Updated July 21, 2016
This will forward the received message to another Syslog host using the UDP or TCP syslog protocol.
Kiwi Syslog 9.x
Server: Windows Server 2012, 2012 R2, 2008, 2008 R2, 2003, 2003 R2
Workstation: Windows 8.1, 8, 7, Vista, XP
Destination IP address or hostname
This is where you specify the remote host IP address or hostname to forward the messages to.
You can send messages to multiple hosts by separating each hostname or IP address with a comma.
For example: Myhost.com, SecondHost.net, 188.8.131.52, ABC:567:0:0:8888:9999:1111:0
Syslog messages can be sent using UDP (default), TCP, or KRDP.
The Kiwi Reliable Delivery Protocol (KRDP) works between two Kiwi Syslog Servers to reliably deliver syslog messages over a TCP transport.
This specifies the port number to send the message to. Recommended values are:
UDP: Port 514
TCP: Port 1468 or port 601
KRDP: Port 1468
New Facility/New Level
This allows you to force all outgoing messages to use a new Facility or Level. In most cases this option should be set to "- No change -". This will forward messages with the same Facility and Level that they arrived with.
KRDP connection identifier
This specifies the unique name assigned to the KRDP connection. Each connection between the source and destination syslog Server needs to be identified. When the connection is broken and re-established, the sequence numbers can be exchanged and any lost messages can be resent. A separate set of message sequence numbers is kept against each connection identifier.
Examples are: Source:RemoteOffice1 or SyslogServer1
The string of text used will uniquely identify the source of the connection to the destination syslog Server.
If you have more than one "Forward to another host" action configured, you can use the same connection identifier on all actions. This will mean that only a single KRDP connection is made between the source and destination syslog Servers. If you specify a different connection identifier, multiple KRDP sessions will be created.
To ensure that the identifier is unique, we recommend the use of the %MACAddress variable. This variable will be replaced by the first MAC address of the machine.
Examples are: Source:RemoteOffice1-%MACAddress
When running, the ID would look like: Source:RemoteOffice1-AA-BB-CC-DD-EE-FF-00
The MAC Address is globally unique to each network card.
Send with RFC3164 header information
This will add the standard RFC3164 header information to the outgoing message. The format is:
<Priority>Date Hostname PID Message text
The Priority is a value between 0 and 191
The Date is in the format of Mmm DD HH:NN:SS (July 4 12:44:39). Note there is no year specified.
The PID is a program identifier up to 32 characters in length
Retain the original source address of the message
Normally, the syslog protocol is unable to maintain the original sender's address when forwarding/relaying syslog messages. This is because the sender's address is taken from the received UDP or TCP packet.
The way Kiwi Syslog gets around this problem is to place tags in the message text that contain the original sender's address. By default, the tag looks like Original Address=192.168.1.1. That is, the "Original Address=" tag, followed by the IP address, followed by a space delimiter.
These tags are only inserted if the "Retain the original source address of the message" option is checked.
These tags can also be overridden by way of two registry settings, named OriginalAddressStartTag and OriginalAddressEndTag.
For more information on overriding the default originating address start and end tags, please see Originating Address - Custom Start and End tags.
Note: If the "Spoof Network Packet" option is used, then the "Original Address=" tag will not be used. The Syslog packet will be forwarded to the destination address as though it has been sent from the originating IP address.
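The following added example (not part of the original page or of Kiwi Syslog) shows how a receiving collector could split the Priority into Facility and Level and recover the original sender from the default "Original Address=" tag, honouring the tag only from known relays because it is ordinary message text that any sender can include. The relay address 10.0.0.5, the sample message, the position of the tag within the text and the function names are assumptions.

```python
import ipaddress
import re

# Assumption: the relay(s) this collector accepts "Original Address=" tags from.
TRUSTED_RELAYS = {ipaddress.ip_address("10.0.0.5")}
# Default tag described on the page: tag, IP address, space delimiter.
START_TAG, END_TAG = "Original Address=", " "
# Constructed sample; where the relay places the tag in the text is assumed.
SAMPLE = "<134>Jul  4 12:44:39 relay01 Original Address=192.168.1.1 link up on port 3"


def split_priority(raw):
    """Return (facility, level, rest) for a '<Priority>...' message."""
    m = re.match(r"<(\d{1,3})>", raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range priority")
    pri = int(m.group(1))
    return pri // 8, pri % 8, raw[m.end():]


def effective_source(packet_src, raw):
    """Return (source_ip, text) for a message received from packet_src.

    The tag is in-band text, so it is honoured only when the packet came
    from a trusted relay and the tagged value parses as an IP address.
    Otherwise the packet's own source address is kept and the text is unchanged.
    """
    src = ipaddress.ip_address(packet_src)
    start = raw.find(START_TAG)
    if src not in TRUSTED_RELAYS or start == -1:
        return str(src), raw
    value_at = start + len(START_TAG)
    end = raw.find(END_TAG, value_at)
    if end == -1:
        return str(src), raw
    try:
        original = ipaddress.ip_address(raw[value_at:end])
    except ValueError:
        return str(src), raw
    return str(original), raw[:start] + raw[end + len(END_TAG):]


if __name__ == "__main__":
    print(split_priority(SAMPLE)[:2])
    print(effective_source("10.0.0.5", SAMPLE))
    print(effective_source("203.0.113.9", SAMPLE))
```

If the OriginalAddressStartTag and OriginalAddressEndTag registry settings have been changed on the relay, START_TAG and END_TAG must be set to the same values on the collector.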
Use a fixed source IP address
This option will use a fixed IP address in the Original Address= tag. This can be useful when you want to identify all outgoing messages as from a particular host. For example, if you have many remote syslog Servers sending messages to one central location. If each of the remote syslogs use the 10.0.0.x address range, all the received messages will appear from the same host. Specifying a different source IP address for each remote syslog could help in identifying the incoming messages better.
Note: If the "Spoof Network Packet" option is used, then the "Original Address=" tag will not be used. The Syslog packet will be forwarded to the destination address as though it has been sent from the specified fixed IP address.
Spoof Network Packet
This feature is only available in the licensed version and requires WinPcap 4.1+ to be installed.
This option only applies to syslog messages forwarded via the UDP protocol, and only with IPv4 addresses.
The network packet will be spoofed to appear as though the forwarded message has come directly from the originating device's IP address, and not the address of the Syslog Server. Kiwi Syslog Server will use the Selected Network Adapter to send the spoofed UDP/IP packet.
This option also requires that WinPcap version 4.1 and above is installed. WinPcap (Windows Packet Capture library) is available for download from: WinPcap, The Packet Capture and Network Monitoring Library for Windows (© 2016 VMware, Inc., available at http://www.winpcap.org/, obtained on July 21, 2016.)
Use the Test button to send a test Syslog message to the host(s) specified.