What are the differences between the installation processes of NXLog on Windows and macOS?

The installation process of NXLog on Windows involves downloading an MSI package and can be done interactively or via command-line using Msiexec. Windows installations require running the executable to verify configuration and managing the service via Service Manager . For macOS, the installation requires a PKG file, and can be performed interactively by double-clicking the package or using the command line. For macOS, launchd is used to manage the NXLog service and changes require stopping the service with launchctl .

What steps should be considered for uninstalling NXLog on a Linux system to ensure all components are removed?

To uninstall NXLog on Linux, use the zypper remove command with the --clean-deps option to remove NXLog and its dependencies that are not used by other packages . Additionally, check and manually remove configuration or logging files in the installation directory (/opt/nxlog) to ensure all components related to NXLog are completely removed .

What are the implications of NXLog's ability to dynamically rotate and rename log filenames based on event attributes?

NXLog's capability to dynamically rotate and rename log filenames based on event attributes like $EventTime allows tailored and timely organization of logs. This ensures that logs reflect their temporal context, easing management and retrieval . However, using dynamic filenames can complicate systems that rely on static filenames for processing, and incorrect timestamps can result in logs being misfiled, making consistent and accurate parsing critical .

How can W3C formatted logs be parsed in NXLog, and what considerations are necessary for parsing?

In NXLog, W3C logs can be parsed using the xm_w3c or xm_csv modules. The xm_w3c module directly handles the W3C format, while xm_csv requires defining field names and types, delimiters, and ignoring headers marked with '#' . It's necessary to update field definitions to match the structure of the input log file, ensuring correct parsing and conversion into desired formats .

How can the xm_rewrite module be used to manipulate log fields in NXLog configurations?

The xm_rewrite module in NXLog allows the renaming or deletion of specific fields within a log entry. It supports directives like Rename, Delete, and Keep to manipulate event record fields. For instance, it can rename the $EventTime field to $Timestamp and delete all severity fields, which supports clean and purposeful log data presentation and prevents undesired data retention or processing .

What is the impact of enabling DNS Analytical logging on Windows, and how does it compare to DNS Debug Logging?

Enabling DNS Analytical logging on Windows can reduce performance by approximately 5% due to its high volume of events, as it logs detailed lookup and query activities . Compared to DNS Debug Logging, which records detailed transaction information, Analytical logging using ETW offers improved architecture, configurability, and direct event reading without disk writing. However, ETW lacks comprehensive event capture guarantees .

Explain the role of dynamic filenames in NXLog and how they are implemented.

Dynamic filenames in NXLog allow each log event to be assigned an individual file name based on attributes like timestamps. This method involves using expressions in the File directive of the om_file module, allowing filenames to be generated dynamically, for instance using $EventTime or now() functions . This approach is useful in organizing logs but may not be suitable for systems expecting static filenames .

How does NXLog manage alerts and what are the possible configurations for alert generation?

NXLog can generate alerts by piping messages to external programs or scripts using the om_exec module. Alerts are triggered based on specified conditions in the configuration, such as matching regular expressions in the logs. The configuration directs which messages to drop and which to forward for alerting, allowing flexible integration with custom alerting solutions .

Describe the benefits and limitations of using the im_etw module for DNS event logging in Windows.

The im_etw module allows NXLog to collect DNS logs directly via ETW, enabling high-performance, flexible, and real-time monitoring of DNS activities without writing events to disk . It is ideal for collecting Analytical and Audit logs with low overhead . However, ETW is unavailable on older Windows systems, and it does not guarantee capturing all events due to its best-effort design .

What are the steps involved in installing NXLog on FreeBSD and how is user management handled during installation?

Installing NXLog on FreeBSD involves downloading the correct package, transferring it securely to the target server, and using the `pkg add` command for installation . A new user and group can be specified via NXLOG_USER and NXLOG_GROUP environment variables, automatically created during installation for directory ownership and User/Group directive settings in nxlog.conf. These users are removed upon NXLog uninstallation .

Open navigation menu

Upload

0% found this document useful (0 votes)

2K views1,249 pages

Nxlog User Guide

nxlog-user-guide

Uploaded by

Mighty Text

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

2K views1,249 pages

Nxlog User Guide

nxlog-user-guide

Uploaded by

Mighty Text

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1249

NXLog User Guide

NXLog Ltd.

2020-06-15 11:36:36 UTC

Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1. About This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2. About NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1. NXLog Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.2. Enterprise Edition Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.3. What NXLog is Not . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3. System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.1. Event Records and Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.2. Modules and Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3.3. Buffering and Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.4. Log Processing Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4. Available Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.1. Extension Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.2. Input Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

4.3. Processor Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.4. Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.5. Modules by Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4.6. Modules by Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

5. Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

6. Product Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

7. System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

8. Digital Signature Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.1. Signature Verification for RPM Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.2. Signature Verification for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

8.3. Signature Verification on macOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

9. Red Hat Enterprise Linux & CentOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

9.1. Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

9.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

9.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

10. Debian & Ubuntu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

10.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

10.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

10.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

11. SUSE Linux Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

11.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

11.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

11.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

12. FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

12.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

12.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

12.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

13. OpenBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

13.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

13.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

13.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

14. Microsoft Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

14.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

14.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

14.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

14.4. Configure With a Custom MSI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

15. Microsoft Nano Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

15.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

15.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

15.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

15.4. Custom Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

16. Apple macOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

16.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

16.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

16.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

17. Docker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

17.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

17.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

17.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

18. IBM AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

18.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

18.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

18.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

19. Oracle Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

19.1. Installing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

19.2. Upgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

19.3. Uninstalling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

20. Hardening NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

20.1. Running Under a Non-Root User on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

20.2. Configuring SELinux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

20.3. Running Under a Custom Account on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

21. Relocating NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

21.1. System V Init File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

21.2. Systemd Unit File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

21.3. NXLog Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

21.4. Modify rpath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

22. Monitoring and Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

22.1. Monitoring on Unix Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

22.2. Monitoring on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

23. Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

23.1. Global Directives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

23.2. Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

23.3. Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

23.4. Constant and Macro Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

23.5. Environment Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

23.6. File Inclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

24. NXLog Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

24.1. Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

24.2. Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

24.3. Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

24.4. Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

24.5. Statistical Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

25. Reading and Receiving Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

25.1. Receiving over the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

25.2. Reading from a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

25.3. Reading from Files and Sockets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

25.4. Receiving from an Executable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

26. Processing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

26.1. Parsing Various Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

26.2. Alerting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

26.3. Using Buffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

26.4. Character Set Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

26.5. Detecting a Dead Agent or Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

26.6. Event Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

26.7. Extracting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

26.8. Filtering Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

26.9. Format Conversion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

26.10. Log Rotation and Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

26.11. Message Classification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

26.12. Parsing Multi-Line Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

26.13. Rate Limiting and Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

26.14. Rewriting and Modifying Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

26.15. Timestamps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

27. Forwarding and Storing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

27.1. Generating Various Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

27.2. Forwarding Over the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

27.3. Sending to Files and Sockets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

27.4. Storing in Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

27.5. Sending to Executables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

28. Centralized Log Collection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

28.1. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

28.2. Collection Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

28.3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

28.4. Data Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

29. Encrypted Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

29.1. SSL/TLS Encryption in NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

29.2. OpenSSL Certificate Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

30. Reducing Bandwidth and Data Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

30.1. Filtering Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

30.2. Trimming Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

30.3. Compressing During Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

31. Reliable Message Delivery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

31.1. Crash-Safe Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

31.2. Reliable Network Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

31.3. Protection Against Duplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

OS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

32. IBM AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

33. FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

34. OpenBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

35. GNU/Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

36. Apple macOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

37. Oracle Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

38. Microsoft Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

39. Amazon Web Services (AWS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

39.1. Amazon CloudWatch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

39.2. Amazon EC2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

39.3. Amazon Simple Storage Service (S3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

40. Apache HTTP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

40.1. Error Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

40.2. Access Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

41. Apache Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

42. APC Automatic Transfer Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

42.1. Configuring via the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

42.2. Configuring via the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

43. Apple macOS Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

44. ArcSight Common Event Format (CEF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

44.1. Collecting and Parsing CEF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

44.2. Generating and Forwarding CEF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

44.3. Using xm_csv and xm_kvp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

45. Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

46. Brocade Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

47. Check Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

48. Cisco ACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

49. Cisco ASA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

49.1. Forwarding Cisco ASA Logs Over TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

49.2. NetFlow From Cisco ASA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

50. Cisco FireSIGHT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

51. Cisco IPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

52. Cloud Instance Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

52.1. Amazon Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

52.2. Azure Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

52.3. Google Compute Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

53. Common Event Expression (CEE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

53.1. Collecting and Parsing CEE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

53.2. Generating and Forwarding CEE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

54. Dell EqualLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

54.1. Configuring via the Group Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

54.2. Configuring via the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

55. Dell iDRAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

55.1. Configuring via the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

55.2. Configuring via the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

56. Dell PowerVault MD Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

57. DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

57.1. ISC DHCP Server (DHCPd) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

57.2. ISC DHCP Client (dhclient) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

57.3. Windows DHCP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

57.4. Windows DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

58. DNS Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

58.1. DNS Logging and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

58.2. BIND 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

58.3. Windows DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

58.4. Passive DNS Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

59. Docker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

59.1. Configuring Logging in Docker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

59.2. Receiving Logs From Docker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

60. Elasticsearch and Kibana. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

60.1. Sending Logs to Elasticsearch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

60.2. Forwarding Logs to Logstash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

61. F5 BIG-IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

61.1. Collecting BIG-IP Logs via TCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

61.2. Collecting BIG-IP Logs via UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

61.3. Using SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

61.4. BIG-IP High Speed Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

62. File Integrity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

62.1. Monitoring on Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Monitoring on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

63. FreeRADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

64. Graylog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

64.1. Configuring GELF UDP Collection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

64.2. Configuring GELF TCP or TCP/TLS Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

64.3. Collector Sidecar Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

65. HP ProCurve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

66. IBM QRadar SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

66.1. Setting up the QRadar Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

66.2. Sending Generic Structured Logs to QRadar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

66.3. Sending Specific Log Types for QRadar to Parse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

66.4. Forwarding Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

67. Linux Audit System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

67.1. Audit Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

67.2. Logging Audit Messages to Local Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

67.3. Using im_linuxaudit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

67.4. Using auditd Userspace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

68. Linux System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

68.1. Replacing Rsyslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

68.2. Forwarding Messages via Socket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

68.3. Reading Rsyslog Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444

69. Log Event Extended Format (LEEF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

69.1. Collecting LEEF Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

69.2. Generating LEEF Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

70. McAfee Enterprise Security Manager (ESM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

70.1. Configuring McAfee ESM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

70.2. Sending Specific Log Types for ESM to Parse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

70.3. Forwarding Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

71. McAfee ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

71.1. Collecting ePO Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

71.2. Collecting VirusScan Enterprise (VSE) Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

71.3. Collecting Data Loss Prevention (DLP) Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

72. Microsoft Active Directory Domain Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

72.1. Active Directory Security Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

72.2. Advanced Security Audit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

72.3. Troubleshooting Domain Controller Promotions and Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

73. Microsoft Azure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

73.1. Azure Active Directory and Office 365 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

73.2. Azure Operations Management Suite (OMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

73.3. Azure SQL Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

74. Microsoft Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

74.1. Transport Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

74.2. EventLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

74.3. IIS Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

74.4. Audit Logs (nxlog-xchg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

75. Microsoft IIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

75.1. Configuring Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

75.2. W3C Extended Log File Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

75.3. Configuring IIS HTTP API Error logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

75.4. IIS Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

75.5. NCSA Common Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

75.6. SMTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

75.7. Automatic Retrieval of IIS Site Log Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

76. Microsoft SharePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

76.1. Diagnostic Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

76.2. Usage and Health Data Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

76.3. Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

76.4. Windows EventLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

76.5. IIS Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

77. Microsoft SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504

77.1. Error Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504

77.2. Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

77.3. Reading Logs From a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

77.4. Writing Logs to a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

77.5. Setting up ODBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

78. Microsoft System Center Endpoint Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

78.1. EventData Field from Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

78.2. Collecting and Parsing SCEP Data from Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

78.3. Collecting and Parsing SCEP Data from an SQL Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523

79. Microsoft System Center Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

79.1. SCCM Log Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

79.2. Collecting from Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

79.3. Collecting from a Microsoft SQL Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

80. Microsoft System Center Operations Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

80.1. Log Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

80.2. Collecting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

81. MongoDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

82. Nagios Log Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

82.1. Installation and Configuration of Nagios Log Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

82.2. NXLog Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

82.3. Verifying Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

83. Nessus Vulnerability Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

84. NetApp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

84.1. Sending Logs in Syslog Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

84.2. Sending Logs to a Remote File Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546

85. .NET Application Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548

86. Nginx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

86.1. Error Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

86.2. Access Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

87. Okta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557

88. Osquery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

88.1. Using Osquery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

88.2. Configuring Osquery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

88.3. Log Samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559

88.4. Configuring NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561

89. Postfix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

89.1. Configuring Postfix Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

89.2. Collecting and Processing Postfix Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

90. Promise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566

90.1. Configuring via Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

90.2. Configuring via Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568

91. Rapid7 InsightIDR SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

91.1. Configuring InsightIDR for Log Collection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

91.2. Configuring NXLog for Log Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569

91.3. Verifying Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

92. RSA NetWitness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

92.1. Configuring NetWitness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

92.2. Configuring NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582

92.3. Verifying Collection on NetWitness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583

93. SafeNet KeySecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

93.1. Configuring via the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587

93.2. Configuring via the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588

94. Salesforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590

95. Snare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

95.1. Collecting Snare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591

95.2. Generating Snare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592

96. Snort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

97. Splunk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

97.1. An Alternative to the Splunk Universal Forwarder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

97.2. Configuring Splunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605

97.3. Sending Generic Structured Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609

97.4. Sending Specific Log Types for Splunk to Parse. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

98. Symantec Endpoint Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

98.1. MSSQL Server Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

98.2. Embedded Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

99. Synology DiskStation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

100. Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622

100.1. BSD Syslog (RFC 3164) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622

100.2. IETF Syslog (RFCs 5424-5426) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624

100.3. Collecting and Parsing Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

100.4. Filtering Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629

100.5. Generating Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631

100.6. Extending Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

101. Sysmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

101.1. Setting up Sysmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

101.2. Collecting Sysmon Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

101.3. Filtering Sysmon Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

102. Ubiquiti UniFi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

103. VMware vCenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

103.1. Local vCenter Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

103.2. Remote vCenter Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

104. Windows AppLocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

105. Windows Command Line Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652

105.1. Enabling Command Line Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652

106. Windows Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

106.1. About Windows Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

106.2. Collecting Event Log Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

106.3. Filtering Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661

106.4. Event IDs to Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664

106.5. Forwarding Event Log Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

107. Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

107.1. Traffic Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

107.2. Change Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

107.3. Event Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673

108. Windows Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675

109. Windows Management Instrumentation (WMI). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

109.1. Reading WMI Events From the EventLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

109.2. Reading WMI Events via ETW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678

109.3. Reading From WMI Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679

110. Windows PowerShell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

110.1. Using PowerShell Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

110.2. Logging PowerShell Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685

111. Microsoft Windows Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694

112. Windows USB Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696

112.1. USB Events in Windows Event Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696

112.2. USB Events Available via ETW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699

112.3. USB Events in Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700

112.4. USB Events logged into a file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701

113. Zeek (formerly Bro) Network Security Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703

113.1. About Zeek Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703

113.2. Parsing Zeek Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704

Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708

114. Internal Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

114.1. Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

114.2. Enable Internal Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

114.3. Raise the Severity Level of Logged Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

114.4. Send Customized Log Messages to the Internal Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

114.5. Send All Fields to the Internal Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710

114.6. Send Debug Dump to the Internal Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711

114.7. Send Internal Log to STDOUT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712

114.8. Send Internal Log to an Existing Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712

114.9. Send Information to an External File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712

115. Common Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

115.1. NXLog Fails to Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

115.2. Permission Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

115.3. Connection Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714

115.4. Log Format Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

115.5. Data Missing Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

115.6. Processing Unexpectedly Paused or Stopped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

116. Debugging NXLog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718

116.1. Generate Core Dumps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718

116.2. Inspect Memory Leaks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718

Enterprise Edition Reference Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720

117. Man Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

117.1. nxlog(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

117.2. nxlog-processor(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723

118. Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

118.1. General Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725

118.2. Global Directives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727

118.3. Common Module Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730

118.4. Route Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738

119. Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

119.1. Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

119.2. Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

119.3. Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751

119.4. Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753

119.5. Statistical Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753

119.6. Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753

119.7. Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754

119.8. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759

120. Extension Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762

120.1. Remote Management (xm_admin) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762

120.2. AIX Auditing (xm_aixaudit) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769

120.3. Apple System Logs (xm_asl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771

120.4. Basic Security Module Auditing (xm_bsm) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773

120.5. Common Event Format (xm_cef) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778

120.6. Character Set Conversion (xm_charconv) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782

120.7. Delimiter-Separated Values (xm_csv) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784

120.8. Encryption (xm_crypto) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788

120.9. External Programs (xm_exec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792

120.10. File Lists (xm_filelist) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794

120.11. File Operations (xm_fileop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795

120.12. GELF (xm_gelf) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798

120.13. Go (xm_go) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803

120.14. Grok (xm_grok) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806

120.15. Java (xm_java) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808

120.16. JSON (xm_json) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814

120.17. Key-Value Pairs (xm_kvp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817

120.18. LEEF (xm_leef) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825

120.19. Microsoft DNS Server (xm_msdns) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828

120.20. Multi-Line Parser (xm_multiline) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831

120.21. NetFlow (xm_netflow) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839

120.22. Radius NPS (xm_nps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841

120.23. Pattern Matcher (xm_pattern) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842

120.24. Perl (xm_perl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846

120.25. Python (xm_python). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849

120.26. Resolver (xm_resolver) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852

120.27. Rewrite (xm_rewrite) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854

120.28. Ruby (xm_ruby). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857

120.29. SNMP Traps (xm_snmp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859

120.30. Remote Management (xm_soapadmin) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863

120.31. Syslog (xm_syslog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863

120.32. W3C (xm_w3c). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875

120.33. WTMP (xm_wtmp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879

120.34. XML (xm_xml) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880

120.35. Compression (xm_zlib) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884

121. Input Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890

121.1. Process Accounting (im_acct) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890

121.2. AIX Auditing (im_aixaudit) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892

121.3. Azure (im_azure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893

121.4. Batched Compression (im_batchcompress). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896

121.5. Basic Security Module Auditing (im_bsm). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898

121.6. Check Point OPSEC LEA (im_checkpoint) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899

121.7. DBI (im_dbi) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903

121.8. Event Tracing for Windows (im_etw) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905

121.9. External Programs (im_exec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908

121.10. Files (im_file) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909

121.11. File Integrity Monitoring (im_fim). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913

121.12. Go (im_go) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916

121.13. HTTP(s) (im_http) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919

121.14. Internal (im_internal) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922

121.15. Java (im_java). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924

121.16. Kafka (im_kafka) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929

121.17. Kernel (im_kernel) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930

121.18. Linux Audit System (im_linuxaudit) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931

121.19. Mark (im_mark) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938

121.20. EventLog for Windows XP/2000/2003 (im_mseventlog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940

121.21. EventLog for Windows 2008/Vista and Later (im_msvistalog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943

121.22. Null (im_null) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950

121.23. Oracle OCI (im_oci). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950

121.24. ODBC (im_odbc) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951

121.25. Packet Capture (im_pcap) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 954

121.26. Perl (im_perl). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972

121.27. Named Pipes (im_pipe) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975

121.28. Python (im_python) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 976

121.29. Redis (im_redis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 978

121.30. Windows Registry Monitoring (im_regmon) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979

121.31. Ruby (im_ruby) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983

121.32. TLS/SSL (im_ssl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984

121.33. Systemd (im_systemd). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987

121.34. TCP (im_tcp). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991

121.35. Test Generator (im_testgen) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993

121.36. UDP (im_udp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994

121.37. Unix Domain Sockets (im_uds). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996

121.38. Windows Performance Counters (im_winperfcount) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997

121.39. Windows Event Collector (im_wseventing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999

121.40. ZeroMQ (im_zmq) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014

122. Processor Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016

122.1. Blocker (pm_blocker) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016

122.2. Buffer (pm_buffer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017

122.3. Event Correlator (pm_evcorr) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1019

122.4. Filter (pm_filter) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027

122.5. HMAC Message Integrity (pm_hmac) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028

122.6. HMAC Message Integrity Checker (pm_hmac_check) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030

122.7. De-Duplicator (pm_norepeat). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032

122.8. Null (pm_null) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034

122.9. Pattern Matcher (pm_pattern) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1034

122.10. Format Converter (pm_transformer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1037

122.11. Timestamping (pm_ts). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039

123. Output Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043

123.1. Batched Compression (om_batchcompress) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043

123.2. Blocker (om_blocker) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1045

123.3. DBI (om_dbi) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1046

123.4. Elasticsearch (om_elasticsearch) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1049

123.5. EventDB (om_eventdb) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053

123.6. Program (om_exec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1055

123.7. Files (om_file) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056

123.8. Go (om_go) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059

123.9. HTTP(s) (om_http). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1062

123.10. Java (om_java) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1066

123.11. Kafka (om_kafka) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1069

123.12. Null (om_null) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071

123.13. Oracle OCI (om_oci) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071

123.14. ODBC (om_odbc) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072

123.15. Perl (om_perl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074

123.16. Named Pipes (om_pipe) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076

123.17. Python (om_python) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077

123.18. Raijin (om_raijin). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1079

123.19. Redis (om_redis) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082

123.20. Ruby (om_ruby) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083

123.21. TLS/SSL (om_ssl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1084

123.22. TCP (om_tcp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1088

123.23. UDP (om_udp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1090

123.24. UDP with IP Spoofing (om_udpspoof). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092

123.25. Unix Domain Sockets (om_uds) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1095

123.26. WebHDFS (om_webhdfs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096

123.27. ZeroMQ (om_zmq) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099

NXLog Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1101

124. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102

124.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102

124.2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1102

125. System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1103

126. Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104

127. Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

127.1. Installing on Debian Wheezy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

127.2. Installing on RHEL 6 & 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

127.3. Installing as Docker Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

127.4. Deploying on AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1106

127.5. Configuring NXLog Manager for Standalone Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1110

127.6. Configuring NXLog Manager for Cluster Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1111

127.7. Database Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114

127.8. Starting NXLog Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115

127.9. NXLog Agent Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1115

127.10. NXLog Manager Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116

127.11. Enabling HTTPS for NXLog Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126

127.12. Increasing the Open File Limit for NXLog Manager Using systemd . . . . . . . . . . . . . . . . . . . . . . . . . . 1131

127.13. Upgrading NXLog Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1132

127.14. Host Setup Common Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1133

128. Dashboard and Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135

128.1. Logging in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135

128.2. The Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1135

128.3. Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136

129. Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1139

130. Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142

130.1. Pattern Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1142

130.2. Creating a Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1144

130.3. Message Classification with Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1146

130.4. Searching Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1147

130.5. Exporting and Importing Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148

130.6. Using Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1148

131. Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1149

131.1. Correlation Rulesets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1149

131.2. Correlation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1149

131.3. Exporting and Importing Correlation Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1151

131.4. Using Correlation Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1152

132. Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1153

132.1. Managing Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1153

133. Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1168

133.1. Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1168

133.2. Template Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1169

134. Agent Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1172

134.1. Agent Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1172

134.2. Agent List in a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1172

135. Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1174

135.1. Listing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1174

135.2. Creating a CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1174

135.3. Creating a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175

135.4. Exporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1176

135.5. Importing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1177

135.6. Revoking and Deleting Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1177

135.7. Renewing a Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1177

135.8. Certificates Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1177

135.9. Reset Certificates and Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1178

136. Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179

136.1. Agent Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1179

136.2. Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1181

136.3. Mail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1183

136.4. Config Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1183

136.5. License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184

136.6. User Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1185

137. Users, Roles, and Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186

137.1. Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1186

137.2. Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1188

137.3. Audit Trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1191

138. RESTful Web Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193

138.1. agentmanager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193

138.2. appinfo. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1193

138.3. agentinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1194

138.4. addagent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1195

138.5. modifyagent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1196

138.6. deleteagent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1196

138.7. certificateinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1196

138.8. createfield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197

NXLog Add-Ons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1198

139. Amazon S3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199

139.1. Setting Up Boto3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199

139.2. AWS S3 Buckets, Objects, Keys, and Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1199

139.3. Sending Events to S3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1200

139.4. Retrieving Events From S3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1201

140. Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203

141. Cisco FireSIGHT eStreamer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205

141.1. Configuring the Cisco Defense Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205

141.2. Configuring the eStreamer Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1206

141.3. Configuring NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1206

142. Cisco Intrusion Prevention Systems (CIDEE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1208

142.1. Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1208

142.2. NXLog Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1208

143. Exchange (nxlog-xchg) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1211

143.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1211

143.2. Exchange Server Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1211

143.3. nxlog-xchg (Client) Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1212

143.4. Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1215

143.5. Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1215

144. Microsoft Azure and Office 365 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1216

144.1. Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1216

144.2. Setup Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1217

144.3. Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1221

144.4. NXLog Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1223

144.5. Running in Standalone Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1225

145. MSI for NXLog Agent Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1227

146. Okta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1228

147. Perlfcount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1229

148. Salesforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1230

148.1. General Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1230

148.2. Authentication and Data Retrieval. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1231

148.3. Local Storage and Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1231

148.4. Data Format and Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1232

148.5. Configuring NXLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1232

Introduction

1
Chapter 1. About This Guide
This Guide is designed to give you all the information and skills you need to successfully deploy and configure
NXLog in your organization. The following chapters provide detailed information about NXLog, including
features, architecture, configuration, and integration with other software and devices. An NXLog Enterprise
Edition Reference Manual is included, as well as documentation for the NXLog Manager.

NXLog is available in two versions, the Community Edition and the Enterprise Edition. Features that are unique to
the Enterprise Edition are noted as such, except in the Reference Manual (the Community Edition Reference
Manual is published separately). For more details about the functionality provided by these two NXLog editions,
see the following chapters (in particular, About NXLog and Available Modules).

This Guide was last updated at 2020-06-15 11:36:36 UTC.

Though most of the content applies to all versions of NXLog Community Edition and NXLog
Enterprise Edition, this Guide was written specifically for NXLog Enterprise Edition version
WARNING
5.0.5876. Some features covered by this book may not be available in earlier versions of
NXLog, and earlier versions of NXLog may behave differently than documented here.

If you would like to copy/paste configuration content from the Guide, please do so using
WARNING the HTML format. It is not possible to guarantee appropriate selection behavior with the
PDF format.

2
Chapter 2. About NXLog
Modern IT infrastructure produces large volumes of event logging data. In a single organization, hundreds or
thousands of different devices, applications, and appliances generate event log messages. These messages
require many log processing tasks, including filtration, classification, correlation, forwarding, and storage. In most
organizations these requirements are met with a collection of scripts and programs, each with its custom format
and configuration. NXLog provides a single, high-performance, multi-platform product for solving all of these
tasks and achieving consistent results.

At NXLog’s inception, there were various logging solutions available, but none with the required features. Most
were single-threaded and Syslog-oriented, without native support for Windows. Work on NXLog began with the
goal of building a modern logger with a multi-threaded design, a clear configuration syntax, multi-platform
support, and clean source code. NXLog was born in 2009 as a closed source product heavily used in several
production deployments. The source code of NXLog Community Edition was released in November 2011.

NXLog can process event logs from thousands of different sources with volumes over 100,000 events per second.
It can accept event logs over TCP, TLS/SSL, and UDP; from files and databases; and in Syslog, Windows EventLog,
and JSON formats. NXLog can also perform advanced processing on log messages, such as rewriting, correlating,
alerting, pattern matching, scheduling, and log file rotation. It supports prioritized processing of certain log
messages, and can buffer messages on disk or in memory to work around problems with input latency or
network congestion. After processing, NXLog can store or forward event logs in any of many supported formats.
Inputs, outputs, log formats, and complex processing are implemented with a modular architecture and a
powerful configuration language.

2.1. NXLog Features

This section gives an overview of some of the key advantages of NXLog over alternative systems.

Multi-platform deployment
Installer packages are provided for multiple platforms, including Linux, Windows, and Android. You can use
NXLog across your entire infrastructure, without resorting to different tools for different platforms.

Client or server operation

Depending on the configuration, NXLog will run as a server, a client, or a combination of both. You have the
freedom to choose the deployment architecture that best meets your needs. For example, NXLog can collect
local log data and forward it, relay data without storing it locally, or save incoming log data to disk.

Many input and output types and formats

NXLog can accept data from many different sources, convert the data internally, and output it to other
destinations. You can use NXLog as a single tool to process all of the different types of logs in your
organization. For example, logs can be collected from files, databases, Unix domain sockets, network
connections, and other sources. BSD Syslog, IETF Syslog, the Snare Agent format, Windows EventLog, JSON,
and other formats are supported. NXLog can likely be configured to read or write logs in your custom
application format, using the NXLog language and provided extension modules.

High performance, scalable architecture

With an event-based architecture for processing tasks in parallel, non-blocking input and output where
possible, and a worker thread pool for incoming log messages, NXLog is designed for high performance on
modern multi-core and multi-processor systems. The input/output readiness notifications provided by most
operating systems are used to efficiently handle large numbers of open files and network connections.

Security
NXLog provides features throughout the application to maintain the security of your log data and systems.
The core can be configured to run as an unprivileged user, and special privileges (such as binding to ports
below 1024) are accessed through Linux capabilities rather than requiring the application to run as root.
TLS/SSL is supported for encrypted, authenticated communications and to prevent data interception or
alteration during transmission.

3
Modular architecture
NXLog has a lightweight, modular architecture, providing a reduced memory footprint and increased
flexibility for different uses. The core handles files, events, and sockets, and provides the configuration
language; modules provide the input, output, and processing capabilities. Because modules use a common
API, you can write new modules to extend the features of NXLog.

Message buffering
Log messages can be buffered in memory or on disk. This increases reliability by holding messages in a
temporary cache when a network connectivity issue or dropout occurs. Conditional buffering can be
configured by using the NXLog language to define relevant conditions. For example, UDP messages may
arrive faster than they can be processed, and NXLog can buffer the messages to disk for processing when the
system is under less load. Conditional buffering can be used to explicitly buffer log messages during certain
hours of the day or when the system load is high.

Prioritized processing
NXLog can be configured to separate high-priority log processing from low-priority log processing, ensuring
that it processes the most important data first. When the system is experiencing high load, NXLog will avoid
dropping important incoming messages. For example, incoming UDP messages can be prioritized to prevent
dropped logs if a high volume of TCP messages overloads the system.

Message durability
Built-in flow control ensures that a blocked output does not cause dropped log messages when buffers are
full. In combination with the previously mentioned parallel processing, buffering, and prioritization, the
possibility of message loss is greatly reduced.

Familiar and powerful configuration syntax

NXLog uses an Apache-style configuration syntax that is easy to read and can be parsed or generated with
scripts. The NXLog language supports advanced scripting and processing capabilities that are usually only
found in full-fledged scripting languages. The syntax is similar to Perl, so users familiar with that language can
learn it easily. It supports polymorphic functions and procedures and regular expressions with captured sub-
strings. Modules can register additional functions and procedures to further extend the capabilities of the
language.

Scheduled tasks and log rotation

NXLog includes a scheduler service. A task can be scheduled from any module without requiring an external
tool such as Cron. Log files can be rotated automatically, on a time-based schedule or according to file size.
The file reader and writer modules in NXLog can detect when an input or output file moves or changes its
name, and re-open the file automatically.

Advanced message processing

NXLog can perform advanced processing actions on log messages, in addition to the core features already
mentioned. By using additional modules, NXLog can solve many related tasks such as message classification,
event correlation, pattern matching, message filtering, message rewriting, and conditional alerting. You can
use a single tool for all log processing functionality.

Offline processing
Sometimes log messages need to be processed in batches for conversion, filtering, or analysis. NXLog
provides an offline mode in which it processes all input and then exits. Because NXLog does not assume that
the event time and processing time are identical, time-based correlation features can be used even during
offline log processing.

International character and encoding support

NXLog supports explicit character set conversion and automatic character set detection. Log messages
received in different character sets can be automatically normalized to a common standard, allowing
messages to be compared across different sources.

4
2.2. Enterprise Edition Features
While the NXLog Community Edition provides all the flexibility and performance of the NXLog engine, the NXLog
Enterprise Edition provides additional enhancements, including modules and core features, as well as regular
hot-fixes and updates. The Enterprise Edition provides the following enhancements.

Additional platform support

In addition to Linux, Windows, and Android, installer packages are provided for the BSDs and the major
variants of Unix (AIX, Solaris, and macOS).

Signed installer packages

Installer packages are certificate signed to ensure that the binaries are not corrupted or compromised.

On-the-wire compression
Log data can be transferred in compressed batches with the im_batchcompress and om_batchcompress
input/output modules. This can help in limited bandwidth scenarios.

UDP source IP address spoofing

Some SIEM and log collection systems use the IP address of the UDP Syslog packet sent by the client. When
used as a server or relay, the om_udpspoof output module can be configured to retain the original IP address
of the sender.

Better control over SSL and TLS

Due to vulnerabilities discovered in the SSL protocols, some protocols may need to be disabled. The various
SSL/TLS networking modules in NXLog Enterprise Edition can be configured to allow only specific protocols
via the SSLProtocol directive. On Windows, NXLog Enterprise Edition can utilize TLSv1.2 while NXLog
Community Edition supports TLSv1.0 only.

ODBC input and output

The ODBC input and output modules, im_odbc and om_odbc, allow log data to be read from or inserted into
any ODBC compliant database. The primary purpose of the im_odbc module is native Windows MSSQL
support to enable log collection from Windows applications that write logs to MSSQL. The om_odbc output
module can be used to insert data into an ODBC database. These modules are available on Windows as well
as Linux.

Remote management
The dedicated xm_admin extension module enables NXLog agents to be managed remotely over a secure
SOAP/JSON SSL connection or to be integrated with existing monitoring and management tools. The
configuration, correlation rules, patterns, and certificates can all be updated remotely from the NXLog
Manager web interface or from scripts. In addition, the NXLog agent and the individual modules can be
stopped/started and log collection statistics can be queried for real-time statistics.

Crash recovery
Additional functionality is provided to guarantee a clean recovery in the case of a system crash, ensuring that
no messages are lost or duplicated.

Event correlation
The pm_evcorr processor module can efficiently solve complex event correlation tasks, with capabilities
similar to what the open-source SEC tool provides.

HTTP(S) protocol support

RESTful services are becoming increasingly popular, even for logging. The im_http and om_http input and
output modules make it possible to send or receive log message data over HTTP or HTTPS.

File integrity and registry monitoring

Several compliance standards mandate file integrity monitoring. With the im_fim input module, NXLog
Enterprise Edition can be used to detect modifications to files or directories. This module is available on

5
Windows as well as Linux. The im_regmon module provides monitoring of the Windows Registry.

Structured data formats

The xm_xml extension module can parse nested XML and data stored in XML attributes. Parsing of nested
JSON has also been implemented in xm_json, and UTF-8 validation can be enforced to avoid parser failures
caused by invalid UTF-8 from other tools.

Native W3C parser

The W3C format is widely used in various Microsoft products and perhaps IIS is the most well-known
producer. Parsing of W3C is possible with the xm_csv extension module, but that requires defining the fields
in the configuration and adjustment when the IIS configuration is changed. The xm_w3c extension module
can automatically parse the logs using the field information stored in the headers. It also supports automatic
parsing of the data format produced by BRO.

More support for SIEM products

The xm_cef and xm_leef modules provide parsing and generation of CEF and LEEF formatted data. CEF
(Common Event Format) was introduced by HP ArcSight and LEEF (Log Event Extended Format) is used by IBM
Security QRadar.

Simplified data processing configuration

Two extension modules help simplify the configuration. The xm_rewrite module allows fields to be renamed,
kept (whitelisted), or deleted (blacklisted). It also supports the Exec directive so log processing logic can be
localized and to avoid duplicated statements. The xm_filelist module provides two functions, contains() and
matches(), which can be invoked to check whether a string is present in a text file. This can be a username, IP
address, or similar. The files are cached in memory and any changes are automatically picked up without the
need to reload NXLog.

Custom input and output modules in Perl

Perl has a vast number of libraries that can be used to easily implement integration with various APIs,
formats, and protocols. The im_perl and om_perl input and output modules make it possible to utilize Perl to
collect and output data without the need to run the code as an external script.

Name resolution
The xm_resolver extension module provides cached DNS lookup functions for translating between IP
addresses and host names. User and group names can also be mapped to/from user and group ids.

Elasticsearch integration
The om_elasticsearch output module allows log data to be loaded directly into an Elasticsearch server without
requiring Logstash.

Check Point LEA input

The im_checkpoint input module enables the remote collection of Check Point firewall logs over the
OPSEC/LEA protocol. This feature is only available in the Linux version.

Redis Support
Redis is often used as an intermediate queue for log data. Two native modules, im_redis and om_redis, are
available to push data to and pull data from Redis servers.

SNMP input
The xm_snmp extension module can be used to parse SNMP traps. The traps can then be handled like regular
log messages: converted to Syslog, stored, forwarded, etc.

Multi-platform support for Windows Event Forwarding

The im_wseventing input module can be used to collect forwarded events from Windows hosts. The Windows
clients can be configured from Group Policy to send Windows EventLog using Windows Event Forwarding.
While NXLog Enterprise Edition can collect Windows EventLog remotely over WMI and MSRPC, this module
provides improved security for collecting from Windows machines in agent-less mode, with support for both
Kerberos and HTTPS data transfer. The im_wseventing module is platform independent and available on Linux

6
as well as Windows.

HDFS output
The om_webhdfs output module is available to support the Hadoop ecosystem.

Windows Performance Counters

The im_winperfcount input module can collect metrics from Windows Performance Counters such as CPU,
disk, and memory statistics.

Reading Windows EventLog files directly

The im_msvistalog module can read .evt, .evtx, and .etl EventLog files directly; this is particularly useful
for forensics purposes.

Additional Windows EventLog data

The im_msvistalog module retrieves the EventData and UserData parts which can contain important data in
some log sources. In addition, SID values in the EventLog Message can be resolved to account names to
produce the same output that EventViewer gives.

Netflow support
The xm_netflow extension module can parse Netflow packets received over UDP. It supports Netflow v1, v5,
v7, v9, and IPFIX.

ZeroMQ support
ZeroMQ is a popular high performance messaging library. The im_zmq and om_zmq modules provide input
and output support for the ZeroMQ protocol.

Regular hot fixes

Unlike NXLog Community Edition which is a volunteer effort, NXLog Enterprise Edition receives regular hot
fixes and enhancements.

2.3. What NXLog is Not

NXLog provides a broad range of features for collecting, processing, forwarding, and storing log data. However,
NXLog is not a SIEM product and does not provide:

• a graphical interface (or "dashboard") for searching logs and displaying reports,
• vulnerability detection or integration with external threat data,
• automatic analysis and correlation algorithms, or
• pre-configured compliance and retention policies.

NXLog does provide processing features that can be used to set up analysis, correlation, retention, and alerting;
NXLog can be integrated with many other products to provide a complete solution for aggregation, analysis, and
storage of log data.

7
Chapter 3. System Architecture
3.1. Event Records and Fields
In NXLog, a log message is an event, and the data relating to that event is collectively an event record. When NXLog
processes an event record, it stores the various values in fields. The following sections describe event records and
fields in the context of NXLog processing.

3.1.1. Event Records

There are many kinds of event records. A few important ones are listed here.

• The most common event record is a single line. Thus the default is LineBased for the InputType and
OutputType directives.
• It is also common for an event record to use a single UDP datagram. NXLog can send and receive UDP events
with the im_udp and om_udp modules.
• Some event records are generated using multiple lines. These can be joined into a single event record with
the xm_multiline module.
• Event records may be stored in a database. Each row in the database represents an event. In this case the
im_odbc and om_odbc modules can be used.
• It is common for structured event records to be formatted in CSV, JSON, or XML formats. The xm_csv,
xm_json, and xm_xml modules provide functions and procedures for parsing these.
• NXLog provides a Binary InputType and OutputType for use when compatibility with other logging software
is not required. This format preserves parsed fields and their types.

