Review of
Kiwi Syslog Server - Free Trial of Network Utility
What is Kiwi Syslog from SolarWinds?
Syslog is a logging protocol, traditionally carried over UDP (port 514), that ships
event messages from Cisco routers and other network devices to a collector. These log
messages are invaluable for troubleshooting network problems, and they are particularly
useful for detecting security breaches. The free trial download of Kiwi Syslog Server
captures these datagrams and analyzes their log messages so that you can 'see'
what's happening inside your network cables.
You only have to see the word Daemon, as in Syslog Daemon, to realize
that this protocol originated in UNIX. I say protocol, but all
that syslog does is transport event messages from routers and other
network hardware. Syslog's success and universal adoption is based on
simplicity: it's just not fussy about what sort of event log messages it
carries. As a result syslog has become the de-facto standard for system
management and event reporting in heterogeneous networks.
A syslog daemon is merely a device / program / entity that
listens for the UDP syslog packets. Thus the skill lies in what
you do with the information in these message logs, and this is where a
Windows syslog analyser comes into play. Actually, the manufacturer, SolarWinds,
calls it the Kiwi Syslog Server.
The next problem is how to interpret the data as displayed by the Kiwi
Daemon.
Analyzing logs is part art, part science. As with other facets of
life, the more you work with logging the better you get. Thanks
to all the articles on the internet, learning how to filter the syslog data
has
never been easier. My mission is simply to get you up and running
with Kiwi Syslog Server.
Nobody ever says: 'Our software is difficult to set up'. In fact many
say, 'This product is easy to install', but Guy says most of them lie,
or the statement only applies if you are already an expert in that type
of software.
Guy says that if you take 100 experts on routers, then 90 will
get the Kiwi Syslog Server up and running without even reading the
instructions. The other 10 will succeed with a quick glance at the
help files.
Guy says that if you take 100 good computer techies / administrators
who have no knowledge of routers, then only 33 will get the Kiwi Syslog
Server working, even if they digest the manual. The aim of this
article is to get that figure up to 75 by giving you a few tips based on
my experience. My whole rationale is to get people to the point where the
product is working, and they can then enjoy discovering for themselves all
about the advanced features.
The actual Kiwi install was easy. I extracted the files from the zip and ran setup,
noting that the program's files were copied to Program Files\syslogd\
(the last 'd' is not a typo, but 'd' for daemon). The hardest
decision during install is whether to opt for the Daemon Service, or to
select the (Daemon) Windows Application mode. If you change your mind
about the mode later, just run setup again.
Test Button
It seems obvious to me now, but to access the 'Test Button' you must go
via the File Menu, Send Test Message. It may just be me, but when I called
for File Menu, Setup, the 'Test Message' button was always greyed out,
making me worry needlessly that Kiwi Syslog was not installed properly.
Restart Service
The first problem with checking any Windows service is finding its correct
name; here the full name is Kiwi Syslog Daemon (not plain Syslog Daemon).
Snare (see more later) is easier to spot amongst the list of services; it
too is found under the letter 'S'. My point is that a quick restart of the
service may get it working without the hassle of a reboot.
Close then Reopen the Kiwi Manager
My message here is have faith that Syslog will work. My tip is to cultivate a
positive attitude. If you come across a glitch think '100s of others
have got this working, so what am I doing wrong?' Or say to
yourself, 'It's working OK, but I cannot see what I am looking for right
now.'
If no messages appear immediately after install, the best thing to do is close, then reopen, the Kiwi Syslog Manager.
Incidentally, for some strange reason, it always helps me to walk away
from the computer, make a cup of coffee and try again. Whereas before the
break I was pressing the wrong buttons and going around in ever-decreasing
circles, afterwards things miraculously seem to work perfectly.
The distress I felt at not seeing any network messages reminded me of
God's reply when Seamus complained that he never won the lottery.
God said: 'Give me a chance Seamus, and at least buy a ticket'.
Guy says: 'If you have
no messages, give Kiwi a chance and show it a router!'
Alternatively, install
'Snare', so that you divert the Windows Server log messages to the Kiwi Syslog
application and get some action.
Solution: Get Snare and See Windows Event Logs with Kiwi
An ideal way of appraising Kiwi syslog is to
divert the built-in Windows event logs into the Kiwi Server running in Application
mode. This is especially useful
if you have a machine with no router available to test a Windows syslog
application. In this
scenario what you need is to download and install the
Snare program, then watch out for the setup menu which links the
Kiwi Daemon to
the native Windows system and application logs.
Caution. By syslog standards, the Windows Event Logs are certainly
verbose, and maybe obscure. My point is that this configuration won't give
you the full flavour of
what logging syslog network messages from a router could achieve.
Run the Kiwi Syslog Server Daemon as a Windows Service, or as a stand-alone
application. Decide upon the user account to run the Service, or the
application. I chose the Local Account for the service and logged on as an
administrator to run the service.
As an alternative to a Windows Server (2003 or 2008), install Kiwi Syslog on a Vista Machine.
Plan to protect your logs at least with a backup.
Decisions For Later
Identify threats you want to log, for example both hacker
activity and error messages from faulty network equipment.
Develop contingency plans for virus attacks and for the danger of being
swamped by messages.
Integration with SNMP (Optional)
Use MySQL or other database to manipulate the data (Licensed
version only)
I have to say that SolarWinds products in general, and Kiwi Syslog
Server in particular, give away a generous amount of features for free.
Naturally, they know their market, but for a small business the free
version may be all that they need. This is all good news for us users, as
the features are all robust, having been tested on the 'big brother' fully
licensed version.
No Kiwi syslog assessment would be complete without a list of the extra features in the licensed version.
While my mission is over when you complete a real-life
set-up of this Windows syslog analyzer, I want to point out that this
Kiwi program has depth. For example, check out the scripts that come with
Kiwi Syslog Server; you will see a selection in the \Syslogd\Scripts folder.
Here is a straightforward template to filter, then write the messages
that you are interested in to a file.
Function Main()
    Main = "OK"

    ' Note: This script requires Read access to "Other fields" variables.
    ' Ensure that the Fields read/write permissions are set as below...
    '
    '                  Read | Write
    ' Common fields      X  |
    ' Other fields       X  |
    ' Custom fields         |   X
    '
    ' This script will write to the specified filename using a tab delimited format.
    ' AutoSplit syntax values can be used in the filename if you want.
    ' To have the filename contain the current hour of the day, use %TimeHH
    ' Example: Filename = "C:\Program files\Syslogd\Logs\TestLog%TimeHH.txt"

    Filename = "C:\Program files\Syslogd\Logs\TestLog.txt"

    MsgPriority = "Local7.Info"
    MsgHostAddress = Fields.VarPeerAddress
    ' Use the date and time from the current message
    MsgDate = Fields.VarDate & " " & Fields.VarTime
    MsgText = "This is a test message from the scripting action"

    ' The page's copy of the template stops above; the remaining lines complete it
    ' with standard VBScript so that the record is actually written. The filename
    ' is used as given (no AutoSplit expansion is performed in this completion).
    Const ForAppending = 8
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set logFile = fso.OpenTextFile(Filename, ForAppending, True)
    logFile.WriteLine MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText
    logFile.Close
End Function
A company introduced a bonus system to induce techies to improve server
and network performance. Under the scheme the company gave the
techies a bonus of $500 a month, however, for each critical or error
message in the log they deducted $1. The concept was that techies
would work their socks off trying to find and eliminate network problems
and earn themselves a nice bonus.
At the end of the first month my friend 'Mad' Mick owed the
company $134 as he had 634 errors on his network. For the second
month 'Mad' Mick deleted the logs and claimed the entire $500 bonus.
In the third month the company sacked Mick.
What to do with the log information?
Testing the Kiwi Syslog provides a great opportunity to evaluate your overall strategy for
examining message logging.
I guarantee that just evaluating the logs will give you at least three good ideas
to improve your network.
The Kiwi analyzer receives logs from network devices such as
routers, switches, Unix hosts, and other syslog-enabled devices.
Features include PIX and LinkSys firewall logging, SNMP traps and TCP
support.
Kiwi has a 'Rules Engine' for filtering on time of day, queue
length and other criteria. It is also versatile and co-operative,
because it can send an SNMP trap to a utility that collects and analyzes
Simple Network Management Protocol messages. Thus, all the tools are there
in the Kiwi Windows Syslog application to perform trend analysis of the
log message statistics.
Types of Computer Logs
Syslog from routers and other network devices - Capture and
interpret with Kiwi Syslog
Server
Windows (System, Application, Security) - Inspect with Event Viewer
Database Logs. Many applications, for example Exchange and
SQL, have one or more additional logs. Each database
application will have its own tool for reading at least some
of these logs. Other database logs are only machine readable
and designed for checkpoint recovery.
Windows logs produce a text record of all manner of actions that the operating
system performs. What to do with all this information? How
much information to record? It can get to the ridiculous point
that the operating system slows down because it spends all its time
writing to the logs. It can get so sad that the operating system
keeps recording that a log is full. Funny, but only when it
happens to someone else.
More Ideas for Reviewing Your Log Strategy
Here are questions to get you started with your review of logging.
Do you check both security and application logs?
Should you filter logs for only critical and error messages, or
add all the informational stuff?
Are you collecting logs for just the server, or also the
network?
Is there an alert on changes to the security log?
To what extent does logging slow down the server?
Is logging bypassed when the system is under severe load?
What more do you need to know about logging? For example, how do you
control logging on the hardware device itself?
Much can be explained once you remember that syslog started life in the
Unix world. It consists of the syslog protocol, which packages the log
messages on the client, and a syslogd daemon which collects the messages
on the server. Because syslog is such a simple, open protocol,
applications such as the Kiwi Syslog Server are able to capture the
messages and add value with sophisticated analysis and display features.
On the client side, numerous network devices today generate syslog
messages, for example Cisco routers, switches, and PIX Firewalls.
Logging Severity and Facility Values
As I keep emphasising in my review, syslog is a very simple but effective auditing
protocol. The header carries two pieces of vital information for the
receiving daemon, the severity level and the facility value; on the wire
they are packed into one priority number, facility * 8 + severity, sent in
angle brackets at the very start of the datagram. Naturally, the message
also carries the IP address or hostname of the sending device. Apart from
the message payload, the only other information is the timestamp of when
the message was sent.
One of the reasons that syslog has been such a success is that there are
so few restrictions. The disadvantage of this lack of standardization
is that devices vary on what comprises an alert and what is considered
a critical error; therefore you have to spend time with the error
messages so that you can tune into each device's interpretation of
severity level.
Appraise the Severity Levels
This field determines the importance of the syslog message. It is up
to the devices, or who configures them, to set an appropriate level.
0 Emergency: System is unusable.
1 Alert: Action must be taken immediately.
2 Critical: Critical conditions.
3 Error: Error conditions.
4 Warning: Warning conditions.
5 Notice: Normal but significant condition.
6 Informational: Informational messages.
7 Debug: Debug-level messages.
Facility Values of the System Sending the Message
The value of the 'Facility' field identifies the subsystem that sent the
syslog message; as you can see from the 'local use' values at the bottom,
it also caters for non-Unix systems such as routers and firewalls.
0 Kernel messages
1 User-level messages
2 Mail system
3 System daemons
4 Security/authorization messages
5 Messages generated internally by Syslogd
6 Line printer subsystem
7 Network news subsystem
8 UUCP subsystem
9 Clock daemon
10 Security/authorization messages
11 FTP daemon
12 NTP subsystem
13 Log audit
14 Log alert
15 Clock daemon
16 Local use 0 (local0)
17 Local use 1 (local1)
18 Local use 2 (local2)
19 Local use 3 (local3)
20 Local use 4 (local4)
21 Local use 5 (local5)
22 Local use 6 (local6)
23 Local use 7 (local7)
Cisco Routers
By default, Cisco routers send syslog messages with a facility of
local7. Other network devices also use local7, or one of the other
facility numbers, in the headers of their syslog messages. These
tables of severity and facility may give you ideas for filtering your
logs.
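The tables above and the daemon's job described at the start of this review (a program that listens for UDP syslog packets) come together in the following added Python example. It is not code from the page or from SolarWinds: it decodes the priority number into facility and severity, applies three rules in the spirit of Kiwi's rules engine (Error or worse from any device; Cisco running-config changes, which arrive as local7.notice; datagrams with no valid PRI), and can run as a minimal listener. The sample datagrams are constructed, not captured; the addresses come from documentation ranges, and the Cisco IOS and PIX message shapes follow the vendors' conventions. The CONFIG_I rule and the severity threshold are my own choices, not Kiwi defaults.

```python
"""Decode syslog priorities and filter messages the way a syslog daemon (or Kiwi's
rules engine) does.  Added example; not code from the page or from SolarWinds."""
import re
import socket
from dataclasses import dataclass

# Severity (0-7) and facility (0-23) names, matching the tables in the review.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# RFC 3164: a receiver that cannot find a valid <PRI> prefix assumes user.notice (1*8+5).
DEFAULT_PRI = 13
_PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    peer: str        # sender's IP address as seen by the receiving socket
    text: str
    pri_valid: bool  # False when the PRI was missing or out of range

    @property
    def priority(self) -> str:
        """Kiwi-style 'facility.severity' label, e.g. 'local7.Notice'."""
        return f"{FACILITIES[self.facility]}.{SEVERITIES[self.severity]}"


def parse_syslog(datagram: bytes, peer: str) -> SyslogMessage:
    """Split a raw datagram into facility, severity and message text.

    PRI = facility * 8 + severity, so the two fields come back with // and %.
    Anything without a well-formed PRI (0..191) is kept whole as the text and
    flagged rather than dropped: a sender that cannot form a PRI is itself
    worth knowing about.
    """
    raw = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, text, ok = int(m.group(1)), raw[m.end():], True
    else:
        pri, text, ok = DEFAULT_PRI, raw, False
    return SyslogMessage(pri // 8, pri % 8, peer, text.strip(), ok)


def should_alert(msg: SyslogMessage) -> bool:
    """A small rules engine: which messages deserve attention (my rules, not Kiwi's)."""
    if msg.severity <= 3:        # Emergency .. Error, from any device
        return True
    if not msg.pri_valid:        # misconfigured sender, or non-syslog traffic on port 514
        return True
    # Cisco IOS reports a running-config change as local7.notice; a notice is easy
    # to overlook among routine traffic, but on a router it is security-relevant.
    if msg.facility == 23 and "%SYS-5-CONFIG_I" in msg.text:
        return True
    return False


def triage(datagrams):
    """Run the rules over (peer, datagram) pairs and return the messages that fire."""
    hits = []
    for peer, data in datagrams:
        msg = parse_syslog(data, peer)
        if should_alert(msg):
            hits.append(msg)
    return hits


# Constructed sample traffic (not captured from a real network).
SAMPLE_DATAGRAMS = [
    ("192.0.2.1",   b"<189>47: *Mar  1 00:01:02.345: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.50)"),
    ("192.0.2.254", b"<163>%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/40210 dst inside:192.0.2.10/445"),
    ("192.0.2.20",  b"<34>Mar  1 00:01:03 srv1 su: 'su root' failed for guy on /dev/pts/8"),
    ("192.0.2.20",  b"<14>Mar  1 00:01:04 srv1 app[123]: user guy logged in"),
    ("192.0.2.1",   b"<190>48: *Mar  1 00:01:05.000: %LINK-6-CHANGED: Interface Vlan1 changed state to up"),
    ("192.0.2.99",  b"hello kiwi"),                 # no PRI at all
    ("192.0.2.99",  b"<999>not a real priority"),   # PRI out of range
]


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal syslog daemon: listen for UDP datagrams and print the ones that fire.
    Binding 514 needs administrator/root rights and a free port (stop Kiwi first)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            msg = parse_syslog(data, peer)
            if should_alert(msg):
                print(f"{msg.peer:<15} {msg.priority:<20} {msg.text}")


if __name__ == "__main__":
    for hit in triage(SAMPLE_DATAGRAMS):
        print(f"{hit.peer:<15} {hit.priority:<20} {hit.text}")
```

Run it as-is to triage the constructed samples: the config change, the PIX deny, the failed su and the two malformed datagrams fire, while the ordinary user.info and the link-up notice do not. Call serve() to listen for real traffic; only one process can own UDP 514, so stop the Kiwi service first or pick another port.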
Troubleshooting Kiwi Syslog
Is the syslog daemon running on the local computer?
Is this computer able to receive syslog datagrams from syslog
devices on the network(s)? A host firewall blocking UDP port 514 is
the usual culprit.
Are there any hosts capable of sending syslog messages? If
it's a Unix system, check its /etc/syslog.conf.
Check the Cisco or other vendors' documentation. In
particular, find out whether syslog is on or off by default.
If the application does not support syslog by default, is
there a setting to configure a logger to send data via syslog?
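To work through the first two questions (is the daemon running, can this computer receive syslog datagrams) without waiting for a router, here is an added Python example, not from the page or from SolarWinds, that builds a BSD-syslog (RFC 3164) datagram and sends it to a collector such as a Kiwi host. The hostname, tag and collector address are placeholders; loopback_check binds an ephemeral UDP port on 127.0.0.1 so it runs offline and separates a local problem from a network one.

```python
"""Send a constructed syslog test datagram to a collector, to prove the path from
sender to Kiwi works before blaming the router.  Added example; not code from the
page or from SolarWinds."""
import socket
from datetime import datetime
from typing import Optional

MAX_DATAGRAM = 1024  # RFC 3164 upper bound; older collectors truncate or drop longer packets
PROBE_TIME = datetime(2009, 3, 1, 0, 1, 2)  # fixed timestamp for the self-test


def build_datagram(facility: int, severity: int, hostname: str, tag: str,
                   text: str, when: Optional[datetime] = None) -> bytes:
    """Build a BSD-syslog datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    PRI = facility * 8 + severity; both ranges are checked so that a typo does not
    silently land the message in a different facility.  The RFC timestamp pads the
    day with a space ('Mar  1'), not a zero, which some collectors insist on.
    """
    if not 0 <= facility <= 23:
        raise ValueError(f"facility must be 0..23, got {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity must be 0..7, got {severity}")
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    datagram = f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {text}"
    return datagram.encode("ascii", "replace")[:MAX_DATAGRAM]


def send_test_message(collector: str, port: int = 514, **fields) -> int:
    """Fire one datagram at the collector; returns the byte count handed to the socket."""
    data = build_datagram(**fields)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (collector, port))


def loopback_check(timeout: float = 2.0) -> bool:
    """Self-test on 127.0.0.1 with an ephemeral port.  If this fails, the fault is on
    the local machine (host firewall, permissions), not the network or the router."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        fields = dict(facility=23, severity=6, hostname="testhost",
                      tag="kiwi-check", text="loopback probe", when=PROBE_TIME)
        expected = build_datagram(**fields)
        send_test_message("127.0.0.1", port, **fields)
        try:
            received, _ = listener.recvfrom(MAX_DATAGRAM)
        except socket.timeout:
            return False
        return received == expected


if __name__ == "__main__":
    print("loopback:", loopback_check())
    # A Cisco-style message (facility local7, severity Informational) aimed at a
    # collector; 192.0.2.10 is a placeholder, change it to your Kiwi host.
    send_test_message("192.0.2.10", facility=23, severity=6, hostname="router1",
                      tag="101", text="Configured from console by vty0")
```

With Kiwi running in Application mode, the second call should make a Local7.Info line from 'router1' appear in the display within a second; if the loopback check passes but nothing shows up, look at the firewall between the two machines before anything else.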
Serious Kit for the Kiwi Syslog Server
Fast CPU
RAID 0 + 1 Disk
Don't skimp on a fast proprietary NIC
Summary: Review of Kiwi Syslog Server
Logs are full of information for troubleshooting network problems.
When something really goes wrong then
surely there will be an error message in the log - if only we can find
that record and interpret the event. What will help to analyze such
network messages on a Windows computer is the Kiwi Syslog Server.
Finally, a great log analyzer, such as Kiwi, will anticipate problems
and make you a better administrator.
Additional Free and Trial SolarWinds Network Software
These are programs which I have enjoyed evaluating on my
network. Some are completely free, while other downloads are trial
versions of the full product. I think SolarWinds have a great
strategy, namely, supplying a free gadget, which may be all a small
company need, yet providing a big-brother suite of programs for
larger organizations.
Guy Recommends:
SolarWinds' NPM - Network Performance Monitor
SolarWinds' performance monitor is designed for detecting network outages,
making it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps; it also helps
identifying whether the
root cause is faulty equipment, or resource overload. Give NPM a try.