This page provides instructions on how to set up the Kiwi Syslog server so that it generates logs compatible with the Firegen Log Analyzer.
1. Download the Kiwi Syslog server from Kiwi Enterprises. Kiwi is currently (Oct 2011) available as freeware as well as a registered version (with some advanced features like logging to a database or compressing the logs for archiving purposes). These instructions work with Kiwi Syslog versions 7.x and 8.x. The screenshots are for Kiwi Syslog version 7.2.27, but for 8.x they are quite similar.
2. Install the Kiwi Syslog server software. This will create a Kiwi Syslog Daemon shortcut on the desktop.
3. Open the Kiwi Syslog Daemon application. You will get to a screen that looks like this:
4. From the File menu, select Setup (or Properties for older versions of Kiwi) to get to the Setup screen:
5. In the left panel select the Log to file action:
6. To configure Kiwi to create a new log every day using a yyyy-mm-dd naming convention, follow these steps:
- In the Path and file name of log file box enter the location where you want to store the log (you may leave the default C:\Program Files\Syslogd\Logs\) followed by the log prefix you want to use, for example syslog, then a dash (-), then click on "Insert AutoSplit value" and select Date, ISO Date (YYYY-MM-DD), and finally add the log extension (for example .log). If using the example here, the Setup window should look like this:
The black Example of actual path and file name contains the log that will be created (C:\Program Files\Syslogd\Logs\syslog-2005-11-17.log). You may actually copy this path and log name to use it when you configure the Firegen Log Host profile.
Leave the log file format as Kiwi format ISO yyyy-mm-dd (Tab delimited).
7. Click on Apply and then on Test to have Kiwi write a sample log entry in the newly created log. Open the log in a text editor to confirm that there are log entries there.
8. Before trying to analyze the logs with Firegen, make sure there are entries from the Cisco Pix firewall in the newly created log. If you have a fairly active firewall there should be entries there in a matter of seconds. If the Cisco Pix firewall is not configured to log to the syslog server, follow the steps described in FAQ No. 12. Once you confirm that there are log entries from the Pix firewall (log entries containing the %PIX keyword) you can proceed to the Firegen configuration. One common issue in analyzing logs that contain a timestamp from both the syslog server and the Pix firewall is a potential time discrepancy between the syslog server and the Pix firewall. Firegen will give priority to the Pix timestamp. For example:
2005-08-03 22:00:03 Local4.Info 192.168.103.27 Aug 03 2005 23:47:22: %PIX-6-302015: Built outbound UDP connection 80420 for outside:220.127.116.11/53 (18.104.22.168/53) to inside:192.168.103.28/4288 (22.214.171.124/4288)
This log entry contains the Kiwi timestamp 2005-08-03 22:00:03 and the Pix timestamp Aug 03 2005 23:47:22. As one can see, there is a difference between the times: Kiwi shows 10:00:03 PM while Pix has 11:47:22 PM. This happens because the Pix time is not set properly or is using a different timezone. If you want to analyze the log entries between 9:00:00 PM and 10:30:00 PM, Firegen will skip this line because it uses the Pix timestamp (11:47 PM), which is beyond the analysis interval. To avoid this type of mix-up, make sure that the times are synchronized between the firewall and the syslog server.
9. To configure Firegen to analyze the new logs, use the instructions provided in FAQ No. 1. As the Sample log for the Log Host Profile, use the Example of actual path and file name mentioned at step 6.
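The following script is an added example (it is not part of these instructions, nor Firegen or Kiwi code) that shows why the timestamp discrepancy in step 8 matters. It parses lines in the Kiwi "ISO yyyy-mm-dd (Tab delimited)" format, pulls out both the Kiwi timestamp and the Pix timestamp embedded in the message, reports the clock skew between them, and applies the same rule Firegen is described as using: an entry belongs to an analysis interval only by its Pix timestamp. The field order (date, time, priority, source address, message), the sample lines and the 60-second skew threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample log in the assumed Kiwi tab-delimited layout:
# date <TAB> time <TAB> priority <TAB> source <TAB> message.
# The first line mirrors the example from step 8 (Pix clock ahead by 1h47m19s);
# the second is a constructed entry with synchronized clocks; the third is a
# constructed non-Pix test entry such as the one Kiwi writes when you press Test.
SAMPLE_LOG = (
    "2005-08-03\t22:00:03\tLocal4.Info\t192.168.103.27\tAug 03 2005 23:47:22: "
    "%PIX-6-302015: Built outbound UDP connection 80420 for outside:220.127.116.11/53 "
    "(18.104.22.168/53) to inside:192.168.103.28/4288 (22.214.171.124/4288)\n"
    "2005-08-03\t22:00:04\tLocal4.Info\t192.168.103.27\tAug 03 2005 22:00:04: "
    "%PIX-6-302016: Teardown UDP connection 80420 (constructed sample)\n"
    "2005-08-03\t22:00:05\tLocal7.Debug\t127.0.0.1\tKiwi Syslog Daemon test message (constructed)\n"
)

# The Pix firewall prefixes its message with its own timestamp and message ID,
# e.g. "Aug 03 2005 23:47:22: %PIX-6-302015: ...".
PIX_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): (?P<msgid>%PIX-\d-\d+):"
)


def parse_kiwi_line(line):
    """Parse one tab-delimited Kiwi line.

    Returns a dict carrying both timestamps, or None for lines without a %PIX
    message (Kiwi test entries, other devices), which Firegen would not analyze.
    """
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None
    date, time, priority, source, message = parts
    m = PIX_HEADER.match(message)
    if m is None:
        return None
    return {
        "kiwi_time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "pix_time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "priority": priority,
        "source": source,
        "msgid": m.group("msgid"),
        "message": message,
    }


def parse_log(text):
    """Parse a whole log, keeping only entries that carry a Pix timestamp."""
    return [e for e in (parse_kiwi_line(l) for l in text.splitlines()) if e]


def skew_seconds(entry):
    """Signed clock difference, Pix minus Kiwi, in seconds."""
    return (entry["pix_time"] - entry["kiwi_time"]).total_seconds()


def select_interval(entries, start, end):
    """Apply the rule from step 8: membership in the analysis interval is
    decided by the Pix timestamp, not the Kiwi one. Bounds are
    'YYYY-MM-DD HH:MM:SS' strings."""
    lo = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    hi = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    return [e for e in entries if lo <= e["pix_time"] <= hi]


def skew_report(entries, max_skew_seconds=60):
    """List (message ID, skew) for entries whose clocks disagree by more than
    the threshold; a non-empty result means the firewall and syslog server
    clocks need synchronizing before the logs are analyzed."""
    return [(e["msgid"], skew_seconds(e))
            for e in entries if abs(skew_seconds(e)) > max_skew_seconds]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for msgid, skew in skew_report(entries):
        print(f"{msgid}: Pix clock differs from Kiwi clock by {skew:+.0f} s")
    kept = select_interval(entries, "2005-08-03 21:00:00", "2005-08-03 22:30:00")
    print("entries kept for the 9:00-10:30 PM interval:", [e["msgid"] for e in kept])
```

Run against the constructed sample, the report flags the first entry (skew of 6439 seconds) and the interval selection keeps only the second entry, exactly the behaviour step 8 warns about: the first line was received at 10:00:03 PM but is dropped because its Pix timestamp says 11:47:22 PM.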