In NXLog, each event record consists of the raw event data (in a field named $raw_event) and additional fields
generated during processing and parsing.

3.1.2. Fields
All event log messages contain important data such as user names, IP addresses, and application names.
Traditionally, these logs have been generated as free form text messages prepended by basic metadata like the
time of the event and a severity value.

While this format is easy for humans to read, it is difficult to perform log analysis and filtering on thousands of
free-form logs. In contrast, structured logging provides means for matching messages based on key-value pairs.
With structured logging, an event is represented as a list of key-value pairs. The name of the field is the key and
the field data is the value. NXLog’s core design embraces structured logging. Using various features provided by
NXLog, a message can be parsed into a list of key-value pairs for processing or as part of the message sent to the
destination.

When a message is received by NXLog, it creates an internal representation of the log message using fields. Each
field is typed and represents a particular attribute of the message. These fields passes through the log route, and
are available in each successive module in the chain, until the log message has been sent to its destination.

1. The special $raw_event field contains the raw data received by the input module. Most input and output
modules only transfer $raw_event by default.
2. The core adds a few additional fields by default:
a. $EventReceivedTime (type: datetime) The time when the event is received. The value is not modified if
the field already exists.
b. $SourceModuleName (type: string) The name of the module instance, for input modules. The value is not
modified if the field already exists.

8
c. $SourceModuleType (type: string) The type of module instance (such as im_file), for input modules.
The value is not modified if the field already exists.
3. The input module may add other fields. For example, the im_udp module adds a $MessageSourceAddress
field.
4. Some input modules, such as im_msvistalog and im_odbc, map fields from the source directly to fields in the
NXLog event record.
5. Parsers such as the parse_syslog() procedure will add more fields.
6. Custom fields can be added by using the NXLog language and an Exec directive.
7. The NXLog language or the pm_pattern module can be used to set fields using regular expressions. See
Extracting Data.

When the configured output module receives the log message, in most cases it will use the contents of the
$raw_event field only. If the event’s fields have been modified, it is therefore important to update $raw_event
from the other fields. This can be done with the NXLog language, perhaps using a procedure like to_syslog_bsd().

A field is denoted and referenced in the configuration by a preceding dollar sign ($). See the Fields section in the
Reference Manual for more information.

9
Example 1. Processing a Syslog Message

This example shows a Syslog event and its corresponding fields as processed by NXLog. A few fields are
omitted for brevity.

1. NXLog receives an event:

<38>Nov 22 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from
192.168.1.60 port 38176 ssh2↵

2. The raw event data is stored in the $raw_event field when NXLog receives a log message. The NXLog
core and input module add additional fields.

{
"raw_event": "<38>Nov 22 10:30:12 myhost sshd[8459]: Failed password for invalid user
linda from 192.168.1.60 port 38176 ssh2",
"EventReceivedTime": "2019-11-22 10:30:13",
"MessageSourceAddress": "192.168.1.1",

3. The xm_syslog parse_syslog() procedure parses the basic format of the Syslog message, reading from
$raw_event by default. This procedure adds a few more fields:

"SyslogFacility": "USER",
"SyslogSeverity": "NOTICE",
"EventTime": "2019-11-22 10:30:12",
"Hostname": "myhost",
"SourceName": "sshd",
"ProcessID": 8459,
"Message": "Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2",

4. Further metadata can be extracted from the free-form $Message field with regular expressions or other
methods; see Extracting Data.

"Status": "failed",
"AuthenticationMethod": "password",
"Reason": "invalid user",
"User": "linda",
"SourceIPAddress": "192.168.1.60",
"SourcePort": 38176,
"Protocol": "ssh2"
}

3.2. Modules and Routes

While the NXLog core is responsible for managing the overall log processing operation, NXLog’s architecture
utilizes loadable modules that provide input, output, and parsing functionality. Different modules can be used
together to create log data routes that meet the requirements of the logging environment. Each route accepts log
messages in a particular format, processes or transforms them, and then outputs them in one of the supported
formats.

Files and sockets are added to the core by the various modules, and the core delegates events when necessary.
Modules also dispatch log events to the core, which passes each one to the appropriate module. In this way, the
core can centrally control all events and the order of their execution making prioritized processing possible. Each
event belonging to the same module instance is executed in sequential order, not concurrently. This ensures that
message order is kept and allows modules to be written without concern for concurrency. Yet because the
modules and routes run concurrently, the global log processing flow remains parallelized.

10
3.2.1. Modules
A module is a foo.so or foo.dll that can be loaded by the NXLog core and provides a particular capability. A
module instance is a configured module that can be used in the configured data flow. For example, the
configuration block for an input module instance begins with <Input instancename>. See the Instance examples
below. A single module can be used in multiple instances. With regard to configuration, a module instance is
often referred to as simply a module.

There are four types of modules.

Input
Functionality for accepting or retrieving log data is provided by input modules. An input module instance is a
source or producer. It accepts log data from a source and produces event records.

An Input Module Instance

1 <Input foo_in>
2 Module im_foo
3 ...
4 </Input>

Output
Output modules provide functionality for sending log data to a local or remote destination. An output module
instance is a sink, destination, or consumer. It is responsible for consuming event records produced by one or
more input module instances.

An Output Module Instance

1 <Output foo_out>
2 Module om_foo
3 ...
4 </Output>

Extension
The NXLog language can be extended with extension modules. Extension module instances do not process
log data directly. Instead, they provide features (usually functions and procedures) that can be used from
other parts of the processing pipeline. Many extension module instances require no directives other than the
Module directive.

Example 2. Using an Extension Module

In this example, the xm_syslog module is loaded by the Extension block. This module provides the
parse_syslog() procedure, in addition to other functions and procedures. In the following Input
instance, the Exec directive calls parse_syslog() to parse the Syslog-formatted event.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File '/var/log/messages'
8 Exec parse_syslog();
9 </Input>

Processor
Processor modules offer features for transforming, filtering, or converting log messages. One or more

11
processor module instances can be used in a route between input and output module instances.

A Processor Module Instance

1 <Processor foo>
2 Module pm_foo
3 ...
4 </Processor>

Many processing functions and procedures are available through the NXLog language and
can be accessed through the Exec directive in an Input or Output block without using a
NOTE
separate processor module instance. However, a separate processor module (pm_null,
perhaps) will use a separate worker thread, providing additional processing parallelization.

For a list of available modules, see Available Modules.

3.2.2. Routes
Most log processing solutions are built around the same concept. The input is read from a source, log messages
are processed, and then log data is written to a destination. In NXLog, this path is called a "route" and is
configured with a Route block.

Routes are made up of one or more inputs, zero or more processors, and one or more outputs.

Example 3. A Simple Route

This route accepts input with the in module and sends it to the out module. This is the simplest functional
route.

nxlog.conf
1 <Route r1>
2 Path in => out
3 </Route>

12
Example 4. A Route With a Processor

This route extends the previous example by adding an intermediate processing module proc.

nxlog.conf
1 <Route r2>
2 Path in => proc => out
3 </Route>

Example 5. Advanced Route With Multiple Input/Output Modules

This route uses two input modules and two output modules. Input from in1 and in2 will be combined and
sent to both out1 and out2.

nxlog.conf
1 <Route r3>
2 Path in1, in2 => out1, out2
3 </Route>

13
Example 6. Branching: Two Routes Using One Input Module

A module can be used by multiple routes simultaneously, as in this example. The in1 module instance is
only declared once, but is used by both routes.

nxlog.conf
1 <Route r1>
2 Path in => out1
3 </Route>
4
5 <Route r2>
6 Path in => proc => out2
7 </Route>

3.3. Buffering and Flow Control

NXLog implements several buffering features. Of these, two are particularly important and are enabled by
default: log queues and flow control.

Log Queues
Every processor and output module instance has an input log queue for events that have not yet been
processed by that module instance. When the preceding module has processed an event, it is placed in this
queue. Log queues are enabled by default for all processor and output module instances; adjusting log
queue sizes is the preferred way to control buffering behavior.

Flow Control
NXLog’s flow control functionality provides automatic, zero-configuration handling of many cases where
buffering would otherwise be required. Flow control takes effect when the following sequence of events
occurs in a route:

1. a processor or output module instance is not able to process log data at the incoming rate,
2. that module instance’s log queue becomes full, and

14
3. the preceding input or processor module instance has flow control enabled (which is the default).

In this case, flow control will cause the input or processor module instance to suspend processing until the
succeeding module instance is ready to accept more log data.

For more information about these and other buffering features, including log queue persistence, disabling flow
control, read/write buffers, and examples for specific scenarios, see Using Buffers.

3.4. Log Processing Modes

NXLog can process logs in three modes. Each mode has different characteristics, and you can use any
combination of modes for your overall logging infrastructure.

• Agent-Based Collection: NXLog runs on the system that is generating the log data.
• Agent-Less Collection: Hosts or devices generate log data and send it over the network to NXLog.
• Offline Log Processing: The nxlog-processor(8) tool performs batch log processing.

3.4.1. Agent-Based Collection

With agent-based collection, NXLog runs as an agent on the system that is generating the log data. It collects the
log data and sends it to another NXLog instance over the network.

We recommend agent-based log collection for most use cases. In particular, we recommend this
NOTE mode if you need strong security and reliability or need to transform log data before it leaves
the system on which it was generated.

Agent-based log collection offers several important advantages over agent-less collection.

• Log data can be collected from more sources. For example, you can collect logs directly from files, instead of
relying on a logging process to send log data across the network.
• NXLog’s processing features are available. You can filter, normalize, and rewrite log data before sending it to
a destination, whether a NXLog instance or a log aggregation system. This includes the ability to send
structured log data, such as JSON and key-value pairs.
• You have full control over the transfer of the log data. Messages can be sent using a variety of protocols,
including over TLS/SSL encrypted connections for security. Log data can be sent in compressed batches and
can be buffered if necessary.
• Log collection in this mode is more reliable. NXLog includes delivery guarantees and flow control systems
which ensure your log data reaches its destination. You can monitor the health of the NXLog agent to verify
its operational integrity.

Although agent-based collection has many compelling advantages, it is not well suited to some use cases.

• Many network and embedded systems, such as routers and firewalls, do not support installing third-party
software. In this case it would not be possible to install the NXLog agent.
• Installing the NXLog agent on each system in a large-scale deployment may not be practical compared to
reading from the existing logging daemon on each system.

15
3.4.2. Agent-Less Collection
With this mode of log collection, a server or device sends log data to an NXLog instance over the network, using
its native protocols. NXLog collects and processes the information that it receives.

We recommend agent-less log collection in cases where agent-based log collection is not
NOTE feasible, for example from legacy or embedded systems that do not support installing the
NXLog agent.

Agent-less log collection has the following advantages.

• It is not necessary to install an NXLog agent application on the target system to collect log data from it.
• Generally, a device or system requires only minimal configuration to send log data over the network to an
NXLog instance in its native format.

Agent-less log collection has some disadvantages that should be taken into consideration.

• Agent-less log collection may provide lower performance than agent-based collection. On Windows systems,
the Windows Management Instrumentation process can consume more system resources than the NXLog
agent.
• Reliability is also a potential issue. Since most Syslog log forwarders use UDP to transfer log data, some data
could be lost if the server restarts or becomes unreachable over the network. Unlike agent-based log
collection, you often cannot monitor the health of the logging source.
• Data transfers are less secure when using agent-less collection since most Syslog sources transfer data over
unencrypted UDP.

Agent-less collection is commonly used with the following protocols.

• BSD Syslog (RFC 3164) and IETF Syslog (RFC 5424) sources (see Collecting and Parsing Syslog)
• Windows EventLog sources (with NXLog Enterprise Edition):
◦ The MSRPC protocol, using the im_msvistalog module (see Remote Collection With im_msvistalog)

◦ Windows Event Forwarding, using the im_wseventing module (see Remote Collection With
im_wseventing)

3.4.3. Offline Log Processing

While the other modes process log data in real-time, NXLog can also be used to perform batch log processing.
This is provided by the nxlog-processor(8) tool, which is similar to the NXLog daemon and uses the same
configuration file. However, it runs in the foreground and exits after all input log data has been processed.

Common input sources are files and databases. This tool is useful for log processing tasks such as:

• loading a group of files into a database,

• converting between different formats,
• testing patterns,
• doing offline event correlation, or
• checking HMAC message integrity.

16
Chapter 4. Available Modules
The following modules are provided with NXLog. Modules which are only available in NXLog Enterprise Edition
are noted. For detailed information about which modules are available for specific platforms, see the Modules by
Platform and Modules by Package sections.

4.1. Extension Modules

The following extension (xm_*) modules are available.

Table 1. Available Extension Modules

Module Description
xm_admin — Remote Management Adds secure remote administration capabilities to NXLog using
(Enterprise Edition only) SOAP or JSON over HTTP/HTTPS.

xm_aixaudit — AIX Auditing (Enterprise Parses AIX audit events that have been written to file.
Edition only)

xm_asl — Apple System Logs (Enterprise Parses events in the Apple System Log (ASL) format.
Edition only)

xm_bsm — Basic Security Module Auditing Supports parsing of events written to file in Sun’s Basic Security
(Enterprise Edition only) Module (BSM) Auditing binary format.

xm_cef — CEF (Enterprise Edition only) Provides functions for generating and parsing data in the
Common Event Format (CEF) used by HP ArcSight™ products.

xm_charconv — Character Set Conversion Provides functions and procedures to help you convert strings
between different character sets (code pages).

xm_csv — CSV Provides functions and procedures to help you process data

formatted as comma-separated values (CSV), and to convert CSV
data into fields.

xm_exec — External Program Execution Passes log data through a custom external program for
processing, either synchronously or asynchronously.

xm_filelist — File Lists (Enterprise Edition Implements file-based blacklisting or whitelisting.

only)

xm_fileop — File Operations Provides functions and procedures to manipulate files.

xm_gelf — GELF Provides an output writer function which can be used to generate

output in Graylog Extended Log Format (GELF) for Graylog2 or
GELF compliant tools.

xm_grok — Grok Patterns (Enterprise Edition Provides support for parsing events with Grok patterns.
only)

xm_json — JSON Provides functions and procedures to generate data in JSON

(JavaScript Object Notation) format or to parse JSON data.

xm_kvp — Key-Value Pairs Provides functions and procedures to parse and generate data
that is formatted as key-value pairs.

xm_leef — LEEF (Enterprise Edition only) Provides functions for parsing and generating data in the Log
Event Extended Format (LEEF), which is used by IBM Security
QRadar products.

xm_msdns — DNS Server Debug Log Parses Microsoft Windows DNS Server debug logs
Parsing (Enterprise Edition only)

xm_multiline — Multi-Line Message Parser Parses log entries that span multiple lines.

17
Module Description
xm_netflow — NetFlow (Enterprise Edition Provides a parser for NetFlow payload collected over UDP.
only)

xm_nps — NPS (Enterprise Edition only) Provides functions and procedures for processing data in NPS
Database Format stored in files by Microsoft Radius services.

xm_pattern — Pattern Matcher (Enterprise Applies advanced pattern matching logic to log data, which can
Edition only) give greater performance than normal regular expression
statements. Replaces pm_pattern.

xm_perl — Perl Processes log data using Perl.

xm_python — Python (Enterprise Edition Processes log data using Python.

only)

xm_resolver — Resolver (Enterprise Edition Resolves key identifiers that appear in log messages into more
only) meaningful equivalents, including IP addresses to host names, and
group/user IDs to friendly names.

xm_rewrite — Rewrite (Enterprise Edition Transforms event records by modifying or discarding specific

only) fields.

xm_ruby — Ruby (Enterprise Edition only) Processes log data using Ruby.

xm_snmp — SNMP Traps (Enterprise Edition Parses SNMPv1 and SNMPv2c trap messages.
only)

xm_stdinpw — Passwords on standard Reads passwords on standard input.

input (Enterprise Edition only)

xm_syslog — Syslog Provides helpers that let you parse and output the BSD Syslog
protocol as defined by RFC 3164.

xm_w3c — W3C (Enterprise Edition only) Parses data in the W3C Extended Log File Format, the BRO format,
and Microsoft Exchange Message Tracking logs.

xm_wtmp — WTMP Provides a parser function to process binary wtmp files.

xm_xml — XML Provides functions and procedures to process data that is

formatted as XML.

4.2. Input Modules

The following input (im_*) modules are available.

Table 2. Available Input Modules

Module Description
im_acct — BSD/Linux Process Accounting Collects process accounting logs from a Linux or BSD kernel.
(Enterprise Edition only)

im_aixaudit — AIX Auditing (Enterprise Collects AIX audit events directly from the kernel.
Edition only)

im_azure — Azure (Enterprise Edition only) Collects logs from Microsoft Azure applications.

im_batchcompress — Batched Compression Provides a compressed network transport for incoming messages

over TCP or SSL (Enterprise Edition only) with optional SSL/TLS encryption. Pairs with the
om_batchcompress output module.

im_bsm — Basic Security Module Auditing Collects audit events directly from the kernel using Sun’s Basic
(Enterprise Edition only) Security Module (BSM) Auditing API.

im_checkpoint — Check Point OPSEC Provides support for collecting logs remotely from Check Point
(Enterprise Edition only) devices over the OPSEC LEA protocol.

18
Module Description
im_dbi — DBI Collects log data by reading data from an SQL database using the
libdbi library.

im_etw — Event Tracing for Windows (ETW) Implements ETW controller and consumer functionality in order to
(Enterprise Edition only) collect events from the ETW system.

im_exec — Program Collects log data by executing a custom external program. The

standard output of the command forms the log data.

im_file — File Collects log data from a file on the local file system.

im_fim — File Integrity Monitoring Scans files and directories and reports detected changes.
(Enterprise Edition only)

im_http — HTTP/HTTPS (Enterprise Edition Accepts incoming HTTP or HTTPS connections and collects log
only) events from client POST requests.

im_internal — Internal Collect log messages from NXLog.

im_kafka — Apache Kafka (Enterprise Edition Implements a consumer for collecting from a Kafka cluster.
only)

im_kernel — Kernel (Enterprise Edition only Collects log data from the kernel log buffer.
for some platforms)

im_linuxaudit — Linux Audit System Configures and collects events from the Linux Audit System
(Enterprise Edition only)

im_mark — Mark Outputs 'boilerplate' log data periodically to indicate that the

logger is still running.

im_mseventlog — Windows EventLog for Collects EventLog messages on the Windows platform.

Windows XP/2000/2003

im_msvistalog — Windows EventLog for Collects EventLog messages on the Windows platform.

Windows 2008/Vista and later

im_null — Null Acts as a dummy log input module, which generates no log data.
You can use this for testing purposes.

im_oci — OCI (Enterprise Edition only) Reads log messages from an Oracle database.

im_odbc — ODBC (Enterprise Edition only) Uses the ODBC API to read log messages from database tables.

im_perl — Perl (Enterprise Edition only) Captures event data directly into NXLog using Perl code.

im_pipe — Named Pipes (Enterprise Edition This module can be used to read log messages from named pipes
only) on UNIX-like operating systems.

im_python — Python (Enterprise Edition only) Captures event data directly into NXLog using Python code.

im_redis — Redis (Enterprise Edition only) Retrieves data stored in a Redis server.

im_regmon — Windows Registry Monitoring Periodically scans the Windows registry and generates event
(Enterprise Edition only) records if a change in the monitored registry entries is detected.

im_ruby — Ruby (Enterprise Edition only) Captures event data directly into NXLog using Ruby code.

im_ssl — SSL/TLS Collects log data over a TCP connection that is secured with
Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

im_tcp — TCP Collects log data over a TCP network connection.

im_testgen — Test Generator Generates log data for testing purposes.

im_udp — UDP Collects log data over a UDP network connection.

im_uds — Unix Domain Socket Collects log data over a Unix domain socket (typically /dev/log).

19
Module Description
im_winperfcount — Windows Performance Periodically retrieves the values of the specified Windows
Counters (Enterprise Edition only) Performance Counters to create an event record.

im_wseventing — Windows Event Collects EventLog from Windows clients that have Windows Event
Forwarding (Enterprise Edition only) Forwarding configured.

im_zmq — ZeroMQ (Enterprise Edition only) Provides incoming message transport over ZeroMQ, a scalable
high-throughput messaging library.

4.3. Processor Modules

The following processor (pm_*) modules are available.

Table 3. Available Processor Modules

Module Description
pm_blocker — Blocker Blocks log data from progressing through a route. You can use this
module for testing purposes, to simulate when a route is blocked.

pm_buffer — Buffer Caches messages in an in-memory or disk-based buffer before

forwarding it. This module is useful in combination with UDP data
inputs.

pm_evcorr — Event Correlator Perform log actions based on relationships between events.

pm_filter — Filter Forwards the log data only if the condition specified in the Filter
module configuration evaluates to true. This module has been
deprecated. Use the NXLog language drop() procedure
instead.

pm_hmac — HMAC Message Integrity Protect messages with HMAC cryptographic checksumming. This
(Enterprise Edition only) module has been deprecated.

pm_hmac_check — HMAC Message Integrity Check HMAC cryptographic checksums on messages. This module
Checker (Enterprise Edition only) has been deprecated.

pm_norepeat — Message De-Duplicator Drops messages that are identical to previously-received

messages. This module has been deprecated. This
functionality can be implemented with module variables.

pm_null — Null Acts as a dummy log processing module, which does not

transform the log data in any way. You can use this module for
testing purposes.

pm_pattern — Pattern Matcher Applies advanced pattern matching logic to log data, which can
give greater performance than normal regular expression
statements in Exec directives. This module has been
deprecated. Use the xm_pattern module instead.

pm_transformer — Message Format Provides parsers for various log formats, and converts between
Converter them. This module has been deprecated. Use the xm_syslog,
xm_csv, xm_json, and xm_xml modules instead.

pm_ts — Timestamping (Enterprise Edition Add cryptographic Time-Stamp signatures to messages. This

only) module has been deprecated.

4.4. Output Modules

The following output (om_*) modules are available.

Table 4. Available Output Modules

20
Module Description
om_batchcompress — Batched Provides a compressed network transport for outgoing messages
Compression over TCP or SSL (Enterprise with optional SSL/TLS encryption. Pairs with the
Edition only) im_batchcompress input module.

om_blocker — Blocker Blocks log data from being written. You can use this module for
testing purposes, to simulate when a route is blocked.

om_dbi — DBI Stores log data in an SQL database using the libdbi library.

om_elasticsearch — Elasticsearch (Enterprise Stores logs in an Elasticsearch server.

Edition only)

om_eventdb — EventDB (Enterprise Edition Uses libdrizzle to insert log message data into a MySQL database
only) with a special schema.

om_exec — Program Writes log data to the standard input of a custom external

program.

om_file — File Writes log data to a file on the file system.

om_http — HTTP/HTTPS Send events over HTTP or HTTPS using POST requests.

om_kafka — Apache Kafka (Enterprise Implements a producer for publishing to a Kafka cluster.

Edition only)

om_null — Null Acts as a dummy log output module. The output is not written or
sent anywhere. You can use this module for testing purposes.

om_oci — OCI (Enterprise Edition only) Writes log messages to an Oracle database.

om_odbc — ODBC (Enterprise Edition only) Uses the ODBC API to write log messages to database tables.

om_perl — Perl (Enterprise Edition only) Uses Perl code to handle output log messages from NXLog.

om_pipe — Named Pipes (Enterprise Edition This module allows log messages to be sent to named pipes on
only) UNIX-like operating systems.

om_python — Python (Enterprise Edition Uses Python code to handle output log messages from NXLog.
only)

om_raijin — Raijin (Enterprise Edition only) Stores log messages in a Raijin server.

om_redis — Redis (Enterprise Edition only) Stores log messages in a Redis server.

om_ruby — Ruby (Enterprise Edition only) Uses Ruby code to handle output log messages from NXLog.

om_ssl — SSL/TLS Sends log data over a TCP connection that is secured with
Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

om_tcp — TCP Sends log data over a TCP connection to a remote host.

om_udp — UDP Sends log data over a UDP connection to a remote host.

om_udpspoof — UDP with IP Spoofing Sends log data over a UDP connection, and spoofs the source IP
(Enterprise Edition only) address to make packets appear as if they were sent from another
host.

om_uds — UDS Sends log data to a Unix domain socket.

om_webhdfs — WebHDFS (Enterprise Edition Stores log data in Hadoop HDFS using the WebHDFS protocol.
only)

om_zmq — ZeroMQ (Enterprise Edition only) Provides outgoing message transport over ZeroMQ, a scalable
high-throughput messaging library.

4.5. Modules by Platform

21
4.5.1. AIX 7.1
Table 5. Available Modules in nxlog-5.0.5874-1.aix7.1.ppc.rpm

Package Input Output Processor Extension

nxlog-5.0.5874-1.aix7.1.ppc.rpm im_acct om_batchcom pm_blocker xm_admin
im_aixaudit press pm_buffer xm_aixaudit
im_azure om_blocker pm_evcorr xm_asl
im_batchcomp om_elasticsear pm_filter xm_cef
ress ch pm_hmac xm_charconv
im_exec om_exec pm_hmac_che xm_crypto
im_file om_file ck xm_csv
im_fim om_go pm_norepeat xm_exec
im_go om_http pm_null xm_filelist
im_http om_java pm_pattern xm_fileop
im_internal om_null pm_transform xm_gelf
im_java om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_java
im_pipe om_ssl xm_json
im_redis om_tcp xm_kvp
im_ssl om_udp xm_leef
im_tcp om_udpspoof xm_msdns
im_testgen om_uds xm_multiline
im_udp om_webhdfs xm_netflow
im_uds xm_nps
im_wseventing xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.2. AmazonLinux 2
Table 6. Available Modules in nxlog-5.0.5874_amzn2_aarch64.tar.bz2

22
Package Input Output Processor Extension
nxlog-5.0.5874_amzn2_aarch64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog-dbi-5.0.5874_amzn2_aarch64.rpm im_dbi om_dbi

nxlog-java-5.0.5874_amzn2_aarch64.rpm im_java om_java xm_java

nxlog-kafka-5.0.5874_amzn2_aarch64.rpm im_kafka om_kafka

nxlog-odbc-5.0.5874_amzn2_aarch64.rpm im_odbc om_odbc

nxlog-pcap-5.0.5874_amzn2_aarch64.rpm im_pcap

nxlog-perl-5.0.5874_amzn2_aarch64.rpm im_perl om_perl xm_perl

nxlog-python-5.0.5874_amzn2_aarch64.rpm im_python om_python xm_python

nxlog-ruby-5.0.5874_amzn2_aarch64.rpm im_ruby om_ruby xm_ruby

nxlog-systemd-5.0.5874_amzn2_aarch64.rpm im_systemd

nxlog-wseventing- im_wseventing
5.0.5874_amzn2_aarch64.rpm

nxlog-zmq-5.0.5874_amzn2_aarch64.rpm im_zmq om_zmq

4.5.3. CentOS 6, RHEL 6

Table 7. Available Modules in nxlog-5.0.5874_rhel6_x86_64.tar.bz2

23
Package Input Output Processor Extension
nxlog-5.0.5874_rhel6_x86_64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog-checkpoint-5.0.5874_rhel6_x86_64.rpm im_checkpoint

nxlog-dbi-5.0.5874_rhel6_x86_64.rpm im_dbi om_dbi

nxlog-java-5.0.5874_rhel6_x86_64.rpm im_java om_java xm_java

nxlog-kafka-5.0.5874_rhel6_x86_64.rpm im_kafka om_kafka

nxlog-odbc-5.0.5874_rhel6_x86_64.rpm im_odbc om_odbc

nxlog-perl-5.0.5874_rhel6_x86_64.rpm im_perl om_perl xm_perl

nxlog-wseventing-5.0.5874_rhel6_x86_64.rpm im_wseventing

4.5.4. CentOS 7, RHEL 7

Table 8. Available Modules in nxlog-5.0.5874_rhel7_x86_64.tar.bz2

24
Package Input Output Processor Extension
nxlog-5.0.5874_rhel7_x86_64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog-checkpoint-5.0.5874_rhel7_x86_64.rpm im_checkpoint

nxlog-dbi-5.0.5874_rhel7_x86_64.rpm im_dbi om_dbi

nxlog-java-5.0.5874_rhel7_x86_64.rpm im_java om_java xm_java

nxlog-kafka-5.0.5874_rhel7_x86_64.rpm im_kafka om_kafka

nxlog-odbc-5.0.5874_rhel7_x86_64.rpm im_odbc om_odbc

nxlog-pcap-5.0.5874_rhel7_x86_64.rpm im_pcap

nxlog-perl-5.0.5874_rhel7_x86_64.rpm im_perl om_perl xm_perl

nxlog-python-5.0.5874_rhel7_x86_64.rpm im_python om_python xm_python

nxlog-ruby-5.0.5874_rhel7_x86_64.rpm im_ruby om_ruby xm_ruby

nxlog-systemd-5.0.5874_rhel7_x86_64.rpm im_systemd

nxlog-wseventing-5.0.5874_rhel7_x86_64.rpm im_wseventing

nxlog-zmq-5.0.5874_rhel7_x86_64.rpm im_zmq om_zmq

4.5.5. CentOS 8, RHEL 8

Table 9. Available Modules in nxlog-5.0.5874_rhel8_x86_64.tar.bz2

25
Package Input Output Processor Extension
nxlog-5.0.5874_rhel8_x86_64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog-checkpoint-5.0.5874_rhel8_x86_64.rpm im_checkpoint

nxlog-java-5.0.5874_rhel8_x86_64.rpm im_java om_java xm_java

nxlog-kafka-5.0.5874_rhel8_x86_64.rpm im_kafka om_kafka

nxlog-odbc-5.0.5874_rhel8_x86_64.rpm im_odbc om_odbc

nxlog-pcap-5.0.5874_rhel8_x86_64.rpm im_pcap

nxlog-perl-5.0.5874_rhel8_x86_64.rpm im_perl om_perl xm_perl

nxlog-python-5.0.5874_rhel8_x86_64.rpm im_python om_python xm_python

nxlog-ruby-5.0.5874_rhel8_x86_64.rpm im_ruby om_ruby xm_ruby

nxlog-systemd-5.0.5874_rhel8_x86_64.rpm im_systemd

nxlog-wseventing-5.0.5874_rhel8_x86_64.rpm im_wseventing

nxlog-zmq-5.0.5874_rhel8_x86_64.rpm im_zmq om_zmq

4.5.6. DEB Generic

Table 10. Available Modules in nxlog-5.0.5874_generic_deb_amd64.deb

26
Package Input Output Processor Extension
nxlog-5.0.5874_generic_deb_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_java om_java pm_transform xm_gelf
im_kafka om_kafka er xm_go
im_kernel om_null pm_ts xm_grok
im_linuxaudit om_pipe xm_java
im_mark om_raijin xm_json
im_null om_redis xm_kvp
im_pipe om_ssl xm_leef
im_redis om_tcp xm_msdns
im_ssl om_udp xm_multiline
im_tcp om_udpspoof xm_netflow
im_testgen om_uds xm_nps
im_udp om_webhdfs xm_pattern
im_uds xm_resolver
im_wseventing xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

4.5.7. Debian Buster

Table 11. Available Modules in nxlog-5.0.5874_debian10_amd64.tar.bz2

27
Package Input Output Processor Extension
nxlog-5.0.5874_debian10_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog- im_checkpoint
checkpoint_5.0.5874_debian10_amd64.deb

nxlog-dbi_5.0.5874_debian10_amd64.deb im_dbi om_dbi

nxlog-java_5.0.5874_debian10_amd64.deb im_java om_java xm_java

nxlog-kafka_5.0.5874_debian10_amd64.deb im_kafka om_kafka

nxlog-odbc_5.0.5874_debian10_amd64.deb im_odbc om_odbc

nxlog-pcap_5.0.5874_debian10_amd64.deb im_pcap

nxlog-perl_5.0.5874_debian10_amd64.deb im_perl om_perl xm_perl

nxlog-python_5.0.5874_debian10_amd64.deb im_python om_python xm_python

nxlog-ruby_5.0.5874_debian10_amd64.deb im_ruby om_ruby xm_ruby

nxlog-systemd_5.0.5874_debian10_amd64.deb im_systemd

nxlog- im_wseventing
wseventing_5.0.5874_debian10_amd64.deb

nxlog-zmq_5.0.5874_debian10_amd64.deb im_zmq om_zmq

4.5.8. Debian Jessie

Table 12. Available Modules in nxlog-5.0.5874_debian8_amd64.tar.bz2

28
Package Input Output Processor Extension
nxlog-5.0.5874_debian8_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog- im_checkpoint
checkpoint_5.0.5874_debian8_amd64.deb

nxlog-dbi_5.0.5874_debian8_amd64.deb im_dbi om_dbi

nxlog-java_5.0.5874_debian8_amd64.deb im_java om_java xm_java

nxlog-kafka_5.0.5874_debian8_amd64.deb im_kafka om_kafka

nxlog-odbc_5.0.5874_debian8_amd64.deb im_odbc om_odbc

nxlog-pcap_5.0.5874_debian8_amd64.deb im_pcap

nxlog-perl_5.0.5874_debian8_amd64.deb im_perl om_perl xm_perl

nxlog-python_5.0.5874_debian8_amd64.deb im_python om_python xm_python

nxlog-ruby_5.0.5874_debian8_amd64.deb im_ruby om_ruby xm_ruby

nxlog-systemd_5.0.5874_debian8_amd64.deb im_systemd

nxlog- im_wseventing
wseventing_5.0.5874_debian8_amd64.deb

nxlog-zmq_5.0.5874_debian8_amd64.deb im_zmq om_zmq

4.5.9. Debian Stretch

Table 13. Available Modules in nxlog-5.0.5874_debian9_amd64.tar.bz2

29
Package Input Output Processor Extension
nxlog-5.0.5874_debian9_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog- im_checkpoint
checkpoint_5.0.5874_debian9_amd64.deb

nxlog-dbi_5.0.5874_debian9_amd64.deb im_dbi om_dbi

nxlog-java_5.0.5874_debian9_amd64.deb im_java om_java xm_java

nxlog-kafka_5.0.5874_debian9_amd64.deb im_kafka om_kafka

nxlog-odbc_5.0.5874_debian9_amd64.deb im_odbc om_odbc

nxlog-pcap_5.0.5874_debian9_amd64.deb im_pcap

nxlog-perl_5.0.5874_debian9_amd64.deb im_perl om_perl xm_perl

nxlog-python_5.0.5874_debian9_amd64.deb im_python om_python xm_python

nxlog-ruby_5.0.5874_debian9_amd64.deb im_ruby om_ruby xm_ruby

nxlog-systemd_5.0.5874_debian9_amd64.deb im_systemd

nxlog- im_wseventing
wseventing_5.0.5874_debian9_amd64.deb

nxlog-zmq_5.0.5874_debian9_amd64.deb im_zmq om_zmq

4.5.10. FreeBSD 11
Table 14. Available Modules in nxlog-5.0.5874_fbsd_x86_64.tgz

30
Package Input Output Processor Extension
nxlog-5.0.5874_fbsd_x86_64.tgz im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_bsm
im_bsm ch pm_hmac xm_cef
im_exec om_exec pm_hmac_che xm_charconv
im_file om_file ck xm_crypto
im_fim om_go pm_norepeat xm_csv
im_go om_http pm_null xm_exec
im_http om_java pm_pattern xm_filelist
im_internal om_null pm_transform xm_fileop
im_java om_pipe er xm_gelf
im_kernel om_raijin pm_ts xm_go
im_mark om_redis xm_grok
im_null om_ssl xm_java
im_pcap om_tcp xm_json
im_pipe om_udp xm_kvp
im_redis om_udpspoof xm_leef
im_ssl om_uds xm_msdns
im_tcp om_webhdfs xm_multiline
im_testgen xm_netflow
im_udp xm_nps
im_uds xm_pattern
im_wseventing xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.11. MacOS
Table 15. Available Modules in nxlog-5.0.5874_macos.pkg

31
Package Input Output Processor Extension
nxlog-5.0.5874_macos.pkg im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_bsm
im_bsm ch pm_hmac xm_cef
im_exec om_exec pm_hmac_che xm_charconv
im_file om_file ck xm_crypto
im_fim om_go pm_norepeat xm_csv
im_go om_http pm_null xm_exec
im_http om_java pm_pattern xm_filelist
im_internal om_kafka pm_transform xm_fileop
im_java om_null er xm_gelf
im_kafka om_pipe pm_ts xm_go
im_kernel om_raijin xm_grok
im_mark om_redis xm_java
im_null om_ssl xm_json
im_pcap om_tcp xm_kvp
im_pipe om_udp xm_leef
im_redis om_udpspoof xm_msdns
im_ssl om_uds xm_multiline
im_tcp om_webhdfs xm_netflow
im_testgen xm_nps
im_udp xm_pattern
im_uds xm_resolver
im_wseventing xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.12. Microsoft Windows 64bit

Table 16. Available Modules in nxlog-5.0.5874_windows_x64.msi

32
Package Input Output Processor Extension
nxlog-5.0.5874_windows_x64.msi im_azure om_batchcom pm_blocker xm_admin
im_batchcomp press pm_buffer xm_aixaudit
ress om_blocker pm_evcorr xm_asl
im_etw om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_exec pm_hmac_che xm_crypto
im_fim om_file ck xm_csv
im_go om_go pm_norepeat xm_exec
im_http om_http pm_null xm_filelist
im_internal om_java pm_pattern xm_fileop
im_java om_kafka pm_transform xm_gelf
im_kafka om_null er xm_go
im_mark om_odbc pm_ts xm_grok
im_mseventlo om_perl xm_java
g om_raijin xm_json
im_msvistalog om_redis xm_kvp
im_null om_ssl xm_leef
im_odbc om_tcp xm_msdns
im_perl om_udp xm_multiline
im_redis om_udpspoof xm_netflow
im_regmon om_webhdfs xm_nps
im_ssl xm_pattern
im_tcp xm_perl
im_testgen xm_resolver
im_udp xm_rewrite
im_winperfcou xm_snmp
nt xm_soapadmi
im_wseventing n
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.13. Microsoft Windows Nano

Table 17. Available Modules in nxlog-5.0.5874_nano.zip

33
Package Input Output Processor Extension
nxlog-5.0.5874_nano.zip im_azure om_batchcom pm_blocker java/jni/libjava
im_batchcomp press pm_buffer nxlog
ress om_blocker pm_evcorr xm_admin
im_etw om_elasticsear pm_filter xm_aixaudit
im_exec ch pm_hmac xm_asl
im_file om_exec pm_hmac_che xm_cef
im_fim om_file ck xm_charconv
im_go om_go pm_norepeat xm_crypto
im_http om_http pm_null xm_csv
im_internal om_java pm_pattern xm_exec
im_java om_kafka pm_transform xm_filelist
im_kafka om_null er xm_fileop
im_mark om_odbc pm_ts xm_gelf
im_mseventlo om_perl xm_go
g om_raijin xm_grok
im_msvistalog om_redis xm_java
im_null om_ssl xm_json
im_odbc om_tcp xm_kvp
im_perl om_udp xm_leef
im_redis om_udpspoof xm_msdns
im_regmon om_webhdfs xm_multiline
im_ssl xm_netflow
im_tcp xm_nps
im_testgen xm_pattern
im_udp xm_perl
im_winperfcou xm_resolver
nt xm_rewrite
im_wseventing xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.14. RPM Generic

Table 18. Available Modules in nxlog-5.0.5874_generic_rpm_x86_64.rpm

34
Package Input Output Processor Extension
nxlog-5.0.5874_generic_x86_64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_java om_java pm_transform xm_gelf
im_kafka om_kafka er xm_go
im_kernel om_null pm_ts xm_grok
im_linuxaudit om_pipe xm_java
im_mark om_raijin xm_json
im_null om_redis xm_kvp
im_pipe om_ssl xm_leef
im_redis om_tcp xm_msdns
im_ssl om_udp xm_multiline
im_tcp om_udpspoof xm_netflow
im_testgen om_uds xm_nps
im_udp om_webhdfs xm_pattern
im_uds xm_resolver
im_wseventing xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

