels
l Syslog Priority values
l Transport
l Syslog RFC 3164 header format

Syslog Facilities
Each Syslog message includes a priority value at the beginning of the text. The priority value ranges
from 0 to 191 and is made up of a Facility value and a Level value. The priority is enclosed in "<>"
delimiters.

A BSD Unix Syslog message looks like this: <PRI>HEADER MESSAGE

The priority is a value from 0 to 191 and is not space or leading zero padded.

For more information on the Syslog message format, please read the RFC.

The Facility value is a way of determining which process of the machine created the message. Since
the Syslog protocol was originally written on BSD Unix, the Facilities reflect the names of Unix
processes and Daemons. The priority value is calculated using the following formula:

Priority = Facility * 8 + Level

The list of Facilities available:

l 0 - kernel messages
l 1 - user-level messages
l 2 - mail system
l 3 - system daemons
l 4 - security/authorization messages

Administrator Guide: Kiwi Syslog Server page 164

The syslog protocol

l 5 - messages generated internally by syslogd
l 6 - line printer subsystem
l 7 - network news subsystem
l 8 - UUCP subsystem
l 9 - clock daemon
l 10 - security/authorization messages
l 11 - FTP daemon
l 12 - NTP subsystem
l 13 - log audit
l 14 - log alert
l 15 - clock daemon
l 16 - local use 0 (local0)
l 17 - local use 1 (local1)
l 18 - local use 2 (local2)
l 19 - local use 3 (local3)
l 20 - local use 4 (local4)
l 21 - local use 5; (local5)
l 22 - local use 6 (local6)
l 23 - local use 7 (local7)

If you are receiving messages from a Unix system, it is suggested you use the 'User' Facility as your
first choice. Local0 through to Local7 are not used by Unix and are traditionally used by networking
equipment. Cisco routers for example use Local6 or Local7.

Syslog Levels
Each Syslog message includes a priority value at the beginning of the text. The priority value ranges
from 0 to 191 and is made up of a Facility value and a Level value. The priority is enclosed in "<>"
delimiters.

A BSD Unix Syslog message looks like this: <PRI>HEADER MESSAGE

The priority is a value from 0 to 191 and is not space or leading zero padded.

For more information on the Syslog message format, please read the RFC.

The priority value is calculated using the following formula:

Priority = Facility * 8 + Level

The list of severity Levels:

Administrator Guide: Kiwi Syslog Server page 165

The syslog protocol

l 0 - Emergency: system is unusable
l 1 - Alert: action must be taken immediately
l 2 - Critical: critical conditions
l 3 - Error: error conditions
l 4 - Warning: warning conditions
l 5 - Notice: normal but significant condition
l 6 - Informational: informational messages
l 7 - Debug: debug-level messages

Recommended practice is to use the Notice or Informational level for normal messages.

A detailed explanation of the severity Levels:

DEBUG:

Info useful to developers for debugging the app, not useful during operations

INFORMATIONAL:

Normal operational messages - may be harvested for reporting, measuring throughput, etc - no action
required

NOTICE:

Events that are unusual but not error conditions - might be summarized in an email to developers or
admins to spot potential problems - no immediate action required

WARNING:

Warning messages - not an error, but indication that an error will occur if action is not taken, e.g. file
system 85% full - each item must be resolved within a given time

ERROR:

Non-urgent failures - these should be relayed to developers or admins; each item must be resolved
within a given time

ALERT:

Should be corrected immediately - notify staff who can fix the problem - example is loss of backup ISP
connection

CRITICAL:

Should be corrected immediately, but indicates failure in a primary system - fix CRITICAL problems
before ALERT - example is loss of primary ISP connection

EMERGENCY:

Administrator Guide: Kiwi Syslog Server page 166

The syslog protocol

A "panic" condition - notify all tech staff on call? (earthquake? tornado?) - affects multiple
apps/servers/sites...

Syslog Priority values
Each Syslog message includes a priority value at the beginning of the text. The priority value ranges
from 0 to 191 and is made up of a Facility value and a Level value. The priority is enclosed in "<>"
delimiters.

A BSD Unix Syslog message looks like this: <PRI>HEADER MESSAGE

The priority is a value from 0 to 191 and is not space or leading zero padded.

For more information on the Syslog message format, please read the RFC.

The priority value is calculated using the following formula:

Priority = Facility * 8 + Level

To manually set a particular priority number, enter a number into the Priority value field and check the
'Use this value' box. This value will be sent in the <PRI> field of the Syslog message. This allows you
to use values above 191 (up to 255). Values above 191 are illegal and could cause unknown results.

Transport
Kiwi Syslog Server can listen for UDP messages and TCP messages. Normally Syslog messages are
sent using UDP. Some networking devices such as the Cisco PIX firewall can send messages using
TCP to ensure each packet is received and acknowledged by the Syslog Server.

l When sending messages using UDP, the destination port is usually 514.
l When sending messages using TCP, the destination port is usually 1468.

For ports used by Kiwi Syslog Server, review the KSS system requirements.

Syslog RFC 3164 header format
The HEADER part contains a timestamp and an indication of the hostname or IP address of the
device. The HEADER contains two fields called the TIMESTAMP and the HOSTNAME.

The TIMESTAMP will immediately follow the trailing ">" from the PRI part and single space characters
MUST follow each of the TIMESTAMP and HOSTNAME fields.

HOSTNAME will contain the hostname, as it knows itself. If it does not have a hostname, then it will
contain its own IP address.

The TIMESTAMP field is the local time and is in the format of: "Mmm dd hh:mm:ss" (without the quote
marks).

Administrator Guide: Kiwi Syslog Server page 167

The Kiwi Reliable Delivery Protocol (KRDP)

The MSG part has two fields known as the TAG field and the CONTENT field. The value in the TAG
field will be the name of the program or process that generated the message. The CONTENT contains
the details of the message. This has traditionally been a freeform message that gives some detailed
information of the event. The TAG is a string of ABNF alphanumeric characters that MUST NOT
exceed 32 characters. Any non-alphanumeric character will terminate the TAG field and will be
assumed to be the starting character of the CONTENT field. Most commonly, the first character of the
CONTENT field that signifies the conclusion of the TAG field has been seen to be the left square
bracket character ("["), a colon character (":"), or a space character

Kiwi SyslogGen uses the following format for its messages:

<PRI>Jul 10 12:00:00 192.168.1.1 SyslogGen MESSAGE TEXT

The BSD Syslog protocol is discussed in RFC 3164. Check out their community discussion on Roxen
website.

For a comprehensive description of the syslog protocol, see Sans Institute website.

The Kiwi Reliable Delivery Protocol (KRDP)
The Kiwi Reliable Delivery Protocol was designed to solve the problem of losing data when a TCP
connection is broken due to a network failure.

KRDP uses the TCP protocol as the underlying transport. This ensures that each packet sent is
sequenced and acknowledged when received. The TCP protocol on the receiving system handles the
packet order and ensures that any missing packets are resent.

The problem
TCP works well as a reliable transport when the connection can be opened and closed cleanly.
During a TCP close handshake, any outstanding packets are usually received and acknowledged
before the connection is closed.

However, if a break in the network occurs during message sending, the sender will continue to send
packets until the TCP window size is reached. When no acknowledgment is received after a timeout
period, the Winsock stack will fire a timeout event. When this happens, it is not possible to know
exactly which message (or part message) was last received and acknowledged by the remote end.
Any data that was sitting in the Winsock stack's buffer will be lost. Depending on the TCP window size
and the speed of the data being sent, this could be hundreds of lost messages.

Administrator Guide: Kiwi Syslog Server page 168

The Kiwi Reliable Delivery Protocol (KRDP)

The solution
KRDP works by adding another acknowledgment and sequencing layer over the top of the TCP
transport. KRDP wraps each syslog message with a header which contains a unique sequence
number. The KRDP sender keeps a local copy of each message it has sent. The KRDP receiver
periodically acknowledges receipt of the last KRDP wrapped syslog message it has received. The
KRDP sender can then remove all locally stored messages up to the last acknowledged sequence
number. When the connection is broken and re-established, the receiver informs the sender which
messages need to be resent.

Each KRDP sender is identified with a unique connection name. This allows the sender and receiver
to reestablish the same session and sequence numbers, even if the IP address or sending port of the
sender has been changed due to DHCP etc.

Unique message sequencing
Each KRDP message is identified with a unique sequence number. The sequence starts at 1 and
increments in steps of 1 up to 2147483647 (2 billion), then wraps around to 1 again. The message
number 0 is used to indicate that the system does not know the last sequence number and that it has
had to assume a fresh start. If this occurs, both the sender and receiver will log an error to note the lost
messages.

Dealing with international characters
Unicode allows the mapping of all international character sets into a known byte sequence. The
mapping of non US-ASCII characters requires the use of more than a single byte per character. The
most commonly used way of sending these multi-byte characters over TCP is to use UTF-8 encoding.
The KRDP sender will encode the syslog messages as UTF-8 and the KRDP receiver will decode
them back to Unicode again.

The KRDP message format
l Sender (S)
l Receiver (R)

Message Types (MsgType)
00 = SenderID

01 = ReceiverResponse

02 = Sequenced message

03 = Message acknowledgement

04 = Receiver KeepAlive

Administrator Guide: Kiwi Syslog Server page 169

The Kiwi Reliable Delivery Protocol (KRDP)

99 = Error message

Message format
KRDP AA 0000000000 Message<CR>

KRDP = Unique tag

Space (ASCII 32)

AA = Msg type (as above)

Space (ASCII 32)

0000000000 = Sequence number 0 to 2147483647

Space (ASCII 32)

Message = UTF-8 encoded message text

<CR> = Carriage return character ASCII 13 to indicate end of message stream

Sequence of events
S connects via TCP

S sends first ID packet (MsgType 00)

R responds with ReceiverResponse message (MsgType 01)

S sends sequenced messages (MsgType 02)

Rules
1. If the first message R receives is not a ID message (MsgType 00), R disconnects. (Any data
received is ignored).
2. If R does not receive ID message after 60 seconds, R disconnects.
3. After S sends the ID message, S will wait up to 60 seconds for a ReceiverResponse message. If
there is no response, S will disconnect session.
4. R sends ACK messages to S with the next expected message sequence.
5. ACK messages are sent no more frequently than once every 200ms.

Message formats
MsgType 00 (Version and SenderID)

KRDP 00 PV UniqueKey<CR>

The unique key identifies the channel and is used to synchronise the message numbers

Administrator Guide: Kiwi Syslog Server page 170

The Kiwi Reliable Delivery Protocol (KRDP)

PV = Protocol Version to use. 01 = KRDP Reliable/Acknowledged

Unique key format is free form.

An example would be: "IP=192.168.1.1, Host=myhost.com, ID=Instance1"

Or, just: "Instance1"

Since the receiver might already have an "Instance1" name from another source, the first UniqueKey
would

be better. Use as much information to uniquely describe the source of the messages

MsgType 01 (ReceiverResponse message)

KRDP 01 0000000000 Listener ID<CR>

Message number is 10 digit number 0000000000 to 2147483647

MsgType 02 (Sender Message content)

KRDP 02 0000000000 Message content<CR>

Message number is 10 digit number 0000000000 to 2147483647

MsgType 03 (Receiver ACK)

KRDP 03 0000000000 ACK<CR>

Message number is 10 digit number 0000000000 to 2147483647

Message number indicates the next sequence number it expects to receive

ACK messages are sent at a maximum rate of once every 200ms

MsgType 04 (Keep alive)

KRDP 04 0000000000 KeepAlive<CR>

Message number is 10 digit number 0000000000 to 2147483647

Message number = Next expected message number

If being sent by Sender, MsgSeq should be set to 0

If being sent by Receiver, MsgSeq should be set to next expected message number

MsgType 99 (Error)

KRDP 99 0000000000 0000 Error message here<CR>

Message number is 10 digit number 0000000000 to 2147483647

Administrator Guide: Kiwi Syslog Server page 171

The Kiwi Reliable Delivery Protocol (KRDP)

Message number indicates which message caused the error if any. Set to zero (0) if not related to a
message number

0000 = Error number (0000 to 9999)

Error message can be any text

KRDP error messages
Error 1000 - Unable to decode the following message: <Invalid message appears here> A message
was received that wasn't encoded correctly or corrupted. The message content appears for debugging
purposes.

Error 1001 - Sender is unable to supply message number: <NextMsgSeq>. Starting again from 0.
Sender ID: <UniqueSenderID> Expecting a sequence > 0, but sender unable to supply message,
must start at 0 again. The receiver will now re-sync with the sender.

Error 1002 - Missed message number: <NextMsgSeq>. Received: <ActualMsgSeq> on ID:
<UniqueSenderID> The expected message number was not received from the sender. The receiver
will now re-sync with the sender.

Error 1003 - Received unexpected message data. Message ignored. Sender ID: <UniqueSenderID>
Message data arrived while the receiver was not expecting it. This data is ignored.

Error 1004 - First message did not contain Sender ID. Connection closed. The first message received
after connection was established did not contain the Sender ID. The receiver has closed the
connection.

Error 1005 - Unable to send Expected message number reply. Connection closed. The receiver was
unable to send a reply message over the established connection. The receiver has closed the
connection.

Error 1006 - Unable to send error message. The receiver was unable to send an error message over
the established connection.

Error 1007 - Unable to send KeepAlive message. Connection closed. The receiver was unable to
send a KeepAlive message over the established connection. The receiver has closed the connection.

Error 1008 - Unable to send KeepAlive to connection: <UniqueSenderID> The receiver was unable to
send a KeepAlive message over the established connection.

Error 1009 - Unable to send ACK to connection: <UniqueSenderID> The receiver was unable to send
an ACK message over the established connection.

