Kiwi Syslog Server (KSS)
Posted by Vast-Eagle4632@reddit | sysadmin | 6 comments
Question for anyone who’s familiar with Kiwi. So I’m looking to install Kiwi but I have a couple of questions. Basically I’m decommissioning Splunk and implementing Kiwi. Essentially looking to have a primary & backup server. I know that Kiwi requires static IPs, but would it be wise to have it on its own VLAN? And does it need a SQL server? And also, what’s the best way to migrate data from Splunk to Kiwi?
Any advice and input is greatly appreciated!
tekkentuesdays@reddit
Stick Kiwi on the same management VLAN as your other monitoring boxes unless the log volume is huge or you must meet strict segmentation. A separate VLAN only helps if you need to throttle broadcast traffic or limit who can talk to UDP 514. KSS writes to its own flat file store so you don’t need SQL unless you want long-term trending reports; if you do, SQL Express is plenty.
For the Splunk data, I’ve had luck piping historic logs out of Splunk with splunk export to plain text and replaying them through Kiwi LogGen so the timestamps stay intact, keeping everything searchable in one spot.
Just keep daily rotation under 2 GB to stop the viewer from crawling. We later fed those Kiwi streams into Stellar Cyber Open XDR to kill the swivel-chair effect, but Kiwi alone is rock solid for pure syslog.
Canoe-Whisperer@reddit
I set up Kiwi at my workplace and it does not have SQL. It writes to .log files. I use PowerShell and a scheduled task to keep the folder from getting too huge.
We are only monitoring 3 devices with it (free version) so we had no need to flip it to another VLAN.
Igot1forya@reddit
I have a nightly script to 7-Zip our previous day's logs, as we have a requirement to keep something like 7 years of logs and we generate more than 50 GB a day if we don't. Thankfully the compression is something like a 96:1 ratio. Text compresses so easily, thankfully!
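The two comments above describe the same nightly job from different angles: a scheduled task that keeps the Kiwi log folder from growing without bound, and a compress-then-retain cycle for multi-year retention. The script below is an added example, not either poster's code, written in Python with the standard library's gzip standing in for 7-Zip. It assumes Kiwi writes plain `.log` files into one folder and that a file whose modification time is before today is no longer being written to; the sample folder it builds is constructed for the demonstration. Two points a practitioner would want that the comments leave implicit: the original is deleted only after the archive has been decompressed and hashed back to the same SHA-256, and the archive keeps the original file's mtime so the retention clock runs from the log date rather than the night the job happened to run.

```python
"""Nightly log archiving: compress rotated syslog files, verify, then prune by retention."""
import gzip
import hashlib
import os
import shutil
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

SAMPLE_TODAY = date(2024, 3, 12)  # constructed "today" so the example is reproducible


def sha256_of(path, opener=open):
    """Hash a file's contents; pass gzip.open as opener to hash the decompressed stream."""
    digest = hashlib.sha256()
    with opener(str(path), "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compress_rotated(log_dir, today=None):
    """gzip every .log last modified before today (assumed: the collector has
    finished writing yesterday's file). The original is deleted only after the
    archive decompresses to the same SHA-256, and the archive keeps the
    original mtime so retention is measured from the log date, not the run date."""
    today = today or date.today()
    archived = []
    for src in sorted(Path(log_dir).glob("*.log")):
        stat = src.stat()
        if datetime.fromtimestamp(stat.st_mtime).date() >= today:
            continue  # still live today; leave it alone
        dst = src.with_name(src.name + ".gz")
        with open(src, "rb") as fin, gzip.open(str(dst), "wb") as fout:
            shutil.copyfileobj(fin, fout)
        if sha256_of(dst, gzip.open) != sha256_of(src):
            dst.unlink()
            raise RuntimeError(f"archive verification failed for {src}")
        os.utime(dst, (stat.st_atime, stat.st_mtime))
        src.unlink()
        archived.append(dst.name)
    return archived


def prune_archives(log_dir, retention_days, today=None):
    """Delete .log.gz archives whose (preserved) mtime is older than the retention window."""
    today = today or date.today()
    cutoff = today - timedelta(days=retention_days)
    pruned = []
    for arc in sorted(Path(log_dir).glob("*.log.gz")):
        if datetime.fromtimestamp(arc.stat().st_mtime).date() < cutoff:
            arc.unlink()
            pruned.append(arc.name)
    return pruned


def run_cycle(log_dir, retention_days, today=None):
    """One scheduled-task run: archive, then prune; report what changed and what remains."""
    archived = compress_rotated(log_dir, today)
    pruned = prune_archives(log_dir, retention_days, today)
    remaining = sorted(p.name for p in Path(log_dir).iterdir())
    return {"archived": archived, "pruned": pruned, "remaining": remaining}


def build_sample_dir():
    """Create a constructed log folder: yesterday's file, today's live file, and a stale archive."""
    log_dir = Path(tempfile.mkdtemp(prefix="kiwi-logs-"))

    def touch(name, when, data):
        path = log_dir / name
        path.write_bytes(data)
        os.utime(path, (when.timestamp(), when.timestamp()))

    line = b"Mar 11 10:00:00 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1\n"
    touch("old.log", datetime(2024, 3, 11, 23, 59), line * 200)
    touch("live.log", datetime(2024, 3, 12, 9, 0), b"Mar 12 09:00:00 fw01 kernel: ACCEPT\n")
    with gzip.open(str(log_dir / "ancient.log.gz"), "wb") as fout:
        fout.write(b"ancient\n")
    os.utime(log_dir / "ancient.log.gz", (datetime(2024, 2, 11).timestamp(),) * 2)
    return log_dir


if __name__ == "__main__":
    sample = build_sample_dir()
    print(run_cycle(sample, retention_days=7, today=SAMPLE_TODAY))
```

On a real folder, `run_cycle(r"C:\Kiwi\Logs", retention_days=7 * 365)` from a scheduled task replaces the 7-Zip step; for 7-year retention the archive folder, not the live one, is what needs the large volume.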
Forgery@reddit
This post hurts because Splunk is so useful and Kiwi Syslog is so useless.
Assuming the 500 MB/day Splunk Free is too little for you and something like ELK is too complicated, check Google for "rsyslog HA" and go that route instead. Don't give Solarwinds any money.
malikto44@reddit
At the minimum, a base Linux box with rsyslog and some tuning on log rotation.
One place I worked at had critical logs printed out on a dot matrix printer, which guaranteed that any logs would be in a secure place, barring a blackhat running the printer out of paper before starting in on the bad stuff.
admiralspark@reddit
If you were doing network segmentation correctly, to the standards of zero trust network access, you would make use of vlans and other controls to isolate systems like Kiwi so that the log source of truth can't be tampered with.
Does it technically require it? No, of course not.
To your question of migrating Splunk to Kiwi... I don't mean this to be harsh, but you're out of your depth if you're asking about VLANs and you want to transition log history from Splunk to Kiwi. The two products operate completely differently and have vastly different throughput; if you expect Kiwi to do everything Splunk does, you're in for a bad time. Aside from the ability to ingest syslog, the products are 100% different. It's like asking how I can get the motor from a Lamborghini to transition to a moped: it's just not the same, and the work needed to make them the same is something specialist experts are needed for.
For the export, you'll likely have to build a custom exporter that can replay logs against Kiwi. Kiwi needs FAST disk because it is very I/O bound, so don't stick it on platters or you'll be dropping logs fast.
Good luck!
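Both tekkentuesdays (export to plain text, replay so timestamps stay intact) and admiralspark (a custom exporter that replays logs against Kiwi) describe the same migration mechanism. The script below is an added example of such a replayer, not code from either poster or from Kiwi or Splunk. It assumes the Splunk export is a CSV with `_time`, `host` and `_raw` columns (the two sample rows are constructed), frames each event as RFC 5424 so the year and timezone of historic events survive (BSD-style RFC 3164 has no year field; whether your Kiwi version accepts 5424 is an assumption to check), and sends over UDP 514 with optional pacing because UDP gives no delivery guarantee and an I/O-bound receiver will silently drop a burst. It also replaces CR/LF inside a message with spaces, since an embedded newline would otherwise split one historic event into two lines in the flat-file store. Plain UDP syslog is cleartext and unauthenticated, so run the replay from a host on the same management segment as the collector.

```python
"""Replay exported log events to a syslog receiver, preserving original timestamps."""
import csv
import io
import socket
import time
from datetime import datetime, timezone

# Constructed sample of a CSV export (assumed columns: _time, host, _raw).
SAMPLE_EXPORT = """_time,host,_raw
2023-11-04T08:15:07.000+00:00,dc01,"Nov 04 08:15:07 dc01 sshd[4211]: Failed password for invalid user admin from 10.0.0.5 port 51922 ssh2"
2023-11-04T08:15:01.000+00:00,fw01,"Nov 04 08:15:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=23"
"""


def parse_export(text):
    """Return a list of (timestamp, host, raw_message) tuples from the CSV export."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append((datetime.fromisoformat(row["_time"]), row["host"], row["_raw"]))
    return events


def build_syslog(ts, host, msg, facility=1, severity=6, app="replay"):
    """Frame one event as an RFC 5424 datagram carrying the event's original time.
    PRI = facility * 8 + severity; defaults give <14> (user.info)."""
    pri = facility * 8 + severity
    stamp = ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # A raw CR/LF would split this event into two lines in the receiver's flat files.
    msg = msg.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>1 {stamp} {host} {app} - - - {msg}".encode("utf-8")


def replay(events, send, per_second=None):
    """Send events oldest-first through `send`; pace them if per_second is set.
    Returns the number of datagrams handed to `send`."""
    delay = 1.0 / per_second if per_second else 0.0
    sent = 0
    for ts, host, raw in sorted(events, key=lambda e: e[0]):
        send(build_syslog(ts, host, raw))
        sent += 1
        if delay:
            time.sleep(delay)
    return sent


def udp_sender(dest_host, dest_port=514):
    """Return a send() callable that writes datagrams to the collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda datagram: sock.sendto(datagram, (dest_host, dest_port))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder collector
    count = replay(parse_export(SAMPLE_EXPORT), udp_sender(target), per_second=500)
    print(f"replayed {count} events to {target}:514")
```

For a real migration, read the export file instead of `SAMPLE_EXPORT`, start with a low `per_second` and compare the count returned here against the line count Kiwi wrote; any gap is dropped UDP, which is exactly the "dropping logs fast" failure admiralspark warns about.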