SANS ISC: Kiwi Syslog Daemon


Kiwi Syslog Daemon is a program that captures logs from routers and firewalls. You configure your router/firewall to send its log messages in a form that Kiwi can accept, then install Kiwi and configure it to capture the logs from your router/firewall. Kiwi saves the logs to disk. When you install CVTWIN, you configure it to read this log file.

Quick Docs

  1. Configure your router/firewall to broadcast its logs using Syslog or SNMP traps. Consult your router/firewall documentation.
  2. Install and configure Kiwi so that it catches these logs and writes them to disk.
  3. Install our CVTWIN so it can read the log that Kiwi writes to disk, convert it to "DShield" format and send the log to DShield.

Detailed Docs

Download Kiwi Syslog Daemon from the Kiwi site. Be sure to download the KIWI Syslog SERVICE application (if you are using NT/2K/XP), which runs it as a service so no one has to be logged in. Note that Kiwi is available in both a free and a paid version. The free version will work for our purposes.

Install Kiwi and start it. You should see Kiwi's main screen.

Click on File/Properties

Click on Rules/Default/Actions/Log to file

It should be set to

Kiwi format ISO yyyy-mm-dd (Tab delimited)

Note the "Path and file name of log file" setting. The default is

C:\Program files\Syslogd\logs\SyslogCatchAll.txt

Configure CVTWIN to use this log file.

Now check that Kiwi is set up to accept the log in the manner that your router/firewall is sending it. Check the router/firewall's documentation.

If your router/firewall saves in syslog format

If your router saves using SNMP traps. (The Linksys router does. Linksys users should also check "Use Linksys display filter".)

Click on Apply and OK. Kiwi should now be capturing your logs. You should see them in Kiwi's main screen.

Download and install the DShield Client as per DShield instructions.

Run the DShield Client to set it up (click Edit, Configure). Fill in the appropriate information. Select Kiwi {Your firewall/router} as the firewall and select the log file (SyslogCatchAll.txt, probably) you found above.

Perform a test conversion (File->Convert) and examine the output. Check to see if any filtering needs to be done (filters are on the Edit menu).

When you are satisfied that CVTWIN is converting properly, open Control Panel, open Scheduled Tasks, and create a new task that runs every day as per the DShield instructions.
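Before the test conversion, it is worth confirming that the file Kiwi writes really is in the tab-delimited ISO format selected above, so that a malformed or empty log is not mistaken for a CVTWIN problem. The Python script below is an added example, not part of this page or of CVTWIN; it assumes Kiwi's "ISO yyyy-mm-dd (Tab delimited)" lines carry date, time, facility.severity, sending host and message, and the firewall message syntax in the constructed sample is invented for the sample only.

```python
import re
from datetime import datetime

# Assumed layout of one line in Kiwi's "ISO yyyy-mm-dd (Tab delimited)" format:
# date, time, facility.severity, source host, message (tab separated).
KIWI_FIELDS = ("date", "time", "priority", "host", "message")

# Constructed sample of what SyslogCatchAll.txt might hold: two well-formed
# lines and one truncated line, to exercise the format check.
SAMPLE_LOG = (
    "2004-03-15\t08:12:01\tLocal7.Warning\t192.168.1.1\tDENY TCP 203.0.113.5:4567 -> 192.0.2.10:135\n"
    "2004-03-15\t08:12:03\tLocal7.Warning\t192.168.1.1\tDENY UDP 198.51.100.9:53 -> 192.0.2.10:1434\n"
    "2004-03-15\t08:12:05\tLocal7.Info\n"
)

# Constructed message syntax for this sample only; a real router's messages
# differ, and that device-specific parsing is what CVTWIN's converter does.
CONN_RE = re.compile(
    r"(?P<action>\w+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_kiwi_line(line):
    """Split one Kiwi ISO tab-delimited line into a dict, or return None if malformed."""
    parts = line.rstrip("\r\n").split("\t", 4)  # message may itself contain tabs
    if len(parts) != len(KIWI_FIELDS):
        return None
    rec = dict(zip(KIWI_FIELDS, parts))
    try:
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return rec


def check_catchall(text):
    """Return (parsed records, number of malformed lines) for a catch-all log body."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_kiwi_line(line)
        if rec is None:
            bad += 1
            continue
        m = CONN_RE.search(rec["message"])
        if m:  # attach connection tuple when the message matches the sample syntax
            rec.update(m.groupdict())
        records.append(rec)
    return records, bad


if __name__ == "__main__":
    recs, bad = check_catchall(SAMPLE_LOG)
    print(f"{len(recs)} parsed, {bad} malformed")
    for r in recs:
        print(r["timestamp"], r["host"], r.get("src"), "->", r.get("dst"), r.get("dport"))
```

To run it against a live file, replace SAMPLE_LOG with the contents of the path noted above; a non-zero malformed count means Kiwi's log format setting should be rechecked before pointing CVTWIN at the file.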

Important note: Kiwi Syslog Daemon is a general purpose tool that can capture logs from any firewall/router that can broadcast its logs as Syslog events or SNMP traps. CVTWIN needs to have a converter written for the specific logs that you are converting. If you are using Kiwi to capture a firewall log but CVTWIN doesn't support your log format, please contact us. Ditto if you have any other problem with CVTWIN.