Documentation for Kiwi Syslog Server

Configure TCP input options — Legacy

This documentation is for legacy Kiwi Syslog Server versions 9.8.3 and older. See the KSSNG version of Configure TCP input options for the newest version of the following documentation.

By default, Kiwi Syslog Server does not listen for TCP messages, because syslog messages are traditionally sent using UDP.

If any of your network devices send syslog messages using TCP, complete the following steps to enable Kiwi Syslog Server to listen for TCP messages.

  1. Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
  2. Expand the Inputs node.
  3. Click TCP.
  4. Specify the following options:

    Listen for TCP Syslog messages

    Select this option to enable Kiwi Syslog Server to receive TCP messages.

    TCP Port

    The default port for TCP syslog messages is 1468. If you want to listen on a different port for TCP messages, you can enter any port value from 1 to 65535. If you change the port from 1468, the device sending the syslog message must also be able to support the alternate port number.

    Bind to address

    By default, the TCP socket listens for messages on all connected interfaces. To limit the binding to a single specific interface, specify its IP address in the Bind to address field. Otherwise, leave this field blank so that the server listens on all interfaces. This is the best option in most cases.

    For example, if you have two non-routed interfaces on the computer, 192.168.1.1 and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface. This will ignore any syslog messages sent to the other interface.

    The Cisco PIX uses port 1468. Its default behavior is that if it cannot connect to the syslog server, it blocks all network traffic through it. For more information on the Cisco PIX Firewall, please refer to the Cisco website.

    Data encoding

    If you are receiving messages from systems that use different data encoding formats, you can specify the decoding method to apply to the incoming data. The default is to use the System code page.

    Select a commonly used encoding format from the drop-down menu. Or, to select a different encoding, choose "Other-->" and then enter the code page number into the field on the right.

    The various code pages available on most Windows systems can be found on the Microsoft website. Here are some common code page numbers that can be used.

    Name        Code Page Number    Description
    System      1                   System Code Page
    ANSI        0                   ANSI
    UTF-8       65001               Unicode Transformation Format 8
    Shift-JIS   932                 Japanese
    EUC-JP      51932               Japanese Extended Unix Code
    BIG5        950                 Traditional Chinese
    Chinese     936                 Simplified Chinese

    If the number you specify is not a valid Code Page on your system, the incoming data will not be decoded correctly and will be dropped. If in doubt, use UTF-8 encoding (65001) as it will handle all Unicode characters.

    Message delimiters

    Because syslog messages that are sent via TCP are not necessarily contained in a single TCP packet, Kiwi Syslog Server has a buffering facility which accumulates sequential TCP packets internally. Because of this, Kiwi Syslog Server needs to know how to identify separate syslog messages in a single TCP stream. It does this through the use of message delimiters (or separators). Each delimiter signifies the character (or sequence of characters) that will be used to split the stream into individual syslog messages.

    The kind of delimiter to use depends very much on the client or device which is sending Syslog over TCP.

  5. Click Apply to save your changes.
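
The delimiter-based buffering and per-message decoding described under Message delimiters and Data encoding can be sketched as follows. This is an added example, not Kiwi Syslog Server code: the class name, the LF delimiter, the 64 KB buffer cap and the sample segments are assumptions constructed for illustration.

```python
# Added example: not Kiwi Syslog Server code. Names and limits are assumptions.
class SyslogStreamSplitter:
    """Reassemble syslog messages from a TCP byte stream using a delimiter."""
    def __init__(self, delimiter=b"\n", encoding="utf-8", max_buffer=64 * 1024):
        if not delimiter:
            raise ValueError("delimiter must not be empty")
        self.delimiter = delimiter
        self.encoding = encoding
        self.max_buffer = max_buffer  # assumed cap; bounds memory per connection
        self._buf = bytearray()
        self.dropped = 0

    def feed(self, chunk):
        """Add one recv() result; return the complete messages it finishes."""
        self._buf += chunk
        messages = []
        while (idx := self._buf.find(self.delimiter)) >= 0:
            raw = bytes(self._buf[:idx])
            del self._buf[:idx + len(self.delimiter)]
            if not raw:
                continue  # empty frame between two adjacent delimiters
            try:
                # Decode per message, after splitting, so a multi-byte
                # character cut across two segments is never decoded in halves.
                messages.append(raw.decode(self.encoding))
            except UnicodeDecodeError:
                self.dropped += 1  # undecodable data is dropped
        if len(self._buf) > self.max_buffer:
            # No delimiter within the cap: discard rather than grow unbounded.
            self._buf.clear()
            self.dropped += 1
        return messages


def demo():
    # Constructed sample: two messages split across three TCP segments,
    # with the UTF-8 "é" (0xC3 0xA9) cut between segments 1 and 2.
    segments = [
        b"<134>fw1: login caf\xc3",
        b"\xa9 ok\n<131>fw1: link d",
        b"own\n<13>partial",
    ]
    splitter = SyslogStreamSplitter(delimiter=b"\n", encoding="utf-8")
    out = []
    for seg in segments:
        out.extend(splitter.feed(seg))
    return out, bytes(splitter._buf)
```

The trailing `<13>partial` stays in the buffer until its delimiter arrives, which is why the sender and receiver must agree on the delimiter.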