Cisco Support Community

New Member

kiwi syslog forwarding making me crazy

hi -

I have a Kiwi syslog server set up in MARS as a generic syslog relay.

According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:

- Send with RFC 3164 header information: Selected
- Retain the original source address of the message: Cleared

If I set either (or both) of these options as outlined in the doc, none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS.

If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).

I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.

?????

what am I missing? What is MARS expecting to see from Kiwi?

thanks

-randy

Gold

Re: kiwi syslog forwarding making me crazy

I didn't read your message well enough. It's probably normal that when you don't include the header field that the events show up as coming from the kiwi server. It looks like the header field is used by csmars to determine which reporting device originated the message.

Use the settings outlined in the guide:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008075038a.html#wp1275264

then start troubleshooting. make sure you "activate" any device changes (i.e. when modifying the kiwi reporting device or adding a router reporting device).

New Member

Re: kiwi syslog forwarding making me crazy

thanks - but that's the same doc I followed.

cannot seem to get MARS to accept / parse the events from Kiwi properly.

Gold

Re: kiwi syslog forwarding making me crazy

When you use the settings provided in the doc:

have you verified that the events are being forwarded? Log into the CSMARS via SSH and use tcpdump:

[pnadmin] tcpdump host and port 514

Do the events show up in an "unknown event report" query? What do they look like?

New Member

Re: kiwi syslog forwarding making me crazy

in the process of trying that now - thanks for the help....

New Member

Re: kiwi syslog forwarding making me crazy

got a couple of events showing up with a query on "unknown reporting device":

eg:

"unknown reporting IP: 172.22.0.49, <157>Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Ac?cess1, changed state to up"

so they are showing up at MARS as "unknowns" -- it appears that Kiwi adds the timestamp and hostname info e.g. "Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon" to the message.

So defining a reporting device based on the IP shown in the add'l header (the original source IP) should be all I need to do (tried this but will have to troubleshoot some more...)
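To make the attribution rule in this thread concrete, here is an added example (not from the thread, Cisco or Kiwi) that parses the RFC 3164 relay format the way a collector must: the host in the header becomes the reporting device, and without a header the only identity left is the UDP peer, i.e. the Kiwi box itself. The relay address 172.22.0.50 is an assumed value, and U+FFFD stands in for the stray "?" characters seen in the output above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 header as Kiwi emits it: "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG".
# The day may be space-padded ("Mar  6"), so allow one or two spaces.
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
_PRI_ONLY_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

@dataclass
class SyslogEvent:
    reporting_device: str  # address the collector attributes the event to
    facility: int
    severity: int
    timestamp: Optional[str]
    message: str
    header_present: bool

def parse_relayed_syslog(raw: str, transport_peer: str) -> SyslogEvent:
    """Attribute a relayed message to the host named in the RFC 3164 header;
    with no header the only identity left is the UDP peer, i.e. the relay."""
    m = _HEADER_RE.match(raw)
    if m:
        pri = int(m.group("pri"))
        return SyslogEvent(m.group("host"), pri // 8, pri % 8,
                           m.group("ts"), m.group("msg"), True)
    p = _PRI_ONLY_RE.match(raw)
    pri = int(p.group(1)) if p else 13  # RFC 3164: assume <13> when PRI is absent
    body = p.group(2) if p else raw
    return SyslogEvent(transport_peer, pri // 8, pri % 8, None, body, False)

def has_mangled_chars(raw: str) -> bool:
    """RFC 3164 keeps message characters within printable ASCII (32-126);
    anything else is the kind of corruption the '?' in the thread's output shows."""
    return any(not 32 <= ord(c) <= 126 for c in raw)

# Constructed samples modelled on the thread's unknown-event output.
RELAY_IP = "172.22.0.50"  # assumed Kiwi address; not given in the thread
WITH_HEADER = ("<157>Mar  6 14:56:48 172.22.0.49 Kiwi_Syslog_Daemon "
               "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up")
NO_HEADER = "<157>%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up"
MANGLED = WITH_HEADER.replace("Kiwi", "Ki\ufffdwi")  # U+FFFD stands in for the stray '?'
```

PRI 157 decodes to facility 19 (local3), severity 5 (notice); with the header present the event is attributed to 172.22.0.49, without it to the relay.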

Gold (Accepted Solution)

Re: kiwi syslog forwarding making me crazy

That's the theory anyway. Make sure you click activate after adding the device. You should test with a device you know you can force events on (via failed login, whatever). I see you're having a similar issue where strange characters are showing up in the output (see the "?" characters). I don't know if this has an impact or not, but I've seen it before in our MARS as well.

New Member

Re: kiwi syslog forwarding making me crazy

yeah not sure what's up with the add'l characters - hope that's not a symptom of some other weirdness on MARS

I'll try again to set up a source device and see what happens from there - I'll post the results here ASAP

many thanks for the help

New Member

Re: kiwi syslog forwarding making me crazy

I'm at the point where I have a single device (router) defined as the source - that router syslogs to Kiwi - Kiwi relays to MARS - MARS reports / alarms on the event with the original source/reporting device info intact. Most excellent.

Last remaining issue is a bulk load of several (similar) source devices - this is now causing me grief - I started another thread hoping for some feedback.

thanks very much for your replies and your help with this one

-randy

New Member

Re: kiwi syslog forwarding making me crazy

Yeah, I had pretty much the same issue. I switched to SNARE and forwarded the logs without a hitch.

New Member

Re: kiwi syslog forwarding making me crazy

we use snare to push event logs from a couple of windows boxes but not (yet?) for relaying.

is this the same snare agent in both scenarios?

thanks

-randy

Gold

Re: kiwi syslog forwarding making me crazy

I would recommend opening a service request with Cisco and really trying to get this working before going the Snare route. I'm not exactly sure how that would work but either way it adds [what should be] unnecessary complexity. Snare itself has plenty of problems.

New Member

Re: kiwi syslog forwarding making me crazy

So are you saying that kiwi is the best option and not snare? Please elaborate on specifics, because if that's the case then I would not mind using kiwi if he can get it to work properly also.

Gold

Re: kiwi syslog forwarding making me crazy

We're not on the same page. I'm not even sure what you're talking about with respect to Snare. Snare is typically used to forward [via syslog] events from a single reporting device, like a windows box. The OP is talking about forwarding events from an already existing syslog server (one that receives events from many devices already). AFAICT, Cisco only supports syslog forwarding from syslog-ng and kiwi.
