Ezine 159 – Syslog and the Free Kiwi Utility


If you are even a minor expert on routers and the syslog protocols, then I suggest that you cut to the chase and download the free Kiwi Syslog Server.

As I write the rest of this ezine, I have in my mind a competent computer techie who has little knowledge of routing protocols.

My twin aims are to give you an introduction to syslog, and provide a good free analyzer so that you can investigate error messages that routers, switches and firewalls are already sending on your network.  Such knowledge is particularly useful for troubleshooting security breaches and virus attacks.

Guy’s Review of the Kiwi Syslog Server

What is Syslog and Why is it Important?

Syslog is a UDP protocol that transports messages from Cisco routers and other network devices.  These log messages are invaluable for troubleshooting network problems; they are particularly useful for detecting security breaches.  The free Kiwi Syslog Server captures these datagrams and analyzes their log messages so that you can ‘see’ what’s happening in your ethernet cables.

How the Syslog Analyzer Works

You only have to see the word Daemon, as in Syslog Daemon, to realize that this UDP protocol originated in UNIX.  I say protocol, but all that syslog does is transport event messages from routers and other network hardware.  Syslog’s success and universal adoption is based on simplicity: it is just not fussy about what sort of event log messages it transports.  As a result syslog has become the de facto standard for system management and event reporting in heterogeneous networks.

A syslog daemon is merely a device / program / entity that listens for the UDP syslog packets.  Thus the skill lies in what you do with the information in these message logs, and this is where the Kiwi Syslog Server comes into play.

Free Download of Kiwi Syslog Server

Guy’s Review of the Actual Kiwi Install

The actual Kiwi install was easy.  I extracted the files from the zip and ran setup, noting that the program’s files were copied to Program Files\syslogd\ (the final ‘d’ is not a typo; it stands for daemon).  The hardest decision during install is whether to opt for the Daemon Service, or to select the (Daemon) Windows Application mode.  If you change your mind about Windows syslog, just run setup again.

Guy’s Disappointment – No Network Messages

The distress I felt at not seeing any proper network messages reminded me of God’s reply to Seamus when he complained that he never won the lottery.  ‘Give me a chance Seamus, and at least buy a ticket’.  If you have no messages, give Kiwi a chance and show it a router.  Alternatively, install ‘Snare’, so that you divert the Windows Server log messages to the Kiwi Syslog application and get some action.

Solution: Get Snare and See Windows Event Logs with Kiwi

An ideal way of running Kiwi through its paces is to divert the built-in Windows event logs into the Kiwi Server running in Application mode.  This is especially useful if you have a machine with no router available to test a Windows syslog application.  In this scenario what you need is to download and install the Snare program, then watch out for the setup menu which links the Kiwi Daemon to the native Windows system and application logs.

Caution.  By syslog standards, the Windows Event Logs are certainly verbose and maybe obscure.  My point is that this configuration won’t give you the full flavour of what logging syslog network messages from a router could achieve.


An Amusing Case Study – How NOT to Motivate Staff

A company called RedPeril introduced a bonus system to persuade their techies to improve security on their network.  Under the scheme the company gave the techies a bonus of £300 a month; however, for each critical or error message in the log they deducted £1.

RedPeril provided a Syslog Analyzer along with a day’s training, then the techies set about monitoring and tuning their networks.  The plan was that techies would now work intelligently trying to eliminate network problems, and in the process earn themselves a good bonus.

At the end of the first month my friend ‘Mad’ Mick owed the company £76 as he had 376 errors coming from his networks.  Sometime during the second month ‘Mad’ Mick deleted the logs and claimed the entire £300 bonus.  When the company found out in the third month they sacked Mick.

What to do with the log information?

Testing the Kiwi Syslog provides a great opportunity to evaluate your overall strategy for examining message logging.  I guarantee that just evaluating the logs will give you at least three good ideas to improve your network.

The Kiwi analyzer receives and logs messages from network devices such as routers, switches, Unix hosts, and other syslog-enabled devices.  Features include PIX and LinkSys firewall logging, SNMP trap and TCP support.

Kiwi has a ‘Rules Engine’ for filtering on time of day, queue length and other criteria.  It is also versatile and co-operative, because it can send an SNMP trap to a utility that collects and analyzes Simple Network Management Protocol messages.  Thus, all the tools are there in the Kiwi Windows Syslog application to perform trend analysis of the log message statistics.
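To show concretely what a syslog daemon listens for and what a ‘critical and error only’ rule does with it, here is an added example in Python; it is not Kiwi’s code nor anything from the Kiwi or Cisco documentation.  It decodes the RFC 3164 <PRI> header into facility and severity, picks up the severity that Cisco IOS and PIX embed in their %FACILITY-SEVERITY-MNEMONIC prefix, and counts errors per sending host the way the RedPeril scheme would.  The sample datagrams, IP addresses and the listen() helper are constructed for the example.

```python
import re
import socket
from collections import Counter

# RFC 3164 numeric codes: PRI = facility * 8 + severity (0 = emergency, 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0",
              "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)      # <PRI> header, then the body
CISCO_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")  # Cisco %FACILITY-SEV-MNEMONIC:

def parse_syslog(datagram: bytes, source_ip: str) -> dict:
    """Decode one UDP syslog datagram into host, facility, severity and text."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), m.group(2)
    else:  # missing or invalid <PRI>: keep the message as PRI 13 (user.notice), per RFC 3164
        pri, body = 13, text
    rec = {"host": source_ip, "facility": FACILITIES[pri // 8], "severity": pri % 8,
           "severity_name": SEVERITIES[pri % 8], "msg": body}
    c = CISCO_RE.search(body)
    if c:  # Cisco IOS/PIX embed the severity in the mnemonic, e.g. %LINK-3-UPDOWN
        sev = int(c.group(2))
        rec.update(cisco_facility=c.group(1), severity=sev,
                   severity_name=SEVERITIES[sev], mnemonic=c.group(3))
    return rec

def count_errors(records, max_severity=3) -> Counter:
    """Rules-engine style filter: per host, count messages at severity <= 3 (err)."""
    return Counter(r["host"] for r in records if r["severity"] <= max_severity)

def listen(port=514, limit=None):
    """Minimal syslog daemon: bind UDP/514 (needs admin rights) and yield parsed records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        seen = 0
        while limit is None or seen < limit:
            data, (ip, _) = sock.recvfrom(8192)
            yield parse_syslog(data, ip)
            seen += 1

SAMPLE = [  # constructed datagrams in Cisco IOS and PIX style; not captured from real devices
    (b"<189>42: *Mar  1 00:12:03: %SYS-5-CONFIG_I: Configured from console by vty0", "10.0.0.1"),
    (b"<187>43: *Mar  1 00:12:09: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down", "10.0.0.1"),
    (b"<188>11: %PIX-4-106023: Deny tcp src outside:203.0.113.9/4431 dst inside:10.0.0.5/445", "10.0.0.254"),
    (b"<186>12: %PIX-2-106001: Inbound TCP connection denied from 203.0.113.9/4432 to 10.0.0.5/445", "10.0.0.254"),
    (b"line with no priority header at all", "10.0.0.7"),
]
```

Run `count_errors([parse_syslog(d, ip) for d, ip in SAMPLE])` to see the per-host error tally; raise max_severity to 4 to include warnings, which is the difference between the ‘critical and error’ view and the ‘all the information stuff’ view discussed later.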

Types of Computer Logs

  1. Syslog from routers and other network devices – Capture and interpret with Kiwi Syslog Server
  2. Windows (System, Application, Security) – Inspect with Event Viewer
  3. Database Logs.  Many applications, for example Exchange and SQL have one or more additional logs.  Each database application will have its own application for reading at least some of these logs. 

Windows logs produce a text record of all manner of actions that the operating system performs.  What to do with all this information?  How much information to record?  It can get to the ridiculous point that the operating system slows down because it spends all its time writing to the logs.  It can get so sad that the operating system keeps recording that a log is full.  Funny, but only when it happens to someone else.

More Ideas for Reviewing your Log Strategy

Here are questions to get you started with your review of logging.

  • Do you check both security and application logs?
  • Should you filter logs for only critical and error messages, or add all the information stuff?
  • Are you collecting logs for just the server, or also the Network?
  • Is there an alert on changes to the security log?
  • To what extent does logging slow down the server?
  • Is logging bypassed when the system is under severe load?
  • What more do I need to know about your logging?  For example, control logging on the hardware device.

Summary of Windows Syslog Analyzing

Logs are full of information for troubleshooting network problems.  When something really goes wrong then surely there will be an error message in the log – if only we can find that record and interpret the event.  What will help to analyze such network messages on a Windows computer is the Kiwi Syslog Server.

A clever system such as the Kiwi Syslog server can provide extra vital information, such as grouping events so that you can see how long the problem has existed, and gain valuable clues from the time patterns.

Finally, a great log analyzer, such as Kiwi, will anticipate problems and make you a better administrator.


Guy Recommends: Tools4ever’s UMRA – The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information on UMRA.

Will and Guy’s Humour

This week Will and Guy offer an amusing review of safety at work; incidentally, this has proved our most popular page for January.

Safety is a major concern at the manufacturing company where I work. So I’m constantly preaching caution to the workers I supervise. ‘Does anyone know,’ I asked a few guys, ‘what the speed limit is in our parking lot?’

The long silence that followed was interrupted when one of them piped up. ‘That depends. Do you mean coming to work or leaving?’   See our PowerShell Presentation – Safety at work. 

See more interesting free computer utilities

Here are my reviews of more useful computer tools.  Most of these programs are free, while others are major applications, but time-limited.  One common theme is that Solarwinds give you a free specialist utility, and then supply a more comprehensive suite for larger organizations.  To let you into a secret; for small networks the free tool is all you’ll ever need.

E 202 Permissions Monitor  •  E 190 Network Device Monitor  •  E 181 Config Generator

E 166 IPAM  •  E 161 OB IT  •  E 159 Kiwi Syslog Review  •  E 156 Windows Network Monitor

Real Time Netflow Analyzer  •  Syslog Utility  •  Ezines Home