Error 1099 - <Error message content from sender> The sender can notify the receiver of an error by
using the 1099 error type. The message content is from the sender.

Administrator Guide: Kiwi Syslog Server page 172

The Kiwi Reliable Delivery Protocol (KRDP)

Error 1010 - Unexpected message received. Type: <MsgType>. Message content: <Message
Content> An unexpected message type was received. The message content appears for debugging
purposes.

Administrator Guide: Kiwi Syslog Server page 173

Error and mail logs

Error and mail logs
Kiwi Syslog Server automatically creates an error log that you can use for troubleshooting. You can
also choose to log information about emails that Kiwi Syslog Server sends.

The error log
Kiwi Syslog Server writes to the error log if it has a problem writing messages to a log file or archiving
log files. It also records any other error messages it encounters. If you are troubleshooting a problem,
information in this log might help.

To open this log from the Kiwi Syslog Service Manager, select View > View error log file.

The log file location is <installDir>\ErrorLog.txt.

The send mail log
To log information about each email message that Kiwi Syslog Server sends, go to E-mail settings.
and select Keep a log file of e-mail activity.

If this option is selected, you can open the send mail log by selecting View > View e-mail log file.

When this option is selected, Kiwi Syslog Server emails an alarm notification or the daily statistics, it
records information about the email in the email log file.

The log file location is <installDir>\SendMailLog.txt.

Administrator Guide: Kiwi Syslog Server page 174

Registry settings for Kiwi Syslog Server

Registry settings for Kiwi Syslog Server
The registry values listed below can be used to affect the operation of Kiwi Syslog Server.

Best practices
Before you make changes to the registry:

l Back up the registry.
l Make sure that Kiwi Syslog Server is not running. If you are using the Service edition, stop the
Syslogd service.

Use RegEdit to view and change registry values.

After you update registry values, restart Kiwi Syslog Server to ensure that your changes take effect.

Available settings
The following registry settings are available. Click any setting for details.

Setting Specifies
DisplayColumnsEnabled Which columns are shown on the Kiwi Syslog Service
Manager display.

DisplayRowHeight The row height (in pixels) on the Kiwi Syslog Service
Manager display.

MailStatsDeliveryTime What time the daily statistics email is sent.

ServiceStartTimeout How long (in seconds) the Service Manager waits for a
Service Start or Service Stop request to complete.

ServiceUpdateTimeout How long (in seconds) the Service Manager waits for a
Properties Update request to complete.

NTServiceSocket The port used by the Manager part of Kiwi Syslog Server to
connect to the Service.

NTServiceDependencies Services that need to start before the Syslogd service.

DebugStart Whether debug mode is enabled.

Administrator Guide: Kiwi Syslog Server page 175

Available settings

Setting Specifies
DNSDisableWaitWhenBusy How full the input message buffer can get before disabling
the DNS resolution waiting.

DNSCacheMaxSize The size of the cache buffer.

DNSCacheFailedLookups Failed lookups to cache to Improve DNS name resolution
performance.

DNSSetupQueueBufferBurstCoefficient The number of DNS/NetBIOS requests that will be
dequeued from the internal queue buffer at once.

DNSSetupQueueBufferClearRate The rate at which the DNS/NetBIOS internal queue buffer
is cleared.

DNSSetupQueueLimit The DNS/NetBIOS internal queue buffer size.

DNSSetupDebugModeOn Whether verbose debug mode is enabled.

MsgBufferSize The maximum number of message buffer entries.

MailAdditionalSubjectText A text string added to the beginning of the e-mail subject
for daily statistics and alarm e-mails.

MailAdditionalBodyText An additional line of text included in the daily statistics and
alarm e-mails.

MailMaxMessageSend The maximum number of email messages that are sent per
minute.

File write caching settings Values that enable and configure file write caching.

LogFileDateSeparator The separation character used in dates.

LogFileTimeSeparator The default separation character used in times.

LogFileEncodingFormat The encoding format used to write messages to log files.

ScriptEditor The script editor to be launched when you click the Edit
Script button.

ScriptTimeout The timeout value for scripts.

DBCommandTimeout The timeout value for logging messages to a database.

ArchiveFileReplacementChr The replacement character for invalid characters in dates
that are not valid in file names.

Administrator Guide: Kiwi Syslog Server page 176

Available settings

Setting Specifies
ArchiveFileSeparator The separator character placed between the existing file
name and the current system date and time when files are
archived.

UseOldArchiveNaming The default Scheduled Archive Task archive naming
convention for Single Zip Archives.

ArchiveTempPath The default temp folder used by Kiwi Syslog Server's
archiver.

EnableArchiveTempFile The default Scheduled Archive Task archiving behavior.

ErrorLogFolder The location of the errorlog.txt file where operational

errors are logged.

MailLogFolder The location of the SendMailLog.txt file where mail

activity is logged.

KRDPACKTimer The interval of the TCP_ACK protocol's acknowledgment
timer.

KRDPKeepAliveTimer The interval between the sending of Keep Alive messages
to of the connected sessions.

KRDPCacheFolder The location of the disk cache files.

KRDPRxDebug Whether the debug log file for KRDP receive events is
enabled or disabled.

KRDPTxDebug Whether the debug log file for KRDP send events is
enabled or disabled.

KRDPQueueSize The size of the message queues used to buffer the KRDP
and TCP messages.

KRDPQueueMaxMBSize The maximum size (in MB) of the memory queue.

KRDPAutoConnect Whether the KRDP and TCP senders will try to
automatically connect to the remote host.

KRDPSendSpeed The maximum number of messages that can be sent per
second.

KRDPIdleTimeout The time the sending socket will remain connected after
the last message has been sent.

Administrator Guide: Kiwi Syslog Server page 177

DisplayColumnsEnabled

Setting Specifies
KRDPAddSeqToMsgText Whether the KRDP listener adds the received sequence
number to the end of the message text.

ProcessPriority The priority setting in Windows for the syslogd service.

OriginalAddressStartTag and The start and end tags for the original sender's address.
OriginalAddressEndTag

MaxRuleCount The maximum number of rules.

DBLoggerCacheClearRate The rate (in milliseconds) at which the Database Cache is
checked for SQL data to be executed.

DBLoggerCacheTimeout The maximum age (in days) of an unchanged cache file.

DBLoggerCacheDisable Whether the default database caching behavior is
overridden.

HostNosToDisplay The number of hosts to display in the statistics report.

OriginalAddressPacketSniffing The option for WinpCap or NpCap for packet spoofing.

DisplayColumnsEnabled
Use this Kiwi Syslog Server registry setting to specify which columns are shown on the Kiwi Syslog
Service Manager display.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DisplayColumnsEnabled

Min value 0

Max value 31

Default value 31

Type Decimal number from 0-31

By default, all the columns are shown. To display a different set of columns, enter the sum of the
columns' decimal values.

Administrator Guide: Kiwi Syslog Server page 178

DisplayRowHeight

Bit number Decimal value Column name

0 1 Date

1 2 Time

2 4 Priority

3 8 Hostname

4 16 Message

For example:

l To display all columns, set the value to 31.
l To display the Message (16) and Hostname (8) columns, set the value to 24 (16 = 8 = 24).

l To display the Message (16) and Time (2) columns, set the value to 18 (16 + 2 = 18).
l To display only the Message column, set the value to 16.

DisplayRowHeight
Use this Kiwi Syslog Server registry setting to specify the row height (in pixels) on the Kiwi Syslog
Service Manager display.

If the font is taller than the specified row height, the row is automatically resized to
accommodate the text.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DisplayRowHeight

Min value 5

Max value 50

Default value 15

Type Height of row in pixels

Administrator Guide: Kiwi Syslog Server page 179

MailStatsDeliveryTime

MailStatsDeliveryTime
Use this Kiwi Syslog Server registry setting to specify when the daily statistics email is sent.

By default, the statistics email is sent at midnight (00:00). To change the time, enter the new time using
the 24 hour clock. For example, to specify 6 PM, enter 18:00.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) MailStatsDeliveryTime

Min value 00:00

Max value 23:59

Default value 00:00

Type HH:MM

ServiceStartTimeout
Use this Kiwi Syslog Server registry setting to specify how long (in seconds) the Service Manager
waits for a Service Start or Service Stop request to complete.

If you have more than 10 actions configured or are running on a computer with a CPU speed of less
than 300 MHz, increase this value as needed.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ServiceStartTimeout

Min value 1

Max value 120

Default value 30

Type Seconds

Administrator Guide: Kiwi Syslog Server page 180

ServiceUpdateTimeout

ServiceUpdateTimeout
Use this Kiwi Syslog Server registry setting to specify how long (in seconds) the Service Manager
waits for a Properties Update request to complete.

If you have more than 10 actions configured or are running on a machine with a CPU speed of less
than 300 MHz, increase this value as needed.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ServiceUpdateTimeout

Min value 1

Max value 120

Default value 5

Type Seconds

NTServiceSocket
The Manager part of Kiwi Syslog Server connects to the Service via TCP port 3300. This allows the
two applications to communicate. The Service passes messages to be displayed, alarms and statistic
information to the Manager so it can be viewed as it arrives.

Use this Kiwi Syslog Server registry setting to change the port value if some other process is also
using this port.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) NTServiceSocket

Min value 1

Max value 65535

Default value 3300

Type TCP port number

Administrator Guide: Kiwi Syslog Server page 181

NTServiceDependencies

NTServiceDependencies
Under most operating systems, the service will start without problems. On some Windows Server
systems, the service may have to wait for some other system services starting before it can start.
Otherwise you will see the error message "One or more system services failed to start" on the console
after a reboot.

To ensure that the required services have started before Kiwi Syslog Server is started, you can modify
this Kiwi Syslog Server registry setting.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) NTServiceDependencies

Default value Blank

Type Text string of service names. Delimited by semi-colons. For example:

ServiceName1;ServiceName2;ServiceName3

To add service dependencies:

1. Uninstall the service from the Manage menu.
2. Run RegEdit.
3. Locate the section HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties.
4. Create the new string value of NTServiceDependencies.

5. Modify the value data to include the list of services that need to start first (for example,
LanmanWorkstation;TCPIP;WMI).

6. Install the service from the Manage menu.

The example above will ensure that the Workstation, WMI (Windows Management Interface) and
TCP/IP stack services are running before trying to start the Kiwi Syslog Server Service.

DebugStart
Set this Kiwi Syslog Server registry setting value to "1" to enable debug for both the Service and
Manager.

Administrator Guide: Kiwi Syslog Server page 182

DebugStart

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Options
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Options

Value (STRING) DebugStart

Enable Debug 1

Disable Debug 0

Type String

Command line value
DEBUGSTART

Applies to
Syslogd.exe, Syslogd_Service.exe & Syslogd_Manager.exe

Effect
When the program is run with this registry value set to "1", a debug file is created in the install
directory. The file name will depend on the executable name (see below). The debug file will contain
the results from the program start-up and socket initialization routines.

Files created
SyslogNormal = Syslogd_Startup.txt

SyslogService = Syslogd_Service_Startup.txt

SyslogManager = Syslogd_Manager_Startup.txt

When to use
If the program does not appear to be receiving messages on the port specified on the "Inputs" setup
option, check the start-up debug file to ensure the sockets initialized correctly. If the program appears
to crash on start-up, this option can help locate the problem.

Administrator Guide: Kiwi Syslog Server page 183

DNSDisableWaitWhenBusy

DNSDisableWaitWhenBusy
Normally, if an IP address is not found in the DNS cache, the program will wait for a set period of time
for the IP address to finish resolving. Under heavy load this delay can fill the message input buffer until
it overflows and drops new messages.

Use this Kiwi Syslog Server registry setting to specify how full the input message buffer can get before
disabling the DNS resolution waiting. By default, when the input buffer reaches more than 10% of
capacity, the Syslog Server will stop waiting for the IP addresses to be resolved.

If you have preemptive lookup enabled, the IP addresses will still be resolved in the background and
results placed in the cache. This option just disables the "DNS timeout" waiting period while the buffer
is under load. This frees the program up so that it can process the buffered messages without waiting
for resolutions to occur.

When the input buffer level drops below the set value, the normal resolution waiting timeouts will be
re-enabled.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Min value 0

Max value 100

Default value 10

Type Percentage

DNSCacheMaxSize
Use this Kiwi Syslog Server registry setting to limit the size of the cache buffer to conserve memory.
The registered version will allow 1,000,000 entries. Set this value to the number of IP addresses you
are expecting to have to cache.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DNSCacheMaxSize

Administrator Guide: Kiwi Syslog Server page 184

DNSCacheFailedLookups

Min value 50

Max value 1000000

Default value 20000

Type Maximum number of cache entries

DNSCacheFailedLookups
Use this Kiwi Syslog Server registry setting to Improve DNS name resolution performance by caching
failed lookups. In the event that a DNS server responds with a valid response, but where the response
does not include a resolved name, Kiwi Syslog Server will cache that response to avoid repeated
queries to the DNS server. This situation can occur when querying a DNS server for the name of and
IP address that the DNS server itself does not know. Instead of timing out, the DNS server sends a
valid response of "NAME NOT FOUND". This is the sort of response that is cached, which avoids
repeated queries to the DNS server for a name that will not be found. Failed lookups will be flushed
from the cache at the frequency defined in "Flush entries after X minutes".