4.5.15. SLES 12
Table 19. Available Modules in nxlog-5.0.5874_sles12_x86_64.tar.bz2

35
Package Input Output Processor Extension
nxlog-5.0.5874_sles12_x86_64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog-checkpoint-5.0.5874_sles12_x86_64.rpm im_checkpoint

nxlog-dbi-5.0.5874_sles12_x86_64.rpm im_dbi om_dbi

nxlog-java-5.0.5874_sles12_x86_64.rpm im_java om_java xm_java

nxlog-kafka-5.0.5874_sles12_x86_64.rpm im_kafka om_kafka

nxlog-odbc-5.0.5874_sles12_x86_64.rpm im_odbc om_odbc

nxlog-pcap-5.0.5874_sles12_x86_64.rpm im_pcap

nxlog-perl-5.0.5874_sles12_x86_64.rpm im_perl om_perl xm_perl

nxlog-python-5.0.5874_sles12_x86_64.rpm im_python om_python xm_python

nxlog-systemd-5.0.5874_sles12_x86_64.rpm im_systemd

nxlog-wseventing-5.0.5874_sles12_x86_64.rpm im_wseventing

nxlog-zmq-5.0.5874_sles12_x86_64.rpm im_zmq om_zmq

4.5.16. SLES 15
Table 20. Available Modules in nxlog-5.0.5874_sles15_x86_64.tar.bz2

36
Package Input Output Processor Extension
nxlog-5.0.5874_sles15_x86_64.rpm im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog-checkpoint-5.0.5874_sles15_x86_64.rpm im_checkpoint

nxlog-dbi-5.0.5874_sles15_x86_64.rpm im_dbi om_dbi

nxlog-java-5.0.5874_sles15_x86_64.rpm im_java om_java xm_java

nxlog-kafka-5.0.5874_sles15_x86_64.rpm im_kafka om_kafka

nxlog-odbc-5.0.5874_sles15_x86_64.rpm im_odbc om_odbc

nxlog-pcap-5.0.5874_sles15_x86_64.rpm im_pcap

nxlog-perl-5.0.5874_sles15_x86_64.rpm im_perl om_perl xm_perl

nxlog-python-5.0.5874_sles15_x86_64.rpm im_python om_python xm_python

nxlog-ruby-5.0.5874_sles15_x86_64.rpm im_ruby om_ruby xm_ruby

nxlog-systemd-5.0.5874_sles15_x86_64.rpm im_systemd

nxlog-wseventing-5.0.5874_sles15_x86_64.rpm im_wseventing

nxlog-zmq-5.0.5874_sles15_x86_64.rpm im_zmq om_zmq

4.5.17. Solaris 10 i386

Table 21. Available Modules in nxlog-5.0.5874_solaris_x86.pkg.gz

37
Package Input Output Processor Extension
nxlog-5.0.5874_solaris_x86.pkg.gz im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_bsm
im_bsm ch pm_hmac xm_cef
im_exec om_exec pm_hmac_che xm_charconv
im_file om_file ck xm_crypto
im_fim om_go pm_norepeat xm_csv
im_go om_http pm_null xm_exec
im_http om_java pm_pattern xm_filelist
im_internal om_null pm_transform xm_fileop
im_java om_pipe er xm_gelf
im_mark om_raijin pm_ts xm_go
im_null om_redis xm_grok
im_pipe om_ssl xm_java
im_redis om_tcp xm_json
im_ssl om_udp xm_kvp
im_tcp om_udpspoof xm_leef
im_testgen om_uds xm_msdns
im_udp om_webhdfs xm_multiline
im_uds xm_netflow
im_wseventing xm_nps
xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.18. Solaris 10 sparc

Table 22. Available Modules in nxlog-5.0.5874_solaris_sparc.pkg.gz

38
Package Input Output Processor Extension
nxlog-5.0.5874_solaris_sparc.pkg.gz im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_bsm
im_bsm ch pm_hmac xm_cef
im_exec om_exec pm_hmac_che xm_charconv
im_file om_file ck xm_crypto
im_fim om_go pm_norepeat xm_csv
im_go om_http pm_null xm_exec
im_http om_java pm_pattern xm_filelist
im_internal om_null pm_transform xm_fileop
im_java om_pipe er xm_gelf
im_mark om_raijin pm_ts xm_go
im_null om_redis xm_grok
im_pipe om_ssl xm_java
im_redis om_tcp xm_json
im_ssl om_udp xm_kvp
im_tcp om_udpspoof xm_leef
im_testgen om_uds xm_msdns
im_udp om_webhdfs xm_multiline
im_uds xm_netflow
im_wseventing xm_nps
xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_xml
xm_zlib

4.5.19. Ubuntu 16.04

Table 23. Available Modules in nxlog-5.0.5874_ubuntu16_amd64.tar.bz2

39
Package Input Output Processor Extension
nxlog-5.0.5874_ubuntu16_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog- im_checkpoint
checkpoint_5.0.5874_ubuntu16_amd64.deb

nxlog-dbi_5.0.5874_ubuntu16_amd64.deb im_dbi om_dbi

nxlog-java_5.0.5874_ubuntu16_amd64.deb im_java om_java xm_java

nxlog-kafka_5.0.5874_ubuntu16_amd64.deb im_kafka om_kafka

nxlog-odbc_5.0.5874_ubuntu16_amd64.deb im_odbc om_odbc

nxlog-pcap_5.0.5874_ubuntu16_amd64.deb im_pcap

nxlog-perl_5.0.5874_ubuntu16_amd64.deb im_perl om_perl xm_perl

nxlog-python_5.0.5874_ubuntu16_amd64.deb im_python om_python xm_python

nxlog-ruby_5.0.5874_ubuntu16_amd64.deb im_ruby om_ruby xm_ruby

nxlog-systemd_5.0.5874_ubuntu16_amd64.deb im_systemd

nxlog- im_wseventing
wseventing_5.0.5874_ubuntu16_amd64.deb

nxlog-zmq_5.0.5874_ubuntu16_amd64.deb im_zmq om_zmq

4.5.20. Ubuntu 18.04

Table 24. Available Modules in nxlog-5.0.5874_ubuntu18_amd64.tar.bz2

40
Package Input Output Processor Extension
nxlog-5.0.5874_ubuntu18_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog- im_checkpoint
checkpoint_5.0.5874_ubuntu18_amd64.deb

nxlog-dbi_5.0.5874_ubuntu18_amd64.deb im_dbi om_dbi

nxlog-java_5.0.5874_ubuntu18_amd64.deb im_java om_java xm_java

nxlog-kafka_5.0.5874_ubuntu18_amd64.deb im_kafka om_kafka

nxlog-odbc_5.0.5874_ubuntu18_amd64.deb im_odbc om_odbc

nxlog-pcap_5.0.5874_ubuntu18_amd64.deb im_pcap

nxlog-perl_5.0.5874_ubuntu18_amd64.deb im_perl om_perl xm_perl

nxlog-python_5.0.5874_ubuntu18_amd64.deb im_python om_python xm_python

nxlog-ruby_5.0.5874_ubuntu18_amd64.deb im_ruby om_ruby xm_ruby

nxlog-systemd_5.0.5874_ubuntu18_amd64.deb im_systemd

nxlog- im_wseventing
wseventing_5.0.5874_ubuntu18_amd64.deb

nxlog-zmq_5.0.5874_ubuntu18_amd64.deb im_zmq om_zmq

4.5.21. Ubuntu 20.04

Table 25. Available Modules in nxlog-5.0.5874_ubuntu20_amd64.tar.bz2

41
Package Input Output Processor Extension
nxlog-5.0.5874_ubuntu20_amd64.deb im_acct om_batchcom pm_blocker xm_admin
im_azure press pm_buffer xm_aixaudit
im_batchcomp om_blocker pm_evcorr xm_asl
ress om_elasticsear pm_filter xm_cef
im_exec ch pm_hmac xm_charconv
im_file om_eventdb pm_hmac_che xm_crypto
im_fim om_exec ck xm_csv
im_go om_file pm_norepeat xm_exec
im_http om_go pm_null xm_filelist
im_internal om_http pm_pattern xm_fileop
im_kernel om_null pm_transform xm_gelf
im_linuxaudit om_pipe er xm_go
im_mark om_raijin pm_ts xm_grok
im_null om_redis xm_json
im_pipe om_ssl xm_kvp
im_redis om_tcp xm_leef
im_ssl om_udp xm_msdns
im_tcp om_udpspoof xm_multiline
im_testgen om_uds xm_netflow
im_udp om_webhdfs xm_nps
im_uds xm_pattern
xm_resolver
xm_rewrite
xm_snmp
xm_soapadmi
n
xm_syslog
xm_w3c
xm_wtmp
xm_xml
xm_zlib

nxlog- im_checkpoint
checkpoint_5.0.5874_ubuntu20_amd64.deb

nxlog-dbi_5.0.5874_ubuntu20_amd64.deb im_dbi om_dbi

nxlog-java_5.0.5874_ubuntu20_amd64.deb im_java om_java xm_java

nxlog-kafka_5.0.5874_ubuntu20_amd64.deb im_kafka om_kafka

nxlog-odbc_5.0.5874_ubuntu20_amd64.deb im_odbc om_odbc

nxlog-pcap_5.0.5874_ubuntu20_amd64.deb im_pcap

nxlog-perl_5.0.5874_ubuntu20_amd64.deb im_perl om_perl xm_perl

nxlog-python_5.0.5874_ubuntu20_amd64.deb im_python om_python xm_python

nxlog-ruby_5.0.5874_ubuntu20_amd64.deb im_ruby om_ruby xm_ruby

nxlog-systemd_5.0.5874_ubuntu20_amd64.deb im_systemd

nxlog- im_wseventing
wseventing_5.0.5874_ubuntu20_amd64.deb

nxlog-zmq_5.0.5874_ubuntu20_amd64.deb im_zmq om_zmq

4.6. Modules by Package

Table 26. Input Modules

42
im_acct nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_aixaudit nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

im_azure nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

43
im_batchcompress nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_bsm nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)

nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)

im_checkpoint nxlog-checkpoint-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)

nxlog-checkpoint-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-checkpoint-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-checkpoint_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-checkpoint_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-checkpoint_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-checkpoint-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-checkpoint-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-checkpoint_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-checkpoint_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-checkpoint_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_dbi nxlog-dbi-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-dbi-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-dbi-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-dbi_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-dbi_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-dbi_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-dbi-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-dbi-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-dbi_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-dbi_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-dbi_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_etw nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)

nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)

44
im_exec nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_file nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

45
im_fim nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_go nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

46
im_http nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_internal nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

47
im_java nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-java-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-java-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-java-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-java-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-java_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-java_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-java_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-java-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-java-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-java_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-java_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-java_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_kafka nxlog-kafka-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-kafka-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-kafka-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-kafka-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-kafka_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-kafka_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-kafka_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-kafka-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-kafka-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-kafka_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-kafka_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-kafka_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_kernel nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

48
im_linuxaudit nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_mark nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

im_mseventlog nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)

nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)

im_msvistalog nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)

nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)

49
im_null nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_odbc nxlog-odbc-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-odbc-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-odbc-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-odbc-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-odbc_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-odbc_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-odbc_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-odbc-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-odbc-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-odbc_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-odbc_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-odbc_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_pcap nxlog-pcap-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-pcap-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-pcap-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-pcap_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-pcap_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-pcap_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-pcap-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-pcap-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-pcap_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-pcap_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-pcap_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

50
im_perl nxlog-perl-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-perl-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-perl-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-perl-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-perl_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-perl_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-perl_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-perl-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-perl-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-perl_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-perl_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-perl_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_pipe nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_python nxlog-python-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-python-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-python-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-python_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-python_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-python_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-python-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-python-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-python_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-python_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-python_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

51
im_redis nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_regmon nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)

nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)

im_ruby nxlog-ruby-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-ruby-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-ruby-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-ruby_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-ruby_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-ruby_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-ruby-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-ruby_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-ruby_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-ruby_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_ssl nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

52
im_systemd nxlog-systemd-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-systemd-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-systemd-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-systemd_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-systemd_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-systemd_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-systemd-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-systemd-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-systemd_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-systemd_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-systemd_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_tcp nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

im_testgen nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

53
im_udp nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_uds nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_winperfcount nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)

nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)

54
im_wseventing nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-wseventing-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-wseventing-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-wseventing-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-wseventing-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-wseventing_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-wseventing_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-wseventing_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-wseventing-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-wseventing-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-wseventing_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-wseventing_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-wseventing_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

im_zmq nxlog-zmq-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-zmq-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-zmq-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-zmq_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-zmq_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-zmq_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-zmq-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-zmq-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-zmq_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-zmq_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-zmq_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

Table 27. Output Modules

om_batchcompress nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

55
om_blocker nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_dbi nxlog-dbi-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

om_elasticsearch nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

56
om_eventdb nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_exec nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

om_file nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

57
om_go nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_http nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

58
om_java nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-java-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-java-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-java-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-java-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-java_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-java_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-java_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-java-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-java-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-java_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-java_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-java_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_kafka nxlog-kafka-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

59
om_null nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_odbc nxlog-odbc-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

om_perl nxlog-perl-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-perl-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-perl-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-perl-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-perl_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-perl_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-perl_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-perl-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-perl-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-perl_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-perl_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-perl_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

60
om_pipe nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_python nxlog-python-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

om_raijin nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

61
om_redis nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_ruby nxlog-ruby-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

om_ssl nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

62
om_tcp nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_udp nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

63
om_udpspoof nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_uds nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

64
om_webhdfs nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

om_zmq nxlog-zmq-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

Table 28. Extension Modules

[[modules_by_package_jav nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
a/jni/libjavanxlog]]java/jni/l
ibjavanxlog

65
xm_admin nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_aixaudit nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

66
xm_asl nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_bsm nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)

nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)

xm_cef nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

67
xm_charconv nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_crypto nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

68
xm_csv nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_exec nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

69
xm_filelist nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_fileop nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

70
xm_gelf nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_go nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

71
xm_grok nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_java nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

nxlog-java-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-java-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-java-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-java-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-java_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-java_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-java_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-java-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-java-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-java_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-java_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-java_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

72
xm_json nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_kvp nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

73
xm_leef nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_msdns nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

74
xm_multiline nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_netflow nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

75
xm_nps nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_pattern nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

xm_perl nxlog-perl-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

76
xm_python nxlog-python-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-python-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-python-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-python_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-python_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-python_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-python-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-python-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-python_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-python_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-python_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_resolver nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

xm_rewrite nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

77
xm_ruby nxlog-ruby-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-ruby-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-ruby-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-ruby_5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-ruby_5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-ruby_5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-ruby-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-ruby_5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-ruby_5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-ruby_5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_snmp nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

xm_soapadmin nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

78
xm_syslog nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_w3c nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

xm_wtmp nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)

79
xm_xml nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

xm_zlib nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

Table 29. Processor Modules

80
pm_blocker nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

pm_buffer nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

81
pm_evcorr nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

pm_filter nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

82
pm_hmac nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

pm_hmac_check nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

83
pm_norepeat nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

pm_null nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

84
pm_pattern nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

pm_transformer nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)

85
pm_ts nxlog-5.0.5874-1.aix7.1.ppc.rpm (AIX 7.1)
nxlog-5.0.5874_amzn2_aarch64.rpm (AmazonLinux 2)
nxlog-5.0.5874_rhel6_x86_64.rpm (CentOS 6, RHEL 6)
nxlog-5.0.5874_rhel7_x86_64.rpm (CentOS 7, RHEL 7)
nxlog-5.0.5874_rhel8_x86_64.rpm (CentOS 8, RHEL 8)
nxlog-5.0.5874_generic_deb_amd64.deb (DEB Generic)
nxlog-5.0.5874_debian10_amd64.deb (Debian Buster)
nxlog-5.0.5874_debian8_amd64.deb (Debian Jessie)
nxlog-5.0.5874_debian9_amd64.deb (Debian Stretch)
nxlog-5.0.5874_fbsd_x86_64.tgz (FreeBSD 11)
nxlog-5.0.5874_macos.pkg (MacOS)
nxlog-5.0.5874_windows_x64.msi (Microsoft Windows 64bit)
nxlog-5.0.5874_nano.zip (Microsoft Windows Nano)
nxlog-5.0.5874_generic_x86_64.rpm (RPM Generic)
nxlog-5.0.5874_sles12_x86_64.rpm (SLES 12)
nxlog-5.0.5874_sles15_x86_64.rpm (SLES 15)
nxlog-5.0.5874_solaris_x86.pkg.gz (Solaris 10 i386)
nxlog-5.0.5874_solaris_sparc.pkg.gz (Solaris 10 sparc)
nxlog-5.0.5874_ubuntu16_amd64.deb (Ubuntu 16.04)
nxlog-5.0.5874_ubuntu18_amd64.deb (Ubuntu 18.04)
nxlog-5.0.5874_ubuntu20_amd64.deb (Ubuntu 20.04)

86
Deployment

87
Chapter 5. Supported Platforms
The following operating systems and architectures are fully supported, except as noted. For more information
about types of log collection that are available for specific platforms, see the corresponding chapter in OS
Support.

Table 30. Supported GNU/Linux Platforms

Operating System Architectures

RedHat Enterprise Linux 6 x86 (see note), x86_64

RedHat Enterprise Linux 7 x86 (see note), x86_64

CentOS Linux 6 x86 (see note), x86_64

CentOS Linux 7 x86 (see note), x86_64

Debian GNU/Linux 8 (Jessie) x86 (see note), x86_64

Debian GNU/Linux 9 (Stretch) x86 (see note), x86_64

Ubuntu 14.04 (Trusty Tahr) x86 (see note), x86_64

Ubuntu 16.04 (Xenial Xerus) x86 (see note), x86_64

Ubuntu 18.04 (Bionic Beaver) x86 (see note), x86_64

SUSE Linux Enterprise Server 11 x86 (see note), x86_64

SUSE Linux Enterprise Server 12 x86 (see note), x86_64

SUSE Linux Enterprise Server 15 x86 (see note), x86_64

Other distributions (See note)

NXLog also provides generic packages compiled against glibc 2.5 to support RPM based legacy
distributions such as Redhat 5.11 and SLES 11 on both 32 and 64 bit hardware.

NOTE
The packages are named as nxlog-X.XX.XXXX_generic_glibc2.5_rpm_x86_64.rpm and
nxlog-X.XX.XXXX_generic_glibc2.5_rpm_i386.rpm respectively and available in the beta
version as well.

For a listing of GNU/Linux-related log sources, see GNU/Linux.

Table 31. Supported BSD Platforms

Operating System Architectures

FreeBSD 11 x86 (see note), x86_64

OpenBSD 6.0 x86 (see note), x86_64

OpenBSD 6.2 x86 (see note), x86_64

For listings of BSD-related log sources, see FreeBSD and OpenBSD.

Under the Technical Support Services Agreement, Linux and BSD binary packages may be provided
NOTE upon request for operating systems that have reached their end-of-life date (like RHEL 5), for
legacy 32-bit hardware, or for less common distributions (such as Linux Mint).

Table 32. Supported Windows Platforms

Operating System Architectures

Microsoft Windows Server 2008 x86_64

88
Operating System Architectures
Microsoft Windows Server 2012 x86_64

Microsoft Windows Server 2016 (Certified) x86_64

Microsoft Windows Server 2019 (Certified) x86_64

Microsoft Windows Nano Server x86_64 (see note)

Microsoft Windows Vista x86_64

Microsoft Windows 7 x86_64

Microsoft Windows 8 x86_64

Microsoft Windows 10 x86_64

For a listing of Windows-related log sources, see Microsoft Windows.

While the im_odbc input module is included in the Windows Nano Server package, currently
NOTE
Microsoft does not provide a reverse forwarder to support the ODBC API.

Table 33. Other Supported Platforms

Operating System Architectures

Apple OS X 10.11 (El Capitan) x86_64

Apple macOS 10.12 (Sierra) x86_64

Apple macOS 10.13 (High Sierra) x86_64

Apple macOS 10.14 (Mojave) x86_64

Docker x86_64

IBM AIX 7.1 PowerPC

IBM AIX 7.2 PowerPC

Oracle Solaris 10 x86, SPARC

Oracle Solaris 11 x86, SPARC

For log sources of the above platforms, see Apple macOS, IBM AIX, and Oracle Solaris.

The following Microsoft Windows operating systems are unsupported due to having reached end-of-life status,
but are known to work with NXLog.

Table 34. End-of-Life Windows Platforms

Operating System Architectures

Microsoft Windows XP x86, x86_64

Microsoft Windows Server 2000 x86

Microsoft Windows Server 2003 x86, x86_64

89
Chapter 6. Product Life Cycle
NXLog Enterprise Edition, NXLog Community Edition, and NXLog Manager all use the versioning scheme X.Y.Z.

• X denotes the MA JOR release version. Long-term support is provided for each major release when
applicable.
• Y denotes the MINOR version. Minor releases provide backward compatible enhancements and features
during the lifetime of a major release.
• Z denotes the REVISION NUMBER. Hot-fix revisions may be released within the same minor version.

Upgrades within the same major version are backward compatible. Features and changes that may not be
backward compatible are added to major releases only.

For supported products, the end-of-life (EOL) date is at least one year after the next major version is released.

Table 35. End-of-Life for NXLog Products

NXLog Product End-of-Life

NXLog Enterprise Edition 3.x 2019-01-01

NXLog Enterprise Edition 4.x One year after the release of NXLog Enterprise Edition 5.0

NXLog Manager 4.x 2019-01-01

NXLog Manager 5.x One year after the release of NXLog Manager 6.0

NXLog Community Edition No official support

90
Chapter 7. System Requirements
In order to function efficiently, each NXLog product requires a certain amount of available system resources on
the host system. The table below provides general guidelines to use when planning an NXLog deployment. Actual
system requirements will vary based on the configuration and event rate; therefore, both minimum and
recommended requirements are listed. Always thoroughly test a deployment to verify that the desired
performance can be achieved with the system resources available.

These requirements are in addition to the operating system’s requirements, and the
NOTE requirements should be combined with the NXLog Manager’s System Requirements
cumulatively for systems running both NXLog Enterprise Edition and NXLog Manager.

Table 36. NXLog Enterprise Edition Requirements

Minimum Recommende
d
Processor cores 1 2

Memory/RAM 60 MB 250 MB

Disk space 50 MB 150 MB

91
Chapter 8. Digital Signature Verification
Security regulations for organizations may require verifying the identity of software sources as well as the
integrity of the software obtained from those software sources. In order to facilitate such regulation compliance,
and to guarantee the authenticity and integrity of downloaded installer files, NXLog installer packages are
digitally signed.

In some cases, like with RPM packages, a public key is required to verify the digital signature. For this, the Public
PGP Key can be downloaded from NXLog’s public contrib repository.

8.1. Signature Verification for RPM Packages

The procedure is the same for SUSE Linux Enterprise Server, Red Hat Enterprise Linux, and CentOS. However,
there is a slight difference in the output messages as noted below.

This example uses the generic RPM package. Change the name of the package to match the
NOTE
package used in your environment.

1. Import the downloaded NXLog public key into the RPM with the following command:

# rpm --import nxlog-pubkey.asc

2. Verify the package signature with the imported public key using the following command:

# rpm --checksig nxlog-{productVersion}_generic_rpm_x86_64.rpm.

3. The output should look similar to the following examples.

On SUSE Linux Enterprise Server:

nxlog-{productVersion}_generic_rpm_x86_64.rpm: digests signatures OK

On Red Hat Enterprise Linux and CentOS:

nxlog-{productVersion}_generic_rpm_x86_64.rpm: rsa sha1 (md5) pgp md5 OK

8.2. Signature Verification for Windows

To verify the installer package for Windows before installing, follow these steps:

1. Right-click the downloaded installer file, then select Properties.

2. Select the Digital Signatures tab.

NXLog is displayed as a signer for the installer. The algorithm used for the signature and the timestamp is
also visible.

3. In the Signature list, select NXLog, then click Details to display additional information about the signature.

In the General tab, the signer information and countersignatures are displayed. Click on View Certificate to
display the certificate or select the Advanced tab to display signature details.

8.3. Signature Verification on macOS

To verify the installer package for macOS before installing, follow these steps:

92
1. Double-click the installer package.
2. Click on the padlock icon in the upper-right corner of the installer window to display information about the
certificate.

For valid packages a green tick is displayed, indicating the validity of the certificate.

3. Click on the triangle next to Details to display additional information about the certificate.

93
Chapter 9. Red Hat Enterprise Linux & CentOS
9.1. Installing
1. Download the appropriate NXLog installation file from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, choose the correct file for the target
platform.

Table 37. Available RHEL/CentOS Files

Platform Archive
RHEL 6 or CentOS 6 nxlog-5.0.5876_rhel6_x86_64.tar.bz2

RHEL 7 or CentOS 7 nxlog-5.0.5876_rhel7_x86_64.tar.bz2

Generic RPM nxlog-5.0.5876_generic_rpm_x86_64.rpm

The RHEL 6 and RHEL 7 archives above each contain several RPMs (see Packages in a
RHEL Archive below). These RPMs have dependencies on system-provided RPMs.

NOTE The generic RPM above contains all the libraries (such as libpcre and libexpat) that are
needed by NXLog. The only dependency is libc. However, some modules are not
available (im_checkpoint, for example). The advantage of the generic RPM is that it can
be installed on most RPM-based Linux distributions.

2. Transfer the file to the target server using SFTP or a similar secure method.
3. Log in to the target server and extract the contents of the archive (unless you are using the generic package):

# tar -xf nxlog-5.0.5876_rhel7.x86_64.tar.bz2

Table 38. Packages in a RHEL Archive

Package Description
nxlog-5.0.5876_rhel7.x86_64.rpm The main NXLog package

nxlog-checkpoint-5.0.5876_rhel7.x86_64.rpm Provides the im_checkpoint module

nxlog-dbi-5.0.5876_rhel7.x86_64.rpm Provides the im_dbi and om_dbi modules

nxlog-odbc-5.0.5876_rhel7.x86_64.rpm Provides the im_odbc and om_odbc modules

nxlog-perl-5.0.5876_rhel7.x86_64.rpm Provides the xm_perl, im_perl, and om_perl modules

nxlog-wseventing-5.0.5876_rhel7.x86_64.rpm Provides the im_wseventing module

nxlog-zmq-5.0.5876_rhel7.x86_64.rpm Provides the im_zmq and om_zmq modules

4. Install the NXLog package(s) and their dependencies.

a. Optional: To change the NXLog user and group for the installation, set the NXLOG_USER and
NXLOG_GROUP environment variables. During installation a new user and and a new group will be created
based on these environment variables. They will be used for User and Group directives in nxlog.conf,
and for the ownership of some directories under /opt/nxlog. Specifying an already existing user or
group is not supported. The created user and group will be deleted on NXLog removal.

# export NXLOG_USER=nxlog2
# export NXLOG_GROUP=nxlog2

94
b. If you are installing the nxlog-zmq package, enable the EPEL repository so ZeroMQ dependencies will be
available:

# yum install -y epel-release

c. Use yum to install the required NXLog packages (or the generic package) and dependencies.

# yum install nxlog-5.0.5876_rhel7.x86_64.rpm

5. Configure NXLog by editing /opt/nxlog/etc/nxlog.conf. General information about configuring NXLog

can be found in Configuration. For more details about configuring NXLog to collect logs on Linux, see the
GNU/Linux summary.
6. Verify the configuration file syntax.

# /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

7. Start the service using the service command:

# service nxlog start

8. Check that the NXLog service is running.

# service nxlog status

nxlog (pid 9218) is running...

9.2. Upgrading
To upgrade an NXLog installation to the latest release, use yum as in the installation instructions above.

# yum install nxlog-5.0.5876_rhel7.x86_64.rpm

To replace a trial installation of NXLog Enterprise Edition with a licensed copy of the same version, follow the
installation instructions.

The same user and group will be used for the upgrade as was used for the original installation
NOTE (see installation step 4 above). Changing to a different user and group during upgrade is not
supported.

9.3. Uninstalling
To uninstall NXLog, use yum remove. To remove any packages that were dependencies of NXLog but are not
required by any other packages, include the --setopt=clean_requirements_on_remove=1 option. Verify the
operation before confirming!

# yum remove 'nxlog-*'

This procedure may not remove all files that were created while configuring NXLog. Likewise,
any files created as a result of NXLog’s logging operations will not be removed. To find these
NOTE
files, examine the configuration files that were used with NXLog and check the installation
directory (/opt/nxlog).

95
Chapter 10. Debian & Ubuntu
10.1. Installing
1. Download the appropriate NXLog installation file from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, download the correct file for the target
platform.

Table 39. Available Debian/Ubuntu Archives

Platform Archive
Debian 8 (Jessie) nxlog-5.0.5876_debian8_amd64.tar.bz2

Debian 9 (Stretch) nxlog-5.0.5876_debian9_amd64.tar.bz2

Ubuntu 14.04 (Trusty Tahr) nxlog-5.0.5876_ubuntu14_amd64.tar.bz2

Ubuntu 16.04 (Xenial Xerus) nxlog-5.0.5876_ubuntu16_amd64.tar.bz2

Ubuntu 18.04 (Bionic Beaver) nxlog-5.0.5876_ubuntu18_amd64.tar.bz2

Generic DEB nxlog-5.0.5876_generic_deb_amd64.deb

2. Transfer the file to the target server using SFTP or a similar secure method.
3. Log in to the target server and extract the contents of the archive (unless you are using the generic package):

# tar -xjf nxlog-5.0.5876_debian9_amd64.tar.bz2

Table 40. Packages in a Debian/Ubuntu Archive

Package Description
nxlog-5.0.5876_amd64.deb The main NXLog package

nxlog-checkpoint-5.0.5876_amd64.deb Provides the im_checkpoint module

nxlog-dbi-5.0.5876_amd64.deb Provides the im_dbi and om_dbi modules

nxlog-odbc-5.0.5876_amd64.deb Provides the im_odbc and om_odbc modules

nxlog-perl-5.0.5876_amd64.deb Provides the xm_perl, im_perl, and om_perl modules

nxlog-wseventing-5.0.5876_amd64.deb Provides the im_wseventing module

nxlog-zmq-5.0.5876_amd64.deb Provides the im_zmq and om_zmq modules

4. Install the NXLog package(s) and their dependencies.

# export NXLOG_USER=nxlog2
# export NXLOG_GROUP=nxlog2

b. Use dpkg to install the required NXLog packages (or the generic package, if you are using that).

# dpkg -i nxlog-5.0.5876_amd64.deb

96
c. If dpkg returned errors about uninstalled dependencies, use apt-get to install them and complete the
NXLog installation.

# apt-get -f install

5. Configure NXLog by editing /opt/nxlog/etc/nxlog.conf. General information about configuring NXLog

can be found in Configuration. For more details about configuring NXLog to collect logs on Linux, see the
GNU/Linux summary.
6. Verify the configuration file syntax.

# /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

7. Start the service using the service command:

# service nxlog start

8. Check that the NXLog service is running with the service command.

# service nxlog status

● nxlog.service - LSB: logging daemon
Loaded: loaded (/etc/init.d/nxlog)
Active: active (running) since Wed 2016-10-19 22:21:36 BST; 3h 49min ago
Process: 518 ExecStart=/etc/init.d/nxlog start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/nxlog.service
└─6297 /opt/nxlog/bin/nxlog
[...]

10.2. Upgrading
To upgrade an NXLog installation to the latest release, or to replace a trial installation of NXLog Enterprise Edition
with a licensed copy, use dpkg as explained in the installation instructions above.

# dpkg -i nxlog-5.0.5876_amd64.deb

When upgrading to a licensed copy with additional NXLog trial packages installed, such as nxlog-
trial-python, use dpkg -i --auto-configure.

NOTE # dpkg -i --auto-configure nxlog-5.0.5876_amd64.deb \

nxlog-python_5.0.5876_amd64.deb

Make sure to edit this example to include all nxlog-trial packages that are actually installed.

If dpkg returns errors about uninstalled dependencies, resolve with apt-get.

# apt-get -f install

The same user and group will be used for the upgrade as was used for the original installation
NOTE (see installation step 4a above). Changing to a different user and group during upgrade is not
supported.

10.3. Uninstalling
To uninstall NXLog, use apt-get. To remove any unused dependencies (system-wide), include the --auto
-remove option. Verify the operation before confirming!

97
# apt-get remove '^nxlog*'

Use apt-get purge instead to also remove configuration files. But in either case, this
procedure may not remove all files that were created in order to configure NXLog, or that were
NOTE
created as a result of NXLog’s logging operations. To find these files, consult the configuration
files that were used with NXLog and check the installation directory (/opt/nxlog).

98
Chapter 11. SUSE Linux Enterprise Server
11.1. Installing
1. Download the appropriate NXLog install archive from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, choose the correct archive for your system.

Table 41. Available SLES Files

Platform Archive
SUSE Linux Enterprise Server 11 nxlog-5.0.5876_sles11_x86_64.tar.bz2

SUSE Linux Enterprise Server 12 nxlog-5.0.5876_sles12_x86_64.tar.bz2

SUSE Linux Enterprise Server 15 nxlog-5.0.5876_sles15_x86_64.tar.bz2

The SLES 11, SLES 12 and SLES 12 archives above each contain several RPMs (see
NOTE Packages in an SLES Archive below). These RPMs have dependencies on system-
provided RPMs.

2. Use SFTP or a similar secure method to transfer the archive to the target server.
3. Log in to the target server and extract the contents of the archive.

# tar xjf nxlog-5.0.5876_sles12_x86_64.tar.bz2

Table 42. Packages in an SLES Archive

Package Description
nxlog-5.0.5876_sles12.x86_64.rpm The main NXLog package

nxlog-dbi-5.0.5876_sles12.x86_64.rpm Provides the im_dbi and om_dbi modules

nxlog-odbc-5.0.5876_sles12.x86_64.rpm Provides the im_odbc and om_odbc modules

nxlog-perl-5.0.5876_sles12.x86_64.rpm Provides the xm_perl, im_perl, and om_perl modules

nxlog-wseventing-5.0.5876_sles12.x86_64.rpm Provides the im_wseventing module

4. Optional: To change the NXLog user and group for the installation, set the NXLOG_USER and NXLOG_GROUP
environment variables. During installation a new user and and a new group will be created based on these
environment variables. They will be used for User and Group directives in nxlog.conf, and for the
ownership of some directories under /opt/nxlog. Specifying an already existing user or group is not
supported. The created user and group will be deleted on NXLog removal.

# export NXLOG_USER=nxlog2
# export NXLOG_GROUP=nxlog2

5. Install the required NXLog packages and their dependencies (this example installs the main NXLog package
only).

# zypper install nxlog-5.0.5876_sles12.x86_64.rpm

6. Configure NXLog by editing /opt/nxlog/etc/nxlog.conf. General information about configuring NXLog

can be found in Configuration. For more details about configuring NXLog to collect logs on Linux, see the
GNU/Linux summary.
7. Verify the configuration file syntax.

99
# /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

8. Start the service using the service command:

# systemctl start nxlog.service

9. Check that the NXLog service is running with the systemctl command.

# systemctl | grep nxlog

nxlog.service loaded active running LSB: logging daemon

11.2. Upgrading
To update an NXLog installation to the latest release, use zypper as in the installation instructions above.

# zypper install nxlog-5.0.5876_sles12.x86_64.rpm

To replace a trial installation of NXLog Enterprise Edition with a licensed copy of the same version, follow the
installation instructions.

11.3. Uninstalling
To uninstall NXLog, use zypper remove. To remove any packages that were dependencies of NXLog but are not
required by any other packages, include the --clean-deps option. Verify the operation before confirming!

# zypper remove 'nxlog*'

100
Chapter 12. FreeBSD
12.1. Installing
NXLog is available as a precompiled package for FreeBSD. Follow these steps to install NXLog.

1. Download the appropriate NXLog install archive from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, choose the nxlog-
5.0.5876_fbsd_x86_64.tgz package.

2. Use SFTP or a similar secure method to transfer the archive to the target server.
3. Log in to the target server as the root user.
4. Optional: To change the NXLog user and group for the installation, set the NXLOG_USER and NXLOG_GROUP
environment variables. During installation a new user and and a new group will be created based on these
environment variables. They will be used for User and Group directives in nxlog.conf, and for the
ownership of some directories under /opt/nxlog. Specifying an already existing user or group is not
supported. The created user and group will be deleted on NXLog removal.

# setenv NXLOG_USER nxlog2

# setenv NXLOG_GROUP nxlog2

5. Install NXLog with the pkg(7) utility.

# pkg add nxlog-5.0.5876_fbsd_x86_64.tgz

Installing nxlog-5.0.5876-fbsd...
Extracting nxlog-5.0.5876-fbsd: 100%

The installation path is /opt/nxlog. Configuration files are located in /opt/nxlog/etc. The rc init script is
placed in /etc/rc.d/ on installation. An nxlog user account is created, and NXLog will run under this user
by default.

6. Edit the configuration file.

# vi /opt/nxlog/etc/nxlog.conf

General information about configuring NXLog can be found in Configuration. For more details about
configuring NXLog to collect logs on BSD, see the FreeBSD summary.

7. Verify the configuration file syntax.

# /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

8. To enable NXLog, add the line nxlog_enable="YES" to /etc/rc.conf. Then manage the NXLog service with
the service(8) utility.

# service nxlog start

# service nxlog status
nxlog is running as pid 83708.
# service nxlog stop
process 83708 stopped

101
12.2. Upgrading
To upgrade NXLog, first remove the old version and then install the new version.

1. Remove the installed version of NXLog with the pkg(7) utility.

# pkg delete nxlog

Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages
in the universe):

Installed packages to be REMOVED:

nxlog-5.0.5876-fbsd

Number of packages to be removed: 1

The operation will free 39 MiB.

Proceed with deinstalling packages? [y/N]: y

[1/1] Deinstalling nxlog-5.0.5876-fbsd...
[1/1] Deleting files for nxlog-5.0.5876-fbsd: 100%

2. Install the new version as described in the installation instructions above.

# pkg add nxlog-5.0.5876_fbsd_x86_64.tgz

Installing nxlog-5.0.5876-fbsd...
Extracting nxlog-5.0.5876-fbsd: 100%

3. Restart the NXLog service.

# service nxlog restart

12.3. Uninstalling
1. Use the pkg(7) utility to uninstall the NXLog package.

# pkg delete nxlog

Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages
in the universe):

Installed packages to be REMOVED:

nxlog-5.0.5876-fbsd

Number of packages to be removed: 1

The operation will free 92 MiB.

Proceed with deinstalling packages? [y/N]: y

[1/1] Deinstalling nxlog-5.0.5876-fbsd...
[1/1] Deleting files for nxlog-5.0.5876-fbsd: 100%

The uninstall script will remove NXLog along with the user, group, and files. The pkg utility will not remove
new or modified files.

2. Manually remove the base directory. This will remove any new or modified files left behind by the previous
step.

102
# rm -rf /opt/nxlog

103
Chapter 13. OpenBSD
13.1. Installing
NXLog is available as precompiled packages for OpenBSD. Follow these steps to install NXLog.

Table 43. Available OpenBSD Packages

Platform Package
OpenBSD 6.0 nxlog-5.0.5876-obsd6_0_x86_64.tgz

OpenBSD 6.2 nxlog-5.0.5876-obsd6_2_x86_64.tgz

# export NXLOG_USER=nxlog2
# export NXLOG_GROUP=nxlog2

5. Install NXLog with the pkg_add(1) utility. The OpenBSD package is currently unsigned, use the -D unsigned
flag to install.

