Net/Systems Management /

Down Under syslog

By Mark Gibbs
Network World, 06/24/02

Last week in our riveting exposition of syslog tools we discussed the excellent Kiwi Syslog Message Generator. From the same stable comes an equally excellent syslog server, Kiwi Syslog Daemon. This is a terrific syslog monitoring tool, perhaps the best we've seen so far!

The daemon features a grid display of syslog messages received. It has 10 "virtual" display screens, and you can create rules to send selected messages to a specific screen. This is a neat idea, as it provides an instant filtering capability. For example, you might show only emergency errors on the default page and notices and alerts on the next page.

The way you control how, where and which messages are handled is through rules. You can define up to 100 rules, and each rule can include up to 100 filters and 100 actions.

Filters specify which message attributes and values are to be handled. For example, if the priority field concerns a mail service notification that is received during working hours and it is from a device within a specific IP address range, then the actions associated with the rule can be performed.

The daemon's actions can sound audio alarms, send e-mail messages, forward syslog messages to another host, log the messages to a specific log file, run an external program, send a completely new syslog message to another host, log the messages to an Open Database Connectivity database or a Windows NT event log, or send an SNMP trap. There also are tests that generate e-mail notifications if disk space is running low.

The daemon can receive syslog messages over User Datagram Protocol (UDP) and TCP simultaneously, along with field SNMP traps. Using rules, you can convert SNMP traps to syslog messages and vice versa, or rewrite syslog and SNMP messages and forward them.

If you goof, as we did, you can create a rule that takes SNMP traps and resends them. If you broadcast the trap rather than sending it to a specific host, the daemon will receive the trap again and resend it. This scenario created an endless loop which, much to our pleasure, the daemon handled without dying.

Things slowed down when we switched on DNS resolution to replace the host and destination IP addresses with names - this can introduce significant delays in updating the display.

The daemon can run as a regular application under all versions of Windows or as a service under NT and 2000 (there are separate installers for each version).

There is so much to this product it is staggering, but we want to mention just three final features: First, archiving - the daemon can automatically create separate log files hourly, daily, weekly, monthly or on a custom schedule. Archives also can be split by priority, host name, host IP address, domain name and tags in the message text. Next, log file format - you can specify the order and format of syslog messages when they are written to a log file. Third, you can skin the daemon! You can make it look like whatever pleases you.

If you choose not to pay the reasonable price of $70, the software will run in "freeware mode" - basically a subset of the functionality (click here for a list of the free features and here for the full product).

Kiwi Syslog Daemon is outstanding and we award it 10 gearteeth out of 10!

In the course of testing the daemon, we used a number of tools we highly recommend: the Kiwi Logfile viewer, a Windows 9X, NT/2000 and ME application that displays tab-delimited log files created by the daemon (and any other application). This freeware supports filtering and exporting to HTML format. We also used SNMPtrap, freeware from BTT Software, a small, effective SNMP trap logger.

Following up on an excellent product, AmphetaDesk, which we reviewed a few weeks ago, Version 0.93 has just been released. AmphetaDesk's performance has improved and the templating system has been re-engineered so that custom layouts can be even more sophisticated.