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ServiceUpdateTimeout

Min value 0

Max value 1

Default value

Type 1=Cache Failed DNS lookups, 0=Do not Cache Failed DNS lookups

DNSSetupQueueBufferBurstCoefficient
Use this Kiwi Syslog Server registry setting to specify the number of DNS/NetBIOS requests that will
be dequeued from the internal queue buffer at once.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Administrator Guide: Kiwi Syslog Server page 185

DNSSetupQueueBufferClearRate

Value (STRING) DNSSetupQueueBufferBurstCoefficient

Min value 1

Max value 50

Default value 10

Type Numeric

DNSSetupQueueBufferClearRate
Use this Kiwi Syslog Server registry setting to specify the rate at which the DNS/NetBIOS internal
queue buffer is cleared.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DNSSetupQueueBufferClearRate

Min value 1

Max value 100

Default value 10

Type Numeric

DNSSetupQueueLimit
Use this Kiwi Syslog Server registry setting to specify the DNS/NetBIOS internal queue buffer size.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DNSSetupQueueLimit

Min value 100

Max value 30000

Administrator Guide: Kiwi Syslog Server page 186

DNSSetupDebugModeOn

Default value 1000

Type Numeric

DNSSetupDebugModeOn
Set this Kiwi Syslog Server registry setting to 1 to enable verbose debug mode, This mode uploads
verbose DNS/NetBIOS requests and responses to {Program files}/Syslogd/DNSdebug.txt.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DNSSetupDebugModeOn

Min value 0

Max value 1

Default value 0

Type DNS/NetBIOS verbose debug mode (1 is on, 0 is off)

MsgBufferSize
Use this Kiwi Syslog Server registry setting to specify the maximum number of message buffer entries.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) MsgBufferSize

Min value 100

Max value 10000000 (10 million)

Default value 500000

Type Maximum number of message buffer entries

Administrator Guide: Kiwi Syslog Server page 187

MailAdditionalSubjectText

As messages are received via the inputs (UDP, TCP, SNMP, Keep Alive), the messages are placed in
an internal queue. The messages are then taken from the queue and processed in the order they
arrived (FIFO). If a burst of messages arrive while the processing engine is busy, the messages are
queued. This ensures messages are not lost under times of heavy load.

Each message that is queued uses a small amount of memory. In most situations, buffering up to
500,000 messages is sufficient. You may want to increase the buffer size in situations where
messages are arriving in large bursts. The buffering will smooth the message flow and allow the
processing engine to catch up when it can.

Messages are stored in Unicode which uses 2 bytes for each character. Therefore, if each message is
100 characters, it will occupy 200 bytes of memory. Messages can vary in size based on their content.
500,000 messages of 100 characters each will use 100,000,000 bytes (~100 MB) of memory. If each
message was 200 characters long, it would use ~200 MB of memory. Memory is only used when the
messages are being queued. Under normal traffic loads, the processing engine will be able to keep up
with message flow and no messages will need to be queued.

MailAdditionalSubjectText
Use this Kiwi Syslog Server registry setting to add a text string to the beginning of the e-mail subject
for daily statistics and alarm e-mails. If you are receiving daily statistics or alarm e-mails from many
syslog Servers, it can be useful to include a way of identifying which syslog Server the e-mail came
from.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) MailAdditionalSubjectText

Default value Blank

Type Text string

In the registry setting, add a line of text that best describes the name or location of the syslog Server.
The text will be added to the beginning of the e-mail subject.

For example, a normal max message alarm e-mail subject line looks like this:
Syslog Alarm: 16000 messages received this hour.

If you set the MailAdditionalSubjectText setting to [London], the alarm subject e-mail will look like
this:
[London] Syslog Alarm: 16000 messages received this hour.

Administrator Guide: Kiwi Syslog Server page 188

MailAdditionalBodyText

A space is automatically added after the text to separate it from the existing subject text.

You can also add additional body text.

MailAdditionalBodyText
Use this Kiwi Syslog Server registry setting to include an additional line of text in the daily statistics
and alarm e-mails. If you are receiving daily statistics or alarm e-mails from many syslog Servers, it
can be useful to include a way of identifying which syslog Server the e-mail came from.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) MailAdditionalBodyText

Default value Blank

Type Text string

In the registry setting, add a line of text that best describes the name or location of the syslog Server.
The text will be added to the beginning of the e-mail body.

For example, a normal statistics e-mail looks like this:

/// Kiwi Syslog Server Statistics ///

---------------------------------------------------
24 hour period ending on: Fri, 06 Feb 2004 13:04:55 +1300
Syslog Server started on: Fri, 06 Feb 2004 13:03:54
Syslog Server uptime: 24 hours, 0 minutes
---------------------------------------------------

+ Messages received - Total: 20000

+ Messages received - Last 24 hours: 20000

If you set the MailAdditionalBodyText setting to London - Firewall Monitoring Syslog Server,

the daily statistics e-mail will look like this:

London - Firewall Monitoring Syslog Server

Administrator Guide: Kiwi Syslog Server page 189

MailMaxMessageSend

/// Kiwi Syslog Server Statistics ///

+ Messages received - Total: 20000

+ Messages received - Last 24 hours: 20000

An additional CRLF is added before and after the text for better visibility.

You can also add additional subject text.

MailMaxMessageSend
Use this Kiwi Syslog Server registry setting to specify the maximum number of email messages that
are sent per minute. Any messages not sent will be requeued until the next email send a minute later.

Email messages are queued internally for up to a minute and then sent in bulk. This means only a
single connection to the SMTP server is required. Each message is sent separately, and then the
connection to the server is closed.

This option can be useful when a lot of e-mail messages are being sent via an SMS gateway which
has a limit on message sending. It can also reduce the load on a mail server and spread the message
load out over a few sending intervals.

Restart the service for any change in value to become active.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) MailMaxMessageSend

Min value 1

Max value 1000

Default value 50

Type Message count

Administrator Guide: Kiwi Syslog Server page 190

File write caching settings

File write caching settings
Use the following Kiwi Syslog Server registry settings to enable and configure file write caching. File
write caching considerably improves the performance of the "Log to file" action under heavy message
load.

When enabled, the "Log to File" action will cache the output data for X seconds or X messages before
writing to the log file. The data is cached in memory until the log file is updated in bulk. This is more
efficient than writing a single message to a file as it arrives.

There is a separate memory cache for each output file. In most cases there is only a single output file,
but if AutoSplit or filters are used to split the messages into separate files, there could be additional
active output files.

When an output file cache is not being used X seconds, the cache is destroyed to save resources.

When the program shuts down, all the caches are written to the appropriate files so that no data is lost.

FileWriteCacheEnabled
Use this setting to enable or disable file write caching. When enabled, the "Log to File" action will
cache the output data for X seconds or X messages before writing to the log file. The data is cached in
memory and the log file is updated in bulk. This is more efficient than writing a single message to a file
as it arrives.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheEnabled

Min value 0

Max value 1

Default value 1

Type Enabled = 1, Disabled = 0

Administrator Guide: Kiwi Syslog Server page 191

File write caching settings

FileWriteCacheTimeout
Use this setting to specify the timeout in seconds. After the timeout period the contents of the cache
are written to disk. The timer is started when the first message arrives in the cache. If the cache is not
full and has not been flushed before the timeout period has expired, the cache will be flushed
automatically. This value sets the maximum time that the cache will hold a message before writing it to
disk. The less frequently the disk is written to, the more efficient the file logging process becomes.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheTimeout

Min value 1

Max value 120

Default value 5

Type Timeout in seconds

FileWriteCacheEntries
Use this setting to specify the maximum number of messages to be cached for each output file before
being written to file. Messages are added to the cache until the maximum is reached or the timeout
period elapses. The less frequently the disk is written to, the more efficient the file logging process
becomes. The messages are stored in memory in UNICODE which requires two bytes for each
character in the message. For example, a 100 character message requires 200 bytes of memory for
storage.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheEntries

Min value 10

Max value 100000

Default value 1000

Type Maximum number of cache entries (messages)

Administrator Guide: Kiwi Syslog Server page 192

File write caching settings

FileWriteCacheMaxSizeKB
Use this setting to specify the maximum cache size in KBytes. When the cache exceeds this size, it is
written to file. Messages are added to the cache until the maximum memory size is reached or the
timeout period elapses. The less frequently the disk is written to, the more efficient the file logging
process becomes. The messages are stored in memory in UNICODE which requires two bytes for
each character in the message. For example, a 100 character message requires 200 bytes of memory
for storage. If you experience any "Out of Memory" errors, lower this value or disable the file write
caching.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheMaxSizeKB

Min value 1

Max value 2000

Default value 50

Type Maximum size in KBytes for each cache

FileWriteCacheCleanup
Use this setting to specify the time (in minutes) that a cache can inactive before being destroyed.
When a cache becomes inactive and is not receiving any further messages, the cleanup process will
destroy the cache to free up resources. No data is lost because the cleanup process only destroys
inactive caches that have already been written to file.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheCleanup

Min value 10

Max value 1440

Default value 10

Type Time (in minutes) that a cache can inactive before being destroyed

Administrator Guide: Kiwi Syslog Server page 193

File write caching settings

FileWriteCacheFileLock
Use this setting to enable or disable log file locking.

For efficiency and security reasons, the log files can be held open in "append shared" mode. This
improves efficiency by not having to open and close the file with each write. While the file is held
open, not other application can modify or delete the contents. Only new entries can be added to the
file. The files can be opened for viewing, but not for modification.

If you are receiving high syslog message traffic, enable this option to improve performance. The only
drawback is that the file may not immediately show the new log entries. The OS will cache the data
until the internal buffers are full then it will write the buffers to file. Under heavy load, this happens
immediately, but when traffic is low, it can take a while for the buffers to fill and the data to be written.
The log file is automatically updated and closed when the cache has been inactive for
FileWriteCacheCleanup minutes.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheFileLock

Min value 0

Max value 1

Default value 0

Type Enabled = 1, Disabled = 0

FileWriteCacheOpenFiles
When FileWriteCacheFileLock is set to 1 (enabled), each log file is held open in "append shared"
mode. The program can only open a maximum of 255 files at once.

Use this value to set the maximum number of concurrently open files. Once this limit is reached, the
FileWriteCacheFileLock value for the current cache is disabled. Log files will then be opened and
closed with each cache write. If the Log to File action uses the AutoSplit syntax to create separate files
for each logging host, it is possible that more than 255 files could be opened at once (assuming more
than 255 actively sending hosts). A value of 100 files is recommended to keep system resource usage
to a reasonable level.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Administrator Guide: Kiwi Syslog Server page 194

LogFileDateSeparator

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) FileWriteCacheOpenFiles

Min value 1

Max value 250

Default value 100

Type Maximum number of open file handles

LogFileDateSeparator
Use this Kiwi Syslog Server registry setting to change the separation character used in dates.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) LogFileDateSeparator

Default value - (dash)

Type Character, or string of characters

Normally the current date is represented in the YYYY-MM-DD format using a dash (-) as the
separation character. You can change the separation character to any character you like. For
example, some countries use a forward slash (/) as a date separator.

Be aware that changing the date separator may make the log files unreadable by some log file parsers
and reporters. Reporting software may be looking for the dash (-) characters and may get confused
when they are not present.

This setting applies only to the following formats:

l Kiwi format ISO yyyy-mm-dd (Tab delimited)
l Kiwi format ISO UTC yyyy-mm-dd (Tab delimited)

A normal Kiwi ISO log file format message is formatted like this:
2004-05-27 10:58:22 Kernel.Warning 192.168.0.1 kernel: This is a test message

If you change the separator character to forward slash (/), the message would become:
2004/05/27 10:58:22 Kernel.Warning 192.168.0.1 kernel: This is a test message

Administrator Guide: Kiwi Syslog Server page 195

LogFileTimeSeparator

You can also change the time separator character.

LogFileTimeSeparator
Use this Kiwi Syslog Server registry setting to change the default separation character used in times.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) LogFileTimeSeparator

Default value : (colon)

Type Character, or string of characters

Normally the current time is represented in the HH:MM:SS format using a colon (:) as the separation
character. You can change the separation character to any character you like. For example, some
countries use a dot (.) as the time separator.

Be aware that changing the time separator may make the log files unreadable by some log file parsers
and reporters. Reporting software may be looking for the colon (:) characters and may get confused
when they are not present.

This setting applies only to the following formats:

l Kiwi format ISO yyyy-mm-dd (Tab delimited)
l Kiwi format ISO UTC yyyy-mm-dd (Tab delimited)

The following is a default Kiwi ISO log file format message:
2004-05-27 10:58:22 Kernel.Warning 192.168.0.1 kernel: This is a test message

If you change the time separator character to dot (.), the message would become:
2004-05-27 10.58.22 Kernel.Warning 192.168.0.1 kernel: This is a test message

You can also change the date separator character.

LogFileEncodingFormat
Use this Kiwi Syslog Server registry setting to change the encoding format used to write messages to
log files.

Administrator Guide: Kiwi Syslog Server page 196

LogFileEncodingFormat

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) LogFileEncodingFormat

Min value 1

Max value 120

Default value 5

Type Seconds

Normally the messages are written to the log files using the default encoding format (code page) of the
system. If you are receiving messages from systems that use different default code pages, the best
solution is to send/ receive the messages using UTF-8 encoding. Kiwi Syslog Server can be set to
convert the received messages into Unicode internally. When writing Unicode messages to a log file,
it is recommended that you use UTF-8 (code page 65001) encoding. UTF-8 can represent all of the
Unicode character set.

The various code pages available on most Windows systems are available on Microsoft website.

Here are some common code page numbers.

Name Code page number Description

System 1 System Code Page

ANSI 0 ANSI

UTF-8 65001 Unicode Transformation Format 8

Shift-JIS 932 Japanese

EUC-JP 51932 Japanese Extended Unix Code

BIG5 950 Traditional Chinese

Chinese 936 Simplified Chinese

If the number you specify is not a valid Code Page on your system, no data will be written to the
file.

If in doubt, use UTF-8 encoding (65001) as it will handle all Unicode characters.