# pkg_add -D unsigned nxlog-5.0.5876-obsd6_2_x86_64.tgz

nxlog-5.0.5876-obsd6_2: ok
The following new rcscripts were installed: /etc/rc.d/nxlog
See rcctl(8) for details.

The installation prefix is /opt/nxlog. Configuration files are located in /opt/nxlog/etc. The rc init script is
placed in /etc/rc.d on installation.

6. Edit the configuration file.

# vi /opt/nxlog/etc/nxlog.conf

General information about configuring NXLog can be found in Configuration. For more details about
configuring NXLog to collect logs on BSD, see the OpenBSD summary.

7. Verify the configuration file syntax.

# /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

8. Manage the service using the rcctl(8) utility.

104
# rcctl enable nxlog
# rcctl start nxlog
nxlog(ok)
# rcctl stop nxlog
nxlog(ok)
# rcctl disable nxlog

You can also use rcctl(8) to check and set the configuration flags.

# rcctl set nxlog flags -c /tmp/sample-nxlog.conf

# rcctl get nxlog
nxlog_class=daemon
nxlog_flags=-c /tmp/sample-nxlog.conf
nxlog_rtable=0
nxlog_timeout=30
nxlog_user=root
# rcctl reload nxlog

9. Check the NXLog service status using rcctl(8).

# rcctl check nxlog

nxlog(ok)

13.2. Upgrading
To upgrade from a previous NXLog version (whether a licensed copy or trial), use the pkg_add(1) utility. This
example shows an upgrade from version 3.0.1865 to 5.0.5876.

# pkg_add -U nxlog-5.0.5876-obsd6_2_x86_64.tgz
nxlog-3.0.1865-obsd6_2\->5.0.5876-obsd6_2: ok
Read shared items: ok

To replace a trial installation of NXLog Enterprise Edition with a licensed copy of the same version, use pkg_add
with the replace flag (-r).

# pkg_add -r nxlog-5.0.5876-obsd6_2_x86_64.tgz

13.3. Uninstalling
To uninstall NXLog, follow these steps.

1. Use the pkg_delete(1) utility to remove the nxlog package.

# pkg_delete nxlog
nxlog-5.0.5876-obsd6_2: ok
Read shared items: ok
--- -nxlog-5.0.5876-obsd6_2 -------------------

The uninstall script will remove NXLog along with the user, group, and files. The pkg_delete utility will not
remove new files or modified configuration files.

2. Manually remove the base directory. This will remove any new or modified files left behind by the previous
step.

105
# rm -rf /opt/nxlog

106
Chapter 14. Microsoft Windows
14.1. Installing
First, download the NXLog MSI file from the NXLog website.

1. Log in to your account, then click My account at the top of the page.
2. Under the Downloads › NXLog Enterprise Edition files tab, choose the correct package for your system.

Table 44. Available Windows Installers

Platform Package
Microsoft Windows, 32-bit nxlog-5.0.5876_windows_x86.msi

Microsoft Windows, 64-bit nxlog-5.0.5876_windows_x64.msi

Using the 32-bit installer to install NXLog on a 64-bit system is unsupported and not
recommended. To override the installer check and proceed anyway, use the
WARNING
SKIP_X64_CHECK=1 property (for example, msiexec /i nxlog-
5.0.5876_windows_x64.msi /q SKIP_X64_CHECK=1).

There are several ways that NXLog can be installed on Windows.

• Installing Interactively
• Installing with Msiexec
• Deploying via Group Policy

See also the MSI for NXLog Agent Setup add-on, which provides an example MSI package for bootstrapping
NXLog agents.

The service Startup type of newer versions of NXLog is set to Automatic (Delayed Start)
NOTE instead of Automatic. To change this option, open the service control manager and alter the
Startup type in the General tab.

14.1.1. Installing Interactively

1. Run the installer by double-clicking the MSI file. After accepting the license agreement an option for choosing
an alternate installation directory is presented. Click [ Install ], to start the installation. Click [ Finish ] once it
has completed which will result in the README.txt file being opened by Notepad.
2. Configure NXLog by editing nxlog.conf (by default, C:\Program Files\nxlog\conf\nxlog.conf). General
information about configuring NXLog can be found in Configuration. For more details about configuring
NXLog to collect logs on Windows, see the Microsoft Windows summary.
3. The configuration file syntax can be checked by running the NXLog executable with the -v (verify) option.

> "C:\Program Files\nxlog\nxlog.exe" -v

2017-03-17 08:05:06 INFO configuration OK

4. Start NXLog by opening the Service Manager, finding the nxlog service in the list, and starting it. To run it in
the foreground instead, invoke the nxlog.exe executable with the -f command line argument.
5. Open the NXLog log file (by default, C:\Program Files\nxlog\data\nxlog.log) with Notepad and check
for errors.

107
Some text editors (such as Wordpad) use exclusive locking and will refuse to open the log
NOTE
file while NXLog is running.

14.1.2. Installing with Msiexec

Msiexec can be used for performing an unattended installation of NXLog. This command does not prompt the
user at all, but it must be run as administrator.

> msiexec /i nxlog-5.0.5876_windows_x64.msi /q

To allow Windows to prompt for administrator privileges, but otherwise install unattended, use /qb instead.

> msiexec /i nxlog-5.0.5876_windows_x64.msi /qb

To specify a non-default installation directory, use the INSTALLDIR property.

> msiexec /i nxlog-5.0.5876_windows_x64.msi /q INSTALLDIR="C:\nxlog"

14.1.3. Deploying via Group Policy

For large deployments, it may be convenient to use Group Policy to manage the NXLog installation.

These steps were tested with a Windows Server 2016 domain controller and a Windows 7 client.
NOTE There are multiple ways to configure NXLog deployment with Group Policy. The required steps
for your network may vary from those listed below.

1. Log on to the server as an administrator.

2. Set up an Active Directory group for computers requiring an NXLog installation. NXLog will be automatically
installed and configured on each computer in this group.
a. Open the Active Directory Users and Groups console (dsa.msc).

b. Under the domain, right-click on Computers and click New › Group.

c. Provide a name for the group (for example, nxlog). Use the Security group type and Global context (or
the context suitable for your case).
d. Add computers to the group by selecting one or more, clicking Actions › Add to a group…, and entering
the group name (nxlog).
3. Create a network share for distributing the NXLog files.
a. Create a folder in the desired location (for example, C:\nxlog-dist).

b. Set up the folder as a share: right-click, select Properties, open the Sharing tab, and click [ Share… ].
c. Add the group (nxlog) and click [ Share ]. Take note of the share name provided by the wizard, it will be
needed later (for example, \\WINSERV1\nxlog-dist).
d. Copy the required files to the shared folder. If using NXLog Manager, this will include at least three files:
nxlog-5.0.5876_windows_x64.msi, managed.conf, and CA certificate agent-ca.pem. If not using
NXLog Manager, use a custom nxlog.conf instead of managed.conf, omit the CA certificate, and include
any other files required by the configuration.

NOTE
The file managed.conf is located in the C:\Program Files\nxlog\conf\nxlog.d\ directory. Prior
to NXLog version 5, it had the name log4ensics.conf and was located in the C:\Program
Files\nxlog\conf\ directory.

108
4. Create a Group Policy Object (GPO) for the NXLog deployment.
a. Open the Group Policy Management console (gpmc.msc).

b. In the console tree, under Domains, right-click on your domain and click Create a GPO in this domain,
and Link it here…; this will create a GPO under the Group Policy Objects folder and link it to the
domain.
c. Name the GPO (for example, nxlog) and click [ OK ].

d. Select the newly created GPO in the tree.

e. In the Security Filtering list, add the Active Directory group created in step 2 (nxlog). Remove anything
else.
f. Right-click on the GPO and click Edit. The Group Policy Management Editor console will be opened for
editing the GPO.
5. Add the NXLog MSI to the GPO.

Figure 1. Configured NXLog GPO

a. Under Computer Configuration › Policies › Software Settings, right-click Software installation. Click
New › Package… to create a deployment package for NXLog.
b. Browse to the network share and open the nxlog-5.0.5876_windows_x64.msi package. It is important
to use the Uniform Naming Convention (UNC) path (for example, \\WINSERV1\nxlog-dist) so the file
will be accessible by remote computers.
c. Select the Assigned deployment method.
6. Add the required files to the GPO by following these steps for each file.
a. Under Computer Configuration › Preferences › Windows Settings, right-click on Files. Click New ›
File.
b. Select the Replace action in the drop-down.
c. Choose the source file on the network share (for example, \\WINSERV1\nxlog-dist\managed.conf or
\\WINSERV1\nxlog-dist\agent-ca.pem).

d. Type in the destination path for the file (for example, C:\Program
Files\nxlog\conf\nxlog.d\managed.conf or C:\Program Files\nxlog\cert\agent-ca.pem).

e. Check Apply once and do not reapply under the Common tab for files that should only be deployed

109
once. This is especially important for managed.conf because NXLog Manager will write configuration
changes to that file.
f. Click [ OK ] to create the File in the GPO.
7. After the Group Policy is updated on the clients and NXLog is installed, one more reboot will be required
before the NXLog service starts automatically.

For more information about Group Policy, see the following TechNet and MSDN articles:

• Group Policy for Beginners,

• Group Policy Planning and Deployment Guide,
• Step-by-Step Guide to Understanding the Group Policy Feature Set, and
• Step-by-Step Guide to Software Installation and Maintenance.

14.2. Upgrading
To upgrade NXLog to the latest release, or to replace a trial installation of NXLog Enterprise Edition with a
licensed copy, follow these steps.

1. Run the new MSI installer as described in the Installing section (interactively, with Msiexec, or via Group
Policy). The installer will detect the presence of the previous version and perform the upgrade within the
current installation directory.

To upgrade from v3.x, uninstall the previous version before installing the new version (see
Uninstalling). This is necessary to transition from a per-user to a per-machine installation.
NOTE This check can be skipped by passing the SKIP_PERUSER_CHECK property (such as msiexec
/i nxlog-5.0.5876_windows_x64.msi /q SKIP_PERUSER_CHECK=1). Note that using
SKIP_PERUSER_CHECK is unsupported and not recommended.

If the Services console (services.msc) is running, the installer may request the computer
NOTE to be rebooted or display a permission denied error. Please ensure that the Services
console is not running before attempting an upgrade.

2. Start the upgraded NXLog service via the Services console (services.msc) or by rebooting the system.
Check the log file (by default, C:\Program Files\nxlog\data\nxlog.log) to verify logging is working as
expected.

For Group Policy deployments, follow these steps:

1. Download the new MSI package as described in the Installing introduction.

2. Place the new MSI in the distribution share (see Create a network share).
3. Add this MSI as a new package to the NXLog GPO (follow the steps under Add the NXLog MSI).
4. Right-click on the new package and click Properties. Open the Upgrades tab, click [ Add… ], select the
previous version from the list, and click [ OK ].

If you want to downgrade to a previous version of NXLog, you will need to manually uninstall the
NOTE
current version first. See Uninstalling.

14.3. Uninstalling
NXLog can be uninstalled in several different ways.

• From the Control Panel (not discussed here).

110
• By using msiexec and the original NXLog MSI.

• Via the GPO it was originally deployed with in an AD Domain environment.

• Via a downloadable batch script.

In addition to the above, NXLog provides a method to remove the Windows Registry traces after uninstalling.

NXLog v3.x installers will remove log4ensics.conf and nxlog.conf during the
WARNING uninstallation process, even if they have been modified. If these files need to be preserved,
they should be backed up to another location before uninstalling NXLog v3.x.

14.3.1. Uninstalling with msiexec

Uninstall NXLog using msiexec with the following command:

> msiexec /x nxlog-5.0.5876_windows_x64.msi /qb

This procedure may not remove all files that were created while configuring NXLog. Likewise,
any files created as a result of NXLog’s logging operations will not be removed (except for v3.x
NOTE
installers as noted above). You may wish to remove the installation directory (by default,
C:\Program Files\nxlog) once the uninstallation process has completed.

14.3.2. Uninstalling via Group Policy

For Group Policy deployments, follow these steps:

1. Open the Group Policy Object (GPO) originally created for installation (see Create a Group Policy Object).
2. For each NXLog version that has been deployed, right-click the package and either:
◦ click All Tasks › Remove…, and choose the Immediately uninstall removal method; or

◦ click Properties, open the Deployment tab, and check Uninstall this application when it falls out of
the scope of management.

In this case, NXLog will be uninstalled when the GPO is no longer applied to the
NOTE computer. An additional action will be required, such as removing the selected
computer(s) from the nxlog group created in Set up an Active Directory group.

14.3.3. Remove the Traces of NXLog

After uninstalling NXLog there will be some traces left in the Windows Registry. NXLog provides a list of Windows
Registry entries to be removed in a form of a .reg file. Download the reg-entries.reg file from the public contrib
repository of NXLog. It needs to be used as an argument for the Registry Editor regedit.exe.

To remove the possibly left Windows Registry entries, use the following command:

> regedit.exe /S reg-entries.reg

14.3.4. Uninstalling With the uninstall-x64.bat Script

The script combines the steps of the Uninstalling with msiexec and Remove the Traces of NXLog procedures as
well as prompts for the removal of the installation directory.

To complete the procedure, the following files need to be present in the same directory:

111
• uninstall-x64.bat - The main script.

• reg-entries.reg - The list of Windows Registry entries to remove.

• The exact version of the MSI installer, with which NXLog was installed.

The necessary files can be downloaded from the windows-uninstall directory of NXLog’s public contrib repository.

To start the automatic uninstall and trace removal procedure, use the following command:

> uninstall-x64.bat nxlog-{productVersion}_windows_x64.msi

The Readme.MD file in the public contrib repository explains details of the script operation.

14.4. Configure With a Custom MSI

NXLog can be configured using a custom built MSI package. The MSI will install the CA certificate and chosen
custom configuration files. The package can be deployed alongside the NXLog MSI. For more information, see
the MSI for NXLog Agent Setup add-on.

Deployment via Group Policy already provides a way to deploy the configuration files. For this
NOTE reason, it might be more preferable to configure NXLog via GPO instead of creating a custom
MSI as described in this section.

112
Chapter 15. Microsoft Nano Server
15.1. Installing
Follow these steps to deploy NXLog on a Nano Server system.

Microsoft Nano Server does not support the installation of MSI files. In its place, Microsoft
introduced the APPX format. The sandboxing and isolation imposed by the APPX format was
NOTE
found to be an unnecessary complication when deploying NXLog; therefore, users are provided
with a ZIP file that allows for manual installation instead.

1. Download the NXLog ZIP archive from the NXLog website.

a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, download nxlog-5.0.5876_nano.zip.

2. Transfer the NXLog ZIP file to the Microsoft Nano Server. One way to do so is to use WinRM and the Copy-
Item cmdlet. Uncompress the ZIP file at C:\Program Files\nxlog using the Expand-Archive cmdlet as
shown below.

PS C:\tmp> Expand-Archive -Path nxlog-5.0.5876_nano.zip -DestinationPath 'C:\Program

Files\nxlog'

3. To register NXLog as a service, navigate to the installation directory and execute the following.

PS C:\Program Files\nxlog> .\nxlog.exe -i

4. Configure NXLog by editing the C:\Program Files\nxlog\nxlog.conf file. General information about
configuring NXLog can be found in Configuration. For more details about configuring NXLog to collect logs on
Windows, see the Microsoft Windows summary.

Because Microsoft Nano Server does not have a native console editor, the configuration file
NOTE must be edited on a different system and then transferred to the Nano Server. Alternatively,
a third party editor could be installed.

5. Verify the configuration file syntax.

PS C:\Program Files\nxlog> .\nxlog.exe -v -c nxlog.conf

2018-09-12 19:15:55 INFO configuration OK

NXLog in now installed, registered, and configured. The NXLog service can be started by running Start-Service
nxlog.

15.2. Upgrading
To upgrade NXLog to the latest release, follow these steps.

1. Stop the NXLog service by issuing the command Stop-Service nxlog.

2. Back up any configuration files that have been altered, such as nxlog.conf, managed.conf, and any
certificates.
3. Either delete the nxlog directory and follow the installation procedure again or use the -Force parameter
when extracting the NXLog ZIP file. There is no need to register the service again.

PS C:\tmp> Expand-Archive -Force -Path nxlog-5.0.5876_nano.zip -DestinationPath 'C:\Program

Files\nxlog'

113
4. Restore any configuration files and certificates.
5. Start the NXLog service by running Start-Service nxlog.

15.3. Uninstalling
To uninstall NXLog, follow this procedure.

1. Stop the NXLog service by issuing the command Stop-Service nxlog.

2. Unregister the NXLog service by navigating to the NXLog directory and running .\nxlog.exe -u.

3. Delete the NXLog directory.

15.4. Custom Installation Options

This section deals with installation options outside the typical scenario.

The following installation options require altering the Windows Registry. Incorrect modifications
NOTE could potentially render the system unusable. Always double check the commands and ensure
it will be possible to revert to a known working state before altering the registry.

15.4.1. Installing in a Custom Directory

NXLog can be installed in a non-default location on Nano Server.

1. Follow the same installation procedure outlined above, but choose a different DestinationPath when
expanding the ZIP file. Also register the NXLog service as shown above.
2. At this point the registry entry for the NXLog service needs to be altered. View the current setting:

PS C:\> Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\nxlog"

Type : 16
Start : 2
ErrorControl : 0
ImagePath : "c:\Program Files\nxlog\nxlog.exe" -c "c:\Program Files\nxlog\nxlog.conf"
DisplayName : nxlog
DependOnService : {eventlog}
ObjectName : LocalSystem
PSPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nxlog
PSParentPath :
Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
PSChildName : nxlog
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

3. The value of the ImagePath parameter needs to be modified in order to update the location of both the
NXLog executable and the configuration file. For example, if NXLog is installed in C:\nxlog, run the following
command to update the registry key.

PS C:\> Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\nxlog" -Name "ImagePath"

-Value '"C:\nxlog\nxlog.exe" -c "C:\nxlog\nxlog.conf"'

4. The configuration file (nxlog.conf) also needs to be edited to reflect this change to a non-default installation
directory. Make sure define ROOT points to the correct location.

114
15.4.2. Service Startup Type
The service Startup type of newer versions of NXLog defaults to Automatic (Delayed Start) instead of
Automatic. This is controlled by the DelayedAutostart parameter. To revert back to the old behavior, run the
following command.

PS C:\> Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\nxlog" -Name

"DelayedAutostart" -Value 0

115
Chapter 16. Apple macOS
16.1. Installing
To install NXLog under macOS, follow the steps below. You will need administrator privileges to complete the
installation process.

1. Download the appropriate NXLog install package from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, choose the correct package for your
system.

Table 45. Available macOS Packages

Platform Package
macOS 10.14 and earlier (pre-Catalina) nxlog-5.0.5876_macos-precatalina.pkg

macOS 10.15 and later nxlog-5.0.5876_macos.pkg

2. Optional: To change the NXLog user and group for the installation, create a /tmp/.nxlog file with the
following command. During installation a new user and a new group will be created using the values
specified in this command. They will be used for User and Group directives in nxlog.conf, and for the
ownership of some directories under /opt/nxlog. Specifying an already existing user or group is not
supported. The created user and group will be deleted on NXLog removal.

$ echo 'nxlog2:nxlog2' > /tmp/.nxlog

3. Install the NXLog package. You can do the installation interactively or with the command line installer.

◦ To install interactively, double-click the NXLog package.

As of version 4.5 the installer should be signed with our developer certificate. If you see the following
message with an earlier version, go to System Preferences › Security & Privacy and click [ Open
Anyway ], then follow the instructions shown by the installer.

"nxlog-5.0.5876_macos.pkg" can’t be opened because it is from an

unidentified developer.

116
◦ To install the package using the command line installer, run the following command.

$ sudo installer -pkg nxlog-5.0.5876_macos.pkg -target /

Password:
installer: Package name is nxlog-5.0.5876-macos-x86
installer: Upgrading at base path /
installer: The upgrade was successful.

Upon installation, all NXLog files are placed under /opt/nxlog. The launchd(8) script is installed in
/Library/LaunchDaemons/com.nxlog.plist and has the KeepAlive flag set to true (launchd will
automatically restart NXLog). NXLog log files are managed by launchd and can be found in /var/log/.

4. Configure NXLog by editing /opt/nxlog/etc/nxlog.conf. General information about configuring NXLog

can be found in Configuration. For more details about configuring NXLog to collect logs on macOS, see the
Apple macOS summary.
5. Verify the configuration file syntax.

$ sudo /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

6. To apply your changes, stop NXLog with the following command. The launchd manager will restart the
daemon and the new configuration will be loaded.

$ sudo launchctl stop com.nxlog

7. To permanently stop NXLog, the service must be unloaded.

$ sudo launchctl unload /Library/LaunchDaemons/com.nxlog.plist

117
16.2. Upgrading
To upgrade NXLog, follow the installation instructions.

The installation script will not modify the existing configuration files. After the installation has completed, NXLog
will restart automatically.

The same user and group will be used for the upgrade that were used for the original
NOTE installation (see installation step 2 above). Changing to a different user and/or group during
upgrade is not supported.

16.3. Uninstalling
To properly uninstall NXLog, follow these steps.

1. Start the uninstaller script as user root.

This will remove custom configuration files, certificates, and any other files in the listed
WARNING
directories. Save these files to another location first if you do not wish to discard them.

$ sudo bash /opt/nxlog/bin/uninstaller -y

NOTE Use the -n switch (instead of -y) if you would like to preserve user data.

2. Delete user data if you are sure it will not be needed anymore.

$ sudo rm -rf /opt/nxlog

To manually uninstall NXLog, follow these steps below.

1. Unload the daemon.

$ sudo launchctl unload /Library/LaunchDaemons/com.nxlog.plist

2. Delete the nxlog user and group that were created during installation. If a non-default user/group were used
during installation (see installation step 2 above), remove those instead.

$ sudo dscl . -delete "/Groups/nxlog"

$ sudo dscl . -delete "/Users/nxlog"

3. Remove NXLog files.

This will remove custom configuration files, certificates, and any other files in the listed
WARNING
directories. Save these files to another location first if you do not wish to discard them.

$ sudo rm -rf /opt/nxlog /Library/LaunchDaemons/com.nxlog.plist \

/var/log/nxlog.std* && \
sudo pkgutil --forget com.nxlog.agent

118
Chapter 17. Docker
17.1. Installing
1. Download the appropriate NXLog install archive from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, choose the nxlog-
5.0.5876_docker.tar.gz archive (which is based on CentOS 7).

2. Use SFTP or a similar secure method to transfer the archive to the target server.
3. Log in to the target server and extract the contents of the archive.

$ tar -xzf nxlog-5.0.5876_docker.tar.gz

Table 46. Files in the Docker Archive

Package Description
Dockerfile The main NXLog Docker definition file

README.md Readme for building NXLog Docker image

nxlog-5.0.5876_rhel7_x86_64.tar.bz2 The NXLog RHEL7 package

4. Configure NXLog. Custom configuration files can be placed in the build directory of the NXLog Docker
version, before the build. Every file ending with .conf will be copied into the Docker image and placed in the
/opt/nxlog/etc directory.

If there is already a configuration file inside the /opt/nxlog/etc directory, it will be

NOTE
overwritten with the custom one.

5. Build the NXLog Docker image.

◦ The standalone version of NXLog Docker image can be built with this command.

$ docker build -t nxlog .

◦ It is also possible to specify the IP address of an NXLog Manager instance at build time. In this case,
NXLog will connect automatically at startup. Before build, the CA certificate file, exported from NXLog
Manager in PEM format and named agent-ca.pem, must be placed in the Docker build directory.

$ docker build -t nxlog --build-arg NXLOG_MANAGER=<NXLOG-MANAGER-IP> .

6. Run the container using the docker command.

$ docker run -p <HostPort>:<ContainerPort> -d nxlog

7. Check that the NXLog container is running with the docker command.

$ docker ps | grep nxlog

a3b4d6240e9d nxlog "/opt/nxlog/bin/nx..." 7 seconds ago Up 6 seconds 0.0.0.0:1514->1514/tcp
cranky_perlman
[...]

17.2. Upgrading
The upgrade process consists of creating a new NXLog Docker image build and running a new container instance

119
with the newly built image.

1. Follow steps 1-5 above to build a new Docker image.

2. Get the container ID of the running NXLog instance and stop the running container.

$ docker ps | grep nxlog

$ docker stop <containerID>

3. Run the new container using the docker command.

$ docker run -p <HostPort>:<ContainerPort> -d nxlog

4. Check that the new NXLog container is running.

$ docker ps | grep nxlog

a3b4d6240e9d nxlog "/opt/nxlog/bin/nx..." 7 seconds ago Up 6 seconds 0.0.0.0:1514->1514/tcp
cranky_perlman
[...]

5. Any old containers and images that are no longer needed can be removed with docker rm -v
<containerID> and docker rmi <imageID>, respectively. See Uninstalling below for more information.

17.3. Uninstalling
The uninstallation process of the NXLog Docker version is simply removing the running container and the image.

1. Get the container ID of the running NXLog instance and stop the running container.

$ docker ps | grep nxlog

$ docker stop <containerID>

2. Remove the stopped container.

$ docker rm -v <containerID>

3. Any other remaining containers that are not running can be listed with docker ps -a, and removed.

$ docker ps -a | grep nxlog

$ docker rm -v <containerID>

4. Finally, list and remove NXLog Docker images.

$ docker images
$ docker rmi <containerID>

120
Chapter 18. IBM AIX
18.1. Installing
1. Download the appropriate NXLog installer package from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › NXLog Enterprise Edition files tab, choose the nxlog-5.0.5876_aix_ppc.rpm
package.
2. Use SFTP or a similar secure method to transfer the archive to the target server.
3. Install the required NXLog package.
a. Optional: To change the NXLog user and group for the installation, set the NXLOG_USER and
NXLOG_GROUP environment variables. During installation a new user and and a new group will be created
based on these environment variables. They will be used for User and Group directives in nxlog.conf,
and for the ownership of some directories under /opt/nxlog. Specifying an already existing user or
group is not supported. The created user and group will be deleted on NXLog removal.

# export NXLOG_USER=nxlog2
# export NXLOG_GROUP=nxlog2

b. Use rpm to install the package.

# rpm -ivh nxlog-5.0.5876_aix_ppc.rpm

4. Configure NXLog by editing /opt/nxlog/etc/nxlog.conf. General information about configuring NXLog

can be found in Configuration. For more details about configuring NXLog to collect logs on AIX, see the IBM
AIX summary.
5. Verify the configuration file syntax.

# /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

6. Start the service using the init script in /opt/nxlog/etc:

# ./init start

18.2. Upgrading
To update an NXLog installation to the latest release, use rpm as in the installation instructions above.

# rpm -Uvh nxlog-5.0.5876_aix_ppc.rpm

The rpm package manager creates a backup of an existing nxlog.conf file as

NOTE
nxlog.conf.rpmsave under the /opt/nxlog/etc/ directory.

The same user and group will be used for the upgrade as was used for the original installation
NOTE (see installation step 3a above). Changing to a different user and group during upgrade is not
supported.

18.3. Uninstalling
To uninstall NXLog use rpm with the -e option.

121
# rpm -e nxlog

122
Chapter 19. Oracle Solaris
19.1. Installing
1. Download the appropriate NXLog install archive from the NXLog website.
a. Log in to your account, then click My account at the top of the page.
b. Under the Downloads › My downloads tab, choose the correct archive for your system.

Table 47. Available Solaris Files

Platform Archive
Solaris 10/11 x86 archive nxlog-5.0.5876_solaris_x86.pkg.gz

Solaris 10/11 SPARC archive nxlog-5.0.5876_solaris_sparc.pkg.gz

2. Use SFTP or a similar secure method to transfer the archive to the target server.
3. Log in to the target server and extract the contents of the archive.

$ gunzip nxlog-5.0.5876_solaris_sparc.pkg.gz

4. Optional: To change the NXLog user and group for the installation, create a
/var/sadm/install/admin/nxlog-user_group file with the following command. During installation a new
user and and a new group will be created based on the names specified. They will be used for User and
Group directives in nxlog.conf, and for the ownership of some directories under /opt/nxlog. Specifying an
already existing user or group is not supported. The created user and group will be deleted on NXLog
removal.

$ echo 'nxlog2:nxlog2' > /var/sadm/install/admin/nxlog-user_group

5. Install the NXLog package.

◦ For interactive installation, issue the following command and answer y (yes) to the questions.

$ sudo pkgadd -d nxlog-5.0.5876.pkg NXnxlog

◦ For a quiet install, use an administration file. Place the file (nxlog-adm in this example) in the
/var/sadm/install/admin/ directory.

$ sudo pkgadd -n -a nxlog-adm -d nxlog-5.0.5876.pkg NXnxlog

123
nxlog-adm
mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=quit
setuid=nocheck
conflict=nocheck
install
action=nocheck
basedir=/opt/nxlog
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=

6. Configure NXLog by editing /opt/nxlog/etc/nxlog.conf. General information about configuring NXLog

can be found in Configuration. For more details about configuring NXLog to collect logs on Solaris, see the
Oracle Solaris summary.
7. Verify the configuration file syntax.

$ sudo /opt/nxlog/bin/nxlog -v
2017-03-17 08:05:06 INFO configuration OK

8. Check that the NXLog service is running with the svcs command.

$ svcs nxlog
online 12:40:37 svc:system/nxlog:default

9. Manage the NXLog service with svcadm (restart the service to load the edited configuration file).

$ sudo svcadm restart nxlog

$ sudo svcadm enable nxlog
$ sudo svcadm disable nxlog

To replace a trial installation of NXLog Enterprise Edition with a licensed copy of the same
NOTE
version, follow the same installation instructions (use instance=overwrite as shown).

19.2. Upgrading
19.2.1. Updating to a Minor Release
To update an NXLog installation to the latest minor release, remove the old version and then install the new
version.

1. Before removing the old version, run the backup script from /opt/nxlog/bin/backup. The backup script will
create a backup directory in /opt (the directory will be named according to this format: /opt/nxlog-
backup-YYYYMMDD_hhmmss).

$ sudo bash /opt/nxlog/bin/backup

2. To uninstall NXLog, use pkgrm as shown in the uninstallation instructions below.

124
$ sudo pkgrm NXnxlog

3. To install the new NXLog release, use pkgadd as in the installation instructions above.

$ sudo pkgadd -d nxlog-5.0.5876.pkg NXnxlog

4. After reinstalling NXLog, use the restore script from the latest backup directory to restore data to the new
NXLog installation.

$ sudo bash /opt/nxlog-backup-20180101_000001/restore

5. Optional: To discard the backup files, remove the backup directory.

$ sudo rm -rf /opt/nxlog-backup-20180101_000001

19.2.2. Upgrading 4.x to 5.x

To upgrade an NXLog 4.x installation to a 5.x release, remove the old version, install the new version, and
perform additional manual configuration steps.

1. Perform steps 1-3 from Updating to a Minor Release. Do not use restore (step 4).

2. Manually migrate the necessary parts of the backup content to the new installation.

From NXLog version 5.0, the configuration file log4ensics.conf changed to managed.conf and it is in a
different location. This file contains NXLog Manager related configuration.

NOTE nxlog.conf shipped with v5.0 has NXLog Manager integration disabled by default.

Table 48. Configuration to migrate

v 4.x v 5.0

/opt/nxlog-backup- /opt/nxlog/etc/nxlog.d/managed.con
date_time/lib/nxlog/log4ensics.conf f

/opt/nxlog-backup-date_time/nxlog/cert/* /opt/nxlog/var/lib/nxlog/cert/

3. Optional: To discard the backup files, remove the backup directory.

$ sudo rm -rf /opt/nxlog-backup-20180101_000001

19.3. Uninstalling
To uninstall NXLog, use pkgrm. To remove the package files from the client’s file system, include the -A option.

$ sudo pkgrm NXnxlog

125
Chapter 20. Hardening NXLog
20.1. Running Under a Non-Root User on Linux
NXLog can be configured to improve security by running as a non-root user. The User and Group global
directives specify the user and group for the NXLog process to run as. On Linux installations, NXLog is configured
by default to run as the nxlog user and nxlog group as shown below.

Running as nxlog:nxlog
1 User nxlog
2 Group nxlog

Some operations require privileges that are normally not available to the nxlog user. In this case, the simplest
solution is to configure NXLog to retain full root privileges by removing the User and Group directives from the
configuration. This is not recommended, however; it is more secure to grant only the required privileges and to
avoid running NXLog as root. See the following sections for more information.

20.1.1. Reading From /var/log

By default, the nxlog user will not have access to files in /var/log. If your Linux distribution uses a group other
than root for the log files, you can use that group with the Group directive. Otherwise, reconfigure your system
logger (Rsyslog for example) to create files with the necessary ownership. See Reading Rsyslog Log Files for more
information.

20.1.2. UDP Spoofing and Binding to Ports Below 1024

NXLog requires special privileges if configured to perform UDP source address spoofing (with om_udpspoof) or
to bind to a port below 1024 (for example to accept incoming Syslog messages on port 514). Consider the
following solutions.

Use built-in capability support

NXLog will automatically set the corresponding Linux capability before dropping root privileges.

Set the capability manually

For binding to ports below 1024, use the CAP_NET_BIND_SERVICE capability. For the UDP source address
spoofing, use the CAP_NET_RAW capability.

Example 7. Setting Linux Capabilities

This command sets the CAP_NET_BIND_SERVICE capability for the NXLog executable.

# setcap cap_net_bind_service+ep /opt/nxlog/bin/nxlog

This command sets both the CAP_NET_BIND_SERVICE and the CAP_NET_RAW capabilities.

# setcap cap_net_bind_service,cap_net_raw=+ep /opt/nxlog/bin/nxlog

Verify with this command, or by adding the -v (verify) flag to the setcap command.

# getcap /opt/nxlog/bin/nxlog

20.1.3. Reading the Kernel Log

NXLog requires special privileges to read from the Linux kernel log with the im_kernel module. Consider the
following solutions.

126
Use built-in capability support
NXLog will automatically set the Linux CAP_SYS_ADMIN capability before dropping root privileges.

Set the capability manually

Use the CAP_SYS_ADMIN capability or the CAP_SYSLOG capability (since Linux 2.6.37). See Setting Linux
Capabilities.

20.2. Configuring SELinux

To further harden NXLog, SELinux can optionally be used. SELinux improves security by providing mandatory
access controls on Linux. This section provides an overview for creating an SELinux policy for NXLog. The
resulting policy will provide the permissions necessary for the NXLog deployment to operate as configured, with
SELinux enabled on the host.

The process is divided into two parts. First, a base policy is created. Then the policy is deployed and tailored to
the specific requirements of the current NXLog configuration.

20.2.1. Base Policy

The base policy file can be generated with the SELinux Policy Generation Tool (which requires a graphical
environment) or with the SELinux CLI development utilities.

In either case, the following policy files are generated:

nxlog.te
Base policy information; this file defines all the types and rules for a particular domain.

nxlog.fc
File system information; this file defines he security contexts that are applied to files when the policy is
installed.

nxlog.if
Interface information; this file defines the default file context for the system.

nxlog.sh
A helper shell script for compiling and deploying the policy module and fixing the labeling on the system; for
use only on the target system.

nxlog_selinux.spec
A specification file that can be used to generate an RPM package from the policy, useful for deploying the
policy on another system later. This spec file is generated on RPM-based systems only.

20.2.1.1. Base Policy Using Policy Generation Tool (GUI)

1. Install the SELinux Policy Generation Tool package.

On Red Hat based systems run the following command:

$ sudo yum install rpm-build policycoreutils-gui

On Debian based systems run the following command:

$ sudo apt-get install policycoreutils-gui

2. Start the SELinux Policy Generation Tool from the system launcher.
3. In the first screen, select Standard Init Daemon for the policy type, then click [ Forward ].

127
4. On the second screen, enter the following details for the application and user role, then click [ Forward ].

Name
A custom name for the role (for example, nxlog)

Executable
The path to the NXLog executable (for example, /opt/nxlog/bin/nxlog)

Init script
The path of the NXLog system init script (for example, /etc/rc.d/init.d/nxlog)

5. On the third screen, enter the TCP and UDP used by the NXLog deployment, then click [ Forward ]. If the
ports are unknown or not yet determined, then leave these fields blank; they can be customized later.

128
6. On the fourth screen, select the appropriate application traits for NXLog, then click [ Forward ]. The default
configuration requires only the Interacts with the terminal trait. For collecting Syslog messages or creating
files in /tmp, include the appropriate traits.

7. On the fifth screen, specify all the arbitrary files and directories that the NXLog installation should have
access to, then click [ Forward ]. The default configuration requires only the NXLog system directory,
/opt/nxlog. Include the paths of any custom log files that NXLog needs to access.

129
8. Additional SELinux configuration values can be set on the sixth screen. None of these are required for NXLog.
Click [ Forward ] to continue.
9. The policy files are generated on the final screen. Click [ Save ] to write the policy to disk.

20.2.1.2. Base Policy Using sepolicy (CLI)

1. Install the SELinux Policy Core Policy Devel Utilities package.

On Red Hat based systems run the following command:

$ sudo yum install rpm-build policycoreutils-devel

On Debian based systems run the following command:

$ sudo apt-get install policycoreutils-dev selinux-policy-default

2. The base policy can be generated with the following command.

$ sepolicy generate -n nxlog --init /opt/nxlog/bin/nxlog -w /opt/nxlog

Additional managed directories can be added to the policy by passing to the -w parameter
NOTE
the full directory paths separated by spaces (for example, -w /opt/nxlog /var/log).

3. The policy files are generated when the command exits successfully; the policy is written to the current
working directory.

20.2.2. Deploying and Customizing the Policy

In this section, the base policy generated in the previous section will be applied and then customized with
appropriate rules for NXLog operation as configured. To accomplish this, SELinux will be set to permissive mode
and then the audit2allow tool will be used to generate additional SELinux rules based on the resulting audit logs.

When set to permissive mode, SELinux generates alerts rather than actively blocking actions
WARNING as it does in enforcing mode. Because this reduces system security, it is recommended that
this be done in a test environment.

1. Make sure that NXLog is correctly configured with all required functionality.

130
2. Stop the NXLog service.
3. Transfer the files containing your SELinux base policy to the target system. All the files should be in the same
directory.
4. Apply the SELinux base policy by executing the policy script. This script will compile the policy module, set the
appropriate security flags on the directories specified, and install the policy.

$ sudo ./nxlog.sh

You may see the error message libsemanage.add_user: user system_u not in
password file. This is caused by a bug in the selinux-policy RPM or selinux-policy-
default DEB package and does not affect the policy at all. It has been fixed in later
releases.
NOTE

You may see the error message InvalidRBACRuleType: a is not a valid RBAC rule
type. This is from a bug in the policycoreutils package. It only affects man page
generation, which is not generated in this case. This has been fixed in later releases.

5. Verify that the new policy is installed.

$ sudo semodule -l | grep nxlog

6. Set SELinux to permissive mode. All events which would have been prevented by SELinux will now be
permitted and logged to /var/log/audit/audit.log (including events not related to NXLog).

$ sudo setenforce 0

7. Start and then stop the NXLog service. Any actions taken by NXLog that are not permitted by the policy will
result in events logged by the Audit system. Run audit2allow -a -l -w to view all policy violations (with
descriptions) since the last policy reload.

$ sudo systemctl start nxlog

$ sudo systemctl stop nxlog

Example 8. Audit Logs

If NXLog has been configured to listen on TCP port 1514, but the appropriate rules are not specified in
the current SELinux policy, then various audit events will be generated when the NXLog process
initializes and binds to that port. These events can be viewed from the Audit log file directly, with
ausearch, or with audit2allow (as shown below).

$ sudo audit2allow -a -l -w
type=AVC msg=audit(1524239322.612:473): avc: denied { listen } for pid=5697 comm="nxlog"
lport=1514 scontext=system_u:system_r:nxlog_t:s0 tcontext=system_u:system_r:nxlog_t:s0
tclass=tcp_socket
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

Additional log messages will be generated for any other file or network action not permitted by the
SELinux policy. These actions would all be denied by SELinux when set to enforcing mode.

