I have a Kiwi syslog server set up in MARS as a generic syslog relay.
According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:
? Send with RFC 3164 header information ? Selected
? Retain the original source address of the message ? Cleared.
If I set either (or both) of these options as outlined in the doc, none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS.
If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).
I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.
What am I missing? What is MARS expecting to see from Kiwi?
That's the theory anyway. Make sure you click activate after adding the device. You should test with a device you know you can force events on (via failed login, whatever). I see you're having a similar issue where strange characters are showing up in the output (see the "?" characters). I don't know if this has an impact or not, but I've seen it before in our MARS as well.