Administrator Guide: Kiwi Syslog Server page 197

ScriptEditor

ScriptEditor
Use this Kiwi Syslog Server registry setting to choose and alternate script editor to be launched when
you click the Edit Script button. By default, the scripts are edited with Notepad. This setting applies
only to the Run Script action.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ScriptEditor

Default value Notepad.exe

Type Path and file name of script editor application. For example:
C:\Program Files (x86)\Notepad++\notepad++.exe

ScriptTimeout
Use this Kiwi Syslog Server registry setting to specify the timeout value for scripts.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ScriptTimeout

Min value 0 (No timeout - not recommended)

Max value 60000

Default value 10000

Type Timeout in milliseconds (10000 = 10 seconds)

Some scripts may take longer to run than others. If your script causes a timeout error, you may want to
extend the timeout value for running the script. Because the scripts are processed in real time, a script
that takes a long time to run may cause message loss or delay the processing of other messages in
the queue. If you have a complex or long running script, it is recommended that you run it as a post
process. To do this, use the Windows Scripting Host to run your script against the log file that Kiwi
Syslog Server creates. Try to avoid using long running scripts in real time.

Administrator Guide: Kiwi Syslog Server page 198

DBCommandTimeout

By default, the script can run for a maximum of 10 seconds before returning a timeout condition. If your
scripts need more time to process the data in real-time, you can extend the timeout up to a maximum
of 60 seconds. Setting the timeout value to 0 will cause the script to never timeout (this setting is not
recommended as it can cause the program to fail if a script gets into an infinite loop).

DBCommandTimeout
Use this Kiwi Syslog Server registry setting to specify the timeout value for logging messages to a
database.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DBCommandTimeout

Min value 1

Max value 120

Default value 5

Type Seconds

The Log to Database action uses ADO to insert records into the specified database. By default ADO
database commands will timeout after 30 seconds if the database is busy or does not respond.

If you see ADO command timeout errors in the error log, you may want to extend the timeout value.
Because the database records are inserted in real time, a long timeout may cause message loss or
delay the processing of other messages in the queue. Only extend this timeout if you are experiencing
timeout errors.

By default, the database insert command will wait up to 30 seconds before returning a timeout
condition. If your database is slow and needs more time to process the data in real-time, you can
extend the timeout up to a maximum of 120 seconds. Setting the timeout value to 0 will cause the
command to never timeout (this setting is not recommended as it can cause the program to fail if the
database does not respond).

ArchiveFileReplacementChr
Use this Kiwi Syslog Server registry setting to specify the replacement character for invalid characters
in dates that are not valid in file names.

Administrator Guide: Kiwi Syslog Server page 199

ArchiveFileSeparator

The archiving process uses the current system date and time to create dated files or dated folders for
the archived log files. Because the date format is user selectable, it may contain characters that are
not valid in file names. The archiving process will create a valid file or folder name by replacing invalid
values such as "&*+=:;,/\|?<>" with a valid character such as "-".

For example, if the system date and time is 2004/12/25 12:45:00, the archiving process will convert the
name to 2004-12-25 12-45-00. This string will be used as a folder or file name for archiving purposes.
Instead of using the "-" character, an different character can be chosen. Be aware that if any illegal
character is used, it may cause the archiving process to create incorrect files or folders.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ArchiveFileReplacementChr

Default value - (dash)

Type Character, or string of characters

ArchiveFileSeparator
When an archiving schedule is setup for "Use dated file names", a separator is placed between the
existing file name and the current system date and time. Normally this character is a dash ("-"). Use
thisKiwi Syslog Server registry setting to specify an alternative character.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ArchiveFileSeparator

Default value - (dash)

Type Character, or string of characters

Administrator Guide: Kiwi Syslog Server page 200

UseOldArchiveNaming

UseOldArchiveNaming
Use this Kiwi Syslog Server registry setting to override the default Scheduled Archive Task archive
naming convention for Single Zip Archives. Setting this to (1) triggers Kiwi Syslog Server to use the
Archive naming conversion present prior to version 8.3.x. Only archive tasks which zip to a single zip
file are affected by this setting.

Section (32-bit HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
Windows OS)

Section (64-bit HKEY_LOCAL_MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties
Windows OS)

Value (STRING) UseOldArchiveNaming

Min value 0

Max value 1

Default value 0 (disabled)

Type Number

ArchiveTempPath
Use this Kiwi Syslog Server registry setting to override the default temp folder used by Kiwi Syslog
Server's archiver. By default, the Windows temp folder location is used (usually C:\Windows\Temp, or
C:\Documents and Settings\<Username>\Local Settings\Temp).

This setting takes effect only if the EnableArchiveTempFile has been enabled.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ArchiveTempPath

Min value 0

Max value 1

Default value 0 (disabled)

Type Number

Administrator Guide: Kiwi Syslog Server page 201

EnableArchiveTempFile

EnableArchiveTempFile
Use this Kiwi Syslog Server registry setting to override the default Scheduled Archive Task archiving
behavior.

If set (to 1) then Kiwi Syslog Server will use Temporary files when creating Archives. A temporary file
is useful when writing to zip files located on write-once media (CD-WORM) or across a network
because the zip file is created in the temporary file (usually on a local drive) and written to the
destination drive or network location only when the zipping operation is complete.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) EnableArchiveTempFile

Min value 0

Max value 1

Default value 0 (disabled)

Type Number

ErrorLogFolder
Use this Kiwi Syslog Server registry setting to specify the location of the errorlog.txt file where
operational errors are logged. By default, this file is located in the installation directory.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ErrorLogFolder

Default value Application installation path

Type A path (for example, C:\My Logs\)

Administrator Guide: Kiwi Syslog Server page 202

MailLogFolder

MailLogFolder
Use this Kiwi Syslog Server registry setting to specify the location of the SendMailLog.txt file
where mail activity is logged. By default, this file is located in the installation directory.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) MailLogFolder

Default value Application installation path

Type A path (for example, C:\My Logs\)

KRDPACKTimer
Use this Kiwi Syslog Server registry setting to specify the interval of the TCP_ACK protocol's
acknowledgment timer. By default, the protocol will acknowledge (ACK) the received packets after
200 milliseconds.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPACKTimer

Min value 10

Max value 65535

Default value 200

Type Milliseconds

KRDPKeepAliveTimer
Use this Kiwi Syslog Server registry setting to specify the interval between the sending of Keep Alive
messages to of the connected sessions. This counter is a multiple of the KRDPACKTimer. For
example, if KRDPACKTimer is set to 200ms and you want a keep alive time of 5 seconds, you will
need to set the value to 25 (25 x 200ms = 5 seconds).

Administrator Guide: Kiwi Syslog Server page 203

KRDPCacheFolder

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPKeepAliveTimer

Min value 1

Max value 65535

Default value 25

Type ACK Timer intervals

KRDPCacheFolder
Use this Kiwi Syslog Server registry setting to specify the location of the disk cache files that might be
created. Disk cache files are created only if the remote host is unavailable for some time and the
memory cache has become full.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPCacheFolder

Default value <InstallFolder>\Cache\

Type Path to cache folder

KRDPRxDebug
Use this Kiwi Syslog Server registry setting to enable or disable the debug log file for KRDP receive
events. This is all the events relating to the KRDP TCP listener. The log file is created in the
installation folder and named KRDPRxDebug.txt.

The KRDP listener is created by enabling the Inputs > TCP option.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Administrator Guide: Kiwi Syslog Server page 204

KRDPTxDebug

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPRxDebug

Min value 0

Max value 1

Default value 0

Type Enable or disable

KRDPTxDebug
Use this Kiwi Syslog Server registry setting to enable or disable the debug log file for KRDP send
events. This is all the events relating to the KRDP senders. The log file is created in the installation
folder and named KRDPTxDebug.txt.

The KRDP senders are created by using the Forward to another host actions.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPTxDebug

Min value 0

Max value 1

Default value 0

Type Enable or disable

KRDPQueueSize
Use this Kiwi Syslog Server registry setting to specify the size of the message queues used to buffer
the KRDP and TCP messages. If the memory queue becomes full, the queue is written to a cache file.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Administrator Guide: Kiwi Syslog Server page 205

KRDPQueueMaxMBSize

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPQueueSize

Min value 50

Max value 200000

Default value 10000

Type Number of queued messages

KRDPQueueMaxMBSize
Use this Kiwi Syslog Server registry setting to specify the maximum size (in MB) of the memory queue.

As each buffered message is added to the memory queue the total size of the memory queue is
monitored. When the total size of the queue exceeds the KRDPQueueMaxMBSize setting, the queue
is written to a cache file. This ensures that if the messages are larger than normal, the system memory
is not exhausted.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPQueueMaxMBSize

Min value 1

Max value 100

Default value 20

Type Maximum size (in MB) of memory queue and cache file

KRDPAutoConnect
Use this Kiwi Syslog Server registry setting to specify whether the KRDP and TCP senders will try to
automatically connect to the remote host.

When this value is set to "1" the KRDP and TCP senders will try to automatically connect to the
remote host. If this value is set to "0" then a connection will only occur if there are messages queued to
be sent.

Administrator Guide: Kiwi Syslog Server page 206

KRDPConnectTime

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPAutoConnect

Min value 0

Max value 1

Default value 1

Type Enable or disable

KRDPConnectTime
Use this Kiwi Syslog Server registry setting to specify the time between connection retries. When a
connection cannot be made to the remote peer, a connection attempt will be made every
KRDPConnectTime seconds.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPConnectTime

Min value 5

Max value 65535

Default value 5

Type Seconds

KRDPSendSpeed
Use this Kiwi Syslog Server registry setting to specify the maximum number of messages that can be
sent per second. This allows the messages to be sent to the remote peer at a maximum speed and
avoids overloading the receiver or network link.

Administrator Guide: Kiwi Syslog Server page 207

KRDPIdleTimeout

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPSendSpeed

Min value 10

Max value 10000

Default value 2000

Type Messages per second send speed

KRDPIdleTimeout
Use this Kiwi Syslog Server registry setting to specify the time the sending socket will remain
connected after the last message has been sent. Because TCP has an overhead when connecting
and disconnecting, the TCP connection will remain open for a time to allow any further messages to
be sent without triggering a new connection. The idle timer starts as soon as a message has been
sent. If no further messages have been sent in the time specified by KRDPIdleTimeout then the
connection is closed.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPIdleTimeout

Min value 0 (off)

Max value 65535

Default value 60

Type Seconds

KRDPAddSeqToMsgText
Use this Kiwi Syslog Server registry setting to specify whether the KRDP listener adds the received
sequence number to the end of the message text.

Administrator Guide: Kiwi Syslog Server page 208

ProcessPriority

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) KRDPAddSeqToMsgText

Min value 0

Max value 1

Default value 0

Type Enable or disable

When this value is set to "1" the KRDP listener will add the received sequence number to the end of
the message text. Each sequence number is unique per connection ID and will range from 0 to
2147483647.

The tag added will look like KRDP_Seq=1234.

For example:
The quick brown fox jumped over the lazy dogs back KRDP_Seq=5742

The quick brown fox jumped over the lazy dogs back KRDP_Seq=5743

The quick brown fox jumped over the lazy dogs back KRDP_Seq=5744

The quick brown fox jumped over the lazy dogs back KRDP_Seq=5745

ProcessPriority
Use this Kiwi Syslog Server registry setting to enable syslogd to modify its priority setting in Windows.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) ProcessPriority

Min value 0

Max value 5

Default value 0

Administrator Guide: Kiwi Syslog Server page 209

OriginalAddressStartTag and OriginalAddressEndTag

Type Syslog Process Priority

Acceptable values are listed below.

Priority
Value Description
level
0 Low Specify this class for a process whose threads run only when the system is
idle. The threads of the process are preempted by the threads of any process
running in a higher priority class. An example is a screen saver. The idle-
priority class is inherited by child processes.

1 Below Indicates a process that has priority above Idle but below Normal.
Normal

2 Normal (Default value.) Specify this class for a process with no special scheduling
needs.

3 Above Indicates a process that has priority above Normal but below High.
Normal

4 High Specify this class for a process that performs time-critical tasks that must be
executed immediately. The threads of the process preempt the threads of
normal or idle priority class processes. An example is the Task List, which
must respond quickly when called by the user, regardless of the load on the
operating system. Use extreme care when using the high-priority class,
because a high-priority class application can use nearly all available CPU
time.

5 Realtime Specify this class for a process that has the highest possible priority. The
threads of the process preempt the threads of all other processes, including
operating system processes performing important tasks. For example, a real-
time process that executes for more than a very brief interval can cause disk
caches not to flush or cause the mouse to be unresponsive.

Realtime priority can cause system lockups.

OriginalAddressStartTag and OriginalAddressEndTag
Use the Kiwi Syslog Server registry setting OriginalAddressStartTag to override the default start tag for
the sender's original address.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Administrator Guide: Kiwi Syslog Server page 210

OriginalAddressStartTag and OriginalAddressEndTag

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) OriginalAddressStartTag

Default value Orignial Address=

Type Original Address Start Tag

Use the OriginalAddressEndTag setting to override the default end tag for the sender's original
address.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) OriginalAddressEndTag

Default value (Space)

Type Original Address End Tag

Normally, the syslog protocol is unable to maintain the original sender's address when
forwarding/relaying syslog messages. This is because the sender's address is taken from the received
UDP or TCP packet.

Kiwi Syslog solves this problem by placing a tag in the message text that contains the original
sender's address. By default, the tag looks like Original Address=192.168.1.1. That is, the "Original
Address=" tag, followed by the IP address, followed by a " " (space) delimiter or tag.

These tags are only inserted if the "Retain the original source address of the message" option is
checked in the "Forward to another host" action.

The two registry keys above allow you to override the default start and end tags with custom start and
end tag values.

