Syslog is a UDP protocol that sends messages from Cisco routers and other network devices. These log messages are invaluable for troubleshooting network problems; they are particularly useful for detecting security breaches. The free trial download of Kiwi Syslog Server captures these datagrams and analyzes their log messages so that you can ‘see’ what’s happening inside your network cables.
Review of Kiwi Syslog Server Version 9
- How a Syslog Analyzer Works
- Getting Started with SolarWinds Syslog Server
- The Actual Kiwi Syslog Install
- Guy’s Panic – No Messages
- Guy’s Disappointment – No Network Messages
- Decisions At Install
- Extra Features in the Licensed Version
- A Brief Review of Syslog’s History and Terminology
- Free Trial Download of the Kiwi Syslog Server
Screenshot of the Kiwi Syslog Service Manager
You only have to see the word Daemon, as in Syslog Daemon, to realize that this UDP protocol originated in UNIX. I say protocol, but all that syslog does is transport event messages from routers and other network hardware. Syslog’s success and universal adoption is based on simplicity: it is just not fussy about what sort of event log messages it carries. As a result, syslog has become the de facto standard for system management and event reporting in heterogeneous networks.
A syslog daemon is merely a device / program / entity that listens for the UDP syslog packets. Thus the skill lies in what you do with the information in these message logs, and this is where a Windows syslog analyzer comes into play. Actually, the manufacturer, SolarWinds, calls it the Kiwi Syslog Server.
The next problem is how to interpret the data as displayed by the Kiwi Daemon. Analyzing logs is part art, part science. As with other facets of life, the more you work with logging the better you get. Thanks to all the articles on the internet, learning how to filter the syslog data has never been easier. My mission is simply to get you up and running with Kiwi Syslog Server.
Nobody ever says: ‘Our software is difficult to set up’. In fact many say, ‘This product is easy to install’, but Guy says most of them lie, or the statement only applies if you are already an expert in that type of software.
Guy says that if you take 100 experts on routers, then 90 will get the Kiwi Syslog Server up and running without even reading the instructions. The other 10 will succeed with a quick glance at the help files.
Guy says that if you take 100 good computer techies / administrators who have no knowledge of routers, then only 33 will get the Kiwi Syslog Server working, even if they digest the manual. The aim of this article is to get that figure up to 75 by giving you a few tips based on my experience. My whole rationale is to get people to the point where the product is working, so that they can then enjoy discovering the advanced features for themselves.
Guy’s Review of the Actual Kiwi Syslog Install
The actual Kiwi install was easy. I extracted the files from the zip and ran setup, noting that the program’s files were copied to Program Files\syslogd\ (the last ‘d’ is not a typo, but ‘d’ for daemon). The hardest decision during install is whether to opt for the Daemon Service, or to select the (Daemon) Windows Application mode. If you change your mind about Windows syslog, just run setup again.
Test Button
It seems obvious to me now, but to access the ‘Test Button’ you must go via the File Menu, Send Test Message. It may just be me, but when I called for File Menu, Setup, the ‘Test Message’ button was always ‘greyed out’, making me worry needlessly that Kiwi Syslog was not installed properly.
Restart Service
The first problem with checking any Windows service is finding its correct name; here the full name is Kiwi Syslog Daemon (not plain Syslog Daemon). Snare (see more later) is easier to spot amongst the list of services; it too is found under the letter ‘S’. My point is that a quick restart of the service may get it working without the hassle of a reboot.
Close then Reopen the Kiwi Manager
My message here is to have faith that Syslog will work. My tip is to cultivate a positive attitude. If you come across a glitch, think ‘100s of others have got this working, so what am I doing wrong?’ Or say to yourself, ‘It’s working OK, but I cannot see what I am looking for right now.’
If no messages appear immediately after install, the best thing to do is close, then reopen, the Kiwi Syslog Manager. Incidentally, for some strange reason, it always helps me to walk away from the computer, make a cup of coffee and try again. Whereas before the break I was pressing the wrong buttons and going around in ever decreasing circles, miraculously, after a break, things now seem to work perfectly.
The distress I felt at not seeing any network messages reminded me of God’s reply when Seamus complained that he never won the lottery. God said: ‘Give me a chance Seamus, and at least buy a ticket’.
Guy says: ‘If you have no messages, give Kiwi a chance and show it a router!’ Alternatively, install ‘Snare’, so that you divert the Windows Server log messages to the Kiwi Syslog application and get some action.
Solution: Get Snare and See Windows Event Logs with Kiwi
An ideal way of appraising Kiwi syslog is to divert the built-in Windows event logs into the Kiwi Server running in Application mode. This is especially useful if you have a machine with no router available to test a Windows syslog application. In this scenario, download and install the Snare program, then watch out for the setup menu which links the Kiwi Daemon to the native Windows system and application logs.
Caution. By syslog standards, the Windows Event Logs are certainly verbose, and maybe obscure. My point is that this configuration won’t give you the full flavour of what logging syslog network messages from a router could achieve.
Decisions At Install
- Run the Kiwi Syslog Server Daemon as a Windows Service, or as a stand-alone application. Decide upon the user to run the Service, or the application. I chose the Local Account for the service and logged on as an administrator to run the service.
- As an alternative to a Windows Server (2003 or 2008), install Kiwi Syslog on a Vista Machine.
- Plan to protect your logs at least with a backup.
Decisions For Later
- Identify threats you want to log, for example both hacker activity and error messages from faulty network equipment.
- Develop contingency plans for virus attacks and the danger of being swamped by messages.
- Integration with SNMP (Optional)
- Use MySQL or other database to manipulate the data (Licensed version only)
I have to say that all SolarWinds products in general, and Kiwi Syslog Server in particular, give away a generous amount of features for free. Naturally, they know their market, but for a small business the free version may be all that they need. This is all good news for us users, as the features are all robust, having been tested on the ‘big brother’ fully licensed version.
No Kiwi syslog assessment would be complete without a list of the extra features in the licensed version.
- Database Logging to SQL or MySQL
- Sophisticated Message Filtering
- Advanced Alerting
- Industrial Size Buffer for Messages
- Event Log Forwarder for Windows
- Free Kiwi CatTools
- See more about the Kiwi Syslog Server
SolarWinds Kiwi Syslog Video
While my mission is over when you complete a real-life set-up of this Windows syslog analyzer, I want to point out that this Kiwi program has depth. For example, check out the scripts that come with Kiwi Syslog Server; you will see a selection in the \Syslogd\Scripts folder.
Here is a straightforward template to filter, then write the messages that you are interested in to a file.
Function Main()
    Main = "OK"

    ' Note: This script requires Read access to "Other fields" variables.
    ' Ensure that the Fields read/write permissions are set as below...
    '
    '                  Read | Write
    ' Common fields     X   |
    ' Other fields      X   |
    ' Custom fields         |   X
    '
    ' This script will write to the specified filename using a tab delimited format.
    ' AutoSplit syntax values can be used in the filename if you want.
    ' To have the filename contain the current hour of the day, use %TimeHH
    ' Example: Filename = "C:\Program files\Syslogd\Logs\TestLog%TimeHH.txt"

    Filename = "C:\Program files\Syslogd\Logs\TestLog.txt"
    MsgPriority = "Local7.Info"
    MsgHostAddress = Fields.VarPeerAddress
    ' Use the date and time from the current message
    MsgDate = Fields.VarDate & " " & Fields.VarTime
    MsgText = "This is a test message from the scripting action"

    ' One tab-delimited record: date, priority, sender, text
    Data = MsgDate & vbTab & MsgPriority & vbTab & MsgHostAddress & vbTab & MsgText

    Call Fields.ActionLogToFile(Filename, Data)
End Function
An Amusing Case Study – How NOT to Motivate Staff
A company introduced a bonus system to induce techies to improve server and network performance. Under the scheme the company gave the techies a bonus of $500 a month, however, for each critical or error message in the log they deducted $1. The concept was that techies would work their socks off trying to find and eliminate network problems and earn themselves a nice bonus.
At the end of the first month my friend ‘Mad’ Mick owed the company $134 as he had 634 errors on his network. For the second month ‘Mad’ Mick deleted the logs and claimed the entire $500 bonus. In the third month the company sacked Mick.
What to do with the log information?
Testing the Kiwi Syslog provides a great opportunity to evaluate your overall strategy for examining message logging. I guarantee that just evaluating the logs will give you at least three good ideas to improve your network.
The Kiwi analyzer receives logs from network devices such as routers, switches, Unix hosts, and other syslog-enabled devices. Features include PIX and LinkSys firewall logging, SNMP trap and TCP support.
Kiwi has a ‘Rules Engine’ for filtering on time of day, queue length and other criteria. It is also versatile and co-operative, because it can send an SNMP trap to a utility that collects and analyzes Simple Network Management Protocol messages. Thus, all the tools are there in the Kiwi Windows Syslog application to perform trend analysis of the log message statistics.
Types of Computer Logs
- Syslog from routers and other network devices – Capture and interpret with Kiwi Syslog Server
- Windows (System, Application, Security) – Inspect with Event Viewer
- Database Logs. Many applications, for example Exchange and SQL have one or more additional logs. Each database application will have its own application for reading at least some of these logs. Other database logs are only machine readable and designed for checkpoint recovery.
Windows logs produce a text record of all manner of actions that the operating system performs. What to do with all this information? How much information to record? It can get to the ridiculous point that the operating system slows down because it spends all its time writing to the logs. It can get so sad that the operating system keeps recording that a log is full. Funny, but only when it happens to someone else.
More Ideas for Reviewing Your Log Strategy
Here are questions to get you started with your review of logging.
- Do you check both security and application logs?
- Should you filter logs for only critical and error messages, or record all the informational messages as well?
- Are you collecting logs for just the server, or also the Network?
- Is there an alert on changes to the security log?
- To what extent does logging slow down the server?
- Is logging bypassed when the system is under severe load?
- What more do you need to know about your logging? For example, how to control logging on the hardware device itself.
Much can be explained once you remember that syslog started life in the Unix world. It consists of the syslog protocol, which packages the log messages on the client, and a syslogd daemon which collects the messages on the server. Because syslog is such a simple open UDP protocol, applications such as the Kiwi Syslog Server are able to capture the messages and add value with sophisticated analysis and display features.
On the client side, today numerous network devices generate syslog messages, for example Cisco routers, switches, and PIX Firewalls.
Logging Severity and Facility Values
As I keep emphasising in my review, syslog is a very simple but effective auditing protocol. The headers have two pieces of vital information for the receiving daemon, the severity level and the facility value. Naturally, they also have the IP address or hostname of the sending device. Apart from the message payload, the only other information is the timestamp of when the message was sent.
One of the reasons that syslog has been such a success is that there are so few restrictions. The disadvantage of this lack of standardization is that devices vary on what comprises an alert and what is considered a critical error; therefore, you have to spend time with the error messages so that you can tune into each device’s interpretation of severity level.
Appraise the Severity Levels
This field determines the importance of the syslog message. It is up to the devices, or who configures them, to set an appropriate level.
- 0 Emergency: System is unusable.
- 1 Alert: Action must be taken immediately.
- 2 Critical: Critical conditions.
- 3 Error: Error conditions.
- 4 Warning: Warning conditions.
- 5 Notice: Normal but significant condition.
- 6 Informational: Informational messages.
- 7 Debug: Debug-level messages.
Facility Values of the System Sending the Message
The value for the ‘Facility’ field identifies the source of the syslog message. As you can see from the high numbers at the bottom (local0 to local7), it also caters for non-Unix systems.
- 0 Kernel messages
- 1 User-level messages
- 2 Mail system
- 3 System daemons
- 4 Security/authorization messages
- 5 Messages generated internally by Syslogd
- 6 Line printer subsystem
- 7 Network news subsystem
- 8 UUCP subsystem
- 9 Clock daemon
- 10 Security/authorization messages
- 11 FTP daemon
- 12 NTP subsystem
- 13 Log audit
- 14 Log alert
- 15 Clock daemon
- 16 Local use 0 (local0)
- 17 Local use 1 (local1)
- 18 Local use 2 (local2)
- 19 Local use 3 (local3)
- 20 Local use 4 (local4)
- 21 Local use 5 (local5)
- 22 Local use 6 (local6)
- 23 Local use 7 (local7)
By default, Cisco routers send syslog messages with a facility of local7. Other network devices use local7, or one of the other facility numbers, in the headers of their syslog messages. These tables of severity and facility may give you ideas for filtering your logs.
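To show how the severity and facility tables drive filtering, here is an added example (not code from the article or from SolarWinds) that decodes the PRI header of classic BSD-format datagrams, keeps only the messages of interest, and writes the same tab-delimited layout as the Kiwi script template above. The sample datagrams are constructed, not captured from a real router.

```python
import re

# Names for the severity (0-7) and facility (0-23) tables above; PRI = facility * 8 + severity.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             ["local%d" % i for i in range(8)]

# Classic BSD layout: <PRI>Mmm dd hh:mm:ss HOST MESSAGE
_BSD = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def decode_pri(pri):
    """Split PRI into (facility, severity); 191 = local7.Debug is the largest legal value."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8

def parse_bsd_syslog(datagram):
    """Parse one datagram (bytes). Text that does not fit the layout is kept whole, flagged raw."""
    text = datagram.decode("utf-8", errors="replace")
    m = _BSD.match(text)
    if not m:
        return {"raw": True, "msg": text}
    facility, severity = decode_pri(int(m.group(1)))
    return {"raw": False, "facility": facility, "severity": severity,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

def filter_messages(datagrams, max_severity=3, facilities=(23,)):
    """Keep parsable messages from the given facilities at max_severity or worse (lower number
    = more severe). Default: local7 at Error or worse, local7 being the Cisco default facility."""
    events = [parse_bsd_syslog(d) for d in datagrams]
    return [e for e in events if not e["raw"]
            and e["severity"] <= max_severity and e["facility"] in facilities]

def to_tab_line(event):
    """Tab-delimited record in the same column order as the Kiwi script template above."""
    priority = "%s.%s" % (FACILITIES[event["facility"]], SEVERITIES[event["severity"]])
    return "\t".join([event["timestamp"], priority, event["host"], event["msg"]])

# Constructed sample datagrams (not captured from a real device).
SAMPLE = [
    b"<187>Mar 14 10:15:01 router1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    b"<190>Mar 14 10:15:02 router1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
    b"<34>Mar 14 10:15:03 fileserver su: failed login attempt",
    b"this is not a syslog message",
]

if __name__ == "__main__":
    for event in filter_messages(SAMPLE):
        print(to_tab_line(event))
```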
Troubleshooting Kiwi Syslog
- Is the syslog daemon running on the local computer?
- Is this computer able to receive syslog datagrams from syslog devices on the network(s)?
- Are there any hosts capable of sending syslog messages? If it is a Unix system, check (or seek advice on) the /etc/syslog.conf file.
- Check the Cisco or other vendors’ documentation. In particular, find out whether syslog is on or off by default, and how to enable it.
- If the application does not support syslog by default, is there a setting to configure a logger to send data via syslog?
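When working through the checklist above, it helps to have a sender you control. This added example (not part of the article or of the Kiwi product) builds a BSD-style syslog datagram from a facility and severity, sends it over UDP to port 514, and includes a loopback self-check so you can prove the sender works before pointing it at the Kiwi host; the hostname, text and timestamp are constructed placeholders.

```python
import socket

def build_datagram(facility, severity, host, text, timestamp="Mar 14 10:15:01"):
    """Build <PRI>TIMESTAMP HOST TEXT, where PRI = facility * 8 + severity (see the tables above)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    return ("<%d>%s %s %s" % (pri, timestamp, host, text)).encode("utf-8")

def send_test_message(datagram, dest=("127.0.0.1", 514)):
    """Send one datagram to a syslog daemon (UDP 514 by default); returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, dest)

def loopback_check(datagram, timeout=2.0):
    """Bind a throwaway listener on 127.0.0.1 (port picked by the OS), send the datagram to it,
    and return (bytes received, peer address). A failure here is a local problem, not Kiwi's."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_test_message(datagram, ("127.0.0.1", port))
        data, peer = listener.recvfrom(2048)
        return data, peer[0]

if __name__ == "__main__":
    # local7.Informational, the facility a Cisco router uses by default (constructed text).
    msg = build_datagram(23, 6, "testhost", "Test message from the Python sender")
    received, peer = loopback_check(msg)
    print("received from %s: %r" % (peer, received))
    # Then point it at the Kiwi machine, e.g. send_test_message(msg, ("KIWI_HOST_PLACEHOLDER", 514))
```

If the loopback check passes but nothing appears in Kiwi, the problem lies between the two machines (firewall, wrong listening port, or the service not running).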
Serious Kit for the Kiwi Syslog Server
- Fast CPU
- RAID 0 + 1 Disk
- Don’t skimp on a fast proprietary NIC
Logs are full of information for troubleshooting network problems. When something really goes wrong then surely there will be an error message in the log – if only we can find that record and interpret the event. What will help to analyze such network messages on a Windows computer is the Kiwi Syslog Server.
Finally, a great log analyzer, such as Kiwi, will anticipate problems and make you a better administrator.
Additional Free and Trial SolarWinds Network Software
These are programs which I have enjoyed evaluating on my network. Some are completely free, while other downloads are trial versions of the full product. I think SolarWinds have a great strategy, namely, supplying a free gadget, which may be all a small company need, yet providing a big-brother suite of programs for larger organizations.