SolarWinds Event Log Forwarder for Windows

I have been using KiwiSys Logs for some time now for network logging.

I'd like to send Windows Event Logs to the KiwiSyslog server, BUT I cannot get the "Security" log to populate in the "matching event records" section.

I'd like to log event 4624, which is for logins. When I select "Security" from my tree on the left and keep all default values on the right, I get nothing populating in the preview of matching event records.

I untick Security, tick "System", and that loads events? Maybe I'm missing something, but any help is much appreciated.

Thank you
SysAdmin asked:


Peter Saraby (Senior IT Pro) commented:
Unfortunately I don't have an answer, as I have very limited experience with Kiwi, but I've heard from many peers that KiwiSyslog is more or less a deprecated product now and hasn't seen much innovation. Most people have either already moved away from it or are considering it.

Furthermore, converting Windows security events (especially security events) to Syslog is not a good way to consolidate audit logs for a few reasons, including:

* Syslog uses UDP by default, not a reliable transport protocol
* Potentially sensitive events are transmitted in clear text
* Converting Security events, which contain a wealth of metadata, to Syslog strips all that valuable information out, the result being that you will have limited reporting available

There are a number of more suitable products on the market, both free, open source and commercial (and not from Solarwinds). I'd be happy to suggest a few if you are open to change.
SysAdmin (Author) commented:
Hey Peter, thanks for your advice -- I'm open to change, so let me know if you know some newer, more modern log servers.

Something that's not hard on the pocket change either!
btan (Exec Consultant) commented:
You probably have to review the steps again:
  1. Create subscriptions. See Adding Subscriptions. http://www.kiwisyslog.com/help/logforwarder/html/index.html?adding_subscriptions.htm
  2. Add the Syslog server. This is where the events will be forwarded to. See Adding Syslog Server in the same link (content page on left).
  3. Send a test event. Refer to Overview of Test Screen. However, you can only perform a test on Events Logs that are included in your Subscriptions and those that are configured with a Syslog Server where messages will be forwarded to.
There is also another report that a server running some program, e.g. Websense (or similar), for network monitoring and using two NICs (one for monitoring and one for notifications) was found to be the probable cause of the issue.
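As an added example (not code from the thread, nor from Kiwi or SolarWinds), a PowerShell check that goes with btan's "send a test event" step and with Peter's point about metadata: it confirms the Logon audit subcategory is enabled, that the current account can actually read Security/4624, and shows the structured fields a 4624 event carries next to a simplified one-line rendering. It assumes an elevated PowerShell session on the Windows host whose Security log is being forwarded; Get-Logon4624Summary is a name chosen here.

```powershell
# Added example, not the forwarder's own code. Run in an elevated PowerShell
# on the host you are forwarding from. Reading the Security log requires
# Administrators or "Event Log Readers" membership (the System log does not),
# so the account a forwarder service runs as needs that right before any
# Security event can be previewed or forwarded.

# 1. Is logon auditing enabled? With "No Auditing", 4624 is never written.
auditpol /get /subcategory:"Logon"

function Get-Logon4624Summary {
    param([int]$MaxEvents = 5)

    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # "No events were found" points at auditing/activity; an access error
        # points at the rights of the account doing the reading.
        Write-Warning "Could not read Security/4624: $($_.Exception.Message)"
        return
    }

    foreach ($e in $events) {
        # 2. The structured EventData the raw event carries, keyed by field name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            TargetUser    = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType     = $data.LogonType
            SourceAddress = $data.IpAddress
            LogonProcess  = $data.LogonProcessName
            # 3. A simplified one-line rendering (not the forwarder's actual
            #    format) showing how the named fields above collapse into text.
            FlatLine      = '<Security> EventID={0} {1}' -f $e.Id, ($e.Message -split "`r?`n")[0]
        }
    }
}

Get-Logon4624Summary | Format-List
```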
Peter Saraby (Senior IT Pro) commented:
As far as suggestions go, if you're going for something free then people usually go with either ELK or Graylog. I don't have experience with ELK, but I played around a bit with Graylog. It's a very flexible product but will require a large time commitment on your end if you've never tried it. I found it somewhat cumbersome and shelved it again after a few days. It has a lot of moving parts and I didn't have time to understand it all; lack of resources didn't help either. It's a product I would personally only recommend for larger teams / networks where investing a few weeks of time into the product pays off in the long term. They offer support services, but they are very pricey; the jump from free to commercial is a big one.

As far as commercial products go, I usually recommend EventSentry, especially for Windows-based networks. It includes event log and log file monitoring as well as system health monitoring (services, disk space, performance, etc etc). It's significantly easier to set up, deploy & manage than Graylog. All of their pricing is online on their web site; in my opinion it is one of the more affordable monitoring products on the market. You really get a lot of visibility with it. It's a pretty flexible product, so it will require a small time commitment, but you should be able to get the hang of it if you devote a little bit of time to it every day for a week.

You also have products from ManageEngine & Solarwinds, but I'm personally not a big fan of them. They are very fragmented (since they offer countless products that supplement each other) and usually overpriced for what they offer (especially Solarwinds that will set you back $5k just to get started).
btan (Exec Consultant) commented:
For flexibility in monitoring of multiple platforms, and to not be tied to licensing due to platform, there is another commercial candidate, i.e. eG Innovations, worth a look for a single pane of glass.

The learning curve is not steep, but if you need more than the offered suite baseline, it is not an issue or a challenge, as it is just a matter of having more time for custom changes. It is also able to drill into application, dependency and user monitoring if you are going to venture into more analytics, deeper diagnostic checks and future planning in health scorecard reporting; most will go in that direction ...

https://www.eginnovations.com/product/server-monitoring
SysAdmin (Author) commented:
Thanks for the help ... I think I'm going to demo EventSentry. I like their pricing on the site, and for the large number of devices I have it seems super affordable -- especially the renewal rate after the 1st year.