For example, when nnn.nnn.nnn.nnn is the originating IP address, the default originating address
tags yield the following:
Original Address=nnn.nnn.nnn.nnn

If you change the start tag to <ORIGIN> and the end tag to </ORIGIN>, the result is:
<ORIGIN>nnn.nnn.nnn.nnn</ORIGIN>

Administrator Guide: Kiwi Syslog Server page 211

MaxRuleCount

MaxRuleCount
Use this Kiwi Syslog Server registry setting to specify the maximum number of rules allowed in Kiwi
Syslog Server.

Exceeding the maximum rule count of 100 is not recommended. Setting this value too high can
adversely affect performance and increase memory consumption dramatically. SolarWinds
recommends investigating alternative methods if you are approaching the rule count limit of
100. Using the autosplit feature of file logging is one potential solution.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Options
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Options

Value (STRING) MaxRuleCount

Min value 10

Max value 999

Default value 100

Type Maximum number of rules

DBLoggerCacheClearRate
Use this Kiwi Syslog Server registry setting to specify the rate (in milliseconds) at which the Database
Cache is checked for SQL data to be executed.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DBLoggerCacheClearRate

Min value 10

Max value 1000

Default value 1000 (ms)

Type Milliseconds

Administrator Guide: Kiwi Syslog Server page 212

DBLoggerCacheTimeout

DBLoggerCacheTimeout
Use this Kiwi Syslog Server registry setting to specify the maximum age (in days) of an unchanged
cache file. Any database cache file that is older than this will be deleted by the system.

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) DBLoggerCacheTimeout

Min value 1

Max value 30

Default value 3

Type Number (days)

DBLoggerCacheDisable
Use this Kiwi Syslog Server registry setting to override the default database caching behavior.

Section (32-bit Windows OS):

HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties

Section (64-bit Windows OS):

HKEY_LOCAL_MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING): DBLoggerCacheDisable

Min value: 0

Max value: 1

Default value: 0 (Enabled)

Type: Enabled or disabled

HostNosToDisplay
Use this Kiwi Syslog Server registry setting to specify the number of hosts to display in the statistics
report.

Administrator Guide: Kiwi Syslog Server page 213

OriginalAddressPacketSniffing

Section (32-bit Windows HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Syslogd\Options
OS)

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Options

Value (STRING) HostNosToDisplay

Min value 25

Max value 999

Default value No default value. If required, you must manually add this setting.

Type Number

OriginalAddressPacketSniffing
As of Kiwi Syslog Server 9.7, spoofing (retaining the original source address) requires NpCap instead
of WinpCap. Users have the option to keep using the WinpCap application by setting this Kiwi Syslog
Server registry setting value to "0".

Section (32-bit Windows HKEY_LOCAL_
OS) MACHINE\SOFTWARE\SolarWinds\Syslogd\Properties

Section (64-bit Windows HKEY_LOCAL_
OS) MACHINE\Software\WOW6432Node\SolarWinds\Syslogd\Properties

Value (STRING) OriginalAddressPacketSniffing

Enable NpCap usage 1
(default)

Enable WinpCap usage 0

Type String

Command line value
OriginalAddressPacketSniffing

Effect
When the registry value is set to "1" (default), the option to spoof (retain the original source address)
will be performed using NpCap. This will require NpCap to be pre-installed.

Administrator Guide: Kiwi Syslog Server page 214

OriginalAddressPacketSniffing

When the registry value is set to "0", the option to spoof (retain the original source address) will be
performed using WinpCap. This will require WinpCap to be pre-installed.

Restart the service in order to apply changes.

When to use
WinpCap may be used with older operation systems that do not function properly using NpCap.
NpCap is the preferred and secure solution that SolarWinds recommends.

Administrator Guide: Kiwi Syslog Server page 215

Command line arguments

Command line arguments
The following command line parameters can be used when starting the syslog executable,
Syslogd.exe, Syslogd_Manager.exe, or Syslogd_Service.exe. Parameters are not case
sensitive. If you specify more than one parameter at a time, separate the values with a space.

Start-up Debug
This command creates a debug file that contains the results from the program start-up and socket
initialization routines. The debug file is created in the installation directory, and the file name is based
on the program file it was used with (as described below).

This debug file can help you troubleshoot the following issues:

l if the program does not appear to be receiving messages on the port specified by the Inputs
setup option, check the start-up debug file to ensure that the sockets initialized correctly.
l If the program appears to crash on start-up, this option can help locate the problem.

If you are running Kiwi Syslog Server as a service, the service can't be provided with a
command line argument. Use the DebugStart registry entry to create this file.

Command line value DEBUGSTART

Applies to Syslogd.exe, Syslogd_Service.exe, and Syslogd_Manager.exe

Files created When run with: The file name is:

Syslogd.exe Syslogd_Startup.txt

Syslogd_Service.exe Syslogd_Service_Startup.txt

Syslogd_Manager.exe Syslogd_Manager_Startup.txt

Service - Install Service
This command attempts to install the Syslog Server as a service. A status message indicates whether
the installation was successful.

Use this command if:

l Installing the service from the Manage menu of the Syslog Server Service Manager failed.
l You need to run the command from a batch file to automate the installation.

Administrator Guide: Kiwi Syslog Server page 216

Service - Uninstall Service

Command line -INSTALL
value

Applies to Syslogd_Service.exe

Silent option Follow this command line value with -silent to prevent the status message from
being displayed:

-install -silent

Service - Uninstall Service
This command attempts to uninstall the Syslog Server as a service. A status message indicates
whether the installation was successful.

Use this command if:

l Uninstalling the service from the Manage menu of the Syslog Server Service Manager failed.
l You need to run the command from a batch file to automate the process.

Be sure to stop the service before you uninstall it. To stop it from a command line, use the net stop
command. For example:
net stop "Kiwi Syslog Server"

Command line -UNINSTALL
value

Applies to Syslogd_Service.exe

Silent option Follow this command line value with -silent to prevent the status message from
being displayed:

-uninstall -silent

Administrator Guide: Kiwi Syslog Server page 217

Event Log Forwarder Administrator Guide

Event Log Forwarder Administrator Guide
The purpose of this guide is to assist you in installing, configuring, and using the Kiwi Syslog Server
Event Log Forwarder (ELF). Use the information in this guide to prepare your environment and begin
using Event Log Forwarder.

Download the PDF: Administrator Guide PDF

Event Log Forwarder Features

Administrator Guide: Kiwi Syslog Server page 218

About the Event Log Forwarder

About the Event Log Forwarder
SolarWinds Event Log Forwarder for Windows (Log Forwarder) is a tool that runs on a Windows®
operating system and automatically forwards event log records to a syslog server via User Datagram
Protocols (UDP) or Transmission Control Protocols (TCP). It sends events - based on the event
source, event ID, users, computers, and keywords in the event - to your syslog server and allows you
to take further action against the event. Log Forwarder can be used to send syslog messages to a
configured NPM server or Kiwi Syslog Server.

For more information, see the SolarWinds Academy.

Event Log Forwarder for Windows supports forwarding of both Windows Eventing 5 and 6 event
records:

l Windows eventing 5 Event Log records: Windows operating system versions prior to Windows
Vista and Windows Server 2008.
l Windows eventing 6 ("Crimson") Windows Event Log records: Windows operating system
versions based on the Windows NT 6.0 kernel (Windows Vista and Windows Server 2008,
2012).

Key Features
Log Forwarder provides the following features for monitoring and send Windows events:

l Quickly specify and automatically send events from workstations and servers to your syslog
server.
l Export event data from Windows servers and workstations.
l Filter events to forward by source, type ID, and specific keywords.
l Forward events to external systems to alert, store, and audit activity.
l Send events to multiple servers over UDP or TCP.

Supported Operating Systems
You can run Log Forwarder on the following Windows operating system versions:

Both x86 and x64 editions of Windows are supported.

l Windows 10
l Windows 8 | Windows 8.1
l Windows 7 | Windows 7 SP1
l Windows Server 2016

Administrator Guide: Kiwi Syslog Server page 219

About the Event Log Forwarder

l Windows Server 2012 | 2012 R2
l Windows Server 2008 | 2008 SP2 | 2008 R2 | 2008 R2 SP1
l Windows Server 2003 R2 SP2

For more information on supported software, see Windows Server Support.

Administrator Guide: Kiwi Syslog Server page 220

About the Event Log Forwarder

Event Log Forwarder Service vs User Interface
After you have downloaded and extract the Log Forwarder files, you can use one of two options to set
up your program: the application or the Windows installer. Event Log Forwarder for Windows is
comprised of two standard application executables (.exe):

l The Service (LogForwarder.exe)
l The User Interface (LogForwarderClient.exe)

Log Forwarder User Interface

The Event Log Forwarder for Windows user interface allows you to configure the Service. It can -
depending on which options were selected during installation - be opened using the SolarWinds
Event Log Forwarder for Windows desktop shortcut item, the Quicklaunch item, or from the
SolarWinds Event Log Forwarder for Windows Program group accessible from the Windows Start
button.

Log Forwarder Service

Event Log Forwarder for Windows Service is named SolarWinds Event Log Forwarder for Windows
and is installed and started during the installation process. The Service allows you to check or
manage the Event Log Forwarder for Windows Service (start, stop, restart etc.) from the Windows
Services manager. You can also run the Windows command prompt: Net Start "ServiceName".

Administrator Guide: Kiwi Syslog Server page 221

About the Event Log Forwarder

System requirements for Event Log Forwarder
Before you install Event Log Forwarder, verify that your server meets the following minimum hardware
and software requirements.

Hardware and software requirements

For more information on supported software, see Windows Server
Support.

Both x86 and x64 editions of Windows are supported.

Hard drive space 20 MB

CPU 1.2 GHz

RAM 256 MB

Administrator Guide: Kiwi Syslog Server page 222

About the Event Log Forwarder

Install Event Log Forwarder
Use the following information to prepare the environment and install Log Forwarder.

Prepare the server to install Event Log Forwarder

Review Verify that your environment meets the hardware and software requirements.
system
requirements

Run all Check for and run all Microsoft Windows Updates on the server. If a Windows
Windows update runs, your system might reboot.
updates

Check for Determine if any antivirus software is installed on the server where you plan to
antivirus install Event Log Forwarder. Exclude the SolarWinds directory. For example, on
software Windows Server 2016, exclude the directory:
C:\ProgramData\SolarWinds\

For a full list of antivirus exclusions, see Files and directories to exclude from
antivirus scanning.

Do not exclude executable files. SolarWinds assumes that C:\ is the
default volume.

Administrator Guide: Kiwi Syslog Server page 223

About the Event Log Forwarder

Installation steps for Event Log Forwarder

Download the Complete the following steps for new and existing users.
installation file
If you have purchased another Kiwi product, such as Kiwi Syslog Server or
Kiwi CatTools:

1. Log in to the SolarWinds Customer Portal.
If you do not have a SolarWinds account, see Access the Customer
Portal to create an account.
2. Navigate to Downloads > Download Product.
3. Select "Kiwi (CatTools, Syslog Viewer, Log Viewer)" from the
Products drop-down field.
4. Under Additional Downloads, click Download for Log Forward for
Windows.

If you do not have a previously purchased Kiwi product:

1. Go to the Free Downloads page on SolarWinds.com.
2. Scroll to Free IT Security Tools, and click Download Free Tool under
Event Log Forwarder for Windows.
3. Enter your contact information. All fields are required to download
Event Log Forwarder.
4. Click Proceed to Free Download.

Run the installation 1. Log in to your server as an administrator.

file
2. Extract the contents of the downloaded installation ZIP file to the
server.
3. Run the application version of SolarWinds_Event_LogForwarder_
Setup.exe.
If .NET framework 4.0 is not installed, you are prompted to install it.
Click Download and install this feature. Then restart SolarWinds_
Event_LogForwarder_Setup.exe.

Complete the Event 1. If you agree with the license agreement, click Next.

Log Forwarder
2. Select the shortcuts to create, and click Next.
setup wizard
3. Specify the installation location, and click Next.
The installer displays status messages as is installs Event Log
Forwarder.

Administrator Guide: Kiwi Syslog Server page 224

About the Event Log Forwarder

Close the wizard Click Finish to close the Event Log Forwarder setup wizard and open
Event Log Forwarder.

Administrator Guide: Kiwi Syslog Server page 225

About the Event Log Forwarder

Configure Log Forwarder settings
The Event Log Forwarder for Windows Subscriptions and Syslog Server settings are stored in the
LogForwarderSettings.cfg configuration file, located in the product installation directory:
\Program Files (x86)\SolarWinds\SolarWinds Event Log Forwarder for Windows. The
configuration file uses XML markup language.

You can make changes to Subscription or Syslog Server settings from this configuration file, or from
the Log Forwarder user interface. When a change is saved within the user interface, the configuration
file is updated and the Service re-initializes to pick up the changes immediately.

EventLogSubscriptions
Edit the details of an event log subscription used by Log Forwarder. Each subscription is contained
under an individual <EventLogSubscription> element. You can configure the event type, event
sources, event IDs, tasks, and so on, for specific subscriptions.

Element Description

<channels> l Channels monitored by the subscription, for example, System or Windows
PowerShell.
l Each channel type must be entered on an individual <string> child-
element.
l Example:
<channels>
<string>Application</string>
<string>Microsoft-Windows-Application Server-
Applications/Admin</string>

</channels>

Administrator Guide: Kiwi Syslog Server page 226

About the Event Log Forwarder

<types> l The event type logged by the subscription.
l The event type is indicated by an integer. Each type must be entered on an
individual <int> child-element.
o 1 = Error
o 2 = Warning
o 3 = Information
l Example:
<types>
<int>1</int>
<int>2</int>
</types>

<sources> l Source device of the event.
l The source must be entered on an individual <string> child-element.
l To indicate that all device sources should be used, leave the <source>
element empty.

