Viewing all 745 articles

Syslog stops logging with no notification

I discovered this morning (only because I didn't receive the nightly report) that two of our Syslog servers stopped logging yesterday afternoon. The nightly archiving and cleanup jobs did not run. The service did not crash. The drive has 63 GB of free space. There are no entries under the Application or System logs in Windows. Under the Errorlog I see this for all of the reporting nodes ("ip.address.#" is a placeholder for the actual values in the logs):

 

2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:38:59    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address1.txt

2015-05-28 15:39:00    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:00    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1..txt

2015-05-28 15:39:02    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:02    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.2.txt

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.3.txt

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:06    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:06    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:07    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:07    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.4.txt

2015-05-28 15:39:08    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:08    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:11    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:11    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt

2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.

2015-05-28 15:39:16    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.5.txt

 

The log stops there. When I restart the service I see these additional entries in the Error log:

 

2015-05-29 07:17:16    Unable to open InterApp listening socket on TCP port 3300

2015-05-29 07:17:16    Unable to open UDP socket on port 514

2015-05-29 07:19:08    Service running, but Service/Manager comm link is not connecting.

2015-05-29 07:19:28    Unable to connect to Service socket on TCP port 3300

2015-05-29 07:19:38    Service running, but Service/Manager comm link is not connecting.

 

Any ideas?
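
Added example, not part of the original post and not SolarWinds code: because the failure above produced no notification, an external check can parse Errorlog lines in the layout quoted in the post and flag file-write and socket-open failures. The sample lines are constructed from that layout; the function names and alert wording are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout quoted in the post:
# "YYYY-MM-DD HH:MM:SS", whitespace, message. File names are placeholders.
SAMPLE_ERRORLOG = r"""
2015-05-28 15:38:59    Log to file action - Error: Win32File Object [45600] Unknown error.
2015-05-28 15:38:59    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\Firewalls\ip.address.1.txt
2015-05-28 15:39:03    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\Syslogs\ESX\ip.address.3.txt
2015-05-28 15:39:16    Log to file action - Error: Win32File Object [45600] Unknown error.
2015-05-29 07:17:16    Unable to open InterApp listening socket on TCP port 3300
2015-05-29 07:17:16    Unable to open UDP socket on port 514
2015-05-29 07:19:08    Service running, but Service/Manager comm link is not connecting.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*\S)\s*$")
FLUSH_RE = re.compile(r"FlushCacheLines <[^>]*> - File: (.+)$")
BIND_RE = re.compile(r"Unable to open .*?\b(TCP|UDP)\b.*?port (\d+)")


def parse(text):
    """Yield (timestamp, message) per well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def summarise(text):
    """Classify entries and collect the affected files and ports."""
    kinds, files, ports, last_write = Counter(), set(), set(), None
    for ts, msg in parse(text):
        flush, bind = FLUSH_RE.search(msg), BIND_RE.search(msg)
        if flush:
            kinds["flush_failed"] += 1
            files.add(flush.group(1))
            last_write = ts
        elif msg.startswith("Log to file action - Error"):
            kinds["file_write_error"] += 1
            last_write = ts
        elif bind:
            kinds["bind_failed"] += 1
            ports.add((bind.group(1), int(bind.group(2))))
        elif "INTERNAL PROGRAM ERROR" in msg:
            kinds["internal_error"] += 1
        else:
            kinds["other"] += 1
    return {"kinds": kinds, "files": files, "ports": ports,
            "last_write_error": last_write}


def alerts(summary):
    """Turn a summary into messages for whatever notifier is in use."""
    out = []
    if summary["last_write_error"] is not None:
        out.append("log-to-file errors, last at %s, %d file(s) named"
                   % (summary["last_write_error"], len(summary["files"])))
    for proto, port in sorted(summary["ports"]):
        out.append("service could not open %s port %d" % (proto, port))
    return out


if __name__ == "__main__":
    for line in alerts(summarise(SAMPLE_ERRORLOG)):
        print(line)
```

Run on a schedule against the Errorlog file and hand the returned strings to an alerting channel that does not depend on the syslog service itself.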


Kiwi Syslog service stopping Frequently - Error Message added below

Hi All,

 

Help in fixing the below error. Case raised with SolarWinds, still waiting for the solution.

 

2019-11-14 13:52:20    Unable to query the table:  Syslogd in the database specified by the DSN.Error -2147217871: Query timeout expired

2019-11-14 13:55:54    Unable to open InterApp listening socket on TCP port 3300

2019-11-14 13:55:54    Source: C:\Windows\SYSTEM32\mswinsck.ocx Error: Connection is aborted due to timeout or other failure

2019-11-14 13:55:56    Unable to open InterApp listening socket on TCP port 3300

2019-11-14 13:55:56    Source: C:\Windows\SYSTEM32\mswinsck.ocx Error: Connection is aborted due to timeout or other failure

2019-11-14 13:57:14    WebAccess.Data: Error while trying to read Event Db properties from the system database.There is not enough memory on the device running SQL Server Compact to complete this operation.

2019-11-14 13:58:43    Log to file action - Error: Win32File Object [45600] Unknown error.

2019-11-14 13:58:43    Log to file action - Error: Win32File Object [45600] Unknown error.

2019-11-14 13:58:43    Log to file action - Error: FlushCacheLines <Encoding_Failed> - File: E:\KIWISyslog\Syslogd\IP Based Logs\xxx.xxx.xxx.xxxSyslogCatchAll-2019-11-14.txt

 

2019-11-14 13:59:02    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***

2019-11-14 13:59:02    Service Version =9.6.7.1 | Error Number: 14 | Description: Out of string space | Module Name: Syslogd.frm | Procedure Name: TabSafeDBCacheItem | Line Number: 20 | Date and time: 11/14/2019 1:59:02 PM


test message working on "log to file", not working on "display"

Kiwi Syslog - replace string on alert

Hi All,

I would like to create an alert (using Kiwi Syslog server) on a syslog message if an OSPF adjacency goes down, but I prefer to add (or replace) the neighbor (in this example 172.31.0.136) with a custom string.

 

Nov 18 10:27:40: %OSPF-5-ADJCHG: Process 1, Nbr 172.31.0.136 on GigabitEthernet1/0/23 from FULL to DOWN, Neighbor Down: Interface down or detached

 

Any ideas if it's possible and how?

Many thanks!

Luca


Does Kiwi Syslog support installation on Windows Server 2019?

Hi!

We're planning to deploy Kiwi Syslog server to one of our customers. The OS standard for them is Windows Server 2019, so I'm wondering if that's ok to install Kiwi Syslog Server to Windows Server 2019 OS.

I know this OS is not listed in Kiwi Syslog Server 9.6.7 system requirements, but want to check anyway as it will take some effort to prepare a W2K16 image just for one server.

If the support for Windows Server 2019 is planned to be included for the next releases, please advise for approximate dates when it will be available.

 

Thank you!

Syslogd_Service.exe crash - out of stack space

I am evaluating Kiwi Syslogd to front-end and filter syslog traffic since we are having performance problems and service crashes using the NPM Syslog Service.  Here is the hardware platform:

HP DL385G7
2x AMD Opteron 6174 2.2GHz 12-core processors
32GB memory
RAID-1 for OS/Syslog
Windows Server 2008 R2 x64 Enterprise SP1

I installed Kiwi Syslogd and it ran for about an hour before it crashed with this failure:


Log Name:      Application
Source:        Application Error
Date:          3/15/2012 10:42:42 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      *********
Description:
Faulting application name: Syslogd_Service.exe, version: 9.2.0.1, time stamp: 0x4d069c0f
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000a
Faulting process id: 0x91d0
Faulting application start time: 0x01cd02c944ab6d53
Faulting application path: C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
Faulting module path: unknown
Report Id: 43e40d87-6ec6-11e1-a52f-3cd92b024752
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-15T17:42:42.000000000Z" />
    <EventRecordID>2945</EventRecordID>
    <Channel>Application</Channel>
    <Computer>************</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Syslogd_Service.exe</Data>
    <Data>9.2.0.1</Data>
    <Data>4d069c0f</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0000000a</Data>
    <Data>91d0</Data>
    <Data>01cd02c944ab6d53</Data>
    <Data>C:\Program Files (x86)\Syslogd\Syslogd_Service.exe</Data>
    <Data>unknown</Data>
    <Data>43e40d87-6ec6-11e1-a52f-3cd92b024752</Data>
  </EventData>
</Event>

---------------------------

The following was in the Syslogd Errorlog.txt:

2012-03-15 09:32:52    Command line license key accepted.
2012-03-15 10:42:41    *** INTERNAL PROGRAM ERROR - Please contact http://www.kiwisyslog.com/support/ ***
2012-03-15 10:42:41    Service Version 9.2.1 | Error Number: 28 | Description: Out of stack space | Module Name: Syslogdsvc.frm | Procedure Name: SyslogSocket_DataArrival | Line Number: 260 | Date and time: 3/15/2012 10:42:41 AM
---------------------------

I have opened SolarWinds case #323438 regarding this.


Syslog write to file question

Any idea how I can separate specific ip/devices to write to different folders without the logs getting duplicated to the default folder?

 

I have the default rules and filter setup which displays and logs all devices and other logs info in the default "log to file" folder structure. I now created other filters and rules to capture specific IP(s)/devices and have them written to a different folders. I would like to keep the default folder to capture all logs with the exception of a few.


Kiwi Syslog Not Displaying Any Logs

New installation of Kiwi Syslog Service Manager (Free Version 9.6).

Test message to localhost works fine but is not receiving syslog messages from remote computer.

WireShark shows the syslogs but Kiwi is not picking them up. UDP/port 514

I've added the 2 IPs under Inputs in "Receive messages from below IP addresses".

Reading the documentation I am not able to find if I missed something.

Any assistance is appreciated.
I am going to try it on a different machine and see if maybe it's just this box that doesn't like it.


store logs encrypted

Hi,

Is it possible to store logs in an encrypted way? I read that I can archive it in an encrypted zip file but I think I should do that upstream for legal reasons.

Thanks

Syslogd Services Stopped

I discovered that one of the servers running Kiwi Syslog has its syslogd service stopped and is not taking in logs from other servers. Checking Services.msc, 'Kiwi Syslog Server' is still running, while Kiwi Syslog Service Manager showed 'The Kiwi Syslogd Service is stopped'. Checking Event Viewer, I found that the service stopped.

 

I've asked the server team if there were any activities during that period; SEP was being installed on all servers recently and scheduled full scans were taking place. I've asked the server team to temporarily disable scheduled full scanning and so far the service is running without any issues; however, I do not want to conclude that SEP is the cause of the service stopping just yet. On average Kiwi Syslog pipes 1800K - 1900K MPH and at times can peak up to 2500K MPH. If it helps, these are the hardware specs of the server.

 

Xeon E5-2680 2.40GHz

4GB RAM

Windows 2012 R2 64bit

1.5TB Storage

 

Does upgrading the RAM help? Is there any other possible cause for the service stoppage?

 

Any and all help is greatly appreciated


Solarwinds Event Log Forwarder for Windows with 2 Kiwi Syslog Servers configured

Hello,

 

In the log forwarder, there are 2 kiwi syslog servers configured.
And we found that no syslog events are received on the first syslog server.
What could be the root cause of this issue?

 

Thank you.

Windows event viewer log forwarder question

Sorry if this isn’t posted in the proper place, but I believe this is the most appropriate place to post my question. In short we are forwarding event viewer events via the aforementioned tool to a Sysco server. For the most part it works as intended but there are a handful of servers I don’t know how to tackle. In short a pair of servers has a single NIC and have their own unique IP address for management but there is a VIP that floats between them. The VIP is generated in a weird fashion where in the advanced properties of TCP/IP IPv4 they have the identical VIP IP assigned as a secondary. How can I specify in the log forwarder that a specific IP be used for log forwarding regardless? 

 

Similarly we have a handful of servers that have dual NICs. How can we specify a specific NIC be used for this function?  Thanks.

Filter Action to send msg to Telegram group

Hi, I'm new @ Kiwi Syslog and I want to detect in FILTER some critical log entries and send them to a Telegram Group.

I don't know what action to use to call the Telegram API.

Has anyone been dealing with something like this that could gimme a hand?

 

Thank you in advance and sorry for my poor English.


Kiwi Syslog Web Access - set filters for last 24-hours, 48-hours, or 7 days

I was just wondering if there is a way to set filters for last 24-hours, 48-hours, or 7 days etc in the syslog web access?


Kiwi licensing

       

What is the difference between the various licensing levels of the Kiwi Syslog server (server, site, country, global)?


Web Access throws error 2869 during install

I get the following error during the Web Access portion of the install of Kiwi Syslog 9.6.7.

Screen capture of the error

 

The following is an excerpt from the installation log.

 

WriteRegistryValues: Key: \Software\SolarWinds\Syslogd\WebAccess, Name: DBPath, Value: C:\Program Files (x86)\SolarWinds\Kiwi Syslog Web Access\html\App_Data\Event.sdf

WriteRegistryValues: Key: \Software\SolarWinds\Syslogd\WebAccess, Name: InstPath, Value: E:\Program Files (x86)\SolarWinds\Kiwi Syslog Web Access\

WriteRegistryValues: Key: \Software\SolarWinds\Syslogd\WebAccess, Name: HttpPort, Value: 8088

WriteRegistryValues: Key: \Software\SolarWinds\Syslogd\WebAccess, Name: AdURL, Value:

WriteRegistryValues: Key: \Software\SolarWinds\Syslogd\WebAccess, Name: AdAuthType, Value: Secure

Action 15:47:22: AI_FwRollback. Rolling back Windows Firewall configurations.

Action 15:47:22: AI_FwConfig. Executing Windows Firewall configurations

AI_FwConfig: Configuring Windows Firewall rule: "Kiwi Syslog Web Access"

Action 15:47:22: Setup_Hosts. Configuring Windows Hosts...

Action 15:47:22: Setup_SQLCEDB. Configuring System Database...

Action 15:47:22: Setup_ASPNET. Configuring ASP.NET...

DEBUG: Error 2869:  The dialog ErrorDlg has the error style bit set, but is not an error dialog

The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2869. The arguments are: ErrorDlg, ,

MSI (c) (40:DC) [15:47:37:436]: Product: Kiwi Syslog Web Access -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2869. The arguments are: ErrorDlg, ,

 

 

Error 1001.

MSI (s) (BC!74) [15:47:37:436]:

DEBUG: Error 2769:  Custom Action Setup_ASPNET did not close 1 MSIHANDLEs.

The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: Setup_ASPNET, 1,

CustomAction Setup_ASPNET returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Action ended 15:47:37: InstallFinalize. Return value 3.

Action 15:47:37: Rollback. Rolling back action:

1: Configuring ASP.NET...

1: Configuring System Database...

1: Configuring Windows Hosts...

1: Executing Windows Firewall configurations

1: Rolling back Windows Firewall configurations.

1: Kiwi Syslog Web Access

1: Writing system registry values

1: Creating shortcuts

1: Copying new files

 

 

Any help is very much appreciated.


Kiwi Syslog not receiving any message

Hello,

 

I just installed Syslog on a Windows 8 VM (ESXi 5.5).

However... I don't receive any messages from the router (Cisco RV042G) I want to log.

 

I tried the generic troubleshooting:

• Check network connectivity by pinging from the sending device to the Syslog Server machine  => OK
• Check only one instance of Kiwi Syslog Server is running (Ctrl-Shift-Esc to get the task-list) => OK, only one
• Disable any personal firewall software such as ZoneAlarm or BlackIce => Disabled

• Use a sniffer to check if messages from the routing are reaching the PC => Yes, I can see them
• Check DNS resolution is working as expected by pinging a hostname from the Command Prompt => OK
• Check that there is a "Display" action setup for the facility and level you are expecting to receive messages on. => OK
• Send a test message to yourself by pressing Ctrl+T => Displayed
• Download a copy of the Free Syslog Server Message Generator (SyslogGen) from: www.kiwisyslog.com/downloads => Done
• Install SyslogGen and set it to send a message every second to the address 127.0.0.1 (local host). => Not displayed, and I don't see them in a local packet capture.
• Try sending messages with SyslogGen from another machine to the host running the Syslog Server => Not displayed, but see them on a packet capture (on Syslog PC)

 

Do you have any idea about the cause of this issue?

 

Thanks in advance for your help.

NPM/NTA to Kiwi

I'm a newbie to the Orion world. Is it possible to forward NPM/NTA events to a Kiwi Syslog server?

KIWI Syslog Server showing msgs from Unix and CISCO but not Windows

Hey guys,

 

Wondering if someone can help as I've been pulling my hair out for 2 days with this:

 

Installed the EVAL 14 day Trial version of KIWI Syslog Server (9.6.7) and put it on a Windows Server 2016 VM. Server is set up to log messages to a file and display received messages to the default view. UDP and TCP ports are ticked and using standard port numbers for both protocols.

 

Unix and CISCO devices are coming up in the Syslog server nicely and are being displayed in console.

 

Windows is a no go - will not display messages in the console.

 

Installed Windows Log Forwarder on Win 10 and Server 2012 machines - Set server IP and UDP port number which matches Syslog Server. Set a subscription up to look for application error event with an ID of 0 - Same ID the Test event for Solarwinds shows up as (this comes up in the event preview at the bottom so I know there are events to send to the syslog server). Then setting it to Kernel message.

 

Ran test on the application log as an error and this comes up in event viewer.

 

I am not seeing it come up in the Syslog console.

 

I can ping the syslog server from the client, firewalls are turned off on all client PCs AND on the server. AV has been uninstalled on one machine. No other blocking software exists.

 

I installed the log generator on the syslog server - set IP to client PC and syslog server IP and it generated message in the syslog console.

Installed log generator on client PC, with same settings, won't show up in Syslog console.

 

Am I doing something stupidly wrong here? I've tried all the forums, everything online, I even set the computer account of the syslog server in the Event Log Readers Group on one of the Windows boxes, no GPOs are blocking connection to port or blocking connection to the event logs themselves.

 

Need to confirm Windows sends logs before we buy this product and at the moment it's not playing ball.

 

Any help would be hugely appreciated! Even some netstat type commands, as I've tried the netstat -ano command on the client and UDP port isn't showing up anywhere (running the command on the syslog server does show UDP port assigned to syslog and no other process).

 

No error logs in syslog application

 

Regards,

 

Clare Martin


TCP Syslog Does Not Work in Latest Version

I use kiwi syslog server a lot for testing syslog.  It seems like in the latest version there are issues with TCP.  I'm verifying with the Kiwi Syslog Message Generator.  Seems like with syslog server version 9.4.1 TCP connects and works, but in latest version 9.6.3 it does not connect for some reason. When I try to connect TCP with message generator it says "TCP session remotely disconnected" using the same tool the same exact way, it works with version 9.4.1. I'm using the syslog message generator tool on the same machine as the syslog server.  Is this a known issue, or am I missing something?  Any suggestions or help would be much appreciated.  Thank you very much.


