Server 2008 R2 Std
Kiwi Syslog Server 9.4.1 (Free version)

I have an older version of Kiwi installed on an old server that is being retired. I’ve installed it on the new server, but I cannot get it to display anything. I exported settings from the other server and imported on this one, then went to Inputs-UDP and set the correct IP to bind it to.

  • I’ve gone through ALL the steps at SolarWinds Knowledge Base :: Kiwi Syslog Daemon is not receiving messages and Kiwi Syslog Server but had no luck getting it to work.
  • I know for a fact that messages are being received – when I run Wireshark with the filter “udp port 514”, I see PLENTY of traffic from my firewall. Both my firewall and VPN device are sending syslog messages to the old server and the new one. The old server is still working just fine.
  • Windows Firewall on the new server is completely disabled.
  • I loaded the default rules and settings but still had no luck.
  • I disabled all DNS resolution - no luck.
  • There is no Errorlog.txt in C:\Program Files (x86)\Syslogd.
  • Test messages from within Kiwi work just fine.
  • I finally uninstalled Kiwi, rebooted the server, then reinstalled, and have the same problem.

Kiwi is running as LocalService – I wondered if that might be the problem, but that’s how it’s running on the old server as well.

I’m at a loss as to what to do now. I tried contacting support, but since I’m using the free version I was directed to their forums. My thread is here and as of this posting, still unanswered. I was hoping somebody here might have some ideas?


Try setting Kiwi to bind to all interfaces and see what happens. In order to do this, leave the Bind to address blank. And what OS are you running on the machine?

Server 2008 R2 Std

I had it bound to a specific IP b/c I have 2 NICs. I’ll try removing that…

I removed the IP and hit apply. Then I restarted the Kiwi Syslog Server service for kicks and giggles. Still nothing showing up. I did a netstat -a | find ":514" and it now shows “UDP 0.0.0.0:515”…

Please download and run TCPView. Maybe you can post a screenshot with what program is listening on port UDP 514.

When I do “Load default Rules and Settings” shouldn’t it display everything it’s receiving?

Yes it should, but maybe other software is listening on port UDP 514.

Also you could try running SyslogGen and first sending messages to localhost 127.0.0.1 and then to the IP you want to use.

I tried SyslogGen from a remote PC, but not the server I’m trying to get it working on. I’ll do that next.

I just used the built-in Resource Monitor rather than TCPView - but you can see that syslogd_service.exe is listening on udp port 514 in the attached screenshot.

I couldn’t get it to do anything with 127.0.0.1 specified in SyslogGen. Once I changed it to the desired IP, and changed the IP binding within Kiwi, then I could see the “messages sent” count increment. However, still absolutely nothing in Kiwi. After changing the binding within Kiwi, I can see that syslogd_service is listening on the correct IP, udp 514.

This is so frustrating lol. Migrating syslog over to this new server was supposed to be one of the simplest parts of the process!

Interesting… when I select the syslogd_service.exe image in the Resource Monitor, I can see that the receive count is incrementing. I’m just not getting anything in the console, or in the log file that the default settings are pointing to (C:\Program Files (x86)\Syslogd\Logs\SyslogCatchAll-2014-01-13.txt).

Can you try a lower version: 9.3 for example, or even 9.1?

Any idea where I could find an earlier version?

I’ve uninstalled again, and now I can’t get it to reinstall at all - either the “free” or “eval” version. It just goes through the unpacking, then disappears.

http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.3.4-Eval-p876.zip

Thanks! That actually installed, but the service wouldn’t start so the install failed.

I see the service there, so tried to start it manually, but got a message that it stopped working, with these details:

Problem signature:
Problem Event Name: APPCRASH
Application Name: Syslogd_Service.exe
Application Version: 9.3.0.4
Application Timestamp: 5099dfce
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7601.18247
Fault Module Timestamp: 521ea8e7
Exception Code: c0000005
Exception Offset: 0002e17a
OS Version: 6.1.7601.2.1.0.272.7
Locale ID: 1033
Additional Information 1: e8ad
Additional Information 2: e8adce1c2b9e7be834b4063ac3c53863
Additional Information 3: e8ad
Additional Information 4: e8adce1c2b9e7be834b4063ac3c53863

I got an email from somebody at Solarwinds saying they were arranging a support call since I’m using the Eval version. At this point I’m just going to wait.

Thanks for all your help! I’ll post an update if/when we make any progress.

I started working on this last Thu or Fri. Here we are a week later, and no progress has been made. Supposedly their support folks are going to contact me today for a remote session to see what’s going on, but it’s noon and I haven’t heard anything yet.

What alternatives are people using? I tested Splunk, but it’s overkill – and the 500MB limit on the free version is a deal breaker. I need to be able to log to file, separately for each device; several of the options I’ve seen don’t offer that functionality.

At this point I’m willing to pay for Kiwi, but not if I can’t even get the eval version working.

Why don’t you install the free version of our monitoring solution EventSentry (EventSentry Light) which also includes a Syslog and SNMP trap daemon (that component is called “Network Services”).

The free version logs all incoming syslog messages (of course you can apply filters) to the Application event log - no limits.

There are no obligations, no registration required, and it doesn’t expire. It could possibly help narrow this down so you can see where the issue is.

If you like what you see then you can always download a 30-day trial which includes a web-based interface.

For basic network troubleshooting I’d also recommend our IPMon+ and ipmon utilities, which are part of our free NTToolkit. With IPMon you can determine within a few seconds whether you are receiving certain traffic or not.

Finally got this resolved today - they had to get a developer in India to check things out via GoToMeeting. There was something jacked up with the licensing, so they sent me a tool to remove/reset. I’m up and running now - and this time it’s actually catching the syslog messages.

Interesting. I’m experiencing the exact same problem as you. It only works if I roll back to an older version 9.2. Free or not.

Arg. Do you have that tool by chance?

I have the same problem (Wireshark detects the UDP logs arriving at the computer, but they are not displayed in the console) when I tried to use Kiwi 9.4.1 free and evaluation. Sometimes it pops up with some licensing errors. How can I get the tool to remove/reset this? Please help.