<eventIDs> l Events to include, or exclude. For excluded events, type a minus sign before
the ID: 1, -3, 5
l Each eventID must be entered on an individual <string> child-element.

<categories> l Task category of the event.
l Each task category must be entered on an individual <string> child-
element.
l To indicate that all task categories should be used, leave the <source>
element empty.

<keywords> l Keywords used by the event subscription filter. Event Log Forwarder has
specific pre-configured keywords that must be used.
l Each keyword must be entered on an individual <string> child-element.
l To indicate that all keywords should be used, leave the <source> element
empty.

<users> l User types used by the event subscription filter. For example: Admin,
System, Local
l Each user must be entered on an individual <string> child-element.

<computers> l Name of the device the event subscription filters by. For
example: AdminMachine, Workstation05
l Each computer must be entered on an individual <string> child-element.

Administrator Guide: Kiwi Syslog Server page 227

About the Event Log Forwarder

<facility> l Default syslog facility priority for the event subscription.
l The facility is determined by an integer. Use the appropriate facility ID:
o 1 = Kernel (messages)
o 2 = User-level messages
o 3 = Mail (System)
o 4 = Security/authorization messages
o 5 = Messages generated internally by syslogd
o 6 = Line printer subsystem
o 7 = Network news subsystem
o 8 = UUCP (subsystem)
o 9 = Clock (daemon)
o 10 = Security/authorization messages
o 11 = FTP (daemon)
o 12 = NTP (subsystem)
o 13 = Log (audit)
o 14 = Log (alert)
o 15 = Clock (daemon)
o 16 = Local use 0 (local0)
o 17 = Local use 1 (local1)
o 18 = Local use 2 (local2)
o 19 = Local use 3 (local3)
o 20 = Local use 4 (local4)
o 21 = Local use 5 (local5)
o 22 = Local use 6 (local6)
o 23 = Local use 7 (local7)
l Example:
<facility>0</facility>

<enabled> l True/false boolean that determines if the configured event subscription is
active.
l This triggers the Enable/Disable button on the Subscriptions tab.
l Example:
<enabled>true</enabled>

<name> l Name of the configured event subscription.
l Example:
<name>New Event Log Subscription</name>

Administrator Guide: Kiwi Syslog Server page 228

About the Event Log Forwarder

<HidePreview> l Activates the "preview of matching events" window in the event subscription
configuration window.
l When shown, the preview window displays the records that matches the
event subscription criteria.
l Example:
<HidePreview>0</HidePreview>

SyslogServers
Edit the details of a syslog server used by Log Forwarder. Each syslog server is contained under an
individual <SyslogServer> element. You can configure the server name, IP address, port, and so on,
for specific syslog servers.

Element Description

<enabled> l True/false boolean that determines if the configured syslog server is active.
l This triggers the Enable/Disable button on the Syslog Server tab in Log
Forwarder.
l Example:
<enabled>true</enabled>

<SendMode> l Protocol used for sending messages from the syslog server
l The protocol is indicated by an integer.
o 0 = UDP
o 1 = TCP
l Example:
<SendMode>0</SendMode>

<SourceFormat> l Server address system type of the syslog server.
l The source format is indicated by an integer.
o 0 = IPv4
o 1 = IPv6
o 2 = FQDN
o 3 = Host name
l Example:
<SourceFormat>0</SourceFormat>

Administrator Guide: Kiwi Syslog Server page 229

About the Event Log Forwarder

Deploy the program installer
The Event Log Forwarder for Windows installer is provided as a standard application executable file
(.exe) and as a Windows Installer Package file (.msi). The Windows Installer Package file is
provided for "silent" deployments using the /quiet switch.

To run the .msi file on the target machine, use the following command syntax: SolarWinds_Event_
LogForwarder_<Version>_Setup.msi /quiet

The .msi installer package for Event Log Forwarder for Windows does not include the
prerequisites installer, which automatically downloads and installs any required prerequisite
software, such as .NET Framework 4.0 from Microsoft. In order to successfully deploy Event Log
Forwarder, first ensure that the required software is already installed on your server.

Event Log Forwarder configuration file
Configuration information for Event Log Forward for Windows is contained in a file named
LogForwarderSettings.cfg.

The configuration file contains a nest hierarchy of XML tags and subtags that specify the configuration
settings. It is located in the installation directory of Event Log Forwarder, usually C:\Program Files
(x86)\SolarWinds\SolarWinds Event Log Forwarder for Windows. To deploy the
configuration file to a target machine, copy the LogForwarderSettings.cfg file to the Event Log
Forwarder for Windows installation directory after the .msi file has been successfully installed.

All configuration information resides between the <LogForwarderSettings> and
</LogForwarderSettings> root XML tags. Configuration information between the tags is grouped
into two main sections:
l <EventLogSubscriptions>
l <SyslogServers>

Both of the above groups are required.

<?xml version="1.0" encoding="utf-8"?>

Administrator Guide: Kiwi Syslog Server page 230

About the Event Log Forwarder

</SyslogServers>
</LogForwarderSettings>

Example: Declare Event Log Subscriptions

For Event Log Subscriptions, each subscription is declared with an <EventLogSubscription> tag.
The following LogForwarder.cfg code snippet declares to Event Log Subscriptions:

<?xml version="1.0" encoding="utf-8"?>

<LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:
xsd="http://www.w3.org/2001/XMLSchema">
<EventLogSubscriptions>
<EventLogSubscription>
<channels>
<string>Security</string>
</channels>
<types>
<int>1</int>
<int>2</int>
<int>4</int>
<int>8</int>
<int>16</int>
</types>
<sources />
<eventIDs />
<categories />
<keywords />
<users />
<computers />
<facility>4</facility>
<enabled>true</enabled>
<name>New Security Event Log Subscription</name>
<description>Security Event Log - All Event Types
(Error, Warning, Information, Audit Success, Audit Failure)</description>
</EventLogSubscription>
<EventLogSubscription>
<channels>
<string>System</string>
</channels>
<types>

Administrator Guide: Kiwi Syslog Server page 231

About the Event Log Forwarder

<int>1</int>
<int>2</int>
<int>4</int>
</types>
<sources />
<eventIDs />
<categories />
<keywords />
<users />
<computers />
<facility>10</facility>
<enabled>true</enabled>
<name>New System Event Log Subscription</name>
<description>Security Event Log - Error, Warning and
Information Event Types</description>
</EventLogSubscription>
</EventLogSubscriptions>
<SyslogServers>
...
</SyslogServers>
</LogForwarderSettings>

Example: Declare syslog servers

For syslog servers, each syslog server is declared with an <Syslog Server> tag. The following
LogForwarderSettings.cfg file declares two syslog servers in Log Forwarder.

<?xml version="1.0" encoding="utf-8"?>

<LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:
xsd="http://www.w3.org/2001/XMLSchema">
<EventLogSubscriptions>
...
</EventLogSubscriptions>
<SyslogServers>
<SyslogServer>
<serverName>Syslog Server A</serverName>
<IPAddress>10.190.2.243</IPAddress>
<Port>514</Port>
<enabled>true</enabled>
<SendMode>0</SendMode>

Administrator Guide: Kiwi Syslog Server page 232

About the Event Log Forwarder

<SourceFormat>0</SourceFormat>
</SyslogServer>
<SyslogServer>
<serverName>Syslog Server B</serverName>
<IPAddress>192.168.1.10</IPAddress>
<Port>514</Port>
<enabled>true</enabled>
<SendMode>0</SendMode>
<SourceFormat>0</SourceFormat>
</SyslogServer>
</SyslogServers>
</LogForwarderSettings>

Event log subscriptions
Each configured event log subscription must include the following tag declarations:

Tag Description

<channels> A list of valid event log channels (e.g. Application, System, Security) that are
subscribed to. Each is a subtag of type <string>.
<types> A list of valid event log types. Each is a subtag of type <int>. Valid values are:

l 1 - Error
l 2 - Warning
l 4 - Information
l 8 - Audit Success
l 16 - Audit Failure

<sources> A list of valid event log sources. Each is a subtag of type <string>.
<eventIDs> A list of valid event IDs or event ID ranges. Each is a subtag of type <string>.
<categories> A list of valid event log task categories. Each is a subtag of type <string>.
<keywords> A list of event keywords. Each is a subtag of type <string>.
<users> A list of users on the syslog server. Each is a subtag of type <string>.
<computers> A list of computers monitored by the syslog server. Each is a subtag of type
<string>.

<facility> The default syslog facility number to use when generating a syslog message to
send. For more information, see Syslog facility numbers.

Administrator Guide: Kiwi Syslog Server page 233

About the Event Log Forwarder

<enabled> Enables the event log subscription. Uses TRUE/FALSE syntax.

l TRUE: the event log subscription is active in Log Forwarder.
l FALSE: the event log subscription is inactive in Log Forwarder.

Events collected when the even log subscription is enabled are forwarded to the
configured syslog servers.
<name> The name of event log subscription.
<description> The description of the event log subscription.

Syslog facility numbers
A facility number (code) is used to specify the program type logging the syslog message. The list
below identifies the default syslog facility numbers to use when generating a syslog message to send
to a syslog server.

Facility Code

Kernal (messages) 0

User-level messages 1

Mail system 2

System (daemons) 3

Security / authorization messages 4

Messages generated internally by syslogd 5

Line printer subsystem 6

Network news subsystem 7

Unix-to-Unix Copy Protocol (UUCP) (subsystem) 8

Clock (daemon) 9

Security / authorization messages 10

File Transfer Protocol (FTP) (daemon) 11

Network Time Protocol (NTP) (subsystem) 12

Log (audit) 13

Log (alert) 14

Administrator Guide: Kiwi Syslog Server page 234

About the Event Log Forwarder

Clock (daemon) 15

Local use 0 (local0) 16

Local use 1 (local1) 17

Local use 2 (local2) 18

Local use 3 (local3) 19

Local use 4 (local4) 20

Local use 5 (local5) 21

Local use 6 (local6) 22

Local use 7 (local7) 23

Syslog server subscription
Each syslog server must include the following tag declarations.

Tag Description

<serverName> The name of the syslog server you are subscribing.
<IPAddress> A valid syslog server IP address, host name, or FQDN.

IP address must be IPv4 or IPv6.

<Port> The syslog server port number. Default is 514.
<enabled> Enables the syslog server. Uses TRUE/FALSE syntax.

l TRUE: the syslog server is active in Log Forwarder.
l FALSE: the syslog server is inactive in Log Forwarder.

Events collected are only forwarded to syslog servers that are enabled.
<SendMode> Decides which protocol to use when sending logs:

l TCP
l UDP
l 1- TCP
l 0- UDP
<SourceFormat> Decides the server address format as IPv4 or IPv6.

Administrator Guide: Kiwi Syslog Server page 235

Subscriptions

Sample syslog server subscription

<?xml version="1.0" encoding="utf-8"?>

<LogForwarderSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:
xsd="http://www.w3.org/2001/XMLSchema">
<EventLogSubscriptions>
...
</EventLogSubscriptions>
<SyslogServers>
<SyslogServer>
<serverName>Syslog Server A</serverName>
<IPAddress>10.190.2.243</IPAddress>
<Port>514</Port>
<enabled>true</enabled>
<SendMode>0</SendMode>
<SourceFormat>0</SourceFormat>
</SyslogServer>
<SyslogServer>
<serverName>Syslog Server B</serverName>
<IPAddress>192.168.1.10</IPAddress>
<Port>514</Port>
<enabled>true</enabled>
<SendMode>0</SendMode>
<SourceFormat>0</SourceFormat>
</SyslogServer>
</SyslogServers>
</LogForwarderSettings>

Subscriptions
Creating event log subscriptions defines which event log records are forwarded to your syslog servers.
The Subscriptions screen allows you to add or maintain the subscriptions you have created for the
Event Log Forwarder program.

Administrator Guide: Kiwi Syslog Server page 236

Subscriptions

The command buttons Edit, Rename, Enable/Disable, and Remove are only available when a
subscription item has been selected.

This chapter provides information relating to the Subscriptions screens in Event Log Forwarder for
Windows. The following topics are covered:

l Add an event log subscription
l Rename an event log subscription
l Edit event log subscription properties
l Remove an event log subscription

Administrator Guide: Kiwi Syslog Server page 237

Subscriptions

Add an event log subscription
In the Add window, you can configure the event type and filtering options.

1. From the Subscriptions tab, click Add.

2. Select the event log (or event logs) you wish to subscribe to from the left column tree.
3. Configure the Event type, Event sources, and Task category, and filtering options:
Field Value

Event Type Filters the event records by the event type selected.

Event Filters the event records by one or more event source.
Sources
The Event Sources field is populated based on the selected event log.

Administrator Guide: Kiwi Syslog Server page 238

Subscriptions

Include or Enter the relevant event IDs. Event records containing an specified event ID are
Exclude excluded or included in the event filter. Event IDs with a minus sign are excluded.
Event
For example, to apply a filter that only shows records with event ID 1,3, are
within the range of IDs 5-99, and excludes event ID 76, enter: 1,3,5-99,-76.

Task Filter event records by one or more selected task categories.
Category
The Task Category field is populated based on the selected event log.

Keywords Filter the event records by specified keywords.
Not available for Windows Eventing 5 versions of Windows.

Users Filter event records by the user logged in to the device at the time of the event.
Multiple users must be separated by commas.

Computers Filter event records by devices the event occurs on.

4. By default, you are provided a grid view of the event from the selected subscriptions. To hide or
show this preview, click Hide / Show preview of matching records.
5. Click Refresh to preview the event records currently found in your event logs, based on
configured subscription settings.
6. Click Next to continue to the Define Priority screen.
7. Select the default syslog facility number that the event records when forwarding messages to the
syslog server.
The default syslog facility number is combined with the record event type to form the message
Priority column data within the syslog server display window.
8. Click Finish.