8. Use the helper script --update option to add additional rules to the policy based on logged policy violations
with the nxlog context. Review the suggested changes and press y to update the policy. If no changes are
required, the script will exit zero.

131
$ sudo ./nxlog.sh --update

Example 9. Updating the Policy

The script will offer to add any required rules. The following output corresponds to the example in the
previous step.

$ sudo ./nxlog.sh --update

Found avc's to update policy with

require {
type nxlog_rw_t;
type nxlog_t;
class capability dac_override;
class tcp_socket { bind create listen setopt };
class file execute;
class capability2 block_suspend;
}

#============= nxlog_t ==============

allow nxlog_t nxlog_rw_t:file execute;
allow nxlog_t self:capability dac_override;
allow nxlog_t self:capability2 block_suspend;
allow nxlog_t self:tcp_socket { bind create listen setopt };
corenet_tcp_bind_generic_node(nxlog_t)
corenet_tcp_bind_unreserved_ports(nxlog_t)
Do you want these changes added to policy [y/n]?

9. Set the SELinux policy to enforcing mode. This can be set permanently in /etc/selinux/config.

$ sudo setenforce 1

10. Reboot the system.

20.3. Running Under a Custom Account on Windows

On Windows, the NXLog installer sets up the NXLog service to run under the local system account. This
procedure describes how to configure a system service for NXLog that runs under a dedicated svc-nxlog user
account. This approach can improve security by limiting the privileges that NXLog requires to run.

In enterprise environments managed by Group Policy, the dedicated user account and its
NOTE
permissions must be managed by the domain administrator.

1. Create a new user account. Open the Computer Management console (compmgmt.msc), expand Local
Users and Groups and right-click on Users. Select New User… from the context menu.

132
2. Enter the svc-nxlog user name, description, and password; enable the Password never expires check box;
and click [Create].

3. Open the Services console (services.msc), right-click the nxlog service, and select Properties.

4. Under the Log On tab, select the This Account radio button, click [Browse…], select the svc-nxlog user
account, and enter the password. Then click [OK]. Windows will warn you that the service must be restarted.

133
5. Open the Local Security Settings console (secpol.msc), expand Local Policies, then select User Rights
Assignment in the left pane.

6. Right-click the Log on as a service policy and click Properties.

134
7. Click [Add User or Group…] and select the new user. The new user should appear in the list. Click [OK].

8. Add the new user to the the Manage auditing and security log policy also.
9. In Windows Explorer, browse to the NXLog installation directory (by default, C:\Program Files
(x86)\nxlog on 64-bit systems), right-click, and select Properties. Under the Security tab, select the new
user from the Group or user names list. Check Allow for the following permissions, and then click [OK].

◦ Modify
◦ Read & Execute
◦ List Folder Contents
◦ Read
◦ Write

135
10. In the Services console (services.msc), right-click the nxlog service and select Restart.

11. Check the NXLog log files for start-up errors. Successful startup should look like this:

nxlog.log
2016-11-16 16:53:10 INFO nxlog-5.0.5876 started↵
2016-11-16 16:53:10 INFO connecting to 192.168.40.43↵
2016-11-16 16:53:12 INFO successfully connected to 192.168.40.43:1514↵
2016-11-16 16:53:12 INFO successfully connected to agent manager at 192.168.40.43:4041 in SSL
mode↵

On some Windows systems, this procedure may result in the following access denied error
when attempting to access the Windows EventLog:

WARNING ignoring source as it cannot be subscribed to (error code: 5)

NOTE

In this case, wevtutil can be used to set ACLs on the Windows EventLog. For more details, see
the Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
TechNet article.

136
Chapter 21. Relocating NXLog
While not officially supported, it is possible to relocate NXLog to a different directory than where it was installed
originally. The procedure shown below assumes that NXLog was installed normally, using the system’s package
manager. While it is also possible to manually extract the files from the package and perform a manual
installation in a custom directory, this is not covered here but the basic principals are the same. This procedure
has been tested in GNU/Linux systems and should work in any system that supports run-time search paths.

Both relocation and manual installation can result in a non-functional NXLog agent.
Furthermore, subsequent update and removal using the system’s package manager may
WARNING
not work correctly. Follow this procedure at your own risk. This is not recommended for
inexperienced users.

Move the NXLog directory structure to the new location. Though not required, it is best to keep the original
directory structure. Then proceed to the following sections.

NOTE In the examples that follow, NXLog is being relocated from /opt/nxlog to /opt/nxlog_new.

21.1. System V Init File

For systems that manage services with System V, edit the NXLog init file. This file can normally be found at
/etc/init.d/nxlog. Modify the init file so that the $BASE variable reflects the new directory. Update the
$pidfile, $nxlog, and $conf variables to reference $BASE. Finally, reassign the $nxlog variable to include the
configuration file. This must be done after any tests to the binary executable. The init file should look similar to
the following.

/etc/init.d/nxlog
BASE=/opt/nxlog_new

pidfile=$BASE/var/run/nxlog/nxlog.pid
nxlog=$BASE/bin/nxlog
conf=$BASE/etc/nxlog.conf

test -f $nxlog || exit 0

nxlog="$nxlog -c $conf"

On systems that use a hybrid System V and systemd, reload the init files by executing the following command.

# systemctl daemon-reload

21.2. Systemd Unit File

For systems using systemd, the /lib/systemd/system/nxlog.service unit file must be edited and the paths
updated.

137
nxlog.service
[Service]
Type=simple
User=root
Group=root
PIDFile=/opt/nxlog_new/var/run/nxlog/nxlog.pid
ExecStartPre=/opt/nxlog_new/bin/nxlog -v -c /opt/nxlog_new/etc/nxlog.conf
ExecStart=/opt/nxlog_new/bin/nxlog -f -c /opt/nxlog_new/etc/nxlog.conf
ExecStop=/opt/nxlog_new/bin/nxlog -s -c /opt/nxlog_new/etc/nxlog.conf
ExecReload=/opt/nxlog_new/bin/nxlog -r -c /opt/nxlog_new/etc/nxlog.conf
KillMode=process

Reload the modified unit files by executing the following command.

# systemctl daemon-reload

21.3. NXLog Configuration File

The configuration file of NXLog itself must be modified to reflect the directory relocation, as well as any changes
in the directory structure. For most cases, running the following command will update the configuration file.

# sed -i s,/opt/nxlog,/opt/nxlog_new,g /opt/nxlog_new/etc/nxlog.conf

Alternatively, the file can be manually edited as shown below.

nxlog.conf
1 define BASE /opt/nxlog_new
2 define CERTDIR %BASE%/var/lib/nxlog/cert
3 define CONFDIR %BASE%/etc/nxlog.d
4 define LOGDIR %BASE%/var/log/nxlog
5 define LOGFILE "%LOGDIR%/nxlog.log"
6
7 SpoolDir %BASE%/var/spool/nxlog
8
9 # default values:
10 PidFile %BASE%/var/run/nxlog/nxlog.pid
11 CacheDir %BASE%/var/spool/nxlog
12 ModuleDir %BASE%/lib/nxlog/modules

Depending on the architecture and whether system supplied libraries are used, NXLog will store
NOTE
the modules under a different directory such as %BASE%/libexec/nxlog/modules.

21.4. Modify rpath

Depending on the NXLog package used, the run-time search path of the binaries must be changed. This is
relevant for the generic versions of NXLog in which the libraries are statically linked against the binaries. To list
the shared libraries used by NXLog, use the ldd command with the full path to the nxlog binary

# ldd /opt/nxlog_new/bin/nxlog

The output should look similar to this:

138
linux-vdso.so.1 => (0x00007ffc15d36000)
libpcre.so.1 => /opt/nxlog/lib/libpcre.so.1 (0x00007ff7f311e000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007ff7f2f14000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007ff7f2d0f000)
libapr-1.so.0 => /opt/nxlog/lib/libapr-1.so.0 (0x00007ff7f2ad9000)
librt.so.1 => /lib64/librt.so.1 (0x00007ff7f28d0000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007ff7f2699000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff7f247d000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff7f20bb000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff7f336d000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007ff7f1eb6000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007ff7f1cb3000)

Notice that libpcre and libapr are pointing to the included libraries in /opt/nxlog/lib/. To change the run-
time search path of the binaries, a tool such as chrpath or patchelf can be used.

Depending on the distribution, chrpath may have a limitation on the path length for the -r
<path> | --replace <path> option: "The new path must be shorter or the same length as the
current path."

NOTE # chrpath -r /opt/nxlog_new/lib /opt/nxlog_new/bin/nxlog

Returns this error:

/opt/nxlog_new/bin/nxlog: RUNPATH=/opt/nxlog/lib
new rpath '/opt/nxlog_new/lib' too large; maximum length 14

If your system has the chrpath limitation documented above, skip to Modifying rpath with patchelf.

21.4.1. Modifying rpath with chrpath

If the current rpath is longer than the new rpath, issue the following command if the nxlog binary is in your
current path. Otherwise, the final chrpath argument needs to include the appropriate relative or absolute path
to nxlog (as implemented in the example above).

# chrpath -r /opt/nxlog_new/lib nxlog

Upon success, a message similar to this will be output:

nxlog: RPATH=/opt/nxlog/lib:/home/builder/workspace/nxlog3-rpm-generic-amd64/rpmbuild/BUILD/nxlog-
deps/opt/nxlog/lib
nxlog: new RPATH: /opt/nxlog_new/lib

# chrpath -r /opt/nxlog_new/lib *

NXLog is now successfully relocated to a new directory.

21.4.2. Modifying rpath with patchelf

If chrpath is not an option for modifying rpath, using patchelf as follows will achieve the same goal:

# patchelf --set-rpath /opt/nxlog_new/lib /opt/nxlog_new/bin/nxlog

139
On success the command prompt returns with no message, or if this is the first time patchelf has been run
after installation, the following warning will be shown:

warning: working around a Linux kernel bug by creating a hole of 1748992 bytes in ‘nxlog’

To confirm the modification of rpath, run ldd again on the binary. The new path should displayed in the output:

# ldd /opt/nxlog_new/bin/nxlog
linux-vdso.so.1 => (0x00007ffc15d36000)
libpcre.so.1 => /opt/nxlog_new/lib/libpcre.so.1 (0x00007ff7f311e000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007ff7f2f14000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007ff7f2d0f000)
libapr-1.so.0 => /opt/nxlog_new/lib/libapr-1.so.0 (0x00007ff7f2ad9000)
librt.so.1 => /lib64/librt.so.1 (0x00007ff7f28d0000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007ff7f2699000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff7f247d000)
libc.so.6 => /lib64/libc.so.6 (0x00007ff7f20bb000)
/lib64/ld-linux-x86-64.so.2 (0x00007ff7f336d000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007ff7f1eb6000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007ff7f1cb3000)

NXLog modules are also linked against statically included libraries. Therefore, if the run-time search path of the
binaries required a change, then the rpath of the modules needs updated as well. Unlike chrpath which accepts
a (*) wildcard for all modules (or binaries) in a given directory, patchelf can only be run on a single file. To
automate the process of changing rpath on multiple files, a shell script will need to be written if relocating
NXLog will need to be done on a regular basis, or on more than one installation.

140
Chapter 22. Monitoring and Recovery
Considerable resources continue to be invested in maintaining the quality and reliability of NXLog. However, due
to the complexity of modern software, producing bug-free software is practically impossible. This section
describes potential ways to automatically recover from an NXLog crash. Note that there are other monitoring
solutions besides these presented here which may also be of interest.

22.1. Monitoring on Unix Platforms

Monit can both monitor and recover NXLog after a crash. It supports macOS, Solaris, and several Linux
distributions. Monit can be installed directly from your distribution’s package manager—see Installation on the
Monit wiki for more information about the various installation options. Precompiled binaries can also be found
here.

While Monit can monitor and react to several conditions, the configuration presented here instructs Monit to
restart NXLog after a crash. To do so, include the following in the Monit configuration. It may be necessary to edit
the paths to match your installation. Then restart Monit.

/etc/monit/monitrc
check process nxlog with pidfile /opt/nxlog/var/run/nxlog/nxlog.pid
start program = "/etc/init.d/nxlog start"
stop program = "/etc/init.d/nxlog stop"

On recent Linux distributions employing systemd, the start and stop directives should use
NOTE
systemd calls instead (for example, /bin/systemctl start nxlog).

To simulate an NXLog crash, terminate the nxlog process by issuing the following command (where <PID>
represents the current nxlog process ID).

# kill -9 <PID>

22.2. Monitoring on Windows

The Service Control Manager (SCM) in Microsoft Windows includes recovery options for each service. In the list of
available services, find nxlog and right-click it. Select Properties and then choose the Recovery tab. As shown
below, there are a number of different recovery options which can be configured.

141
Figure 2. Recovery settings in the SCM

Newer versions of NXLog enable automatic recovery during installation. For older versions,
NOTE automatic recovery can be enabled by manually editing the values under the Recovery tab of
the SCM.

To simulate an NXLog crash, execute the following in PowerShell (where <PID> represents the process ID of
NXLog).

PS> Taskkill /PID <PID> /F

142
Configuration

143
Chapter 23. Configuration Overview
NXLog uses Apache style configuration files. The configuration file is loaded from its default location, or it can be
explicitly specified with the -c command line argument.

The configuration file is comprised of blocks and directives. Blocks are similar to XML tags containing multiple
directives. Directive names are not case-sensitive but arguments sometimes are. A directive and its argument
must be specified on the same line. Values spanning multiple lines must have the newline escaped with a
backslash (\). A typical case for this is the Exec directive. Blank lines and lines starting with the hash mark (#) are
ignored. Configuration directives referring to a file or a path can be quoted with double quotes (") or single
quotes ('). This applies to both global and module directives.

The configuration file can be logically divided into three parts: global parameters, module instances, and route
instances.

Example 10. Configuration File Structure

This configuration exemplifies the logical structure. The global parameters section contains two directives.
The modules section contains both an input and output instance. The route section contains a single route
with a path directing a single input to a single output.

nxlog.conf
1 # Global section
2 User nxlog
3 Group nxlog
4
5 # Modules section
6 <Input in>
7 Module im_null
8 </Input>
9
10 <Output out>
11 Module om_null
12 </Output>
13
14 # Route section
15 <Route r>
16 Path in => out
17 </Route>

23.1. Global Directives

The global section contains directives that control the overall behavior of NXLog.

The LogFile directive sets a destination file for NXLog internal logs. If this directive is unset, the log file is disabled
and internal NXLog logs are not written to file (unless configured via the im_internal module). See also Rotating
the Internal Log File.

With the User and Group directives set, NXLog will drop root privileges after starting and run under the specified
user and group. These directives are ignored if running on Windows.

After starting, NXLog will change its working directory to the directory specified by the SpoolDir directive. Non-
absolute paths in the configuration will be relative to this directory.

See the Reference Manual for a complete list of available global directives.

144
23.2. Modules
NXLog will only load modules which are specified in the configuration file and used in an active route. A module
instance is specified according to its corresponding module type (Extension, Input, Processor, or Output).
Each module instance must have a unique name and a Module directive. The following is a skeleton
configuration block for an input module.

nxlog.conf
1 <Input instancename>
2 Module im_module
3 ...
4 </Input>

For more details about module instance names, see Configuration in the Reference Manual.

23.3. Routes
Routes define the flow and processing order of the log messages. Each route instance must have a unique name
and a Path.

Example 11. Route Block

This Route instance, named example, takes logs from Input module instances named in1 and in2,
processes the logs with the proc Processor module instance, and sends the resulting logs to both Output
module instances out1 and out2. These named module instances must be defined elsewhere in the
configuration file.

nxlog.conf
1 <Route example>
2 Path in1, in2 => proc => out1, out2
3 </Route>

For more details about route instance names, see Configuration in the Reference Manual.

If no Route block is specified in the configuration, NXLog will automatically generate a route, with all the Input
and Output instances specified in a single path.

145
Example 12. An Automatic Route Block

NXLog can use a configuration with no Route block, such as the following.

nxlog.conf
1 <Input in1>
2 Module im_null
3 </Input>
4
5 <Input in2>
6 Module im_null
7 </Input>
8
9 <Output out1>
10 Module om_null
11 </Output>
12
13 <Output out2>
14 Module om_null
15 </Output>

The following Route block will be generated automatically.

nxlog.conf (Generated Route)

1 <Route r>
2 Path in1, in2 => out1, out2
3 </Route>

23.4. Constant and Macro Definitions

A define is useful if there are many instances in the configuration where the same value must be used. Typically,
defines are used for directories and hostnames. In such cases the value can be configured with a single
definition. In addition to constants, other strings like code snippets or parser rules can be defined in this way.

An NXLog define works in a similar way to the C language, where the pre-processor substitutes the value in
places where the macro is used. The NXLog configuration parser replaces all occurrences of the defined name
with its value, and then after this substitution the configuration check occurs.

146
Example 13. Using Defines

This example shows the use of two defines: BASEDIR and IGNORE_DEBUG. The first is a simple constant, and
its value is used in two File directives. The second is an NXLog language statement, it is used in an Exec
directive.

nxlog.conf
1 define BASEDIR /var/log
2 define IGNORE_DEBUG if $raw_event =~ /debug/ drop();
3
4 <Input messages>
5 Module im_file
6 File '%BASEDIR%/messages'
7 </Input>
8
9 <Input proftpd>
10 Module im_file
11 File '%BASEDIR%/proftpd.log'
12 Exec %IGNORE_DEBUG%
13 </Input>

The define directive can be used for statements as shown above, but multiple statements should be specified
using a code block, with curly braces ({}), to result in the expected behavior.

Example 14. Incorrect Use of a Define

The following example shows an incorrect use of the define directive. After substitution, the drop()
procedure will always be executed; only the warning message will be logged conditionally.

nxlog.conf (incorrect)
1 define ACTION log_warning("dropping message"); drop();
2
3 <Input in>
4 Module im_file
5 File '/var/log/messages'
6 Exec if $raw_event =~ /dropme/ %ACTION%
7 </Input>

To avoid this problem, the action should be defined using a code block.

1 define ACTION { log_warning("dropping message"); drop(); }

23.5. Environment Variables

The envvar directive works like define except that the value is retrieved from the environment. This makes it
possible to reference the environment variable as if it was a define. This directive is only available in NXLog
Enterprise Edition.

147
Example 15. Using Environment Variables

This is similar to the previous example using a define, but here the value is fetched from the environment.

nxlog.conf
1 envvar BASEDIR
2
3 <Input in>
4 Module im_file
5 File '%BASEDIR%/messages'
6 </Input>

23.6. File Inclusion

NXLog provides several features for including configuration directives and blocks from separate files or from
executables.

The SpoolDir directive does not take effect until after the configuration has been parsed, so
relative paths specified with these directives are relative to the working directory where NXLog
NOTE was started from. Generally, it is recommended to use absolute paths. If desired, define
directives can be used to simulate relative paths (see Using Defines to Include a Configuration
File).

With the include directive it is possible to specify a file or set of files to be included in the current NXLog
configuration.

Example 16. Including a Configuration File

This example includes the contents of the /opt/nxlog/etc/syslog.conf file in the current configuration.

nxlog.conf
1 include /opt/nxlog/etc/syslog.conf

Example 17. Using Defines to Include a Configuration File

In this example, two define directives are used to include an eventlog.conf configuration file on Windows
by defining parts of the path to this file.

nxlog.conf
1 define ROOT C:\Program Files (x86)\nxlog
2 define CONFDIR %ROOT%\conf
3 include %CONFDIR%\eventlog.conf

The include directive also supports filenames containing the wildcard character (*). For example, multiple .conf
files could be saved in the nxlog.d directory—or some other custom configuration directory—and then
automatically included in the NXLog configuration in ascending alphabetical order along with the nxlog.conf
file.

Each included file might contain a small set of configuration information focused exclusively on a single log
source. This essentially establishes a modular design for maintaining larger configurations. One benefit of this
modular configuration approach is the ability to add/remove .conf files to/ from such a directory for
enabling/disabling specific log sources without ever needing to modify the main nxlog.conf configuration.

148
This solution could be used to specify OS-specific configuration snippets (like windows2003.conf) or application-
specific snippets (such as syslog.conf).

Including subdirectories inside the configuration directory is not supported, neither are wildcarded directories.

Example 18. Including a Configuration Directory on Linux

This example includes all .conf files located under the /opt/nxlog/etc/nxlog.d path.

nxlog.conf
1 include /opt/nxlog/etc/nxlog.d/*.conf

The files can also be included using the define directive.

nxlog.conf
define CONFDIR /opt/nxlog/etc/nxlog.d
include %CONFDIR%/*.conf

Example 19. Including a Configuration Directory on Windows

This example includes all .conf files from the nxlog.d folder on Windows.

nxlog.conf
1 include C:\Program Files\nxlog\conf\nxlog.d\*.conf

The files can also be included using the define directive.

nxlog.conf
1 define CONFDIR C:\Program Files\nxlog\conf\nxlog.d
2 include %CONFDIR%\*.conf

With the include_stdout directive, an external command can be used to provide configuration content. There are
many ways this could be used, including fetching, decrypting, and validating a signed configuration from a
remote host, or generating configuration content dynamically.

Example 20. Using an Executable to Generate Configuration

Here, a separate script is responsible for fetching the NXLog configuration.

nxlog.conf
1 include_stdout /opt/nxlog/etc/fetch_conf.sh

149
Chapter 24. NXLog Language
The NXLog core has a built-in interpreted language. This language can be used to make complex decisions or
build expressions in the NXLog configuration file. Code written in the NXLog language is similar to Perl, which is
commonly used by developers and administrators for log processing tasks. When NXLog starts and reads its
configuration file, directives containing NXLog language code are parsed and compiled into pseudo-code. If a
syntax error is found, NXLog will print the error. This pseudo-code is then evaluated at run-time, as with other
interpreted languages.

The features of the NXLog language are not limited to those in the NXLog core: modules can register functions
and procedures to supplement built-in functions and procedures (see the xm_syslog functions, for example).

Due to the simplicity of the language there is no error handling available to the user, except for
function return values. If an error occurs during the execution of the NXLog pseudo-code,
usually the error is printed in the NXLog logs. If an error occurs during log message processing it
NOTE is also possible that the message will be dropped. If sophisticated error handling or more
complex processing is required, additional message processing can be implemented in an
external script or program via the xm_exec module, in a dedicated NXLog module, or in Perl via
the xm_perl module.

The NXLog language is described in five sections.

Types
All fields and other expressions in the NXLog language are typed.

Expressions
An expression is evaluated to a value at run-time and the value is used in place of the expression. All
expressions have types. Expressions can be used as arguments for some module directives.

Statements
The evaluation of a statement will cause a change in the state of the NXLog engine, the state of a module
instance, or the current event. Statements often contain expressions. Statements are used as arguments for
the Exec module directive, where they are then executed for each event (unless scheduled).

Variables
Variables store data persistently in a module instance, across multiple event records.

Statistical Counters
NXLog provides statistical counters with various algorithms that can be used for realtime analysis.

150
Example 21. Statements vs. Configurations

While this Guide provides many configuration examples, in some cases only statement examples are given.
Statements must be used with the Exec directive (or Exec block). The following statement example shows
one way to use the parsedate() function.

1 if $raw_event =~ /^(\w{3} \d{2} \d{2}:\d{2}:\d{2})/

2 $EventTime = parsedate($1);

The following configuration example uses the above statement in an Exec block.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/var/log/app.log'
4 <Exec>
5 if $raw_event =~ /^(\w{3} \d{2} \d{2}:\d{2}:\d{2})/
6 $EventTime = parsedate($1);
7 </Exec>
8 </Input>

24.1. Types
The NXLog language is a typed language. Fields, literals, and other expressions evaluate to values with specific
types. This allows for stricter type-safety syntax checking when parsing the configuration. Note that fields and
some functions can return values with types that can only be determined at run-time.

The language provides only simple types. Complex types such as arrays and hashes (associative
NOTE arrays) are not supported. The language does support the undefined value similar to that in
Perl. See the xm_perl module if you require more complex types.

A log’s format must be parsed before its individual parts can be used for processing (see Fields). But even after
the message has been parsed into its parts, additional processing may still be required, for example, to prepare a
timestamp for comparison with another timestamp. This is a situation where typing is helpful: by converting all
timestamps to the datetime type they can be easily compared—and converted back to strings later if required—
using the functions and procedures provided. The same applies to other types.

151
Example 22. Typed Fields in a Syslog Event Record

The following illustrates the four steps NXLog performs with this configuration as it manually processes a
Syslog event record using only regular expressions on the core field $raw_event and the core function
parsedate().

nxlog.conf
1 <Input in>
2 # 1. New event record created
3 Module im_udp
4 Host 0.0.0.0
5 Port 514
6 <Exec>
7 # 2. Timestamp parsed from Syslog header
8 if $raw_event =~ /^(\w{3} \d{2} \d{2}:\d{2}:\d{2})/
9 {
10 # 3. parsedate() function converts from string to datetime
11 $EventTime = parsedate($1);
12 # 4. Datetime fields compared
13 if ( $EventReceivedTime - $EventTime ) > 60000000
14 log_warning('Message delayed more than 1 minute');
15 }
16 </Exec>
17 </Input>

1. NXLog creates a new event record for the incoming log message. The new event record contains the
$raw_event string type field, with the contents of the entire Syslog string.

2. A regular expression is used to parse the timestamp from the event. The captured sub-string is a string
type, not a datetime type.
3. The parsedate() function converts the captured string to a datetime type.
4. Two datetime fields are compared to determine if the message was delayed during delivery. The
datetime type $EventReceivedTime field is added by NXLog to each event when it is received.

Normally the parse_syslog() procedure (provided by the xm_syslog extension module)

would be used to parse a Syslog event. It will create fields with the appropriate types
NOTE
during parsing, eliminating the need to directly call the parsedate() function. See Collecting
and Parsing Syslog.

For a full list of types, see the Reference Manual Types section. For NXLog language core functions that can be
used to work with types, see Functions. For functions and procedures that can work with types related to a
particular format, see the module corresponding to the required format.

24.2. Expressions
An expression is a language element that is dynamically evaluated to a value at run-time. The value is then used
in place of the expression. Each expression evaluates to a type, but not always to the same type.

The following language elements are expressions: literals, regular expressions, fields, operations, and functions.

Expressions can be bracketed by parentheses ( ) to help improve code readability.

152
Example 23. Using Parentheses (Round Brackets) Around Expressions

There are three statements below, one per line. Each statement contains multiple expressions, with
parentheses added in various ways.

1 if 1 + 1 == (1 + 1) log_info("2");
2 if (1 + 1) == (1 + 1) log_info("2");
3 if ((1 + 1) == (1 + 1)) log_info("2");

Expressions are often used in statements.

Example 24. Using an Expression in a Statement

This simple statement uses the log_info() procedure with an expression as its argument. In this case the
expression is a literal.

1 log_info('This message will be logged.');

Here is a function (also an expression) that is used in the same procedure. It generates an internal event
with the current time when each event is processed.

1 log_info(now());

Expressions can be used with module directives that support them.

Example 25. Expressions for Directives

The File directive of the om_file module supports expressions. This allows the output filename to be set
dynamically for each individual event.

nxlog.conf
1 <Output out>
2 Module om_file
3 File "/var/log/nxlog/out_" + strftime($EventTime, "%Y%m%d")
4 </Output>

See Using Dynamic Filenames for more information.

24.2.1. Literals
A literal is a simple expression that represents a fixed value. Common literals include booleans, integers, and
strings. The type of literal is detected by the syntax used to declare it.

NOTE This section demonstrates the use of literals by using examples with assignment statements.

Boolean literals can be declared using the constants TRUE or FALSE. Both are case-insensitive.

Setting Boolean Literals

1 $Important = FALSE;
2 $Local = true;

Integer literals are declared with an unquoted integer. Negative integers, hexademical notation, and base-2
modifiers (Kilo, Mega, and Giga) are supported.

153
Setting Integer Literals
1 $Count = 42;
2 $NegativeCount = -42;
3 $BigCount = 42M;
4 $HexCount = 0x2A;

String literals are declared by quoting characters with single or double quotes. Escape sequences are available
when using double quotes.

Setting String Literals

1 $Server = 'Alpha';
2 $Message = 'This is a test message.';
3 $NumberAsString = '12';
4 $StringWithNewline = "This is line 1.\nThis is line 2.";

For a list of all available literals, see the Reference Manual Literals section.

24.2.2. Regular Expressions

NXLog supports regular expressions for matching, parsing, and modifying event records. In the context of the
NXLog language, a regular expression is an expression that is evaluated to a boolean value at run-time. Regular
expressions can be used to define complex search and replacement patterns for text matching and substitution.

Examples in this section use only simple patterns. See Extracting Data and other topic-specific
NOTE
sections for more extensive examples.

Matching can be used with an if statement to conditionally execute a statement.

Example 26. Matching a Field With a Regular Expression

The event record will be discarded if the $raw_event field matches the regular expression.

1 if $raw_event =~ /TEST: / drop();

Regular expression matching can also be used for extensive parsing, by capturing sub-strings for field
assignment.

Example 27. Parsing Fields With a Regular Expression

If the $raw_event field contains the regular expression, the two fields will be set to the corresponding
captured sub-strings.

1 if $raw_event =~ /TEST(\d): (.+)/

2 {
3 $TestNumber = $1;
4 $TestName = $2;
5 }

Regular expression matching also supports named capturing groups. This can be useful when writing long
regular expressions. Each captured group is automatically added to the event record as a field with the same
name.

154
Example 28. Named Capturing Groups

This regular expression uses the named groups TestNumber and TestName to add corresponding
$TestNumber and $TestName fields to the event record.

1 if $raw_event =~ /TEST(?<TestNumber>\d): (?<TestName>.+)/

2 {
3 $Message = $TestNumber + ' ' + $TestName;
4 }

Regular expression substitution can be used to modify a string. In this case, the regular expression follows the
form s/pattern/replace/. The result of the expression will be assigned to the field to the left of the operator.

Example 29. Performing Substitution Using a Regular Expression

The first regular expression match will be removed from the $raw_event field.

1 $raw_event =~ s/TEST: //;

Global substitution is supported with the /g modifier. Without the /g modifier, only the first match in the string
will be replaced.

Example 30. Global Regular Expression Substitution

Every whitespace character in the $AlertType field will be replaced with an underscore (_).

1 $AlertType =~ s/\s/_/g;

A statement can be conditionally executed according to the success of a regular expression substitution.

Example 31. Regular Expression Substitution With Conditional Execution

If the substitution succeeds, an internal log message will also be generated.

1 if $Hostname =~ s/myhost/yourhost/ log_info('Updated hostname');

For more information, see the following sections in the Reference Manual: Regular Expressions, =~, and !~.

24.2.3. Fields
When NXLog receives a log message, it creates an event record for it. An event record is a set of fields (see Fields
for more information). A field is an expression which evaluates to a value with a specific type. Each field has a
name, and in the NXLog language it is represented with the dollar sign ($) prepended to the name of the field,
like Perl’s scalar variables.

Fields are only available in an evaluation context which is triggered by a log message. For example, using a value
of a field in the Exec directive of a Schedule block will result in a run-time error because the scheduled execution
is not triggered by a log message.

Because it is through fields that the NXLog language accesses the contents of an event record, they are
frequently referenced. The following examples show some common ways that fields are used in NXLog
configurations.

155
Example 32. Assigning a Value to a Field

This statement uses assignment to set the $Department field on log messages.

1 $Department = 'customer-service';

Example 33. Testing a Field Value

If the $Hostname field does not match, the message will be discarded with the drop() procedure.

1 if $Hostname != 'webserver' drop();

Example 34. Using a Field in a Procedure

This statement will generate an internal event if $SeverityValue integer field is greater than 2 (NXLog
INFO severity). The generated event will include the contents of the $Message field.

1 if $SeverityValue > 2 log_warning("ALERT: " + $Message);

24.2.4. Operations
Like other programming languages and especially Perl, the NXLog language has unary operations, binary
operations, and the conditional ternary operation. These operations are expressions and evaluate to values.

Unary Operations
Unary operations work with a single operand and evaluate to a boolean value.

Example 35. Using a Unary Operation

This statement uses the defined operator to log a message only if the $Hostname field is defined in the
event record.

1 if defined $Hostname log_info('Event received');

Binary Operations
Binary operations work with two operands and evaluate to a value. The type of the evaluated value depends
on the type of the operands. Execution might result in a run-time error if the type of the operands are
unknown at compile time and then evaluate to types which are incompatible with the binary operation when
executed.

Example 36. Using Binary Operations

This statement uses the == operator to drop the event if the $Hostname field matches.

1 if $Hostname == 'testbox' drop();

Here, the + operator is used to concatenate two strings.

1 log_info('Event received from ' + $Hostname);

Ternary Operation
The conditional or ternary operation requires three operands. The first is an expression that evaluates to a

156
boolean. The second is an expression that is evaluated if the first expression is TRUE. The third is an
expression that is evaluated if the first expression is FALSE.

Example 37. Using the Ternary Operation

This statement sets the $Important field to TRUE if $SeverityValue is greater than 2, or FALSE
otherwise. The parentheses are optional and have been added here for clarity.

1 $Important = ( $SeverityValue > 2 ? TRUE : FALSE );

For a full list of supported operations, see the Reference Manual Operations section.

24.2.5. Functions
A function is an expression which always returns a value. A function cannot be used without using its return
value. Functions can be polymorphic: the same function can take different argument types.

Many NXLog language features are provided through functions. As with other types of expressions, and unlike
procedures, a function never modifies the state of the NXLog engine, the state of the module, or the current
event.

See the list of core functions. Modules can provide additional functions for use with the NXLog language.

Example 38. Function Calls

These statements use the now() function (returning the current time) and the hostname() function
(returning the hostname of the system running NXLog) to set fields.

1 $EventTime = now();
2 $Relay = hostname();

Here, any event with a $Message field over 4096 bytes causes an internal log to be generated.

1 if size($Message) > 4096 log_info('Large message received.');

24.3. Statements
The evaluation of a statement will usually result in a change in the state of the NXLog engine, the state of a
module, or the log message.

Statements are used with the Exec module directive. A statement is terminated by a semicolon (;).

Example 39. Using a Statement with Exec

With this input configuration, an internal NXLog log message will be generated for each message received.

nxlog.conf
1 <Input in>
2 Module im_udp
3 Host 0.0.0.0
4 Port 514
5 Exec log_info("Message received on UDP port 514");
6 </Input>

Multiple statements can be specified, these will be evaluated and executed in order. Statements can also be

157
given on multiple lines by using line continuation or by enclosing the statements in an Exec block.

Example 40. Using Multiple Statements with Exec

This configuration generates an internal log message and sets the $File field.

nxlog.conf
1 <Input in1>
2 Module im_file
3 File '/var/log/app.log'
4 Exec log_info("App message read from log"); $File = file_name();
5 </Input>

This is the same, but the backslash (\) is used to continue the Exec directive to the next line.

nxlog.conf
1 <Input in2>
2 Module im_file
3 File '/var/log/app.log'
4 Exec log_info("App message read from log"); \
5 $File = file_name();
6 </Input>

The following configuration is functionally equivalent to the previous configuration above. However, by
creating an Exec block, multiple statements can be specified without the need for a backslash (\) line
continuation at the end of each line.

nxlog.conf
1 <Input in3>
2 Module im_file
3 File '/var/log/app.log'
4 <Exec>
5 log_info("App message read from log");
6 $File = file_name();
7 </Exec>
8 </Input>

Statements can also be executed based on a schedule by using the Exec directive of a Schedule block. The Exec
directive is slightly different in this example. Because its execution depends solely on a schedule instead of any
incoming log events, there is no event record that can be associated with it. The $File field assignment in the
example above would be impossible.

158
Example 41. Using a Statement in a Schedule

This input instance will generate an hourly internal log event.

nxlog.conf
1 <Input syslog_udp>
2 Module im_udp
3 Host 0.0.0.0
4 Port 514
5 <Schedule>
6 When @hourly
7 Exec log_info("The syslog_udp input module instance is active.");
8 </Schedule>
9 </Input>

NOTE Similar functionality is implemented by the im_mark module.

24.3.1. Assignment
Each event record is made up of fields, and assignment is the primary way that a value is written to a field in the
NXLog language. The assignment operation is declared with an equal sign (=). This operation loads the value
from the expression evaluated on the right into an event record field on the left.

Example 42. Using Field Assignment

This input instance uses assignment operations to add two fields to each event record.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/var/log/messages'
4 <Exec>
5 $Department = 'processing';
6 $Tier = 1;
7 </Exec>
8 </Input>

24.3.2. Block
Statements can be declared inside a block by surrounding them with curly braces ({}). A statement block in the
configuration is parsed as if it were a single statement. Blocks are typically used with conditional statements.

159
Example 43. Using Statement Blocks

This statement uses a block to execute two statements if the $Message field matches.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/var/log/messages'
4 <Exec>
5 if $Message =~ /^br0:/
6 {
7 log_warning('br0 interface state changed');
8 $Tag = 'network';
9 }
10 </Exec>
11 </Input>

24.3.3. Procedures
While functions are expressions that evaluate to values, procedures are statements that perform actions. Both
functions and procedures can take arguments. Unlike functions, procedures never return values. Instead, a
procedure modifies its argument, the state of the NXLog engine, the state of a module, or the current event.
Procedures can be polymorphic: the same procedure can take different argument types.

Many NXLog language features are provided through procedures. See the list of available procedures. Modules
can provide additional procedures for use with the NXLog language.

Example 44. Using a Procedure

This example uses the parse_syslog() procedure, provided by the xm_syslog module, to parse each Syslog-
formatted event record received via UDP.

nxlog.conf
1 <Input in>
2 Module im_udp
3 Host 0.0.0.0
4 Port 514
5 Exec parse_syslog();
6 </Input>

24.3.4. If-Else
The if or conditional statement allows a statement to be executed based on the boolean value of an expression.
When the boolean is TRUE, the statement is executed. An optional else keyword can be followed by another
statement to be executed if the boolean is FALSE.

160
Example 45. Using If Statements

This example uses an if statement and the drop() procedure to discard any event that matches the regular
expression.

nxlog.conf
1 <Input in1>
2 Module im_file
3 File '/var/log/messages'
4 Exec if $raw_event =~ /junk/ drop();
5 </Input>

Here, any event not matching the regular expression will be dropped.

nxlog.conf
1 <Input in2>
2 Module im_file
3 File '/var/log/messages'
4 Exec if not ($raw_event =~ /important/) drop();
5 </Input>

Finally, this statement shows more extensive use of the if statement, with an else clause and blocks defined
by curly braces ({}).

nxlog.conf
1 <Input in3>
2 Module im_file
3 File '/var/log/messages'
4 <Exec>
5 if $raw_event =~ /alert/
6 {
7 log_warning('Detected alert message');
8 }
9 else
10 {
11 log_info('Discarding non-alert message');
12 drop();
13 }
14 </Exec>
15 </Input>

24.4. Variables
While NXLog provides fields for storing data during the processing of an event, they are only available for the
duration of that event record and can not be used to store a value across multiple events. For this purpose,
module variables can be used. A variable stores a value for the module instance where it is set. It can only be
accessed from the same module where it was created: a variable with the same name is a different variable
when referenced from another module.

Each module variable can be created with an expiry value or an infinite lifetime. If an expiry is used, the variable
will be destroyed automatically when the lifetime expires. This can be used as a garbage collection method or to
reset variable values automatically.

A module variable is referenced by a string value and can store a value of any type. Module variables are
supported by all modules. See the create_var(), delete_var(), set_var(), and get_var() procedures.

