Kaseya Community

Help Using Kiwi Syslog And Kaseya

  • Objective: I’m using Kiwi Syslog Service Manager (Free Version 8.3.25) to capture syslog messages from my FortiGate. I want Kaseya to alert me when a failed login attempt occurs.

    Problem: It’s not working and I’m sure it’s a silly oversight. Any help would be appreciated.

    My Approach:
    - I created a new log parser definition
    - Entered the Log File Path which is a .txt file
    - I did not enter a Log Archive Path
    - Created the template:
    $date$ $time$ $devname$ $device_id$ $log_id$ $type$ $subtype$ $pri$ $vd$ $user$ $rip$ $action$ $status$ $reason$ $msg$
    - Set all log file parameters to string.
    - I then assigned the log parser to the machine on which the log file is kept.
    - I then created a parser set: status Equal failure
    (does failure need to be in quotes?)
    - I then assigned that set again to the same machine the log file is on.

    When I create failed logins they are recorded in the log file however Kaseya is not picking it up. I’m either missing a step somewhere or have goofed on a setting somewhere. Does anyone have any advice?

    Legacy Forum Name: Help Using Kiwi Syslog And Kaseya,
    Legacy Posted By Username: pbrophy
  • Configuring_Log_Parsers_Step-by-Step[1].pdf
    Here is the correct way to do this if anybody wants to know....

    --Please see this KB article that gives detailed instruction on the log parser--

    The trick to this is to give the parser as much information as you can - give it clues as to what to look for. You’re asking Kaseya to look through this log and highlight the information that you want. Tell it to "look for the phrase 'user=' and write down the next 10 characters".

    Log example:
    2008-05-14 12:34:18 Example.Alert 000.000.0.0 date=2008-05-14 time=12:34:19 devname=KaseyaRouter device_id=KeyRou3574759764902 log_id=00000000001 type=error subtype=logon pri=error vd=root user=pb ui=0.0.0.000 action=login status=failure reason="username is invalid"

    Here is the template for the above example:
    $date time${tab}%{tab}%{tab}%device_id=$device_id$ %type=$type$ %user=$user$ %status=$status$

    datetime = Date Time - YYYY-MM-DD hh:mm:ss
    device_id = string
    type = string
    user = string
    status = string

    Notice that I have used the {tab} to tell the parser that there are tabs in the line, and I have used % to say "ignore a block".
    So the parser will start at the start of the log and at the start of the line, and try to match what you have given it in the template with what it finds. It would go something like this:
    1. I am looking for a "Date Time" that looks like YYYY-MM-DD hh:mm:ss - ok, found it.
    2. Now a tab - found it
    3. Now skip until I see another tab - found it
    4. Now skip until I see another tab - found it
    5. Now skip until I see "device_id=" - found it, and store everything until the next space as $device_id$
    6. Now skip until I see "type=" - found it, and store everything until the next space as $type$
    7. Now skip until I see "user=" - found it, and store everything until the next space as $user$
    8. Now skip until I see "status=" - found it, and store everything until the next space as $status$

    Kaseya email support pulled through for me on this one!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: pbrophy
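As an added worked example (not from the post above or from Kaseya), the matching rules pbrophy describes ($name$ captures a field, {tab} matches a tab, % skips ahead to the next literal) implemented as a small Python template compiler and run over a constructed copy of the sample line; it also shows why the space-separated template from the first post does not match such a line. The tab positions in the sample, the regex used for each parameter type and the parser-set comparison are my assumptions about how Kaseya behaves, not its documented implementation.

```python
import re

# Constructed sample line, modelled on the FortiGate record quoted in the post.
# Tabs are placed where the post's template expects {tab}; field values are assumed.
SAMPLE = ("2008-05-14 12:34:18\tExample.Alert\t000.000.0.0\tdate=2008-05-14 time=12:34:19 "
          "devname=KaseyaRouter device_id=KeyRou3574759764902 log_id=00000000001 "
          "type=error subtype=logon pri=error vd=root user=pb ui=0.0.0.000 "
          'action=login status=failure reason="username is invalid"')

# The working template from this post, and the space-separated one from the first post.
WORKING_TEMPLATE = ("$date time${tab}%{tab}%{tab}%device_id=$device_id$ "
                    "%type=$type$ %user=$user$ %status=$status$")
FIRST_TEMPLATE = ("$date$ $time$ $devname$ $device_id$ $log_id$ $type$ $subtype$ "
                  "$pri$ $vd$ $user$ $rip$ $action$ $status$ $reason$ $msg$")

DATETIME = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"  # the post's "Date Time" format
STRING = r"\S+"  # a string field runs until the next space (assumed)

TOKEN = re.compile(r"\$([^$]+)\$|(\{tab\})|(%)|([^$%{]+)")


def compile_template(template, types):
    """Translate a template into an anchored regex following the rules the post
    describes (my reading of them, not Kaseya's implementation)."""
    parts = ["^"]
    for var, tab, skip, literal in TOKEN.findall(template):
        if var:  # $name$: capture the field with its declared type
            group = var.replace(" ", "_")  # regex group names cannot contain spaces
            parts.append("(?P<%s>%s)" % (group, types.get(var, STRING)))
        elif tab:  # {tab}: a literal tab must appear here
            parts.append(r"\t")
        elif skip:  # %: ignore everything up to the next literal in the template
            parts.append(".*?")
        else:  # plain text in the template must appear verbatim in the line
            parts.append(re.escape(literal))
    return re.compile("".join(parts))


def parse_line(line, template, types):
    """Return the captured fields, or None when the template does not match the line."""
    m = compile_template(template, types).match(line)
    return m.groupdict() if m else None


def parser_set_hit(fields, name, value):
    """Emulate a parser-set condition such as 'status Equal failure'."""
    return fields is not None and fields.get(name) == value


if __name__ == "__main__":
    print(parse_line(SAMPLE, WORKING_TEMPLATE, {"date time": DATETIME}))
    print(parse_line(SAMPLE, FIRST_TEMPLATE, {}))  # None: the first tab breaks the match
```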
  • Your note was great... superb. You help a lot of people here. So along with this compliment I want to take this opportunity to ask you something about the parser. I really have no idea how the parser works or for what purpose. Can you give me an idea? Do I need to create the file c:\logs\message.log? Because there is no such file on my kserver.

    Also,

    Do you have a note with screenshots, like the log parser one, for assign monitoring, system check and SNMP? If you don't have one, can you give me an example so I can try it out? For your information, there is no server around me and nothing to test it out on. I just have 5 agents and a kserver which runs on VMware Server.

    It seems like I am asking you for many things. Do I need to pay or something? haha...
    You always show the smile icon; it seems like it's easy for you. Do what you can to help me out.... I have finished studying all the modules except monitoring... argh... it makes me sick!!!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: tesvin
  • Thanks for the super-useful post, pbrophy.

    Using the instructions, I created one for Mozy:

    $Time$ mozyprobackup.exe: $Type$: $ErrorCode$

    Time - Date Time - DDMMMYYYY hh:mm:ss
    ErrorCode - String
    Type - String

    Thanks for laying out Kiwi. That will save me a ton of time, and I can finally start monitoring all my Linux boxes.

    Sidenote: It would be nice if we could somehow export our parsing templates.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: topdogpc
  • TestLogParserV2.zip
    Here is a really good tool to test templates against sample logs. It is great for testing syslog events that you can’t re-create, or just don't want to because you're lazy like me.

    Tesvin - send me a private message and I'll try and help where I can / when I can.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: pbrophy
  • LegacyPoster. I tried your Mozy log parser but cannot get it to give any alerts. Is it working for you at all?