Enable or disable a subscription
You can enable or disable an existing subscription from the Subscriptions screen. Only one
subscription can be enabled or disabled at a time. Any disabled subscription is greyed out on the
subscriptions tab.

Administrator Guide: Kiwi Syslog Server page 239

Subscriptions

1. From the Subscriptions tab, select a subscription item.

2. Hover your pointer over Enable/Disable.
3. From the drop-down field, select Enable or Disable.

Administrator Guide: Kiwi Syslog Server page 240

Subscriptions

Rename an event log subscription
To rename an existing subscription within the Subscriptions screen:

1. From the Subscriptions tab, select the subscription item to edit.
2. Click Rename.

3. Enter a new subscription name.

You cannot enter a subscription name that already exists.

4. Click Update to save your changes.

Administrator Guide: Kiwi Syslog Server page 241

Subscriptions

Edit event log subscription properties
To edit the properties of an existing subscription:

1. From the Subscriptions tab, select the subscription to edit.
2. Click Edit.
3. Make your changes to the existing subscription fields accordingly.

4. Click Refresh to preview selected filtering changes on the event log records.
5. Click Next.

Administrator Guide: Kiwi Syslog Server page 242

Subscriptions

6. Confirm or update your default syslog facility settings.

7. Click Finish to save your changes.

Administrator Guide: Kiwi Syslog Server page 243

Syslog Servers

Delete an event log subscription
To delete an existing subscription from Event Log Forwarder:

1. From the Subscriptions tab, select the subscription to be deleted.
2. Click Remove.

3. In the confirmation message box, click Yes to continue removing the selected subscription item.

Syslog Servers
The Syslog Servers tab allows you to add or maintain syslog servers that the Event Log Forwarder
program forwards log messages to.

For example, the following image displays the setup of two syslog servers in Event Log Forwarder:

Administrator Guide: Kiwi Syslog Server page 244

Syslog Servers

l The Alpha Syslog Server has been added using a local host IP address and UDP port 468.
l The Beta Syslog Server has been added using the host name and TCP port 514. Notice that the
Beta Syslog Server has been disabled in Event Log Forwarder and therefore does not receive
forwarded log records.

This chapter provides information relating to the Syslog Servers tab in Event Log Forwarder. The
following topics are covered:

l Add a syslog server
l Edit syslog server properties
l Remove a syslog server

Administrator Guide: Kiwi Syslog Server page 245

Syslog Servers

Add a syslog server
From the Add Syslog Server window, you can configure the syslog server details. Only syslog servers
added to Event Log Forwarder receive configured log subscription reports.

1. From the Syslog Servers tab, click Add. The Add Syslog Server properties window opens with
pre-populated field default values.
2. Enter values into the default fields accordingly.

The Server Address field accepts IPv4, IPv6, host names, or fully qualified domain names
of a syslog server.

3. Click Create to add the syslog server.

Administrator Guide: Kiwi Syslog Server page 246

Syslog Servers

Edit syslog server properties
To edit the properties of an existing syslog server in Event Log Forwarder:

1. From the Syslog Servers tab, select the syslog server item to edit.
2. Click Edit.
3. To rename the syslog server, enter the new syslog server name.

You cannot enter a name that already exists.

4. Edit existing values displayed in fields as necessary.
5. Click Update to save your changes.

Administrator Guide: Kiwi Syslog Server page 247

Testing

Delete a syslog server
To remove an existing syslog server from Event Log Forwarder:

1. From the Syslog Server tab, select the syslog server to be deleted.
2. Click Remove.

3. In the confirmation message box, click Yes to continue removing the selected syslog server.

Testing
The Test tab allows you to add a test event to an available event log subscription. You can only
perform a test event on subscriptions that are configured with a syslog server configured in Event Log
Forwarder to receive messages from that subscription.

Both the subscription and the syslog server must be configured to test the Event Log Forwarder's
functionality and ensure that events are correctly forwarding.

Administrator Guide: Kiwi Syslog Server page 248

Testing

Test an event log subscription
1. From the Test tab, select which event log subscriptions you want to test from the drop-down field.

You can select multiple event logs subscriptions to test.

2. Under Type of test event, select the event message type to add to the event log subscription.
3. Click Create a test event to add the test event to the event log subscription.

A test that has been created successfully is validated with a confirmation message "Test event
successfully created":

Administrator Guide: Kiwi Syslog Server page 249

Troubleshooting

If the test event does not execute, the validation message instead states: "Creation of test event was
unsuccessful".

Troubleshooting
You can find discussion topics and solutions to common issues in Event Log Forwarder on the
Success Center or on THWACK.

Event Log Forwarder is a free tool and is not supported by SolarWinds technical support.

Windows Firewall
When the Windows Firewall is enabled, the firewall may block programs or program functionality from
executing on your system.

To prevent blocking of the Event Log Forwarder, the product installer automatically adds an exception
for the program to prevent the Windows Firewall from blocking Event Log Forwarder functions.

l If log messages are not forwarding to your designated syslog server, check your Windows
Firewall settings to ensure that a program exception exists.
l The Windows Firewall exception is automatically removed when Event Log Forwarder is
uninstalled using the program's uninstaller. Re-installation of Event Log Forwarder requires
adding the exception back into your system's Window Firewall.

Administrator Guide: Kiwi Syslog Server page 250

Kiwi Syslog Web Access

Kiwi Syslog Web Access
Kiwi Syslog Web Access is a web-based access portal for Kiwi Syslog Server, which provides web-
based filtering and highlighting for syslog events logged fromKiwi Syslog Server.

To configure KSS to log events to Kiwi Syslog Web Access, users will need to create a "Log To Kiwi
Syslog Web Access" action in Kiwi Syslog Server:

Kiwi Syslog Web Access can be run on the following:

l Windows Server 2019
l Windows Server 2016
l Windows Server 2012
l WIndows 2012 R2
l Windows 2003 R2 *
l Windows 2008 R2 *
l Windows 10
l Windows 8.1
l Windows 8
l Windows 7 *

* x86 and x64 editions supported

Enabling SSL in Kiwi Web Access
This procedure applies to KSS versions 9.7.2 and earlier.

In Kiwi Web Access, you can enable SSL for certificate creation using the UltiDev Web App Explorer.

These steps must be completed after Kiwi Web Access is finished installing.

1. Open the UltiDev Web App Explorer.
2. Click Ecosystem to create the SSL certificate.
3. Click Create New Certificate > Create Self-Signed Test Certificate.
4. Select or enter the name of SSL identity.
5. Once you have reviewed the certificate details, click OK.
6. Click to register a new site or application with the UltiDev Web Server.

Administrator Guide: Kiwi Syslog Server page 251

7. Select ASP.NET web application and proceed.
8. Select ASP.NET 2.0, 3.0 or 3.5 and proceed.
9. Select the option Load Native 32-bit Components and click Next.
10. Select LOCAL SYSTEM and click Next. Browse for the default document that will be used.
11. Select Gateway.aspx file from \\SolarWinds\Kiwi Syslog Web Access\html in the
installation location. Change the application name to Syslogd.
12. Remove the virtual directory default entry and leave it blank.
13. Remove the existing HTTP listen address for Kiwi Web Access. Add the HTTPS/SSL listen
address.
14. Select the created certificate.

15. Choose the port using Find Free Port, or enter your own and proceed. Select Anonymous, and
click Finish.

The created host will be listed in the left side panel, which can be verified via browsing. Your host can
now be accessed using HTTPS.

This chapter provides information and guidance relating to the Login Gateway page in Kiwi Syslog
Web Access.

The following topics can be found in this chapter :

l See Overview for a general overview of the Login Gateway page.
l See Pass-through Authentication for a general overview of the Login Gateway's Pass-through
Authentication support page.

See AD Authentication to configure the Active Directory Authentication for Kiwi Web Access.

The Login Gateway restricts access to Kiwi Syslog Web Access.

Administrator Guide: Kiwi Syslog Server page 252

The default (Administrator) account is configured during product installation. To login to Kiwi Syslog
Web Access, supply the password created during the installation process.

*Several users can be configured in Kiwi Syslog Web Access. These accounts can be a mixture of
both Administrative or Standard Users, with at least one Administrative account.

Administrator Authentication
This setting will allow an Administrator to configure the Active Directory Authentication for Kiwi Web
Access. The AD users has to use their Login ID as “domain\domain ID”. Then KWA will use the
authentication through AD.

Domain URL:

Enter the Active Directory LDAP URL here.

Authentication Type:

This setting determines how KWA Server is interacting with the Domain Server by using the Domain
URL. If the field is blank, the application will treat it as ‘Secure’ Different types are:

Anonymous No authentication is performed.

Administrator Guide: Kiwi Syslog Server page 253

Delegation Enables Active Directory Services Interface (ADSI) to delegate the user's security
context, which is necessary for moving objects across domains.
Encryption Attaches a cryptographic signature to the message that both identifies the sender
and ensures that the message has not been modified in transit.
FastBind Specifies that ADSI will not attempt to query the Active Directory Domain Services
objectClass property. Therefore, only the base interfaces that are supported by all
ADSI objects will be exposed. Other interfaces that the object supports will not be
available. A user can use this option to boost the performance in a series of object
manipulations that involve only methods of the base interfaces. However, ADSI
does not verify if any of the request objects actually exist on the server.
None Equates to zero, which means to use basic authentication (simple bind) in the
LDAP provider.
ReadonlyServer For a WinNT provider, ADSI tries to connect to a domain controller. For Active
Directory Domain Services, this flag indicates that a writable server is not required
for a serverless binding.
Sealing Encrypts data using Kerberos. The Secure flag must also be set to use sealing.
Secure Requests secure authentication. When this flag is set, the WinNT provider uses
NTLM to authenticate the client. Active Directory Domain Services uses Kerberos,
and possibly NTLM, to authenticate the client. When the user name and password
are a null reference (Nothing in Visual Basic), ADSI binds to the object using the
security context of the calling thread, which is either the security context of the user
account under which the application is running or of the client user account that the
calling thread is impersonating.
SecureSocketsL Attaches a cryptographic signature to the message that both identifies the sender
ayer and ensures that the message has not been modified in transit. Active Directory
Domain Services requires the Certificate Server be installed to support Secure
Sockets Layer (SSL) encryption.
ServerBind If your ADsPath includes a server name, specify this flag when using the LDAP
provider. Do not use this flag for paths that include a domain name or for server
less paths. Specifying a server name without also specifying this flag results in
unnecessary network traffic.
Signing Verifies data integrity to ensure that the data received is the same as the data sent.
The Secure flag must also be set to use signing.

User Groups:

Administrator Guide: Kiwi Syslog Server page 254

Administrator can restrict the access to Kiwi Web Access to specific domain user groups. Multiple user
groups can also be provided here (separated by ;).

For example:

Domain (FQDN): server.domain.com

Authentication Type: <blank>, defaults to Secure

User Groups: Domain Admins

For more information about enabling SSL for Kiwi Web Access.

Enabling SSL in Kiwi Web Access
This procedure applies to KSS versions 9.7.2 and earlier.

In Kiwi Web Access, you can enable SSL for certificate creation using the UltiDev Web App Explorer.

These steps must be completed after Kiwi Web Access is finished installing.

Administrator Guide: Kiwi Syslog Server page 255

Events

8. Select ASP.NET 2.0, 3.0 or 3.5 and proceed.
9. Select the option Load Native 32-bit Components and click Next.
10. Select LOCAL SYSTEM and click Next. Browse for the default document that will be used.
11. Select Gateway.aspx file from \\SolarWinds\Kiwi Syslog Web Access\html in the
installation location. Change the application name to Syslogd.
12. Remove the virtual directory default entry and leave it blank.
13. Remove the existing HTTP listen address for Kiwi Web Access. Add the HTTPS/SSL listen
address.
14. Select the created certificate.
15. Choose the port using Find Free Port, or enter your own and proceed. Select Anonymous, and
click Finish.

The created host will be listed in the left side panel, which can be verified via browsing. Your host can
now be accessed using HTTPS.

Events

This chapter provides information and guidance relating to the Events page in Kiwi Syslog Web
Access.

The following topics can be found in this chapter :

l See Events Overview for a general overview of the Events page.
l See Filtering Events for information on displaying filtered events.
l See Events Grid for information on the layout of the events grid.
l See Event Highlighting for information on event highlighting in the events grid.
l See Find for information on searching for events in the events grid.
l See Quick Filtering for information on event filter refinement in the events grid.
l See Direct Link for information on direct linking to the Events page.
l See Export to CSV for information on exporting to CSV from the Events page.

Overview

Administrator Guide: Kiwi Syslog Server page 256

Events

The Events Overview page displays syslog events that have been logged to Kiwi Syslog Web Access
by Kiwi

Syslog Server.

The events page is set to auto-refresh, based upon the Page Refresh Rate setting, accessible from
the Settings page.

Whether or not the events page refreshes automatically is controllable through the Pause and
Resume buttons.

Filtering Events

The syslog events that are displayed in the Events grid can be filtered by selecting from the Filter
drop-down in the events page of Kiwi Syslog Web Access:

Administrator Guide: Kiwi Syslog Server page 257

Events

The filter drop-down includes two default (system-defined) filters:

l [All Kiwi Syslog Server Events]
   Displays all available syslog event data.
l Warnings and above
   Displays syslog events with a priority level of Warning and above (ie. Emergency, Critical, Alert
and Warning).

*Additional (user-defined) filters appear in this drop-down as well.