161
Example 46. Using Module Variables

If the number of login failures exceeds 3 within 45 seconds, then an internal log message is generated.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/var/log/messages'
4 <Exec>
5 if $Message =~ /login failure/
6 {
7 if not defined get_var('login_failures')
8 { # create the variable if it doesn't exist
9 create_var('login_failures', 45);
10 set_var('login_failures', 1);
11 }
12 else
13 { # increase the variable and check if it is over the limit
14 set_var('login_failures', get_var('login_failures') + 1);
15 if get_var('login_failures') >= 3
16 log_warning(">= 3 login failures within 45 seconds");
17 }
18 }
19 </Exec>
20 </Input>

The pm_evcorr module is recommended instead for this case. This algorithm does not
reliably detect failures because the lifetime of the variable is not affected by set_var(). For
example, consider login failures at 0, 44, 46, and 47 seconds. The lifetime of the variable
will be set when the first failure occurs, causing the variable to be cleared at 45 seconds.
NOTE
The variable is created with a new expiry at 46 seconds, but then only two failures are
noticed. Also, this method can only work in real-time because the timing is not based on
values available in the log message (although the event time could be stored in another
variable).

24.5. Statistical Counters

Like variables, statistical counters provide data storage for a module instance. Counters only support integers, but
a counter can use an algorithm to recalculate its value every time it is updated or read. With NXLog Enterprise
Edition v4.x and earlier, a statistical counter will only return a value if the time specified in the interval argument
has elapsed since it was created. Statistical counters can also be created with a lifetime. When a counter expires,
it is destroyed, like module variables.

A statistical counter can be created with the create_stat() procedure call. After it is created, it can be updated with
the add_stat() procedure call. The value of the counter can be read with the get_stat() function call. Note that the
value of the statistical counter is only recalculated during these calls, rather than happening automatically. This
can result in some slight distortion of the calculated value if the add and read operations are infrequent.

A time value can also be specified during creation, updating, and reading. This makes it possible for statistical
counters to be used with offline log processing.

162
Example 47. Using Statistical Counters

This input configuration uses a Schedule block and a statistical counter with the RATEMAX algorithm to
calculate the maximum rate of events over a 1 hour period. An internal log message is generated if the rate
exceeds 500 events/second at any point during the 1 hour period.

nxlog.conf
1 <Input in>
2 Module im_tcp
3 Host 0.0.0.0
4 Port 1514
5 <Exec>
6 parse_syslog();
7 if defined get_stat('eps') add_stat('eps', 1, $EventReceivedTime);
8 </Exec>
9 <Schedule>
10 Every 1 hour
11 <Exec>
12 create_stat('eps', 'RATEMAX', 1, now(), 3600);
13 if get_stat('eps') > 500
14 log_info('Inbound TCP rate peaked at ' + get_stat('eps')
15 + ' events/second during the last hour');
16 </Exec>
17 </Schedule>
18 </Input>

163
Chapter 25. Reading and Receiving Logs
This chapter discusses log sources that you may need to use with NXLog, including:

• log data received over the network,

• events stored in databases,
• messages read from files, and
• data retrieved using executables.

25.1. Receiving over the Network

This section provides information and examples about receiving log messages from the network over various
protocols.

UDP
The im_udp module handles incoming messages over UDP.

Example 48. Using the im_udp Module

This input module instance shows the im_udp module configured with the default options: localhost
only and port 514.

nxlog.conf
1 <Input udp>
2 Module im_udp
3 Host localhost
4 Port 514
5 </Input>

The UDP protocol does not guarantee reliable message delivery. It is recommended to use
the TCP or SSL transport modules instead if message loss is a concern.
NOTE
Though NXLog was designed to minimize message loss even in the case of UDP, adjusting
the kernel buffers may reduce the likelihood of UDP message loss on a system under heavy
load. The Priority directive in the Route block can also help.

TCP
The im_tcp module handles incoming messages over TCP. For TLS/SSL, use the im_ssl module.

Example 49. Using the im_tcp Module

This input module instance accepts TCP connections from any host on port 1514.

nxlog.conf
1 <Input tcp>
2 Module im_tcp
3 Host 0.0.0.0
4 Port 1514
5 </Input>

SSL/TLS
The im_ssl module handles incoming messages over TCP with SSL/TLS security.

164
Example 50. Using the im_ssl Module

The following input module instance listens for SSL/TLS encrypted incoming logs on port 6514. The
certificate file paths are specified relative to a previously defined CERTDIR.

nxlog.conf
1 <Input in>
2 Module im_ssl
3 Host 0.0.0.0
4 Port 6514
5 CAFile %CERTDIR%/ca.pem
6 CertFile %CERTDIR%/client-cert.pem
7 CertKeyFile %CERTDIR%/client-key.pem
8 </Input>

Syslog
To receive Syslog over the network, use one of the network modules above, coupled with xm_syslog. Syslog
parsing is not required if you only need to forward or store the messages as they are. See also Accepting
Syslog via UDP, TCP, or TLS.

Example 51. Receiving Syslog over TCP with Octet-Framing

With this example configuration, NXLog listens for messages on TCP port 1514. The xm_syslog extension
module provides the Syslog_TLS InputType (for octet-framing) and the parse_syslog() procedure for
parsing Syslog messages.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_tcp
7 Host 0.0.0.0
8 Port 1514
9 # "Syslog_TLS" is for octet framing and may be used with TLS/SSL
10 InputType Syslog_TLS
11 Exec parse_syslog();
12 </Input>

25.2. Reading from a Database

With the im_dbi and im_odbc modules it is possible to read logs directly from database servers. The im_dbi
module can be used on POSIX systems where libdbi is available. The im_odbc module, available in NXLog
Enterprise Edition, can be used with ODBC compatible databases on Windows, Linux, and Unix.

165
Example 52. Using the im_dbi Module

This example uses libdbi and the MySQL driver to read records from the logdb database.

nxlog.conf
1 <Input in>
2 Module im_dbi
3 Driver mysql
4 Option host 127.0.0.1
5 Option username mysql
6 Option password mysql
7 Option dbname logdb
8 SQL SELECT id, facility, severity, hostname, timestamp, application, \
9 message FROM log
10 </Input>

Example 53. Using the im_odbc Module

Here, the mydb database is accessed via ODBC.

nxlog.conf
1 <Input in>
2 Module im_odbc
3 ConnectionString DSN=mssql;database=mydb;
4 SQL SELECT RecordNumber as id, DateOccured as EventTime, \
5 data as Message from logtable WHERE RecordNumber > ?
6 </Input>

25.3. Reading from Files and Sockets

Files
The im_file module can be used to read logs from files. See also Reading Syslog Log Files.

Example 54. Using the im_file Module

This example reads from the specified file without performing any additional processing.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/var/log/messages"
4 </Input>

Unix Domain Socket

Use the im_uds module to read from a Unix domain socket. See also Accepting Syslog via /dev/log.

166
Example 55. Using the im_uds Module

With this configuration, NXLog will read messages from the /dev/log socket. NXLog’s flow control
feature must be disabled in this case (see the FlowControl directive in the Reference Manual).

nxlog.conf
1 <Input in>
2 Module im_uds
3 UDS /dev/log
4 FlowControl FALSE
5 </Input>

25.4. Receiving from an Executable

The im_exec module can be used to read logs from external programs and scripts over a pipe.

Example 56. Using the im_exec Module

This example uses the tail command to read messages from a file.

The im_file module should be used to read log messages from files. This example only
NOTE
demonstrates the use of the im_exec module.

nxlog.conf
1 <Input in>
2 Module im_exec
3 Command /usr/bin/tail
4 Arg -f
5 Arg /var/log/messages
6 </Input>

167
Chapter 26. Processing Logs
This chapter deals with various tasks that might be required after a log message is received by NXLog.

26.1. Parsing Various Formats

After an input module has received a log message and generated an event record for it, there may be additional
parsing required. This parsing can be implemented by a dedicated module, or in the NXLog language with
regular expression and other string manipulation functionality.

The following sections provide configuration examples for parsing log formats commonly used by applications.

26.1.1. Common & Combined Log Formats

The Common Log Format (or NCSA Common Log Format) and Combined Log Format are access log formats used
by web servers. These are the same, except that the Combined Log Format uses two additional fields.

Common Log Format Syntax

host ident authuser [date] "request" status size↵

Combined Log Format Syntax

host ident authuser [date] "request" status size "referer" "user-agent"↵

If a field is not available, a hyphen (-) is used as a placeholder.

Table 49. Fields

Field Description
host IP address of the client

ident RFC 1413 identity of the client

authuser Username of the user accessing the document (not applicable for public documents)

date Timestamp of the request

request Request line received from the client

status HTTP status code returned to the client

size Size of the object returned to the client (measured in bytes)

referer URL from which the user was referred

user-agent User agent string sent by the client

168
Example 57. Parsing the Common Log Format

This configuration uses a regular expression to parse the fields in each record. The parsedate() function is
used to convert the timestamp string into a datetime type for later processing or conversion as required.

nxlog.conf
<Input access_log>
Module im_file
File "/var/log/apache2/access.log"
<Exec>
if $raw_event =~ /(?x)^(\S+)\ \S+\ (\S+)\ \[([^\]]+)\]\ \"(\S+)\ (.+)
\ HTTP\/\d\.\d\"\ (\S+)\ (\S+)/
{
$Hostname = $1;
if $2 != '-' $AccountName = $2;
$EventTime = parsedate($3);
$HTTPMethod = $4;
$HTTPURL = $5;
$HTTPResponseStatus = $6;
if $7 != '-' $FileSize = $7;
}
</Exec>
</Input>

169
Example 58. Parsing the Combined Log Format

This example is like the previous one, except it parses the two additional fields unique to the Combined Log
Format. An om_file instance is also shown here which has been configured to discard all events not related
to the user john and write the remaining events to a file in JSON format.

nxlog.conf
<Extension _json>
Module xm_json
</Extension>

<Input access_log>
Module im_file
File "/var/log/apache2/access.log"
<Exec>
if $raw_event =~ /(?x)^(\S+)\ \S+\ (\S+)\ \[([^\]]+)\]\ \"(\S+)\ (.+)
\ HTTP\/\d\.\d\"\ (\S+)\ (\S+)\ \"([^\"]+)\"
\ \"([^\"]+)\"/
{
$Hostname = $1;
if $2 != '-' $AccountName = $2;
$EventTime = parsedate($3);
$HTTPMethod = $4;
$HTTPURL = $5;
$HTTPResponseStatus = $6;
if $7 != '-' $FileSize = $7;
if $8 != '-' $HTTPReferer = $8;
if $9 != '-' $HTTPUserAgent = $9;
}
</Exec>
</Input>

<Output out>
Module om_file
File '/var/log/john_access.log'
<Exec>
if not (defined($AccountName) and ($AccountName == 'john')) drop();
to_json();
</Exec>
</Output>

For information about using the Common and Combined Log Formats with the Apache HTTP Server, see Apache
HTTP Server.

26.1.2. Parsing Syslog Events

The xm_syslog module provides the parse_syslog() procedure, which will parse a BSD or IETF Syslog formatted
raw event to create fields in the event record.

170
Example 59. Parsing a Syslog Event With parse_syslog()

This example shows a Syslog event as it is received via UDP and processed by the parse_syslog() procedure.

Syslog Message
<38>Nov 22 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from 192.168.1.60
port 38176 ssh2↵

The following configuration loads the xm_syslog extension module and then uses the Exec directive to
execute the parse_syslog() procedure for each event.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input udp>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 Exec parse_syslog();
10 </Input>
11
12 <Output out>
13 Module om_null
14 </Output>

This results in the following fields being added to the event record by parse_syslog().

Table 50. Syslog Fields Added by parse_syslog()

Field Value
$Message Failed password for invalid user linda from 192.168.1.60 port 38176 ssh2

$SyslogSeverityValue 6

$SyslogSeverity INFO

$SeverityValue 2

$Severity INFO

$SyslogFacilityValue 4

$SyslogFacility AUTH

$EventTime 2016-11-22 10:30:12

$Hostname myhost

$SourceName sshd

$ProcessID 8459

26.1.3. Field Delimited Formats (CSV)

Files containing fields and their values delimited by commas, spaces, or semicolons are commonly created and
consumed using such formats. The xm_csv module can both generate and parse these formats. Multiple xm_csv
instances can be used to reorder, add, remove, or modify fields before outputting to a different CSV format.

171
Example 60. Complex CSV Format Conversion

This example reads from the input file and parses it with the parse_csv() procedure from the csv1 instance
where the field names, types, and order within the record are defined. The $date field is then set to the
current time and the $number field is set to 0 if it is not already defined. Finally, the to_csv() procedure from
the csv2 instance is used to generate output with the additional date field, a different delimiter, and a
different field order.

nxlog.conf
1 <Extension csv1>
2 Module xm_csv
3 Fields $id, $name, $number
4 FieldTypes integer, string, integer
5 Delimiter ,
6 </Extension>
7
8 <Extension csv2>
9 Module xm_csv
10 Fields $id, $number, $name, $date
11 Delimiter ;
12 </Extension>
13
14 <Input filein>
15 Module im_file
16 File "/tmp/input"
17 <Exec>
18 csv1->parse_csv();
19 $date = now();
20 if not defined $number $number = 0;
21 csv2->to_csv();
22 </Exec>
23 </Input>
24
25 <Output fileout>
26 Module om_file
27 File "/tmp/output"
28 </Output>

Input Sample
1, "John K.", 42
2, "Joe F.", 43

Output Sample
1;42;"John K.";2011-01-15 23:45:20
2;43;"Joe F.";2011-01-15 23:45:20

26.1.4. JSON
The xm_json module provides procedures for generating and parsing log data in JSON format.

172
Example 61. Using the xm_json Module for Parsing JSON

This example reads JSON-formatted data from file with the im_file module. Then the parse_json() procedure
is used to parse the data, setting each JSON field to a field in the event record.

nxlog.conf
1 <Extension _json>
2 Module xm_json
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/app.json"
8 Exec parse_json();
9 </Input>

Example 62. Using the xm_json Module for Generating JSON

Here, the to_json() procedure is used to write all the event record fields to $raw_event in JSON format. This
is then written to file using the om_file module.

nxlog.conf
1 <Extension _json>
2 Module xm_json
3 </Extension>
4
5 <Output out>
6 Module om_file
7 File "/var/log/json.log"
8 Exec to_json();
9 </Output>

26.1.5. W3C Extended Log File Format

See the specification draft of the W3C format. The dedicated xm_w3c parser module can be used to process W3C
formatted logs. See also the W3C section in the Microsoft IIS chapter.

Log Sample
#Version: 1.0↵
#Date: 2011-07-01 00:00:00↵
#Fields: date time cs-method cs-uri↵
2011-07-01 00:34:23 GET /foo/bar1.html↵
2011-07-01 12:21:16 GET /foo/bar2.html↵
2011-07-01 12:45:52 GET /foo/bar3.html↵
2011-07-01 12:57:34 GET /foo/bar4.html↵

173
Example 63. Parsing W3C Format With xm_w3c

This configuration reads the W3C format log file and parses it with the xm_w3c module. The fields in the
event record are converted to JSON and the logs are forwarded via TCP.

nxlog.conf
1 <Extension _json>
2 Module xm_json
3 </Extension>
4
5 <Extension w3c_parser>
6 Module xm_w3c
7 </Extension>
8
9 <Input w3c>
10 Module im_file
11 File '/var/log/httpd-log'
12 InputType w3c_parser
13 </Input>
14
15 <Output tcp>
16 Module om_tcp
17 Host 192.168.12.1
18 Port 1514
19 Exec to_json();
20 </Output>

The W3C format can also be parsed with the xm_csv module if using NXLog Community Edition.

174
Example 64. Parsing W3C Format With xm_csv

The following configuration reads a W3C file and tokenizes it with the CSV parser. Header lines starting with
a leading hash mark (#) are ignored. The $EventTime field is set from the parsed date and time fields.

The fields in the xm_csv module instance below must be updated to correspond with the
NOTE
fields in the W3C file to be parsed.

nxlog.conf
1 <Extension w3c_parser>
2 Module xm_csv
3 Fields $date, $time, $HTTPMethod, $HTTPURL
4 FieldTypes string, string, string, string
5 Delimiter ' '
6 EscapeChar '"'
7 QuoteChar '"'
8 EscapeControl FALSE
9 UndefValue -
10 </Extension>
11
12 <Extension _json>
13 Module xm_json
14 </Extension>
15
16 <Input w3c>
17 Module im_file
18 File '/var/log/httpd-log'
19 <Exec>
20 if $raw_event =~ /^#/ drop();
21 else
22 {
23 w3c_parser->parse_csv();
24 $EventTime = parsedate($date + " " + $time);
25 }
26 </Exec>
27 </Input>

26.1.6. XML
The xm_xml module can be used for generating and parsing structured data in XML format.

Example 65. Using the xm_xml Module for Parsing XML

This configuration uses the im_file module to read from file. Then the parse_xml() procedure parses the
XML into fields in the event record.

nxlog.conf
1 <Extension _xml>
2 Module xm_xml
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/app.xml"
8 Exec parse_xml();
9 </Input>

175
Example 66. Using the xm_xml Module for Generating XML

Here, the fields in the event record are used by the to_xml() procedure to generate XML, which is then
written to file by the om_file module.

nxlog.conf
1 <Extension _xml>
2 Module xm_xml
3 </Extension>
4
5 <Output out>
6 Module om_file
7 File "/var/log/logs.xml"
8 Exec to_xml();
9 </Output>

26.2. Alerting
NXLog can be configured to generate alerts when specific conditions are met. Here are some ways alerting could
be implemented.

26.2.1. Sending Messages to an External Program

The om_exec module can pipe messages to an external program or script, which will be executed once the
om_exec module has started. The external script is required to run continuously until the om_exec module is
stopped and the pipe is closed. This functionality can be used for alerting.

Example 67. Using om_exec with an External Alerter

In this example Output, all messages not matching the regular expression are dropped, and remaining
messages are piped to a custom alerter script.

nxlog.conf
1 <Output out>
2 Module om_exec
3 Command /usr/local/sbin/alerter
4 Arg -
5 Exec if not ($raw_event =~ /alertcondition/) drop();
6 </Output>

Without the Exec directive above, all messages received by the module would be passed to the alerter
script as defined by the Command directive. The optional Arg directive passes its value to the Command
script.

26.2.2. Invoking a Program for Each Message

The xm_exec module provides two procedures, exec() and exec_async(), for spawning an external program or
script. The script is executed once for each call, and is expected to terminate when it has finished processing the
message.

176
Example 68. Using xm_exec with an External Alerter

In this example Input, each message matching the regular expression is piped to a new instance of
alerter, which is executed asynchronously (does not block additional processing by the calling module).

nxlog.conf
1 <Extension _exec>
2 Module xm_exec
3 </Extension>
4
5 <Input in>
6 Module im_tcp
7 Host 0.0.0.0
8 Port 1514
9 <Exec>
10 if $raw_event =~ /alertcondition/
11 exec_async("/usr/local/sbin/alerter");
12 </Exec>
13 </Input>

Example 69. Using xm_exec to Send an Email

In this example, an email is sent using exec_async() when the regular expression condition is met.

nxlog.conf
1 <Extension _exec>
2 Module xm_exec
3 </Extension>
4
5 <Input in>
6 Module im_tcp
7 Host 0.0.0.0
8 Port 1514
9 <Exec>
10 if $raw_event =~ /alertcondition/
11 {
12 exec_async("/bin/sh", "-c", 'echo "' + $Hostname + '\n\nRawEvent:\n' +
13 $raw_event + '"|/usr/bin/mail ' +
14 '-a "Content-Type: text/plain; charset=UTF-8" ' +
15 '-s "ALERT" [email protected]');
16 }
17 </Exec>
18 </Input>

26.2.3. Generate an Internal NXLog Log Message

NXLog can be configured to generate an internal log event when a specific condition is met. Internal log events
can be generated with various severity levels using the log_error(), log_warning(), log_info(), and log_debug()
procedures. Internal log messages will be written to the file specified by the global LogFile directive (according to
the configured LogLevel) and will be generated by the im_internal module.

NOTE DEBUG level events are not generated by the im_internal module.

177
Example 70. Using log_warning() for Alerting

If a message matches the regular expression, an internal log event is generated with level WARNING.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/var/log/app.log"
4 Exec if $raw_event =~ /alertcondition/ log_warning("ALERT");
5 </Input>

26.3. Using Buffers

The following sections describe the various types of buffering features provided by NXLog and give examples for
configuring buffering in specific scenarios.

26.3.1. Read and Write Buffers

Input and output module instances have read and write buffers, respectively. These buffers can be configured
for a particular module instance with the BufferSize directive.

Example 71. Read/Write Buffers in a Simple Route

This example shows the default read and write buffers used by NXLog for a simple route. Each buffer is
limited to 65,000 bytes.

nxlog.conf
1 <Input file>
2 Module im_file
3 File '/tmp/in.log'
4
5 # Set read buffer size, in bytes (default)
6 BufferSize 65000
7 </Input>
8
9 <Output tcp>
10 Module om_tcp
11 Host 192.168.1.1
12
13 # Set write buffer size, in bytes (default)
14 BufferSize 65000
15 </Output>
16
17 <Route r>
18 Path file => tcp
19 </Route>

178
26.3.2. Log Queues
Every processor and output module instance has an input log queue for events that have not yet been processed
by that module instance. When the preceding module has processed an event, it is placed in this queue. Because
log queues are enabled by default for all processor and output module instances, they are the preferred way to
adjust buffering behavior.

The size of a module instance’s log queue can be configured with the LogqueueSize directive.

Example 72. A Log Queue in a Basic Route

This example shows the default log queue used by NXLog in a simple route. Up to 100 events will be placed
in the queue to be processed by the om_batchcompress instance.

nxlog.conf
1 <Input eventlog>
2 Module im_msvistalog
3 </Input>
4
5 <Output batch>
6 Module om_batchcompress
7 Host 192.168.2.1
8
9 # Set log queue size, in events (default)
10 LogqueueSize 100
11 </Output>
12
13 <Route r>
14 Path eventlog => batch
15 </Route>

By default, log queues are stored in memory. NXLog can be configured to persist log queues to disk with the
PersistLogqueue directive. NXLog will further sync all writes to a disk-based queue with SyncLogqueue. These
directives can be used to prevent data loss in case of interrupted processing—at the expense of reduced
performance—and can be used both globally or for a particular module. For more information, see Reliable
Message Delivery.

Any events remaining in the log queue will be written to disk when NXLog is stopped, regardless
NOTE
of the value of PersistLogqueue.

179
Example 73. A Persistent Log Queue

In this example, the om_elasticsearch instance is configured with a persistent and synced log queue. Each
time an event is added to the log queue, the event will be written to disk and synced before processing
continues.

nxlog.conf
1 <Input acct>
2 Module im_acct
3 </Input>
4
5 <Output elasticsearch>
6 Module om_elasticsearch
7 URL http://192.168.2.2:9200/_bulk
8
9 # Set log queue size, in events (default)
10 LogqueueSize 100
11
12 # Use persistent and synced log queue
13 PersistLogqueue TRUE
14 SyncLogqueue TRUE
15 </Output>
16
17 <Route r>
18 Path acct => elasticsearch
19 </Route>

26.3.3. Flow Control

To effectively leverage buffering, it is important to understand NXLog’s flow control feature. Flow control has no
effect unless the following sequence of events occurs in a route:

1. a processor or output module instance is not able to process log data at the incoming rate,
2. that module instance’s log queue becomes full, and
3. the input or processor module instance responsible for feeding the log queue has flow control enabled.

In this case, flow control will cause the input or processor module instance to suspend processing until the
succeeding module instance is ready to accept more log data.

180
Example 74. Flow Control Enabled

This example shows the NXLog’s default flow control behavior with a basic route. Events are collected from
the Windows Event Log with im_msvistalog and forwarded with om_tcp. The om_tcp instance will be blocked
if the destination is unreachable or the network can not handle the events quickly enough.

nxlog.conf
1 <Input eventlog>
2 Module im_msvistalog
3
4 # Flow control enabled (default)
5 FlowControl TRUE
6 </Input>
7
8 <Output tcp>
9 Module om_tcp
10 Host 192.168.1.1
11 </Output>
12
13 <Route r>
14 Path eventlog => tcp
15 </Route>

The om_tcp instance is unable to connect to the destination host and its log queue is full. Because the
im_msvistalog instance has flow control enabled and the next module in the route is blocked, it has been
paused. No events will be read from the Event Log until the tcp instance becomes unblocked.

Flow control is enabled by default, and can be set globally or for a particular module instance with the
FlowControl directive. Generally, flow control provides automatic, zero-configuration handling of cases where
buffering would otherwise be required. However, there are some situations where flow control should be
disabled and buffering should be explicitly configured as required.

181
Example 75. Flow Control Disabled

In this example, Linux Audit messages are collected with im_linuxaudit and forwarded with om_http. Flow
control is disabled for im_linuxaudit to prevent processes from being blocked due to an Audit backlog. To
avoid loss of log data in this case, the LogqueueSize directive could be used as shown in Increasing the Log
Queue Size to Protect Against UDP Message Loss.

nxlog.conf
1 <Input audit>
2 Module im_linuxaudit
3 <Rules>
4 -D
5 -w /etc/passwd -p wa -k passwd
6 </Rules>
7
8 # Disable flow control to prevent Audit backlog
9 FlowControl FALSE
10 </Input>
11
12 <Output http>
13 Module om_http
14 URL http://192.168.2.1:8080/
15 </Output>
16
17 <Route r>
18 Path audit => http
19 </Route>

The om_http instance is unable to forward log data, and its log queue is full. Because it has flow control
disabled, the im_linuxaudit instance remains active and continues to process log data. However, all events
will be discarded until the om_http log queue is no longer full.

26.3.4. The pm_buffer Module

Log queues are enabled by default for processor and output modules instances, and are the preferred way to
configure buffering behavior in NXLog. However, for cases where additional features are required, the pm_buffer
module can be used to add a buffer instance to a route in addition to the above buffers normally used by NXLog.

Additional features provided by pm_buffer include:

• both memory- and disk-based buffering types,

• a buffer size limit measured in kilobytes,
• a WarnLimit threshold that generates a warning message when crossed, and
• functions for querying the status of a pm_buffer buffer instance.

182
In a disk-based pm_buffer instance, events are not written to disk unless the log queue of the
succeeding module instance is full. For this reason, a disk-based pm_buffer instance does not
NOTE reduce peformance in the way that a persistent log queue does. Additionally, pm_buffer (and
other processor modules) should not be used if crash-safe processing is required; see Reliable
Message Delivery.

Example 76. Using the pm_buffer Module

This example shows a route with a large disk-based buffer provided by the pm_buffer module. A warning
message will be generated when the buffer size crosses the threshold specified.

nxlog.conf
1 <Input udp>
2 Module im_udp
3 </Input>
4
5 <Processor buffer>
6 Module pm_buffer
7 Type Disk
8
9 # 40 MiB buffer
10 MaxSize 40960
11
12 # Generate warning message at 20 MiB
13 WarnLimit 20480
14 </Processor>
15
16 <Output ssl>
17 Module om_ssl
18 Host 10.8.0.2
19 CAFile %CERTDIR%/ca.pem
20 CertFile %CERTDIR%/client-cert.pem
21 CertKeyFile %CERTDIR%/client-key.pem
22 </Output>
23
24 <Route r>
25 Path udp => buffer => ssl
26 </Route>

The SSL/TLS destination is unreachable, and the disk-based buffer is filling.

26.3.5. Other Buffering Functionality

Buffering in NXLog is not limited to the functionality covered above. Other modules implement or provide
additional buffering-related features, such as the ones listed below. (This is not intended to be an exhaustive list.)

• The UDP modules (im_udp, om_udp, and om_udpspoof) can be configured to set the socket buffer size
(SO_RCVBUF or SO_SNDBUF) with the respective SockBufSize directive.

183
• The external program and scripting support found in some modules (like im_exec, im_perl, im_python,
im_ruby, om_exec, om_perl, om_python, and om_ruby) can be used to implement custom buffering
solutions.
• Some modules (such as om_batchcompress, om_elasticsearch, and om_webhdfs) buffer events internally in
order to forward events in batches.
• The pm_blocker module can be used to programmatically block or unblock the log flow in a route, and in this
way control buffering. Or it can be used to test buffering.
• The om_blocker module can be used to test buffering behavior by simulating a blocked output.

Example 77. All Buffers in a Basic Route

The following diagram shows all buffers used in a simple im_udp => om_tcp route. The socket buffers are
only applicable to networking modules.

26.3.6. Receiving Logs via UDP

Because UDP is connectionless, log data sent via plain UDP must be accepted immediately. Otherwise the log
data is lost. For this reason, it is important to add a buffer if there is any possibility of the route becoming
blocked. This can be done by increasing the log queue size of the following module instance or adding a
pm_buffer instance to the route.

184
Example 78. Increasing the Log Queue Size to Protect Against UDP Message Loss

In this configuration, log messages are accepted with im_udp and forwarded with om_tcp. The log queue
size of the output module instance is increased to 5000 events to buffer messages in case the output
becomes blocked. To further reduce the risk of data loss, the socket buffer size is increased with the
SockBufSize directive and the route priority is increased with Priority.

nxlog.conf
1 <Input udp>
2 Module im_udp
3
4 # Raise socket buffer size
5 SockBufSize 150000000
6 </Input>
7
8 <Output tcp>
9 Module om_tcp
10 Host 192.168.1.1
11
12 # Keep up to 5000 events in the log queue
13 LogqueueSize 5000
14 </Output>
15
16 <Route udp_to_tcp>
17 Path udp => tcp
18
19 # Process events in this route first
20 Priority 1
21 </Route>

The output is blocked because the network is not able to handle the log data quickly enough.

185
Example 79. Using a pm_buffer Instance to Protect Against UDP Message Loss

Instead of raising the size of the log queue, this example uses a memory-based pm_buffer instance to
buffer events when the output becomes blocked. A warning message will be generated if the buffer size
exceeds the specified WarnLimit threshold.

nxlog.conf
1 <Input udp>
2 Module im_udp
3
4 # Raise socket buffer size
5 SockBufSize 150000000
6 </Input>
7
8 <Processor buffer>
9 Module pm_buffer
10 Type Mem
11
12 # 5 MiB buffer
13 MaxSize 5120
14
15 # Warn at 2 MiB
16 WarnLimit 2048
17 </Processor>
18
19 <Output http>
20 Module om_http
21 URL http://10.8.1.1:8080/
22 </Output>
23
24 <Route udp_to_http>
25 Path udp => buffer => http
26
27 # Process events in this route first
28 Priority 1
29 </Route>

The HTTP destination is unreachable, the http instance log queue is full, and the buffer instance is filling.

26.3.7. Reading Logs From /dev/log

Syslog messages can be read from the /dev/log/ socket with the im_uds module. However, if the route
becomes blocked and the im_uds instance is suspended, the syslog() system call will cause blocking in programs
attempting to log a message. To prevent that, flow control should be disabled.

With flow control disabled, events will be discarded if the route becomes blocked and the route’s log queues
become full. To reduce the risk of lost log data, the log queue size of a succeeding module instance in the route
can be increased. Alternatively, a pm_buffer instance can be used as in the second UDP example above.

186
Example 80. Buffering Syslog Messages From /dev/log

This configuration uses the im_uds module to collect Syslog messages from the /dev/log socket, and the
xm_syslog parse_syslog() procedure to parse them.

To prevent the syslog() system call from blocking as a result of the im_uds instance being suspended, the
FlowControl directive is set to FALSE. The LogqueueSize directive raises the log queue limit of the output
instance to 5000 events. The Priority directive indicates that this route’s events should be processed first.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input dev_log>
6 Module im_uds
7 UDS /dev/log
8 Exec parse_syslog();
9
10 # This module instance must never be suspended
11 FlowControl FALSE
12 </Input>
13
14 <Output elasticsearch>
15 Module om_elasticsearch
16 URL http://192.168.2.1:9022/_bulk
17
18 # Keep up to 5000 events in the log queue
19 LogqueueSize 5000
20 </Output>
21
22 <Route syslog_to_elasticsearch>
23 Path dev_log => elasticsearch
24
25 # Process events in this route first
26 Priority 1
27 </Route>

The Elasticsearch server is unreachable and the log queue is filling. If the log queue becomes full, events
will be discarded.

26.3.8. Forwarding Logs From File

Because flow control will pause an im_file instance automatically, it is normally not necessary to use any
additional buffering when reading from files. If the route is blocked, the file will not be read until the route
becomes unblocked. If the im_file SavePos directive is set to TRUE (the default) and NXLog is stopped, the file
position of the im_file instance will be saved and used to resume reading when NXLog is started.

187
Example 81. Forwarding From File With Default Buffering

This configuration reads log messages from a file with im_file and forwards them with om_tcp. No extra
buffering is necessary because flow control is enabled.

nxlog.conf
1 <Input file>
2 Module im_file
3 File '/tmp/in.log'
4
5 # Enable flow control (default)
6 FlowControl TRUE
7
8 # Save file position on exit (default)
9 SavePos TRUE
10 </Input>
11
12 <Output tcp>
13 Module om_tcp
14 Host 10.8.0.2
15 </Output>
16
17 <Route r>
18 Path file => tcp
19 </Route>

The TCP destination is unreachable, and the im_file instance is paused. No messages will be read from the
source file until the om_tcp instance becomes unblocked.

Sometimes, however, there is a risk of the input log file becoming inaccessible while the im_file instance is
suspended (due to log rotation, for example). In this case, the tcp log queue size can be increased (or a
pm_buffer instance added) to buffer more events.

188
Example 82. Forwarding From File With Additional Buffering

In this example, log messages are read from a file with im_file and forwarded with om_tcp. The om_tcp log
queue size has been increased in order to buffer more events because the source file may be rotated away.

nxlog.conf
1 <Input file>
2 Module im_file
3 File '/tmp/in.log'
4 </Input>
5
6 <Output tcp>
7 Module om_tcp
8 Host 192.168.1.1
9
10 # Keep up to 2000 events in the log queue
11 LogqueueSize 2000
12 </Output>
13
14 <Route r>
15 Path file => tcp
16 </Route>

The TCP destination is unreachable and the om_tcp instance is blocked. The im_file instance will continue to
read from the file (and events will accumulate) until the tcp log queue is full; then it will be paused.

26.3.9. Discarding Events

NXLog’s flow control mechanism ensures that input module instances will pause until all output module
instances can write. This can be problematic in some situations when discarding messages is preferable to
blocking. For this case, flow control can be disabled or the drop() procedure can be used in conjunction with the
pm_buffer module. These two options differ somewhat in behavior, as described in the examples below.

189
Example 83. Disabling Flow Control to Selectively Discard Events

This example sends UDP input to two outputs, a file and an HTTP destination. If the HTTP transmission is
slower than the rate of incoming UDP packets or the destination is unreachable, flow control would
normally pause the im_udp instance. This would result in dropped UDP packets. In this situation it is better
to selectively drop log messages in the HTTP route than to lose them entirely. This can be accomplished by
simply disabling flow control for the input module instance.

This configuration will also continue to send events to the HTTP destination in the unlikely
event that the om_file output blocks. In fact, the input will remain active even if both
NOTE
outputs block (though in this particular case, because UDP is lossy, messages will be lost
regardless of whether the im_udp instance is suspended).

nxlog.conf
1 <Input udp>
2 Module im_udp
3
4 # Never pause this instance
5 FlowControl FALSE
6 </Input>
7
8 <Output http>
9 Module om_http
10 URL http://10.0.0.3:8080/
11
12 # Increase the log queue size
13 LogqueueSize 2000
14 </Output>
15
16 <Output file>
17 Module om_file
18 File '/tmp/out.log'
19 </Output>
20
21 <Route udp_to_tcp>
22 Path udp => http, file
23 </Route>

The HTTP destination cannot accept events quickly enough. The om_http instance is blocked and its log
queue is full. New events are not being added to the HTTP output queue but are still being written to the
output file.

Example 84. Selectively Discarding Events With pm_buffer and drop()

190
In this example, process accounting logs collected by im_acct are both forwarded via TCP and written to file.
A separate route is used for each output. A pm_buffer instance is used in the TCP route, and it is configured
to discard events with drop() if its size goes beyond a certain threshold. Thus, the pm_buffer instance will
never become full and will never cause the im_acct instance to pause—events will always be written to the
output file.

Because the im_acct instance has flow control enabled, it will be paused if the om_file
NOTE
output becomes blocked.

nxlog.conf
1 <Input acct>
2 Module im_acct
3
4 # Flow control enabled (default)
5 FlowControl TRUE
6 </Input>
7
8 <Processor buffer>
9 Module pm_buffer
10 Type Mem
11 MaxSize 1000
12 WarnLimit 800
13 Exec if buffer_size() >= 80k drop();
14 </Processor>
15
16 <Output tcp>
17 Module om_tcp
18 Host 192.168.1.1
19 </Output>
20
21 <Output file>
22 Module om_file
23 File '/tmp/out.log'
24 </Output>
25
26 <Route udp_to_tcp>
27 Path acct => buffer => tcp
28 </Route>
29
30 <Route udp_to_file>
31 Path acct => file
32 </Route>

The TCP destination is unreachable and the om_tcp log queue is full. Input accounting events will be added
to the buffer until it gets full, then they will be discarded. Input events will also be written to the output file,
regardless of whether the buffer is full.

191
26.3.10. Scheduled Buffering
While buffering is typically used when a log source becomes unavailable, NXLog can also be configured to buffer
logs programmatically. For this purpose, the pm_blocker module can be added to a route.

Example 85. Buffering Logs and Forwarding by Schedule

This example collects log messages via UDP and forwards them to a remote NXLog agent. However, events
are buffered with pm_buffer during the week and only forwarded on weekends.

• During the week, the pm_blocker instance is blocked and events accumulate in the large on-disk buffer.
• During the weekend, the pm_blocker instance is unblocked and all events, including those that have
accumulated in the buffer, are forwarded.

nxlog.conf (truncated)
1 <Input udp>
2 Module im_udp
3 Host 0.0.0.0
4 </Input>
5
6 <Processor buffer>
7 Module pm_buffer
8
9 # 500 MiB disk buffer
10 Type Disk
11 MaxSize 512000
12 WarnLimit 409600
13 </Processor>
14
15 <Processor schedule>
16 Module pm_blocker
17 <Schedule>
18 # Start blocking Monday morning
19 When 0 0 * * 1
20 Exec schedule->block(TRUE);
21 </Schedule>
22 <Schedule>
23 # Stop blocking Saturday morning
24 When 0 0 * * 6
25 Exec schedule->block(FALSE);
26 </Schedule>
27 </Processor>
28 [...]

192
It is currently a weekday and the schedule pm_blocker instance is blocked.

If it is possible to use flow control with the log sources, then it is not necessary to use extra buffering. Instead,
the inputs will be paused and read later when the route is unblocked.

193
Example 86. Collecting Log Data on a Schedule

This configuration reads events from the Windows Event Log and forwards them to a remote NXLog agent
in compressed batches with om_batchcompress. However, events are only forwarded during the night.
Because the im_msvistalog instance can be paused and events will still be available for collection later, it is
not necessary to configure any extra buffering.

• During the day, the pm_blocker instance is blocked, the output log queue becomes full, and the
eventlog instance is paused.

• During the night, the pm_blocker instance is unblocked. The events in the schedule log queue are
processed, the eventlog instance is resumed, and all pending events are read from the Event Log and
forwarded.

nxlog.conf
1 <Input eventlog>
2 Module im_msvistalog
3 </Input>
4
5 <Processor schedule>
6 Module pm_blocker
7 <Schedule>
8 # Start blocking at 7:00
9 When 0 7 * * *
10 Exec schedule->block(TRUE);
11 </Schedule>
12 <Schedule>
13 # Stop blocking at 19:00
14 When 0 19 * * *
15 Exec schedule->block(FALSE);
16 </Schedule>
17 </Processor>
18
19 <Output batch>
20 Module om_batchcompress
21 Host 10.3.0.211
22 </Output>
23
24 <Route scheduled_batches>
25 Path eventlog => schedule => batch
26 </Route>

The current time is within the specified "day" interval and pm_blocker is blocked.

