
Set up and test Kiwi Syslog integration with LEM

Created by Randall Harwood, last modified by Steve.Hawkins on Sep 29, 2016


Overview

Kiwi Syslog® Server for Windows collects and forwards syslog messages from various sources. It listens on UDP port 514 (default) for syslog messages. To capture syslog messages from another device, configure that device to forward its logs to the remote host (your Kiwi Syslog machine). This article describes how to set up your syslog server, filter events, and set up a connector on the LEM manager.

Environment

  • All Kiwi Syslog versions
  • All LEM versions

Steps

Install Kiwi Syslog Server

  1. Review the system requirements for Kiwi Syslog Server and ensure that your VM has sufficient resource allocations. 
  2. Set up a Windows Server virtual machine in your deployment. 
  3. Ensure that .NET Framework 3.5 SP1 is installed on the system hosting your syslog server. 
  4. Install Kiwi Syslog Server. Version 9.3.2 is recommended.

    You can download a trial license if you need to test a single task. This version has the same functionality as the full version.

  5. If you download the full version, download License Manager and activate your license using the licensing file included in the download. 
  6. Install Kiwi Syslog Generator on the same machine as Kiwi Syslog Server (recommended) so that generated syslogs are sent to the localhost.

    You can also install the software on another machine. 

  7. Install the LEM Agent (if required).
  8. Start the Kiwi Syslog Server Console. 
  9. Click the shortcut on your desktop and select File > Setup (or press CTRL + P). 
  10. Set up your default settings. 

    The following settings also apply to the Kiwi Syslog Generator for testing specific messages for a single connector. These settings will not filter your data. Kiwi will forward all logs to the specified file. 

    1. Click Rules > Default Actions.
    2. Set up the Log to file action. Specify your desired path for logging captured syslogs. 
    3. Leave Log file format set to default (Kiwi format ISO yyyy-mm-dd, tab delimited).
    4. At the bottom of the tab, click Test in Test Setup to send a test message. When completed, the generated test line displays in the log file defined in Path and file name of log file. 
    5. If the test message fails, ensure that the Syslogd service is running.

      In the main Kiwi console screen, click Manage and select Ping the Syslogd service. Start the service, if required. 

    6. Click Inputs > UDP.
    7. Ensure that Listen for UDP is enabled, the port is set to 514 (default), and Data encoding is set to System. 

      In Inputs > Setup, you can set the input to TCP, SNMP, or keep-alive, if required. 

    8. In the main Kiwi console screen, ensure that your chosen display (Display 00) is set as default and unlocked. 

Configure the software

You can configure your Kiwi Syslog Server to test various LEM syslog connectors. The server writes messages to a specific file, and the LEM connector on the agent side reads that file as its event source. 

In production environments, Kiwi Syslog Server can receive and forward logs from several devices. Be sure that the Rules (Filters + Actions) on the syslog server are configured correctly. As a best practice, split incoming messages into separate files based on the message hostname or IP address range.

You can forward syslog messages from all Cisco devices to a single file (such as CiscoSyslogs.log) or forward syslogs from each Cisco device to a separate file (such as Cisco1.log, Cisco2.log, and so on).

Various LEM syslog connectors define different patterns that correspond with the expected message format in the Kiwi log file (the path that you define in the connector). The default is the tab-delimited Kiwi ISO format. For specific cases, you can define a custom output file format. Several connectors expect different delimiters, time and date formats, qualifiers, and so on. As a result, the default format is not sufficient for all syslog connector types. 

To set up a rule for one specific source or source type on your Kiwi Syslog Service Manager (Server Console), open Setup (CTRL + P) and create Rules (Filters + Actions) for your specific sources and connectors.

If you are using more than one source at once, repeat the steps below for all of your source devices so you can log them to different files. Each active syslog connector will have its own source. 

Rules

Rules are groups of Filters and corresponding actions. You can define more than one Filter and Action for a single rule.

To add a new rule:

  1. Open the Kiwi Syslog Server Setup screen.
  2. In the left menu, right-click Rules and select Add rule.
  3. Enter a name for the rule that best describes the types of filtered messages and the actions associated with the rule (such as Log to file for KIWI - LEM integration). When completed, the rule appears at the bottom of the rules list in the left menu.

    You can relocate the rule, as well as disable or enable the rule, from this menu. You can also right-click the rule and copy or export it to another location. 

Filters

Filters distinguish between the messages received on the Kiwi Server side. You can assign a specific Action only to specific messages (depending on their source IP, hostname, priority, and so on).

To create a new filter:

  1. Locate the targeted rule.
  2. Under the rule, right-click Filters and select Add filter.
  3. Enter an appropriate name for the filter.

    For example, if you have two Cisco devices that you cannot monitor by IP range, create a rule named Cisco and then create filters for each device (such as CiscoDev1 and CiscoDev2). 

  4. On the top panel of the Kiwi Syslog Server Setup window, select the Field and Filter Type.

    For example, you can select IP address for the field and Simple for the filter type to create a filter that selects a single IP address. If there is only one filter for the rule, associated actions will trigger only for messages received from the IP address specified for this filter.

Actions

Actions are used to trigger specific responses to received events that are refined by filters and defined for a parent rule. You can create a new action the same way as you create a filter.

To create an action:

  1. Under the new rule, right-click Actions and select Add action.
  2. Enter an appropriate name for the action.

    For example, for an action that forwards filtered messages from Cisco device 1 to a specific file, you could use Cis1-[filename substring \ identifier] for easier navigation in case you have several rules, filters, and actions.

  3. Select the type of action. The most important actions for Kiwi Syslog - LEM integration testing are Display, Log to file, Forward to another host, and Send syslog message.

    Select Display to forward all unfiltered (if no filter is set) and filtered messages to the specified Display in the Kiwi Syslog Service Manager main screen. You can view all received messages immediately on the main screen to ensure that the message was delivered properly without checking additional resources (such as a log file).

  4. Select Log to file to configure the log file. Use this option for cases when you collect syslog messages using Kiwi Server and choose to use a syslog connector that reads from a remote (agent) log file. LEM can also receive syslogs without Kiwi Server, because the syslog-ng service runs by default on the LEM appliance.
  5. If you select Log to file: 

    1. Specify the path and file name of the log file. This is the path to the target file where the received messages are parsed and forwarded. SolarWinds suggests setting a simple path because you will need to specify the path to this file in the connector configuration on the Kiwi agent node in your LEM appliance. 
    2. Specify the log file format. This defines the exact format in which the forwarded messages are saved in the specified target file. 
    3. The required format can vary. It corresponds to the patterns defined in the connector (type of expected syslog). If you cannot find your desired file format (for example, if you are using unusual delimiters), you can define your own file format in the left menu. Right-click Formatting, select Custom file formats, and click Add new custom file format. When completed, drag and drop the log file fields to add, delete, or change the field order, customize the date and time format, or specify the delimiter and qualifier. 
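Before pointing a connector at the log file, it helps to confirm that every line actually has the layout the connector's patterns expect, and to see how a per-host split (one file per device) would look. The following Python check is an added example, not part of this article or of Kiwi; it assumes the default ISO format writes date, time, facility.level, host and message separated by tabs (verify this against your own log file), and the sample log lines are constructed.

```python
import re

# Assumed layout of Kiwi's default "ISO yyyy-mm-dd, tab delimited" log
# format (an assumption; verify against your own log file):
#   date<TAB>time<TAB>facility.level<TAB>source host<TAB>message
KIWI_FIELDS = ("date", "time", "priority", "host", "message")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")
PRI_RE = re.compile(r"^[A-Za-z0-9]+\.[A-Za-z]+$")

def parse_kiwi_line(line):
    """Return the line as a dict, or None if a connector for this format could not read it."""
    # Split on at most four tabs so a message that itself contains tabs stays whole
    parts = line.rstrip("\r\n").split("\t", 4)
    if len(parts) != len(KIWI_FIELDS):
        return None
    rec = dict(zip(KIWI_FIELDS, parts))
    if not (DATE_RE.match(rec["date"]) and TIME_RE.match(rec["time"])
            and PRI_RE.match(rec["priority"])):
        return None
    return rec

def check_log_file(lines):
    """Return (records, bad_line_numbers): clean records and the 1-based lines that fail to parse."""
    records, bad = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue  # blank lines are harmless
        rec = parse_kiwi_line(line)
        if rec is None:
            bad.append(number)
        else:
            records.append(rec)
    return records, bad

def split_by_host(records):
    """Group records by source host, like logging each device to its own file (Cisco1.log, Cisco2.log)."""
    by_host = {}
    for rec in records:
        by_host.setdefault(rec["host"], []).append(rec)
    return by_host

# Constructed sample: two lines in the default format and a third written with
# a comma delimiter, the kind of custom-format mismatch this check should flag
SAMPLE_LOG = [
    "2016-09-29\t09:40:12\tLocal0.Info\t192.168.1.10\t%SYS-5-CONFIG_I: Configured from console",
    "2016-09-29\t09:40:13\tLocal0.Notice\t192.168.1.11\t%LINK-3-UPDOWN: Interface up",
    "2016-09-29,09:40:14,Local0.Info,192.168.1.10,%SYS-5-CONFIG_I: Configured from console",
]
```

Run `check_log_file` over the lines of the file named in the Log to file action; any line number it reports is one the connector would skip.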

How to use Kiwi Syslog Message Generator

After you install and configure the software, you can start Kiwi Syslog Message Generator if you do not have a syslog source. 

After startup, enter the target IP address. If you installed the syslog message generator on the same machine hosting the syslog server, enter localhost. Accept the default settings in the remaining fields (such as Destination port 514 and Protocol UDP).

If you are using custom message text (for example, from an NCD customer issue), see if the message text contains an RFC header. If so, select the Use Syslog RFC header checkbox. 

After you configure the settings, click Send. The generated logs appear in:

  • Kiwi Syslog Server (Syslog Service Manager - Display 00 as default)
  • Specified log file
  • LEM Manager

SolarWinds recommends configuring a new filter in the LEM Monitor tab to exclude non-syslog-related events, such as AnyAlert. 
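As an added example that is not part of the original article, the following Python script reproduces what the generator does when Use Syslog RFC header is selected: it builds a message with an RFC 3164 header (PRI, timestamp, hostname) and sends it over UDP to localhost:514, so the result can be checked in Display 00, the log file and LEM. The facility and severity tables come from RFC 3164; the hostname kiwitest and the message text are assumed sample values.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; the header PRI is facility * 8 + severity
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_rfc3164(message, facility="local0", severity="info",
                  hostname="kiwitest", when=None):
    """Build a syslog line with an RFC 3164 header, the layout the generator
    sends when the Use Syslog RFC header checkbox is selected."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = when or datetime.now()
    # RFC 3164 TIMESTAMP is 'Mmm dd HH:MM:SS' with the day space-padded, not zero-padded
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {message}"

def decode_pri(line):
    """Return (facility, severity) names from the <PRI> at the start of a line,
    which is what a Kiwi Filter on priority matches against."""
    pri = int(line[1:line.index(">")])
    facility = {v: k for k, v in FACILITY.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITY.items()}[pri % 8]
    return facility, severity

def send_syslog(line, host="127.0.0.1", port=514):
    """Send one message over UDP to the Kiwi listener (localhost:514 by default)
    and return the number of bytes sent."""
    data = line.encode("ascii", errors="replace")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (host, port))

if __name__ == "__main__":
    # One message per severity, so a Filter on priority can be checked in Display 00
    for sev in ("info", "notice", "err"):
        line = build_rfc3164(f"Cisco test message severity={sev}", severity=sev)
        print(send_syslog(line), "bytes:", line)
```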