Events Grid

The layout of the Kiwi Syslog Web Access events grid is fully customizable. Changes made, including
column order (positioning), column sizes and column visibility, apply only to the selected filter,
enabling users to create layouts that relate directly to the filtered event data.

Columns can be repositioned by clicking and dragging columns in the column header.

Administrator Guide: Kiwi Syslog Server page 258

Events

Columns can be resized by clicking and dragging between columns in the column header.

Columns can be shown or hidden by clicking on the Columns button and checking or unchecking the
column names.

Administrator Guide: Kiwi Syslog Server page 259

Events

Event Highlighting

Syslog events that are displayed in the events grid inherit highlighting attributes from highlighting rules
configured in the Highlighting page.

Highlighting in the events grid can be turned on or off using the Toggle Highlighting button.

Administrator Guide: Kiwi Syslog Server page 260

Events

Find function

Syslog events can be searched easily using the Find function.

Items matching the search terms provided will be highlighted in the events grid.

Quick filtering

Syslog events that are displayed in the events grid can be refined using the filter refinement or quick
filter function.

By clicking on items in the events grid, quick filter terms are added, and the currently selected filter is
refined to include these terms.

Administrator Guide: Kiwi Syslog Server page 261

Events

Quick filter terms can be removed individually, or altogether by clicking the Clear All.

The current filter refinement can be saved as a new filter, by clicking the Save as Filter.

Administrator Guide: Kiwi Syslog Server page 262

Events

Direct linking

Kiwi Syslog Web Access support direct linking.

Direct linking is a way of specifying filter refinements in the URL, enabling links to be built and passed
to Web Access from other systems (such as SolarWinds® Orion NPM).

The Direct Link button:

Clicking on the Direct Link button will open a new window with the direct link in the Address bar.

Administrator Guide: Kiwi Syslog Server page 263

Events

eg. This link was generated from a Quick Filter, by clicking Direct Link in the toolbar.

Note: The AccountId and Password URL parameters are also supported.

http://localhost:8088/Events.aspx?FID=1&UID=0&Facility=Local7&Level=Debug&Date=2009-12-
03&AccountId=Administrator&Password=*****

Export to CSV

Syslog events that are displayed in the events grid can be exported to CSV.

Administrator Guide: Kiwi Syslog Server page 264

Events

The CSV export function can export either the Current Page or a specified Page Range.

When Export is complete, a save dialog will appear. The filename will default to the name of the filter
in

the current view.

Administrator Guide: Kiwi Syslog Server page 265

Events

Administrator Guide: Kiwi Syslog Server page 266

TE and TE Agent Installation Guide
No ratings yet
TE and TE Agent Installation Guide
15 pages
Rapid7 InsightVM Product Brief
No ratings yet
Rapid7 InsightVM Product Brief
2 pages
NSX 64 Admin
No ratings yet
NSX 64 Admin
590 pages
RTP Audio and Video For The Internet
No ratings yet
RTP Audio and Video For The Internet
208 pages
BMC PATROL For Microsoft Windows Servers Getting Started
No ratings yet
BMC PATROL For Microsoft Windows Servers Getting Started
304 pages
Esm Guide PDF
No ratings yet
Esm Guide PDF
340 pages
Kiwi Syslog Server: Installation Guide
No ratings yet
Kiwi Syslog Server: Installation Guide
9 pages
The Asterisk Book
No ratings yet
The Asterisk Book
306 pages
Configuration Manual
No ratings yet
Configuration Manual
30 pages
QRadar 71MR1 DSMConfigurationGuide
No ratings yet
QRadar 71MR1 DSMConfigurationGuide
774 pages
B Qradar Users Guide
No ratings yet
B Qradar Users Guide
226 pages
CP R80.40 CLI ReferenceGuide
No ratings yet
CP R80.40 CLI ReferenceGuide
1,782 pages
CP R80.40 EndpointSecurity AdminGuide
No ratings yet
CP R80.40 EndpointSecurity AdminGuide
295 pages
Panorama Admin
No ratings yet
Panorama Admin
596 pages
Mcafee Network Security Platform 10.1.x Installation Guide 9-6-2022
No ratings yet
Mcafee Network Security Platform 10.1.x Installation Guide 9-6-2022
289 pages
Pan Os Web Interface Help PDF
No ratings yet
Pan Os Web Interface Help PDF
840 pages
Attivo BOTsink Appliance User Guide
No ratings yet
Attivo BOTsink Appliance User Guide
874 pages
Pccet 1
No ratings yet
Pccet 1
7 pages
Integration Between ISE and HPE-ArubaOS
No ratings yet
Integration Between ISE and HPE-ArubaOS
16 pages
Array APV 1800/2800/5800 Quick Installation Guide
No ratings yet
Array APV 1800/2800/5800 Quick Installation Guide
2 pages
Safelisting PSAT in Proofpoint Protection Services
No ratings yet
Safelisting PSAT in Proofpoint Protection Services
4 pages
Falcon GPO Deployment Apr 2020
No ratings yet
Falcon GPO Deployment Apr 2020
7 pages
Sophos Firewall Competitor Ecosystem Playbook
No ratings yet
Sophos Firewall Competitor Ecosystem Playbook
8 pages
Pccet 0
No ratings yet
Pccet 0
10 pages
CP R81 CLI ReferenceGuide
No ratings yet
CP R81 CLI ReferenceGuide
1,673 pages
Identity Service Engine User Guide
No ratings yet
Identity Service Engine User Guide
1,200 pages
156-315 80 PDF
No ratings yet
156-315 80 PDF
92 pages
SISAS Slides Book
No ratings yet
SISAS Slides Book
68 pages
Brksec-2203 (2015)
No ratings yet
Brksec-2203 (2015)
115 pages
ENV-Overview and Solutions-2022
No ratings yet
ENV-Overview and Solutions-2022
87 pages
Support Service Description - Office 365 Dedicated Plans - October 2011
No ratings yet
Support Service Description - Office 365 Dedicated Plans - October 2011
12 pages
B Qradar Admin Guide
No ratings yet
B Qradar Admin Guide
272 pages
FGT1 03 Firewall Policies PDF
No ratings yet
FGT1 03 Firewall Policies PDF
69 pages
Cisco Cyber Vision - GUI User Guide 3.2.0
No ratings yet
Cisco Cyber Vision - GUI User Guide 3.2.0
158 pages
Course List
No ratings yet
Course List
35 pages
Attivo Central Manager User Guide
No ratings yet
Attivo Central Manager User Guide
848 pages
Brksec 3697 PDF
No ratings yet
Brksec 3697 PDF
292 pages
Imsva 9.1 BPG 20160531
No ratings yet
Imsva 9.1 BPG 20160531
61 pages
FW2535 19.0v1 Getting Started With Security Heartbeat On Sophos Firewall
No ratings yet
FW2535 19.0v1 Getting Started With Security Heartbeat On Sophos Firewall
16 pages
Net Cool
100% (1)
Net Cool
32 pages
Palo Alto Syllabus
No ratings yet
Palo Alto Syllabus
1 page
Q42022 EURO Recommended Enduser PriceList 11072022
No ratings yet
Q42022 EURO Recommended Enduser PriceList 11072022
3,819 pages
CP R77.20 EndpointSecurity AdminGuide
No ratings yet
CP R77.20 EndpointSecurity AdminGuide
168 pages
Adobe Connect Installation and Configuration Guide
No ratings yet
Adobe Connect Installation and Configuration Guide
64 pages
Web Gateway 8.0.x Product Guide
No ratings yet
Web Gateway 8.0.x Product Guide
366 pages
Imperva Securesphere Database Security and Oracle Audit Vault Buyer'S Guide and Reviews July 2020
No ratings yet
Imperva Securesphere Database Security and Oracle Audit Vault Buyer'S Guide and Reviews July 2020
34 pages
Orion Administrator Guide
No ratings yet
Orion Administrator Guide
334 pages
HX DG V 5.3.0 PDF
No ratings yet
HX DG V 5.3.0 PDF
136 pages
Application Security - Unit 3 PDF
No ratings yet
Application Security - Unit 3 PDF
146 pages
KPMG Cyber Security Considerations For 2022 - Trust Through Security
No ratings yet
KPMG Cyber Security Considerations For 2022 - Trust Through Security
40 pages
Csam Qsc2021 Slides
No ratings yet
Csam Qsc2021 Slides
123 pages
SonicOS 6.2.5 LogEvents ReferenceGuide
No ratings yet
SonicOS 6.2.5 LogEvents ReferenceGuide
58 pages
1-IBM-RP - Sales - Midmarket SW For Buying Selling Guide
No ratings yet
1-IBM-RP - Sales - Midmarket SW For Buying Selling Guide
206 pages
ExaLINK User Guide
No ratings yet
ExaLINK User Guide
44 pages
Cisco Identity Services Engine Administrator Guide
No ratings yet
Cisco Identity Services Engine Administrator Guide
1,234 pages
Enterprise Security Biology Dissecting The Splunk Enterprise Security Threat Intelligence Framework
No ratings yet
Enterprise Security Biology Dissecting The Splunk Enterprise Security Threat Intelligence Framework
64 pages
What Is Pattern in SAP ETD
No ratings yet
What Is Pattern in SAP ETD
17 pages
Perform A Firewall Healthcheck
No ratings yet
Perform A Firewall Healthcheck
27 pages
Mastering Active Directory
From Everand
Mastering Active Directory
VICTOR P HENDERSON
No ratings yet
VMware Horizon View Essentials
From Everand
VMware Horizon View Essentials
Peter von Oven
No ratings yet
Kss Installation Guide
No ratings yet
Kss Installation Guide
18 pages
Sophos Operating Instructions XG 310 330 Rev2 Oina
No ratings yet
Sophos Operating Instructions XG 310 330 Rev2 Oina
12 pages
LANmark-OF Patch Panel Snap-In Sliding V2 2
No ratings yet
LANmark-OF Patch Panel Snap-In Sliding V2 2
26 pages
KSS 9.8.1 System Requirements
No ratings yet
KSS 9.8.1 System Requirements
2 pages
NetApp Resize Volume Steps
No ratings yet
NetApp Resize Volume Steps
5 pages
Automatic Packet Reporting System PDF
No ratings yet
Automatic Packet Reporting System PDF
7 pages
Cisco LAN Switch Configuration
No ratings yet
Cisco LAN Switch Configuration
673 pages
gc ٢٠٢٤ ١٢ ٢٥
No ratings yet
gc ٢٠٢٤ ١٢ ٢٥
26 pages
Network Transmission Devices - PreQuiz - Attempt Review
100% (1)
Network Transmission Devices - PreQuiz - Attempt Review
4 pages
Railway Operational Communication Solution OptiX OSN 1500 Product Overview (Hybrid)
No ratings yet
Railway Operational Communication Solution OptiX OSN 1500 Product Overview (Hybrid)
77 pages
CCNA 3 Final Exam (99%)
100% (1)
CCNA 3 Final Exam (99%)
23 pages
Console Output CLI Console
No ratings yet
Console Output CLI Console
20 pages
Telnet and SSH
No ratings yet
Telnet and SSH
5 pages
FortiOS-7.4.5-Administration - Guide (2) - Parte1
No ratings yet
FortiOS-7.4.5-Administration - Guide (2) - Parte1
300 pages
DTU-H10X User Manual V1.1 (20160706)
No ratings yet
DTU-H10X User Manual V1.1 (20160706)
79 pages
ZyWALL 2 Plus DataSheet
No ratings yet
ZyWALL 2 Plus DataSheet
2 pages
Cifs With Recommendations
No ratings yet
Cifs With Recommendations
13 pages
Intel
No ratings yet
Intel
12 pages
3adr020160k0201 - MTBF Ac500 S500 - 2023 09 08
No ratings yet
3adr020160k0201 - MTBF Ac500 S500 - 2023 09 08
15 pages
IS414 2020 Questions
No ratings yet
IS414 2020 Questions
3 pages
AXIS C3003-E Network Speaker: User Manual
No ratings yet
AXIS C3003-E Network Speaker: User Manual
40 pages
VXLAN Multipod Geographically Dispersed White Paper Final
No ratings yet
VXLAN Multipod Geographically Dispersed White Paper Final
58 pages
BGP States
No ratings yet
BGP States
1 page
Application Note - Techcomplete™ Test Productivity Pack & Dsam Secure Sync™
No ratings yet
Application Note - Techcomplete™ Test Productivity Pack & Dsam Secure Sync™
9 pages
Unified Sec Policy
No ratings yet
Unified Sec Policy
20 pages
Bts3900 V100R009C00Spc150 (Enodeb) Parameter List: Huawei Technologies Co., LTD
No ratings yet
Bts3900 V100R009C00Spc150 (Enodeb) Parameter List: Huawei Technologies Co., LTD
822 pages
Dynamic Host Configuration Protocol: Objective: Set Network Configuration in A Desktop PC
No ratings yet
Dynamic Host Configuration Protocol: Objective: Set Network Configuration in A Desktop PC
13 pages
Connection Less and Connection Oriented
No ratings yet
Connection Less and Connection Oriented
2 pages
Cisco Pass4sure 200-201 Exam Question 2022-Apr-30 by Lester 179q Vce
No ratings yet
Cisco Pass4sure 200-201 Exam Question 2022-Apr-30 by Lester 179q Vce
13 pages
Sip Cause Code
100% (2)
Sip Cause Code
4 pages
Week 9 Activities
No ratings yet
Week 9 Activities
5 pages
CN Lab File 2K21-SE-153
No ratings yet
CN Lab File 2K21-SE-153
29 pages
HP FlexNetwork
100% (1)
HP FlexNetwork
406 pages
CS NBNCo 74C0103
No ratings yet
CS NBNCo 74C0103
3 pages
Networking CSS 12
No ratings yet
Networking CSS 12
11 pages