194
26.4. Character Set Conversion
It is recommended to normalize logs to UTF-8. The xm_charconv module provides character set conversion: the
convert_fields() procedure for converting an entire message (all event fields) and a convert() function for
converting a string.

Example 87. Character Set Auto-Detection of Various Input Encodings

This configuration shows an example of character set auto-detection. The input file may contain differently
encoded lines, but by invoking the convert_fields() procedure, each message will have the character set
encoding of its fields detected and then converted to UTF-8 as needed.

nxlog.conf
1 <Extension _charconv>
2 Module xm_charconv
3 AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
4 </Extension>
5
6 <Input filein>
7 Module im_file
8 File "tmp/input"
9 Exec convert_fields("auto", "utf-8");
10 </Input>
11
12 <Output fileout>
13 Module om_file
14 File "tmp/output"
15 </Output>
16
17 <Route r>
18 Path filein => fileout
19 </Route>

26.5. Detecting a Dead Agent or Log Source

It is a common requirement to detect conditions when there are no log messages coming from a source. This
usually indicates a problem such as network connectivity issues, a server which is down, or an unresponsive
application or system service. Usually this problem should be detected by monitoring tools (such as Nagios or
OpenView), but the absence of logs can also be a good reason to investigate.

The im_mark module is designed as means of monitoring the health of the NXLog agent by
NOTE
generating "mark" messages every 30 minutes. The message text and interval are configurable.

The solution to this problem is the combined use of statistical counters and Scheduled checks. The input module
can update a statistical counter configured to calculate events per hour. In the same input module a Schedule
block checks the value of the statistical counter periodically. When the event rate is zero or drops below a certain
limit, an appropriate action can be executed such as sending out an alert email or generating an internal warning
message. Note that there are other ways to address this issue and this method may not be optimal for all
situations.

195
Example 88. Alerting on Absence of Log Messages

The following configuration example creates a statistical counter in the context of the im_tcp module to
calculate the number of events received per hour. The Schedule block within the context of the same
module checks the value of the msgrate statistical counter and generates an internal error message when
no logs have been received within the last hour.

nxlog.conf
1 <Input in>
2 Module im_tcp
3 Port 2345
4 <Exec>
5 create_stat("msgrate", "RATE", 3600);
6 add_stat("msgrate", 1);
7 </Exec>
8 <Schedule>
9 Every 3600 sec
10 <Exec>
11 create_stat("msgrate", "RATE", 10);
12 add_stat("msgrate", 0);
13 if defined get_stat("msgrate") and get_stat("msgrate") <= 1
14 log_error("No messages received from the source!");
15 </Exec>
16 </Schedule>
17 </Input>

26.6. Event Correlation

It is possible to write correlation rules in the NXLog language using the built-in features such as variables and
statistical counters. While these features are quite powerful, some cases cannot be detected with them,
especially when conditions require a sliding window.

A dedicated NXLog module, pm_evcorr, is available for advanced correlation requirements. It provides features
similar to those of SEC and greatly enhances the correlation capabilities of NXLog.

196
Example 89. Correlation Rules

The following configuration provides samples for each type of rule: Absence, Pair, Simple, Suppressed, and
Thresholded.

nxlog.conf (truncated)
1 <Processor evcorr>
2 Module pm_evcorr
3 TimeField EventTime
4
5 <Simple>
6 Exec if $Message =~ /^simple/ $raw_event = "got simple";
7 </Simple>
8
9 <Suppressed>
10 # Match input event and execute an action list, but ignore the following
11 # matching events for the next t seconds.
12 Condition $Message =~ /^suppressed/
13 Interval 30
14 Exec $raw_event = "suppressing..";
15 </Suppressed>
16
17 <Pair>
18 # If TriggerCondition is true, wait Interval seconds for RequiredCondition
19 # to be true and then do the Exec. If Interval is 0, there is no window on
20 # matching.
21 TriggerCondition $Message =~ /^pair-first/
22 RequiredCondition $Message =~ /^pair-second/
23 Interval 30
24 Exec $raw_event = "got pair";
25 </Pair>
26
27 <Absence>
28 # If TriggerCondition is true, wait Interval seconds for RequiredCondition
29 [...]

26.7. Extracting Data

When NXLog receives an event, it creates an event record with a $raw_event field, other core fields like
$EventReceivedTime, and any fields provided by the particular module (see Fields for more information). This
section explores the various ways that NXLog can be configured to extract values from the raw event.

Some log sources (like Windows EventLog collected via im_msvistalog) already contain structured data. In this
case, there is often no additional extraction required; see Message Classification.

26.7.1. Regular Expressions via the Exec Directive

NXLog supports the use of regular expressions for parsing fields. For detailed information about regular
expressions in NXLog, see the Reference Manual Regular Expressions section.

197
Example 90. Parsing With Regular Expressions

Syslog Message
<38>Nov 22 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from 192.168.1.60
port 38176 ssh2↵

With this configuration, the Syslog message shown above is first parsed with parse_syslog(). This results in a
$Message field created in the event record. Then, a regular expression is used to further parse the
$Message field and create additional fields if it matches.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input udp>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 <Exec>
10 parse_syslog();
11 if $Message =~ /(?x)^Failed\ (\S+)\ for(?:\ invalid user)?\ (\S+)\ from
12 \ (\S+)\ port\ \d+\ ssh2$/
13 {
14 $AuthMethod = $1;
15 $AccountName = $2;
16 $SourceIPAddress = $3;
17 }
18 </Exec>
19 </Input>

Named capturing is supported also. Each captured group is automatically added to the event record as a
field with the same name.

nxlog.conf
1 <Input in>
2 Module im_udp
3 Host 0.0.0.0
4 Port 514
5 <Exec>
6 parse_syslog();
7 $Message =~ /(?x)^Failed\ (?<AuthMethod>\S+)\ for(?:\ invalid\ user)?
8 \ (?<AccountName>\S+)\ from\ (?<SourceIPAddress>\S+)\ port
9 \ \d+\ ssh2$/;
10 </Exec>
11 </Input>

Table 51. Additional Fields Parsed by Regular Expression

Field Value
$AuthMethod password

$AccountName linda

$SourceIPAddress 192.168.1.60

198
26.7.2. Pattern Matching With Grok
The xm_grok module provides parsing for unstructured log messages with Grok patterns.

The examples below demonstrate how to parse Apache messages using Grok patterns.

Example 91. Creating the Pattern to Parse the Access Message

The message below is a sample of an Apache access message.

Apache Access Message

192.168.3.20 - - [28/Jun/2019] "GET /cgi-bin/try/ HTTP/1.0" 200 3395↵

The above Apache message can be parsed using the Grok pattern below.

Pattern for the Access Message

ACCESS_LOG %{IP:ip_address} - - \[%{TIMESTAMP_ACCESS:timestamp}\]
"%{METHOD:http_method} %{UNIXPATH:uri} HTTP/%{HTTP_VERSION:http_version}"
%{INT:http_status_code} %{INT:response_size}

Example 92. Creating the Pattern to Parse the Error Message

The message below is a sample of an Apache error message.

Apache Error Message

[Fri Dec 16 01:46:23 2019] [error] [client 1.2.3.4] Directory index forbidden↵
by rule: /home/test/↵

The above Apache message can be parsed using the Grok pattern below.

Pattern for the Error Message

ERROR_LOG \[%{TIMESTAMP_ERROR:timestamp}\] \[%{LOGLEVEL:severity}\]
\[client %{IP:client_address}\] %{GREEDYDATA:message}

Lists of Grok patterns are available in various repositories. As an example, see the logstash-plugin section on
Github.

199
Example 93. Configuring NXLog to Parse Apache Messages

The following configuration reads messages from the apache_entries.log file using the im_file module
and stores the result in the $raw_event field.

The match_grok() function reads patterns from the patterns.txt file and attempts a series of matches on
the $raw_event field. If none of the patterns match, an internal message is logged.

nxlog.conf
1 <Extension grok>
2 Module xm_grok
3 Pattern patterns.txt
4 </Extension>
5
6 <Input messages>
7 Module im_file
8 File "apache_entries.log"
9 <Exec>
10 if not ( match_grok($raw_event, "%{ACCESS_LOG}") or
11 match_grok($raw_event, "%{ERROR_LOG}"))
12 {
13 log_info('Event did not match any pattern');
14 }
15 </Exec>
16 </Input>

This example uses the patterns.txt file, which contains all necessary Grok patterns.

patterns.txt
INT (?:[+-]?(?:[0-9]+))
YEAR (?>\d\d){1,2}
MONTH
\b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i
)?|[Jj]un(?:e|i)?|[Jj]ul(?:y)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?
:ember)?|[Dd]e(?:c|z)(?:ember)?)\b
DAY
(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
UNIXPATH (/([\w_%!$@:.,+~-]+|\\.)*)+
GREEDYDATA .*
IP (?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-
9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-
5]))(?![0-9])
LOGLEVEL
([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WA
RN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]ever
e|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
TIMESTAMP_ACCESS %{INT}\/%{MONTH}\/%{YEAR}(:%{HOUR}:%{MINUTE}:%{SECOND} %{GREEDYDATA})?
TIMESTAMP_ERROR %{DAY} %{MONTH} %{INT} %{HOUR}:%{MINUTE}:%{SECOND} %{YEAR}
METHOD (GET|POST|PUT|DELETE|HEAD|TRACE|OPTIONS|CONNECT|PATCH){1}
HTTP_VERSION 1.(0|1)

ACCESS_LOG %{IP:ip_address} - - \[%{TIMESTAMP_ACCESS:timestamp}\] "%{METHOD:http_method}

%{UNIXPATH:uri} HTTP/%{HTTP_VERSION:http_version}" %{INT:http_status_code} %{INT:response_size}
ERROR_LOG \[%{TIMESTAMP_ERROR:timestamp}\] \[%{LOGLEVEL:severity}\] \[client
%{IP:client_address}\] %{GREEDYDATA:message}

200
26.7.3. Pattern Matching With pm_pattern
Regular expressions are widely used in pattern matching. Unfortunately, using a large number of regular
expression based patterns does not scale well, because these need to be evaluated linearly. The pm_pattern
module implements a more efficient pattern matching than regular expressions used in Exec directives.

Example 94. Using Regular Expressions With pm_pattern

Syslog Message
<38>Nov 22 10:30:12 myhost sshd[8459]: Failed password for invalid user linda from 192.168.1.60
port 38176 ssh2↵

With this configuration, the above Syslog message is first parsed with parse_syslog(). This results in a
$Message field created in the event record. Then, the pm_pattern module is used with a pattern XML file to
further parse the record.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 Exec parse_syslog();
10 </Input>
11
12 <Processor pattern>
13 Module pm_pattern
14 PatternFile /var/lib/nxlog/patterndb.xml
15 </Processor>
16
17 <Output out>
18 Module om_null
19 </Output>
20
21 <Route r>
22 Path in => pattern => out
23 </Route>

The patterns for the pm_pattern module instance above are declared in the following patterndb.xml file.

201
Pattern Database (patterndb.xml)
<?xml version='1.0' encoding='UTF-8'?>
<patterndb>
<created>2010-01-01 01:02:03</created>
<version>42</version>

<group>
<name>ssh</name>
<id>42</id>

<matchfield>
<name>SourceName</name>
<type>exact</type>
<value>sshd</value>
</matchfield>

<pattern>
<id>1</id>
<name>ssh auth failure</name>

<matchfield>
<name>Message</name>
<type>regexp</type>
<value>^Failed (\S+) for(?: invalid user)? (\S+) from (\S+) port \d+ ssh2</value>

<capturedfield>
<name>AuthMethod</name>
<type>string</type>
</capturedfield>
<capturedfield>
<name>AccountName</name>
<type>string</type>
</capturedfield>
<capturedfield>
<name>SourceIPAddress</name>
<type>string</type>
</capturedfield>
</matchfield>

<set>
<field>
<name>TaxonomyAction</name>
<value>Authenticate</value>
<type>string</type>
</field>
<field>
<name>TaxonomyStatus</name>
<value>Failure</value>
<type>string</type>
</field>
</set>
</pattern>
</group>
</patterndb>

Table 52. Fields Added by pm_pattern

Field Value
$AuthMethod password

202
Field Value
$AccountName linda

$SourceIPAddress 192.168.1.60

$TaxonomyAction Authenticate

$TaxonomyStatus Failure

NXLog Manager provides an interface for writing pattern files, and will also test sample events to aid in
establishing the correct match patterns. The pattern functions can be accessed from the PATTERNS menu in the
page header.

Example 95. Creating Patterns With NXLog Manager

The following instructions explain the steps required for creating the above pattern database with NXLog
Manager.

1. Open PATTERNS › CREATE GROUP. Enter a Name for the new pattern group, and optionally a
Description, in the Properties section. The name is used to refer to the pattern group later. The name
of the above pattern group is ssh.
2. Add a match field by clicking [ Add Field ] in the Match section. Only messages that match will be
further processed by this pattern group. In the above example, there is no reason to attempt any
matches if the $SourceName field does not equal sshd. The above pattern group uses Field name
=SourceName, Match=EXACT, and Value=sshd.

3. Save the new pattern group.

4. Open PATTERNS › CREATE FIELD to create a new field to be used when creating new patterns. For the
above example, the $AuthMethod field must be added because it is not in the default set provided by
NXLog Manager. Set Name=AuthMethod and Field Type=STRING, then click [ Save ].
5. Open PATTERNS › CREATE PATTERN. In the Pattern Info section, enter a Pattern Name and
optionally a Pattern Description. Select the correct Pattern Group from the list. In the above
example, the ssh pattern group is used.
6. In the Match section, set match values for the fields to be matched. If a regular expression match with
captured subgroups is detected, the interface will provide a Captured fields list where target fields can
be selected. The above example uses Field name=Message, Match=REGEXP, and Value=^Failed
(\S+) for(?: invalid user)? (\S+) from (\S+) port \d+ ssh2$. The three captured fields are
AuthMethod, AccountName, and SourceIPAddress.

203
7. The Set section allows fields to be set if the match is successful. Click [ Add Field ] for each field. The
above example sets $TaxonomyStatus to Failure and $TaxonomyAction to Authenticate.

8. The Action section accepts NXLog language statements like would be specified in an Exec directive.
Click [ Add action ], type in the statement, and click [ Verify ] to make sure the statement is valid. The
above example does not include any NXLog language statements.
9. The final tabbed section allows test messages to be entered to verify that the match works as expected.
Click the [ + ] to add a test case. To test the above example, add a Value for the Message field: Failed
password for invalid user linda from 192.168.1.60 port 38176 ssh2. Click [ Update Test
Cases ] in the Match section to automatically fill the captured fields. Verify that the fields are set as
expected. Additional test cases can be added to test other events.

10. Save the new pattern. Then click [ Export ] to download the pattern.xml file or use the pattern to
configure a managed agent.

See the NXLog Manager User Guide for more information.

204
26.7.4. Using the Extracted Fields
The previous sections explore ways that the log message can be parsed and new fields added to the event
record. Once the required data has been extracted and corresponding fields created, there are various ways to
use this new data.

• A field or set of fields can be matched by string or regular expression to trigger alerts, perform filtering, or
further classify the event.
• Fields in the event record can be renamed, modified, or deleted.
• Event correlation can be used to execute statements or suppress messages based on matching events inside
a specified window.
• Some output formats can be used to preserve the full set of fields in the event record (such as JSON and the
NXLog Binary format).

26.8. Filtering Messages

Message filtering is a process where only some of the received messages are kept. Filtering is possible using
regular expressions or other operators using any of the fields. See NXLog language for complete details on
expressions.

26.8.1. Using the drop() Procedure

Use the drop() procedure in an Exec directive to conditionally discard messages.

Example 96. Using drop() to Discard Unmatched Messages

In this example, any line that matches neither of the two regular expressions will be discarded with the
drop() procedure. Only lines that match at least one of the regular expressions will be kept.

nxlog.conf
1 <Input file>
2 Module im_file
3 File "/var/log/myapp/*.log"
4 Exec if not ($raw_event =~ /failed/ or $raw_event =~ /error/) drop();
5 </Input>

205
Example 97. Using drop() with $SourceName and $Message to Isolate Authentication Errors

In this example, events collected from multiple hosts and multiple sources by a centralized log server are
contained in an input file. By defining a list of targeted $SourceName values along with the presence of
certain keywords in the $Message field as criteria for authentication failures, the drop() procedure will
discard all non-matching events.

nxlog.conf
1 define AUTHSOURCES "su", "sudo", "sshd", "unix_chkpwd"
2
3 <Input combined>
4 Module im_file
5 File "tmp/central-logging"
6 <Exec>
7 if not (
8 defined($SourceName)
9 and $SourceName IN (%AUTHSOURCES%)
10 and (
11 $Message =~ /fail/
12 or $Message =~ /error/
13 or $Message =~ /illegal/
14 or $Message =~ /invalid/
15 )
16 ) drop();
17 </Exec>
18 </Input>

Example 98. Using drop() with $SourceName and $EventID to Collect all DNS Events

In this example events are to be collected from all DNS sources. Three of the four sources contain only
DNS-specific events which can be matched by their $SourceName value alone against the defined list, but
the Sysmon source can contain other non-DNS events as well. However, all Sysmon events with an Event ID
of 22 are DNS events. The conditional statement drops all events that do not have a $SourceName in the
defined list as well as those that match the Sysmon $SourceName but do not have a value of 22 for their
$EventID.

nxlog.conf
1 define DNSSOURCES "Microsoft-Windows-DNSServer", \
2 "Microsoft-Windows-DNS-Client", \
3 "systemd-resolved"
4
5 <Input combined>
6 Module im_file
7 File "tmp/central-logging"
8 <Exec>
9 if not (defined($SourceName)
10 and ($SourceName IN (%DNSSOURCES%)
11 or ($SourceName == "Microsoft-Windows-Sysmon"
12 and $EventID == 22)))
13 drop();
14 </Exec>
15 </Input>

206
Example 99. Filtering During the Output Phase to Create Multiple Event Logs from a Single Input

This example uses the same centralized log server events from the previous examples above as an input to
three outputs. Separate categories based on a single $SourceName are created and written to three
separate files. Each output instance defines a range of values for $EventId, the criteria for the
categorization into two groups: DNS Server Audit or DNS Server Analytical. The conditional statement in the
second instance uses $SeverityValue to keep only those audit events having a value greater than 2
(warnings or errors).

nxlog.conf (truncated)
1 <Input combined>
2 Module im_file
3 File "tmp/central-logging"
4 </Input>
5
6 <Output DNS_Audit>
7 Module om_file
8 File "tmp/DNS-Server-Audit"
9 <Exec>
10 if not (
11 defined($SourceName)
12 and $SourceName == "Microsoft-Windows-DNSServer"
13 and $EventId >= 513
14 and $EventId <= 582
15 ) drop();
16 </Exec>
17 </Output>
18
19 <Output DNS_Audit_Action_Required>
20 Module om_file
21 File "tmp/DNS-Server-Audit-Action-Required"
22 <Exec>
23 if not (
24 defined($SourceName)
25 and $SourceName == "Microsoft-Windows-DNSServer"
26 and $EventId >= 513
27 and $EventId <= 582
28 and $SeverityValue > 2 # Severity higher than INFO
29 [...]

26.8.2. Other Options for Filtering

The NXLog language also supports embedded XML queries in two input modules: Windows 2008/Vista and Later
(im_msvistalog) and Windows Event Collector (im_wseventing). For more detailed information about filtering
events from Windows Event Log see the Filtering Events section.

26.9. Format Conversion

The requirements and possibilities for format conversion are endless. NXLog provides a broad range of
functionality for conversion, including the NXLog language and dedicated modules. For special cases, a processor
or extension module can be crafted.

For converting between CSV formats, see Complex CSV Format Conversion.

207
Example 100. Converting from BSD to IETF Syslog

This configuration receives log messages in the BSD Syslog format over UDP and forwards the logs in the
IETF Syslog format over TCP.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input bsd>
6 Module im_udp
7 Port 514
8 Host 0.0.0.0
9 Exec parse_syslog_bsd(); to_syslog_ietf();
10 </Input>
11
12 <Output ietf>
13 Module om_tcp
14 Host 1.2.3.4
15 Port 1514
16 </Output>
17
18 <Route bsd_to_ietf>
19 Path bsd => ietf
20 </Route>

26.10. Log Rotation and Retention

NXLog can implement many kinds of log rotation and retention policies in order to prevent overuse of disk space
and to organize older logs. These policies can be applied based on file size, time intervals, or even event
attributes (such as severity). Log files can be rotated out to custom filenames and then compressed and/or
deleted after a specified time period. The configuration is very flexible and custom policies can be easily
implemented.

NXLog supports three main approaches to file rotation. In each case, policies should usually be implemented
using a Schedule block.

• Most policies are implemented within the scope of an om_file module instance, where output files are being
written.
• The im_file module can be configured to rotate log files after they have been fully read.
• Any log file on the system can be rotated under the scope of an xm_fileop module or any other module. This
includes the internal log file (specified by the LogFile directive).

208
Example 101. Rotating om_file Log Files

Log files written by an om_file module often need to be rotated regularly. This example uses the om_file
file_name() function and xm_fileop file_cycle() procedure to rotate the output file daily, keeping a total of 7
old log files.

nxlog.conf
1 <Extension _fileop>
2 Module xm_fileop
3 </Extension>
4
5 <Output out>
6 Module om_file
7 File '/var/log/out.log'
8 <Schedule>
9 When @daily
10 <Exec>
11 file_cycle(file_name(), 7);
12 reopen();
13 </Exec>
14 </Schedule>
15 </Output>

Example 102. Rotating the Internal Log File

NXLog will write its own logs to a file specified by the LogFile directive. It is good practice to set up rotation
of this file. This configuration uses the xm_fileop file_size() function. The file_cycle() procedure rotates the file
if it is larger than 5 MB. The file is also rotated weekly. No more than 8 past log files are retained.

nxlog.conf
1 define LOGFILE /opt/nxlog/var/log/nxlog/nxlog.log
2 LogFile %LOGFILE%
3
4 <Extension _fileop>
5 Module xm_fileop
6
7 # Check the log file size every hour and rotate if larger than 5 MB
8 <Schedule>
9 Every 1 hour
10 <Exec>
11 if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
12 file_cycle('%LOGFILE%', 8);
13 </Exec>
14 </Schedule>
15
16 # Rotate log file every week on Sunday at midnight
17 <Schedule>
18 When @weekly
19 Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
20 </Schedule>
21 </Extension>

There are many other ways that rotation and retention can be implemented. See the following sections for more
details and examples.

209
26.10.1. Rotation Policies and Intervals
• The om_file reopen() procedure will cause NXLog to reopen the output file specified by the File directive.
• The rotate_to() procedure can be used to choose a name to rotate the current file to. This procedure will
reopen the output file automatically, so there is no need to use the the reopen() procedure.
• The file_cycle() procedure will move the selected file to "file.1". If "file.1" already exists, it will be moved to "
file.2", and so on. If an integer is used as a second argument, it specifies the maximum number of previous
files to keep.

If file_cycle() is used on a file that NXLog currently has open under the scope of an
om_file module instance, the reopen() procedure must be used to continue logging to
WARNING the file specified by the File directive. Otherwise, events will continue to be logged to
the rotated file ("file.1", for example). (This is not necessary if the rotated file is the
LogFile.)

26.10.1.1. Rotating by File Size

A log file can be rotated according to a pre-defined file size. This policy can be configured with the om_file
file_size() function or the xm_fileop file_size() function.

Example 103. Using the file_size() Function

This example uses the file_size() function to detect if a file has grown beyond a specified size. If it has, the
file_cycle() procedure is used to rotate it. The file size is checked hourly with the When directive.

nxlog.conf
1 <Extension _fileop>
2 Module xm_fileop
3 </Extension>
4
5 <Output out>
6 Module om_file
7 File '/var/log/out.log'
8 <Schedule>
9 When @hourly
10 <Exec>
11 if file_size(file_name()) >= 1M
12 {
13 file_cycle(file_name());
14 reopen();
15 }
16 </Exec>
17 </Schedule>
18 </Output>

26.10.1.2. Using Time-Based Intervals

For time interval based rotation policies NXLog provides two directives for use in Schedule blocks.

• The Every directive rotates log files according to a specific interval specified in seconds, minutes, days, or
weeks.
• The When directive provides crontab-style scheduling, including extensions like @hourly, @daily, and
@weekly.

210
Example 104. Using Every and When for Time-Based Rotation

This example shows the use of the Every and When directives. The output file is rotated daily using the
rotate_to() function. The name is generated in the YYYY-MM-DD format according to the current server time.

nxlog.conf
1 <Output out>
2 Module om_file
3 File '/var/log/out.log'
4 <Schedule>
5 # This can likewise be used for `@weekly` or `@monthly` time periods.
6 When @daily
7
8 # The following crontab-style is the same as `@daily` above.
9 # When "0 0 * * *"
10
11 # The `Every` directive could also be used in this case.
12 # Every 24 hour
13
14 Exec rotate_to(file_name() + strftime(now(), '_%Y-%m-%d'));
15 </Schedule>
16 </Output>

Example 105. Rotating Into a Nested Directory Structure

In this example, logs for each year and month are stored in separated sub-directories as shown below. The
log file is rotated daily.

.../logs/YEAR/MONTH/YYYY-MM-DD.log

This is accomplished with the xm_fileop dir_make() procedure, the core strftime() function, and the om_file
rotate_to() procedure.

nxlog.conf
1 <Extension _fileop>
2 Module xm_fileop
3 </Extension>
4
5 <Output out>
6 define OUT_DIR /srv/logs
7
8 Module om_file
9 File '%OUT_DIR%/out.log'
10 <Schedule>
11 When @daily
12 <Exec>
13 # Create year/month directories if necessary
14 dir_make('%OUT_DIR%/' + strftime(now(), '%Y/%m'));
15
16 # Rotate current file into the correct directory
17 rotate_to('%OUT_DIR%/' + strftime(now(), '%Y/%m/%Y-%m-%d.log'));
18 </Exec>
19 </Schedule>
20 </Output>

211
26.10.1.3. Using Dynamic Filenames
As an alternative to traditional file rotation, output filenames can be set dynamically, based on each log event
individually. This is possible because the om_file File directive supports expressions.

Because dynamic filenames result in events being written to multiple files with semi-arbitrary
NOTE names, they are not suitable for scenarios where a server or application expects events to be
written to a particular foo.log. In this case normal rotation should be used instead.

Often one of now(), $EventReceivedTime, and $EventTime are used for dynamic filenames. Consider the
following points.

• The now() function uses the current server time, not when the event was created or when it was received by
NXLog. If logs are delayed, they will be stored according to the time at which the NXLog output module
instance processes them. This will not work with nxlog-processor(8) (see Offline Log Processing).
• The $EventReceivedTime field timestamp is set by the input module instance when an event is received by
NXLog. This will usually be practically the same as using now(), except in cases where there are processing
delays in the NXLog route (such as when using buffering). This can be used with nxlog-processor(8) if the
$EventReceivedTime field was previously set in the logs.

• The $EventTime field is set from a timestamp in the event, so will result in correct value even if the event
was delayed before reaching NXLog. Note that some parsing may be required before this field is available
(for example, the parse_syslog() procedure sets the xm_syslog EventTime field). Note also that an incorrect
timestamp in an event record can cause the field to be unset or filled incorrectly resulting in data written into
the wrong file.

Example 106. Timestamp-Based Dynamic Filenames With om_file

This example accepts Syslog formatted messages via UDP. Each message is parsed by the parse_syslog()
procedure. The EventTime field is set from the timestamp in the syslog header. This field is then used by
the expression in the File directive to generate an output filename for the event.

Even if messages received from clients over the network are out of order or delayed, they will still be placed
in the appropriate output files according to the timestamps.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_udp
7 Port 514
8 Host 0.0.0.0
9 Exec parse_syslog();
10 </Input>
11
12 <Output out>
13 Module om_file
14 File '/var/log/nxlog/out_' + strftime($EventTime, '%Y-%m-%d')
15 Exec to_syslog_ietf();
16 </Output>

Dynamic filenames can be based on other fields also.

212
Example 107. Attribute-Based Dynamic Filenames With om_file

In this example, events are grouped by their source hostname.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 Exec parse_syslog();
10 </Input>
11
12 <Output out>
13 Module om_file
14 File '/tmp/logs_by_host/' + $Hostname
15 </Output>

26.10.1.4. Rotating Input Files

An im_file module instance can be configured to manipulate files after they are fully processed. The im_file OnEOF
block can be used for this purpose.

When using OnEOF for rotation, the rotated files must be named (or placed in a directory)
WARNING
such that they will not be detected as new files and re-read by the module instance.

If a logging service keeps a log file open for writing, the xm_exec exec() procedure should be used
NOTE
to restart the service or otherwise instruct it to re-open the log file.

213
Example 108. Using im_file OnEOF for Input Files

In this example, files matching /var/log/app/*.log are read with an im_file module instance. When each
file has been fully read, it is rotated. The GraceTimeout directive will prevent NXLog from rotating the file
until after there have been no events for 10 seconds.

The input files are rotated by adding a timestamp suffix to the filename. For example, an input file named
/var/log/app/errors.log would be rotated to /var/log/app/errors.log_20180101T130100. The new
name does not match the wildcard specified by the File directive, so the file is not re-read.

nxlog.conf
1 <Extension _fileop>
2 Module xm_fileop
3 </Extension>
4
5 <Input app_logs_rotated>
6 Module im_file
7 File '/var/log/app/*.log'
8 <OnEOF>
9 <Exec>
10 file_rename(file_name(),
11 file_name() + strftime(now(), '_%Y%m%dT%H%M%S'));
12 </Exec>
13 GraceTimeout 10
14 </OnEOF>
15 </Input>

26.10.2. Retention Policies

NXLog can be configured to keep old log files according to a particular retention policy. Functions and
procedures for retention are provided by the xm_fileop module. Additional actions, such as compressing old log
files, can be implemented with the xm_exec extension module.

26.10.2.1. Using Simple File Cycling

The file_cycle() procedure provides simple numbered rotation and, optionally, retention.

214
Example 109. Cycling One Year of Logs With file_cycle()

This example demonstrates the use of the xm_fileop file_cycle() procedure for keeping a total of 12 log files,
one for each month. Log files older than 1 year will be automatically deleted.

This policy creates following log file structure: /var/log/foo.log for the current
month,/var/log/foo.log.1 for the previous month, and so on up to the maximum of 12 files.

nxlog.conf
1 <Extension _fileop>
2 Module xm_fileop
3 </Extension>
4
5 <Output out>
6 Module om_file
7 File '/var/logs/foo.log'
8 <Schedule>
9 When @monthly
10 <Exec>
11 file_cycle(file_name(), 12);
12 reopen();
13 </Exec>
14 </Schedule>
15 </Output>

Different policies for different events can be implemented in combination with dynamic filenames.

215
Example 110. Retaining Files According to Severity

This example uses the $Severity field (such as $Severity set by parse_syslog()) to filter events to separate
files. Then different retention policies are applied according to severity. Here, one week of debug logs, 2
weeks of informational logs, and 4 weeks of higher severity logs are retained.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Extension _fileop>
6 Module xm_fileop
7 </Extension>
8
9 <Input logs_in>
10 Module im_file
11 File "/var/log/messages"
12 Exec parse_syslog();
13 </Input>
14
15 <Output logs_out>
16 define OUT_DIR /opt/nxlog/var/log
17
18 Module om_file
19 File '%OUT_DIR%/' + $Severity + '.log'
20 <Schedule>
21 When @daily
22 <Exec>
23 file_cycle('%OUT_DIR%/DEBUG.log', 7);
24 file_cycle('%OUT_DIR%/INFO.log', 14);
25 file_cycle('%OUT_DIR%/WARNING.log', 28);
26 file_cycle('%OUT_DIR%/ERROR.log', 28);
27 file_cycle('%OUT_DIR%/CRITICAL.log', 28);
28 reopen();
29 </Exec>
30 </Schedule>
31 </Output>

26.10.2.2. Compressing Old Log Files

The xm_exec module can be used to compress old log files to reduce disk usage.

216
Example 111. Using bzip2 With exec_async()

In this example, the file size of the output file is checked hourly with the om_file file_size() function. If the
size is over the limit, then:

1. a newfile module variable is set to the name the current file will be rotated to,

2. the om_file rotate_to() procedure renames the current output file to the name set in newfile,

3. the module re-opens the original file specified by the File directive and continue logging, and
4. the xm_exec exec_async() procedure call bzip2 on the rotated-out file (without waiting for the command
to complete).

nxlog.conf (truncated)
1 <Input in>
2 Module im_null
3 </Input>
4
5 # tag::guide_include[]
6 <Extension _exec>
7 Module xm_exec
8 </Extension>
9
10 <Extension _fileop>
11 Module xm_fileop
12 </Extension>
13
14 <Output out>
15 Module om_file
16 File '/opt/nxlog/var/log/app.log'
17 <Schedule>
18 When @hourly
19 <Exec>
20 if out->file_size() > 15M
21 {
22 set_var('newfile', file_name() + strftime(now(), '_%Y%m%d%H%M%S'));
23 rotate_to(get_var('newfile'));
24 exec_async('/bin/bzip2', get_var('newfile'));
25 }
26 </Exec>
27 </Schedule>
28 [...]

26.10.2.3. Deleting Old Log Files

For retention policies where file deletion is not handled automatically by the xm_fileop file_cycle() procedure, the
xm_fileop file_remove() can be used to delete old files. This procedure can also delete files based on their creation
time.

217
Example 112. Using file_remove() to Delete Old Files

This example uses file_remove() to remove any files older than 30 days.

nxlog.conf
1 <Input in>
2 Module im_null
3 </Input>
4
5 <Output logs_out>
6 Module om_file
7 File '/var/log/'+ strftime(now(),'%Y%m%d') + '.log'
8 <Schedule>
9 When @daily
10
11 # Delete logs older than 30 days (24x60x60x30)
12 Exec file_remove('/var/log/*.log', now() - 2592000);
13 </Schedule>
14 </Output>

26.11. Message Classification

Pattern matching is commonly used for message classification. When certain strings are detected in a log
message, the message gets tagged with classifiers. Thus it is possible to query or take action based on the
classifiers only. There are several ways to classify messages based on patterns.

See also Extracting Data, a closely related topic, for more examples of classification.

26.11.1. Simple Matching on Fields

Often, message classification can be performed during parsing. However, if the required fields have already been
parsed or the input module provides structured data, then it is only necessary to match the relevant fields and
set classifiers.

218
Example 113. Classifying a Windows Security EventLog Message

This example classifies Windows Security login failure events with Event ID 4625 (controlled by the "Audit
logon events" audit policy setting). If a received event has that ID, it is classified as a failed authentication
attempt and the $AccountName field is set to the value of $TargetUserName.

Table 53. Sample Event via im_msvistalog (Excerpt)

Field Value
$EventType AUDIT_FAILURE

$EventID 4625

$SourceName Microsoft-Windows-Security-Auditing

$Channel Security

$Category Logon

$TargetUserSid S-1-0-0

$TargetUserName linda

$TargetDomainName WINHOST

$Status 0xc000006d

$FailureReason %%2313

$SubStatus 0xc000006a

$LogonType 2

nxlog.conf
1 <Input in>
2 Module im_msvistalog
3 <Exec>
4 if ($EventID == 4625) and
5 ($SourceName == 'Microsoft-Windows-Security-Auditing')
6 {
7 $TaxonomyAction = 'Authenticate';
8 $TaxonomyStatus = 'Failure';
9 $AccountName = $TargetUserName;
10 }
11 </Exec>
12 </Input>

Table 54. Fields Added to the Event Record

Field Value
$TaxonomyAction Authenticate

$TaxonomyStatus Failure

$AccountName linda

26.11.2. Regular Expressions via the Exec Directive

The =~ operator can be used for regular expression matching in an Exec directive.

219
Example 114. Regular Expression Message Classification

When the contents of the $Message field match against the regular expression, the $AccountName and
$AccountID fields are filled with the appropriate values from the referenced captured sub-strings.
Additionally the value LoginEvent is stored in the $Action field.

1 if $Message =~ /(?x)^pam_unix$sshd:session$:\ session\ opened\ for\ user\ (\S+)

2 \ by\ $uid=(\d+)$/
3 {
4 $AccountName = $1;
5 $AccountID = integer($2);
6 $Action = 'LoginEvent';
7 }

26.11.3. Using pm_pattern

When there are a lot of patterns, writing them all in the configuration file is inefficient. Instead, the pm_pattern
module can be used.

220
Example 115. Classifying With pm_pattern

The above pattern matching rule can be defined in the pm_pattern modules’s XML format in the following
way, which will accomplish the same result.

Pattern Database (patterndb.xml)

<pattern>
<id>42</id>
<name>ssh_pam_session_opened</name>
<description>ssh pam session opened</description>
<matchfield>
<name>Message</name>
<type>REGEXP</type>
<value>
^pam_unix$sshd:session$: session opened for user (\S+) by $uid=(\d+)$
</value>
<capturedfield>
<name>AccountName</name>
<type>STRING</type>
</capturedfield>
<capturedfield>
<name>AccountID</name>
<type>INTEGER</type>
</capturedfield>
</matchfield>
<set>
<field>
<name>Action</name>
<type>STRING</type>
<value>LoginEvent</value>
</field>
</set>
</pattern>

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input uds>
6 Module im_uds
7 UDS /dev/log
8 Exec parse_syslog_bsd();
9 </Input>
10
11 <Processor pattern>
12 Module pm_pattern
13 PatternFile /var/lib/nxlog/patterndb.xml
14 </Processor>
15
16 <Output file>
17 Module om_file
18 File "/var/log/messages"
19 Exec to_syslog_bsd();
20 </Output>
21
22 <Route uds_to_file>
23 Path uds => pattern => file
24 </Route>

221
26.12. Parsing Multi-Line Messages
Multi-line messages such as exception logs and stack traces are quite common in logs. Unfortunately these log
messages are often stored in files or forwarded over the network without any encapsulation. In this case, the
newline characters in the messages cannot be correctly parsed by simple line-based parsers, which treat every
line as a separate event.

Multi-line events may have one or more of:

• a header in the first line (with timestamp and severity field, for example),
• a closing character sequence marking the end, and
• a fixed line count.

Based on this information, NXLog can be configured to reconstruct the original messages, creating a single event
for each multi-line message.

26.12.1. xm_multiline
NXLog provides xm_multiline for multi-line parsing; this dedicated extension module is the recommended way to
parse multi-line messages. It supports header lines, footer lines, and fixed line counts. Once configured, the
xm_multiline module instance can be used as a parser via the input module’s InputType directive.

Example 116. Using the xm_multiline Module

This configuration creates a single event record with the matching HeaderLine and all successive lines until
an EndLine is received.

nxlog.conf
1 <Extension multiline_parser>
2 Module xm_multiline
3 HeaderLine "---------------"
4 EndLine "END------------"
5 </Extension>
6
7 <Input in>
8 Module im_file
9 File "/var/log/app-multiline.log"
10 InputType multiline_parser
11 </Input>

It is also possible to use regular expressions with the HeaderLine and EndLine directives.

222
Example 117. Using Regular Expressions With xm_multiline

Here, a new event record is created beginning with each line that matches the regular expression.

nxlog.conf
1 <Extension tomcat_parser>
2 Module xm_multiline
3 HeaderLine /^\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2},\d{3} \S+ \[\S+\] \- .*/
4 </Extension>
5
6 <Input log4j>
7 Module im_file
8 File "/var/log/tomcat6/catalina.out"
9 InputType tomcat_parser
10 </Input>

Because the EndLine directive is not specified in this configuration, the xm_multiline parser
cannot know that a log message is finished until it receives the HeaderLine of the next
NOTE message. The log message is kept in the buffers, waiting to be forwarded, until either a
new log message is read or the im_file module instance’s PollInterval has expired. See the
xm_multiline AutoFlush directive.

26.12.2. Module Variables

It is also possible to parse multi-line messages by using module variables, as shown below. However, it is
generally recommended to use the xm_multiline module instead, because it offers some significant advantages:

• more efficient message processing,

• a more readable configuration,
• correctly incremented module event counters (one increment per multi-line message versus one per line),
and
• operation on the message source level rather than the module instance level (each file for a wildcarded
im_file module instance or each TCP connection for an im_tcp/im_ssl instance).

223
Example 118. Parsing Multi-Line Messages with Module Variables

This example saves the matching line and successive lines in the saved variable. When another matching
line is read, an internal log message is generated with the contents of the saved variable.

nxlog.conf
1 <Input log4j>
2 Module im_file
3 File "/var/log/tomcat6/catalina.out"
4 <Exec>
5 if $raw_event =~ /(?x)^\d{4}\-\d{2}\-\d{2}\ \d{2}\:\d{2}\:\d{2},\d{3}\ \S+
6 \ \[\S+\]\ \-\ .*/
7 {
8 if defined(get_var('saved'))
9 {
10 $tmp = $raw_event;
11 $raw_event = get_var('saved');
12 set_var('saved', $tmp);
13 delete($tmp);
14 log_info($raw_event);
15 }
16 else
17 {
18 set_var('saved', $raw_event);
19 drop();
20 }
21 }
22 else
23 {
24 set_var('saved', get_var('saved') + "\n" + $raw_event);
25 drop();
26 }
27 </Exec>
28 </Input>

As with the previous example, a log message is kept in the saved variable, and not
NOTE
forwarded, until a new log message is read.

26.13. Rate Limiting and Traffic Shaping

Application of rate limiting and traffic shaping improves utilization of services which are running in parallel with
NXLog.

26.13.1. Rate Limiting

Rate limiting restricts the number of messages that can be read by NXLog within a given time unit.

The poor man’s tool for rate limiting is the sleep() procedure.

224
Example 119. Rate Limiting With the sleep() Procedure

In the following example, sleep() is invoked with 500 microseconds. This means that the input module will
be able to read at most 2000 messages per second.

nxlog.conf
1 <Input in>
2 Module im_tcp
3 Host 0.0.0.0
4 Port 1514
5 Exec sleep(500);
6 </Input>

This is not very precise because the module can do additional processing which can add to the total
execution time, but it gets fairly close.

WARNING It is not recommended to use rate limiting on a route that reads logs over UDP.

26.13.2. Traffic Shaping

Shaping the outgoing traffic of NXLog can guarantee that a required bandwidth remains for other running
services.

The traffic shaping script can be downloaded from the nxlog-public/contrib repository.

The script does not require configuring NXLog, but it needs to be configured to run at startup with tools like
crontab or rc.local.

To configure running the script with crontab, the @reboot task should be added to the /etc/crontab file.

/etc/crontab
1 @reboot /usr/local/sbin/traffic-shaper.sh

To configure running the script with rc.local, the script path should be added to the /etc/rc.local file.

/etc/rc.local
1 /usr/local/sbin/traffic-shaper.sh

The traffic shaper ties to the destination port on the network level and can shape traffic in accordance with
priorities. For example, high priority can be configured for a database server and low priority for a backup
system.

For more information about the Linux traffic control, see the Traffic Control HOWTO section on The Linux
Documentation Project website.

26.14. Rewriting and Modifying Messages

There are many ways to modify log messages.

26.14.1. Simple Rewrite

A simple rewrite can be done by modifying the $raw_event field without parsing the message (with Syslog, for
example). Regular expression capturing can be used for this.

225
Example 120. Simple Rewrite Statement

This statement, when used in an Exec directive, will apply the replacement directly to the $raw_event field.
In this case, a parsing procedure like parse_syslog() would not be used.

1 if $raw_event =~ /^(aaaa)(replaceME)(.+)/
2 $raw_event = $1 + 'replaceMENT' + $3;

Example 121. Converting a Timestamp Format

This example will convert a timestamp field to a different format. Like the previous example, the goal is to
modify the $raw_event field directly, rather than use other fields and then a procedure like to_json() to
update $raw_event.

The input log format is line-based, with whitespace-separated fields. The first field is a timestamp
expressed as seconds since the epoch.

Input Sample
1301471167.225121 AChBVvgs1dfHjwhG8 141.143.210.102 5353 224.0.0.251 5353 udp dns - - - S0 - -
0 D 1 73 0 0 (empty)↵

In the output module instance Exec directive, the regular expression will match and capture the first field
from the line, and remove it. This captured portion is parsed with the parsedate() function and used to set
the $EventTime field. This field is then prepended to the $raw_event field to replace the previously
removed field.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "conn.log"
4 </Input>
5
6 <Output out>
7 Module om_tcp
8 Host 192.168.0.1
9 Port 1514
10 <Exec>
11 if $raw_event =~ s/^(\S+)//
12 {
13 $EventTime = parsedate($1);
14 $raw_event = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sTZ') +
15 $raw_event;
16 }
17 </Exec>
18 </Output>

Output Sample
2011-03-30T00:46:07.225121-07:00 AChBVvgs1dfHjwhG8 141.143.210.102 5353 224.0.0.251 5353 udp
dns - - - S0 - - 0 D 1 73 0 0 (empty)↵

26.14.2. Modifying Fields

A more complex method is to parse the message into fields, modify some fields, and finally reconstruct the
message from the fields. This method is much more versatile: it allows rewriting to be done regardless of input
and output formats.

226
Example 122. Rewrite Using Fields

In this example, each Syslog message is received via UDP and parsed with parse_syslog_bsd(). Then, if the
$Message field matches the regular expression, the $SeverityValue field is modified. Finally, the
to_syslog_bsd() procedure generates $raw_event from the fields.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input udp>
6 Module im_udp
7 Port 514
8 Host 0.0.0.0
9 Exec parse_syslog_bsd();
10 </Input>
11
12 <Output file>
13 Module om_file
14 File "/var/log/logmsg.txt"
15 <Exec>
16 if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
17 to_syslog_bsd();
18 </Exec>
19 </Output>
20
21 <Route syslog_to_file>
22 Path udp => file
23 </Route>

26.14.3. Renaming and Deleting Fields

In some cases it may be necessary to rename or delete fields.

The simplest way is to use the NXLog language and the Exec directive.

Example 123. Simple Field Rename

This statement uses the rename_field() procedure to rename the $user field to $AccountName.

1 rename_field($user, $AccountName);

Example 124. Simple Field Deletion

This statement uses the delete() procedure to delete the $Serial field.

1 delete($Serial);

Alternatively, the xm_rewrite extension module (available in NXLog Enterprise Edition) can be used to rename or
delete fields.

227
Example 125. Using xm_rewrite to Whitelist and Rename Fields

This example uses the parse_syslog() procedure to create a set of Syslog fields in the event record. It then
uses the Keep directive to whitelist a set of fields, deleting any field that is not in the list. Finally the Rename
directive is used to rename the $EventTime field to $Timestamp. The resulting event record is converted to
JSON and sent out via TCP.

nxlog.conf
1 <Extension json>
2 Module xm_json
3 </Extension>
4
5 <Extension rewrite>
6 Module xm_rewrite
7 Keep EventTime, Severity, Hostname, SourceName, Message
8 Rename EventTime, Timestamp
9 </Extension>
10
11 <Input in>
12 Module im_file
13 File '/var/log/messages'
14 Exec parse_syslog(); rewrite->process();
15 </Input>
16
17 <Output out>
18 Module om_tcp
19 Host 10.0.0.1
20 Port 1514
21 Exec to_json();
22 </Output>
23
24 <Route r>
25 Path in => out
26 </Route>

Example 126. Using xm_rewrite to Remove Fields

Here is an example Extension block that uses the Delete directive to delete all the severity fields. This could
be used to prevent severity-based matching (during later processing) on an event source that does not set
severity values correctly.

nxlog.conf
1 <Extension rewrite>
2 Module xm_rewrite
3 Delete SyslogSeverityValue, SyslogSeverity, SeverityValue, Severity
4 </Extension>

26.15. Timestamps
The NXLog core provides functions for parsing timestamps that return datetime values, along with functions for
generating formatted timestamps from datetime values.

26.15.1. Parsing Timestamps

Most timestamps can be parsed with the parsedate() function, which will automatically parse any of the
supported formats.

228
Example 127. Parsing a Timestamp With parsedate()

Consider the following line-based input sample. Each record begins with a timestamp followed by a tab.

Input Sample
2016-10-11T22:14:15.003Z ⇥ machine.example.com ⇥ An account failed to log on.↵

This example configuration uses a regular expression to capture the string up to the first tab. Then the
parsedate() function is used to parse the resulting string and set the $EventTime field to the corresponding
datetime value. This value can be converted to a timestamp string as required in later processing, either
explicitly or as defined by the global DateFormat directive (see Formatting Timestamps).

nxlog.conf
1 <Input in>
2 Module im_file
3 File 'in.log'
4 Exec if $raw_event =~ /^([^\t])\t/ $EventTime = parsedate($1);
5 </Input>

The parsedate() function is especially useful if the timestamp format varies within the events
being processed. A timestamp of any supported format will be parsed. In this example, the
TIP
timestamp must be at the beginning of the event and followed by a tab character to be
matched by the regular expression.

Sometimes a log source will contain a few events with invalid or unexpected formatting. If parsedate() fails to
parse the input string, it will return an undefined datetime value. This allows the user to configure a fallback
timestamp.

Example 128. Using a Fallback Timestamp With parsedate()

This example statement uses a vague regular expression that may in some cases match an invalid string. If
parsedate() fails to parse the timestamp, it will return an undefined datetime value. In this case, the final
line below will set $EventTime to the current time.

1 if $raw_event =~ /^(\S+)\s+(\S+)/
2 $EventTime = parsedate($1 + " " + $2);
3
4 # Make sure $EventTime is set
5 if not defined($EventTime) $EventTime = now();

$EventTime = $EventReceivedTime could be used instead to set a timestamp according to

TIP
when the event was received by NXLog.

For parsing more exotic formats, the strptime() function can be used.

229
Example 129. Using strptime() to Parse Timestamps

In this input sample, the date and time are two distinct fields delimited by a tab. It also uses a non-standard
single digit format instead of fixed width with double digits.

Input Sample
2011-5-29 ⇥ 0:3:2 GMT ⇥ WINDOWSDC ⇥ An account failed to log on.↵

To parse this, a regular expression can be used to capture the timestamp string. This string is then parsed
with the strptime() function.

1 if $raw_event =~ /^(\d+-\d+-\d+\t\d+:\d+:\d+ \w+)/

2 $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S %Z');

26.15.2. Adjusting Timestamps

Sometimes a log source sends events with incorrect or incomplete timestamps. For example, some network
devices may not have the correct time (especially immediately after rebooting); also, the BSD Syslog header
provides neither the year nor the timezone. NXLog can be configured to apply timestamp corrections in various
ways.

Reliably applying timezone offsets is difficult due to complications like daylight savings time
(DST) and networking and processing delays. For this reason, it is best to use clock
WARNING
synchronization (such as NTP) and timezone-aware timestamps at the log source when
possible.

The simplest solution for incorrect timestamps is to replace them with the time when the event was received by
NXLog. This is a good option for devices with untrusted clocks on the local network that send logs to NXLog in
real-time. The $EventReceivedTime field is automatically added to each event record by NXLog; this field can be
stored alongside the event’s own timestamp (normally $EventTime) if all fields are preserved when the event is
stored/forwarded. Alternatively, this field can be used as the event timestamp as shown below. This would have
the effect of influencing the timestamp used on most outputs, such as with the to_syslog_ietf() procedure.

Example 130. Using $EventReceivedTime as the Event Timestamp

This configuration accepts Syslog messages via UDP with the im_udp module. Events are parsed with the
parse_syslog() procedure, which adds an EventTime field from the Syslog header timestamp. The
$EventTime value, however, is replaced by the timestamp set by NXLog in the $EventReceivedTime field.
Any later processing that uses the $EventTime field will operate on the updated timestamp. For example, if
the to_syslog_ietf() procedure is used, the resulting IETF Syslog header will contain the
$EventReceivedTime timestamp.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input syslog>
6 Module im_udp
7 <Exec>
8 parse_syslog();
9 $EventTime = $EventReceivedTime;
10 </Exec>
11 </Input>

In some edge cases, a UTC timestamp that does not have the timezone specified is parsed as local time. This can

230
happen if BSD Syslog timestamps are in UTC, or when reading a non-timezone-aware ID timestamp with
im_odbc. In this case, it is necessary to either manually re-parse (see Parsing Timestamps) or apply a
corresponding reverse offset.

Example 131. Reversing an Incorrect Local-to-UTC Timezone Offset

This statement uses the parsedate() and strftime() functions to apply a reverse offset after an incorrect
local-to-UTC timezone conversion. To reduce the likelihood of an incorrect offset during the daylight saving
time (DST) transition, this should be done in the Input module instance which is collecting the events (see
the warning above).

1 $EventTime = parsedate(strftime($EventTime, '%Y-%m-%d %H:%M:%SZ'));

For the general case of adjusting timestamps, the plus (+) and minus (-) operators can be used to adjust a
timestamp by a specified number of seconds.

Example 132. Adjusting a Datetime Value by Seconds

This statement adds two hours to the $EventTime field.

This simple method may not be suitable for correction of a timezone that uses
WARNING daylight saving time (DST). In that case the required offset may change based on
whether DST is in effect.

1 $EventTime = $EventTime + (2 * 3600);

26.15.3. Formatting Timestamps

After a timestamp has been parsed to a datetime value, it will usually need to be converted back to a string at
some point before being sent to the output. This can be done automatically by the output configuration.

231
Example 133. Using the Default Timestamp Formatting

Consider an event record with an $EventTime field (as a datetime value) and a $Message field. Note that
the table below shows the $EventTime value as it is stored internally: as microseconds since the epoch.

Table 55. Sample Event Record

Field Value
$EventTime 1493425133541851

$Message EXT4-fs (dm-0): mounted filesystem with ordered data mode.

The following output module instance uses the to_json() procedure without specifying the timestamp
format.

nxlog.conf
1 <Output out>
2 Module om_file
3 File 'out.log'
4 Exec to_json();
5 </Output>

The output of the $EventTime field in this case will depend on the DateFormat directive. The default
DateFormat is YYYY-MM-DD hh:mm:ss (local time).

Output Sample
{
"EventTime": "2017-01-02 15:19:22",
"Message": "EXT4-fs (dm-0): mounted filesystem with ordered data mode."
}

A different timestamp may be used in some cases, depending on the procedure used to
convert the field and the output module. The to_syslog_bsd() procedure, for example, will
NOTE
use the $EventTime value to generate a RFC 3164 format timestamp regardless of how the
DateFormat directive is set.

Alternatively, the strftime() function can be used to explicitly convert a datetime value to a string with the
required format.

232
Example 134. Using strftime() to Format Timestamps

Again, consider an event record with an $EventTime field (as a datetime value) and a $Message field. In this
example, the strftime() function is used with a format string (see the strftime(3) manual) to convert
$EventTime to a string in the local time zone. Then the to_json() procedure is used to set the $raw_event
field.

nxlog.conf
1 <Output out>
2 Module om_file
3 File 'out.log'
4 <Exec>
5 $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%S%z');
6 to_json();
7 </Exec>
8 </Output>

Output Sample
{
"EventTime": "2017-04-29T02:18:53+0200",
"Message": "EXT4-fs (dm-0): mounted filesystem with ordered data mode."
}

NXLog Enterprise Edition supports a few additional format strings for formats that the stock C strftime() does not
offer, including formats with fractional seconds and in UTC time. See the Reference Manual strftime()
documentation for the list.

Example 135. Using strftime() Special Formats in NXLog Enterprise Edition

The following statement will convert $EventTime to a timestamp format with fractional seconds and in UTC
(regardless of the current time zone).

1 $EventTime = strftime($EventTime, 'YYYY-MM-DDThh:mm:ss.sUTC');

The resulting timestamp string in this case would be 2017-04-29T00:18:53.541851Z.

233
Chapter 27. Forwarding and Storing Logs
This chapter discusses the configuration of NXLog outputs, including:

• converting log messages to various formats,

• forwarding logs over the network,
• writing logs to files and sockets,
• storing logs in databases,
• sending logs to an executable, and
• forwarding raw data over TCP, UDP, and TLS/SSL protocols.

27.1. Generating Various Formats

The data format used in an outgoing log message must be considered in addition to the transport protocol. If the
message cannot be parsed by the receiver, it may be discarded or improperly processed. See also Parsing
Various Formats.

Syslog
There are two Syslog formats, the older BSD Syslog (RFC 3164) and the newer IETF Syslog (RFC 5424). The
transport protocol in Syslog can be UDP, TCP, or SSL. The xm_syslog module provides procedures for
generating Syslog messages. For more information, see Generating Syslog.

Example 136. Generating Syslog and Sending via TCP

This configuration uses the to_syslog_ietf() procedure to convert the corresponding fields in the event
record to a Syslog message in IETF format. The result is forwarded via TCP by the om_tcp module.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Output out>
6 Module om_tcp
7 Host 192.168.1.1
8 Port 1514
9 Exec to_syslog_ietf();
10 </Output>

Syslog Snare
The Snare agent format is a special format on top of BSD Syslog which is used and understood by several
tools and log analyzer frontends. This format is most useful when forwarding Windows EventLog data in
conjunction with im_mseventlog and/or im_msvistalog. The to_syslog_snare() procedure can construct Syslog
Snare formatted messages. For more information, see Generating Snare.

234
Example 137. Generating Syslog Snare and Sending via UDP

In this example, the to_syslog_snare() procedure converts the corresponding fields in the event record to
Snare format. The messages are then forwarded via UDP by the om_udp module.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Output out>
6 Module om_udp
7 Host 192.168.1.1
8 Port 514
9 Exec to_syslog_snare();
10 </Output>

NXLog Binary format

The Binary format is only understood by NXLog. All the fields are preserved when the data is sent in this
format, so there is no need to parse it again. The output module instance must contain OutputType Binary.
The receiver NXLog module instance can be set to InputType Binary.

Graylog Extended Log Format (GELF)

The xm_gelf module can be used to generate GELF output.

Example 138. Generating GELF Output

With this configuration, NXLog will send the fields in the event record via UDP in GELF format.

nxlog.conf
1 <Extension _gelf>
2 Module xm_gelf
3 </Extension>
4
5 <Output out>
6 Module om_udp
7 Host 127.0.0.1
8 Port 12201
9 OutputType GELF_UDP
10 </Output>

JSON
This is one of the most popular formats for interchanging data between various systems. The xm_json
module provides procedures for generating JSON messages by using data from the event record.

235
Example 139. Generating JSON and sending via TCP

With this configuration, NXLog will send the fields of the event record via TCP in JSON format.

nxlog.conf
1 <Extension json>
2 Module xm_json
3 </Extension>
4
5 <Output out>
6 Module om_tcp
7 Host 192.168.1.1
8 Port 1514
9 Exec to_json();
10 </Output>

27.2. Forwarding Over the Network

After the data are converted to the required format as described in the Generating Various Formats section, they
can be forwarded using various protocols in different formats, including raw data. For each protocol, there is a
trade-off between speed, reliability, compatibility, and security.

UDP
To send logs as UDP datagrams, use the om_udp module.

UDP packets can be dropped by the operating system because the protocol does not
WARNING guarantee reliable message delivery. It is recommended to use TCP or TLS/SSL instead if
message loss is a concern.

236
Example 140. Using the om_udp Module

This example provides configurations to forward data to the specified host via UDP.

The configuration below converts and forwards log messages in Graylog Extended Log Format (GELF).

nxlog.conf
1 <Extension gelf>
2 Module xm_gelf
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/tmp/input"
8 </Input>
9
10 <Output out>
11 Module om_udp
12 Host 192.168.1.1
13 Port 514
14 OutputType GELF_UDP
15 </Output>

The below configuration sample forwards data via UDP in JSON format.

nxlog.conf
1 <Extension json>
2 Module xm_json
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/tmp/input"
8 </Input>
9
10 <Output out>
11 Module om_udp
12 Host 192.168.1.1
13 Port 514
14 Exec to_json();
15 </Output>

TCP
To send logs over TCP, use the om_tcp module.

237
Example 141. Using the om_tcp Module

In this example, log messages are forwarded to the specified host via TCP.

The configuration below provides forwarding data as a Syslog message in IETF format.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/tmp/input"
8 </Input>
9
10 <Output out>
11 Module om_tcp
12 Host 192.168.1.1
13 Port 1514
14 Exec to_syslog_ietf();
15 </Output>

The below configuration sample forwards messages without transforming them.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/tmp/input"
4 </Input>
5
6 <Output out>
7 Module om_tcp
8 Host 192.168.0.127
9 Port 10500
10 </Output>

SSL/TLS
To send logs over a trusted, secure SSL connection, use the om_ssl module.

238
Example 142. Using the om_ssl Module

This example provides nearly identical behavior to the TCP example above, but in this case SSL is used
to securely transmit the data.

The configuration below enables forwarding raw data over SSL/TLS using a self-signed certificate.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/tmp/input'
4 </Input>
5
6 <Output out>
7 Module om_ssl
8 Host 192.168.0.127
9 Port 10500
10 OutputType Binary
11 # Allows using self-signed certificates
12 AllowUntrusted TRUE
13 # Certificate from the peer host
14 CAFile /tmp/peer_cert.pem
15 # Certificate file
16 CertFile /tmp/cert.pem
17 # Keypair file
18 CertKeyFile /tmp/key.pem
19 </Output>

The below configuration sample forwards data over SSL/TLS in JSON format using a trusted CA
certificate.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/tmp/input'
4 </Input>
5
6 <Extension json>
7 Module xm_json
8 </Extension>
9
10 <Output out>
11 Module om_ssl
12 Host 192.168.0.127
13 Port 10500
14 # Allows using self-signed certificates
15 AllowUntrusted FALSE
16 # Certificate from the peer host
17 CAFile /tmp/peer_cert.pem
18 # Certificate file
19 CertFile /tmp/cert.pem
20 # Keypair file
21 CertKeyFile /tmp/key.pem
22 Exec to_json();
23 </Output>

HTTP(S)
To send logs over an HTTP or HTTPS connection, use the om_http module.

239
Example 143. Using the om_http Module

This example provides configurations for forwarding data via HTTP to the specified HTTP address.

Using the below configuration sample, NXLog will send raw data in text form using a POST request for
each log message.

nxlog.conf
1 <Input in>
2 Module im_file
3 File '/tmp/input'
4 </Input>
5
6 <Output out>
7 Module om_http
8 URL http://server:8080/
9 </Output>

The configuration below will forward data in Graylog Extended Log Format (GELF) over HTTPS using a
trusted certificate.

nxlog.conf
1 <Extension gelf>
2 Module xm_gelf
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/tmp/input"
8 </Input>
9
10 <Output out>
11 Module om_http
12 URL http://server:8080/
13 # Allows using self-signed certificates
14 HTTPSAllowUntrusted FALSE
15 # Certificate from the peer host
16 HTTPSCAFile /tmp/peer_cert.pem
17 # Certificate file
18 HTTPSCertFile /tmp/cert.pem
19 # Keypair file
20 HTTPSCertKeyFile /tmp/key.pem
21 OutputType GELF_UDP
22 </Output>

27.3. Sending to Files and Sockets

Files
To store logs in local files, use the om_file module. See also Writing Syslog to File.

240
Example 144. Using the om_file Module

This configuration writes log messages to the specified file. No additional processing is performed by
the output module instance.

nxlog.conf
1 <Output out>
2 Module om_file
3 File "/var/log/out.log"
4 </Output>

Unix Domain Socket

To send logs to a Unix domain socket, use the om_uds module. See also Sending Syslog to the Local Syslog
Daemon via /dev/log.

Example 145. Using the om_uds Module

With this configuration, log messages are written to the specified socket without any additional
processing.

nxlog.conf
1 <Output out>
2 Module om_uds
3 UDS /dev/log
4 </Output>

27.4. Storing in Databases

The om_dbi and om_odbc modules can be used to store logs in databases. The om_dbi module can be used on
POSIX systems where libdbi is available. The om_odbc module, available in NXLog Enterprise Edition, can be used
with ODBC compatible databases on Windows, Linux, and Unix.

Example 146. Using the om_dbi Module

This configuration uses libdbi and the pgsql driver to insert events into the specified database. The SQL
statement references fields in the event record to be added to the database.

nxlog.conf
1 <Output out>
2 Module om_dbi
3 SQL INSERT INTO log (facility, severity, hostname, timestamp, application, \
4 message) \
5 VALUES ($SyslogFacility, $SyslogSeverity, $Hostname, '$EventTime', \
6 $SourceName, $Message)
7 Driver pgsql
8 Option host 127.0.0.1
9 Option username dbuser
10 Option password secret
11 Option dbname logdb
12 </Output>

241
Example 147. Using the om_odbc Module

This example inserts events into the database specified by the ODBC connection string. In this case, the
sql_exec() and sql_fetch() functions are used to interact with the database.

nxlog.conf
1 <Output out>
2 Module om_odbc
3 ConnectionString DSN=mysql_ds;username=mysql;password=mysql;database=logdb;
4 <Exec>
5 if ( sql_exec("INSERT INTO log (facility, severity, hostname, timestamp,
6 application, message) VALUES (?, ?, ?, ?, ?, ?)",
7 1, 2, "host", now(), "app", $raw_event) == TRUE )
8 {
9 if ( sql_fetch("SELECT max(id) as id from log") == TRUE )
10 {
11 log_info("ID: " + $id);
12 if ( sql_fetch("SELECT message from log WHERE id=?", $id) == TRUE )
13 log_info($message);
14 }
15 }
16 </Exec>
17 </Output>

27.5. Sending to Executables

Using the om_exec module, all messages can be piped to an external program or script which will run until the
module (or NXLog) is stopped.

Example 148. Using the om_exec Module

This configuration executes the specified command and writes log messages to its standard input.

nxlog.conf
1 <Output out>
2 Module om_exec
3 Command /usr/bin/someprog
4 Arg -
5 </Output>

242
Chapter 28. Centralized Log Collection
Centralized log collection, log aggregation, or log centralization is the process of sending event log data to a
dedicated server or service for storage, and optionally for search and analytics. Storing logs on a centralized
system offers several benefits over storing the data locally.

• Event data can be accessed even if the originating server is offline, compromised, or decommissioned.
• Data can be analyzed and correlated across more than one system.
• It is more difficult for malicious actors to remove evidence from logs that have already been forwarded.
• Incident investigation and auditing is easier because all event data is collected in a single location.
• Scalable, high-availability, and redundancy solutions are easier to implement and maintain since they can be
implemented at the point of the collection server.
• Compliance with internal and external standards for log data retention only need to be to managed at a
single point.

28.1. Architecture
The following diagram depicts an example of centralized log collection architecture. The single, central server
collects logs from other servers, applications, and network devices. After collection, the logs can be forwarded as
required for further analysis or storage.

This chapter is concerned with the left half of the diagram: collecting logs from clients.

In practice, network topology and other requirements may dictate that additional servers such as relays be
added for log handling. For those cases, other functionality may be necessary than what is covered here (such as
buffering).

243
28.2. Collection Modes
In the context of clients generating logs, NXLog supports both agent-based and agent-less log collection, and it is
possible to configure a system to use both in mixed mode. In brief, these modes differ as follows (see the Log
Processing Modes section for more details).

Agent-based log collection requires that an NXLog agent be installed on the client. With a local agent, collection is
much more flexible, providing features such as filtering on the source system to send only the required data,
format conversion, compression, encryption, and delivery reliability, among others. It is generally recommended
that NXLog be deployed as an agent wherever possible.

Example 149. Transporting Batch-Compressed Logs in Agent-Based Mode

With agent-based log collection, NXLog agents are installed on both the client and the central server. Here,
the im_batchcompress and om_batchcompress modules are used to transport logs both compressed and
encrypted. These modules preserve all the fields in the event record.

nxlog.conf (Client)
1 <Output batch>
2 Module om_batchcompress
3 Host 192.168.56.101
4 Port 2514
5 UseSSL TRUE
6 CAFile /opt/openssl_rootca/rootCA.pem
7 CertFile /opt/openssl_server/server.crt
8 CertKeyFile /opt/openssl_server/server.key
9 </Output>

nxlog.conf (Log Server)

1 <Input batch>
2 Module im_batchcompress
3 ListenAddr 0.0.0.0
4 Port 2514
5 CAFile /opt/openssl_rootca/rootCA.pem
6 CertFile /opt/openssl_server/central.crt
7 CertKeyFile /opt/openssl_server/central.key
8 </Input>

In agent-less mode, there is no NXLog agent installed on the client. Instead, the client forwards events to the
central server in a native format. On the central server, NXLog accepts and parses the logs received. Often there
is limited control over the log format used, and it may not be possible to implement encryption, compression,
delivery reliability, or other features.

244
Example 150. Collecting UDP Syslog Logs in Agent-Less Mode

With agent-less collection, NXLog is installed on the central server but not on the client. Clients can be
configured to send UDP Syslog messages to the central server using their native logging functionality. The
im_udp module below could be replaced with im_tcp or im_ssl according to what protocol is supported by
the clients.

UDP transport does not provide any guarantee of delivery. Network congestion or
WARNING
other issues may result in lost log data.

nxlog.conf (Log Server)

1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input input_udp>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 Exec parse_syslog();
10 </Input>

It is common for logs to be collected using both modes among the various clients, network devices, relays, and
log servers in a network. For example, an NXLog relay may be configured to collect logs from both agents and
agent-less sources and perform filtering and processing before forwarding the data to a central server.

28.3. Requirements
Various logging requirements may dictate particular details about the chosen logging architecture. The following
are important things to consider when deciding how to set up centralized log collection. In some cases, these
requirements can only be met by using agent-based collection.

Reliability
UDP does not guarantee message delivery, and should be avoided if log data loss is not acceptable. Instead,
TCP (and therefore TLS as well) offers guaranteed packet delivery. Furthermore, with agent-based collection
NXLog can provide application-level, guaranteed delivery. See Reliable Network Delivery for more
information.

Structured data
Correlating data across multiple log sources requires parsing event data into a common set of fields. Event
fields are a core part of NXLog processing, and an NXLog agent can be configured to parse events at any point
along their path to the central server. Often, parsing is done as early as possible (at the source, for agent-
based collection) to simplify later categorization and to reduce processing load on log servers as logs are
received. See Parsing Various Formats and Message Classification.

Encryption
To maintain confidentiality of log data, TLS can be used during transport.

Compression
If bandwidth is a concern, log data compression may be desirable. Most event data is highly compressible,
allowing bandwidth requirements to be reduced significantly. The im_batchcompress and om_batchcompress
modules provide batched, compressed transport of log data between NXLog agents.

Storage format
Normally, data should be converted to, and stored in, a common format when dealing with heterogeneous
logs sources.

245
28.4. Data Formats
When using agent-based collection, it is often desirable to convert the data prior to transfer. In this case,
structured data is often sent using one of these formats.

Batch compression modules

The im_batchcompress and om_batchcompress modules can be used to send logs in compressed, and
optionally encrypted, batches. All fields in the event record are preserved.

NXLog binary format

NXLog has its own binary format (see Binary InputType and Binary OutputType) that retains all the fields of an
event and can be used to send logs via TCP, UDP, or TLS (or with other stream-oriented modules).

JSON
JSON is easy to generate and parse and has become a de-facto standard for logging as well. It has some
limitations, such as the missing datetime format. See the JSON section.

Agent-less collection is restricted to formats supported by the clients. The following are a few common formats,
but many more are supported. See also the OS Support chapters.

Syslog
Using Syslog has become a common practice and many SIEM vendors and products support (or even require)
Syslog. See the Syslog chapter for more details. Syslog contains free form message data that typically needs
to be parsed to extract more information for further analysis. Syslog often uses UDP, TCP, or TLS for
transport.

Snare
The Snare format is commonly used to transport Windows EventLog, with or without Syslog headers.

Windows Event Forwarding (WEF)

Windows EventLog can be forwarded over HTTPS with Windows Event Forwarding. See the Windows Event
Log chapter.

246
Chapter 29. Encrypted Transfer
In order to protect log data in transit from being modified or viewed by an attacker, NXLog provides SSL/TLS data
encryption support in many input and output modules. Benefits of using SSL/TLS encrypted log transfer include:

• strong authentication,
• message integrity (assures that the logs are not changed), and
• message confidentiality (assures that the logs cannot be viewed by an unauthorized party).

It is important that certificates be renewed before expiration. The NXLog Manager

WARNING dashboard can be configured with a "Certificate summary" which lists soon-to-expire
certificates in a separate group.

29.1. SSL/TLS Encryption in NXLog

The SSL/TLS protocol encrypts log data on the client side and then decrypts it on the server side. It’s
recommended to use 2048-bit keys or larger.

There are several modules in NXLog Enterprise Edition that support SSL/TLS encryption:

• im_ssl and om_ssl support secure TCP connections,

• im_http and om_http support secure HTTP connections, and
• im_batchcompress and om_batchcompress support encryption of compressed log batches transferred
between NXLog instances.

When using the SSL/TLS, there are two ways to handle authentication.

• With mutual authentication, both client and log server agents are authenticated, and certificates/keys must
be deployed for both agents. This is the most secure and prevents log collection if the client’s certificate is
untrusted or has expired.
• With server-side authentication only, authentication takes place only via a certificate/key deployed on the
server. On the log server, the im_ssl AllowUntrusted directive (or corresponding directive for im_http or
im_batchcompress) must be set to TRUE. The client is prevented from sending logs to an untrusted server
but the server accepts logs from untrusted clients.

247
Example 151. Client/Server Encrypted Transfer

With the following configurations, a client reads logs from all log files under the /var/log directory, parses
the events with parse_syslog(), converts to JSON with to_json(), and forwards them over a secure connection
to the central server.

These configurations use mutual authentication: both agents are authenticated and certificates must be
created for both agents.

nxlog.conf (Client)
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Extension _json>
6 Module xm_json
7 </Extension>
8
9 <Input messages>
10 Module im_file
11 File "/var/log/*"
12 Exec parse_syslog();
13 </Input>
14
15 <Output central_ssl>
16 Module om_ssl
17 Host 192.168.56.103
18 Port 516
19 CAFile /opt/ssl/rootCA.pem
20 CertFile /opt/ssl/client.crt
21 CertKeyFile /opt/ssl/client.key
22 KeyPass password
23 Exec to_json();
24 </Output>

The server receives the logs on port 516 and writes them to /var/log/logmsg.log.

nxlog.conf (Central Server)

1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input input_ssl>
6 Module im_ssl
7 Host 0.0.0.0
8 Port 516
9 CAFile /opt/ssl/rootCA.pem
10 CertFile /opt/ssl/central.crt
11 CertKeyFile /opt/ssl/central.key
12 KeyPass password
13 </Input>
14
15 <Output fileout>
16 Module om_file
17 File "/var/log/logmsg.log"
18 </Output>

248
29.2. OpenSSL Certificate Creation
NXLog Manager provides various features for creating, deploying, and managing SSL/TLS certificates, and is
especially helpful when managing many NXLog agents across an organization. This section, however, provides
steps for creating self-signed certificates with OpenSSL, a Linux-based SSL/TLS cryptography toolkit.

1. Generate the private root key for your Certification Authority (CA).

$ openssl genrsa -out rootCA.key 2048

2. Self-sign the key and create a CA certificate.

$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 730 -out rootCA.pem

3. Create a certificate for each server.

a. Generate a private key for the server.

$ openssl genrsa -out server.key 2048

b. Generate the certificate signing request for the CA. When prompted for the Common Name, enter the
server’s name or IP address.

$ openssl req -new -key server.key -out server.csr

c. Sign the request.

$ openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \

-CAcreateserial -out server.crt -days 500 -sha256

249
Chapter 30. Reducing Bandwidth and Data Size
There are several ways that NXLog can be configured to reduce the size of log data. This can help lower
bandwidth requirements during transport, storage requirements for log data storage, and licensing costs for
commercial SIEM systems that charge based on data volume.

The three main strategies for achieving this goal are covered in the following sections:

• Filtering Events by removing unnecessary or duplicate events at the source so that less data needs to be
transported and stored—reducing the data size during all subsequent stages of processing.
• Trimming Events by removing extra content or fields from event records which can reduce the total volume
of log data.
• Compressing During Transport can drastically reduce bandwidth requirements for events being forwarded.

To achieve the best results, it is important to understand how fields work in NXLog and which fields are being
transferred or stored. For example, removing or modifying fields without modifying $raw_event will not reduce
data requirements at all for an output module instance that uses only $raw_event. See Event Records and Fields
for details, as well as the explanation in Compressing During Transport below.

30.1. Filtering Events

Depending on the logging requirements and the log source, it may be possible to simply discard certain events.
NXLog can be configured to filter events based on nearly any set of criteria. See also Filtering Messages.

Example 152. Dropping Unnecessary Events

In this example, an NXLog agent is configured to collect Syslog messages from devices on the local network.
Events are parsed with the xm_syslog parse_syslog() procedure, which sets the SeverityValue field. Any event
with a normalized severity lower than 3 (warning) is discarded.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input syslog>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 Exec parse_syslog(); if $SeverityValue < 3 drop();
10 </Input>

Similarly, the pm_norepeat module can be used to detect, count, and discard duplicate events. In their place,
pm_norepeat generates a single event with a last message repeated n times message.

250
Example 153. Dropping Duplicate Events

With this configuration, NXLog collects Syslog messages from hosts on the local network with im_udp and
parses them with the xm_syslog parse_syslog() procedure. Events are then routed through a pm_norepeat
module instance, where the $Hostname, $Message, and $SourceName fields are checked to detect duplicate
messages. Last, events are sent to a remote host with om_batchcompress.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input syslog_udp>
6 Module im_udp
7 Host 0.0.0.0
8 Port 514
9 Exec parse_syslog();
10 </Input>
11
12 <Processor norepeat>
13 Module pm_norepeat
14 CheckFields Hostname, Message, SourceName
15 </Processor>
16
17 <Output out>
18 Module om_batchcompress
19 Host 10.2.0.2
20 Port 2514
21 </Output>
22
23 <Route r>
24 Path syslog_udp => norepeat => out
25 </Route>

30.2. Trimming Events

NXLog can be configured to parse events into various fields in the event record. In this case, a whitelist can be
used to retain a set of important fields. See Rewriting and Modifying Messages for more information about
modifying events.

251
Example 154. Discarding Extra Fields via Whitelist

This configuration reads from the Windows EventLog with im_msvistalog and uses an xm_rewrite module
instance to discard any fields in the event record that are not included in the whitelist. The xm_rewrite
instance below could be used with multiple sources; for example, the whitelist would also be suitable for
the xm_syslog fields.

NOTE The xm_rewrite module does not remove the $raw_event field.

nxlog.conf
1 <Extension whitelist>
2 Module xm_rewrite
3 Keep AccountName, Channel, EventID, EventReceivedTime, EventTime, Hostname, \
4 Severity, SeverityValue, SourceName
5 </Extension>
6
7 <Input eventlog>
8 Module im_msvistalog
9 <QueryXML>
10 <QueryList>
11 <Query Id='0'>
12 <Select Path='Security'>*[System/Level<=4]</Select>
13 </Query>
14 </QueryList>
15 </QueryXML>
16 Exec whitelist->process();
17 </Input>

In some cases, event messages contain a lot of extra data that is duplicated across multiple events of the same
time. One example of this is the "descriptive event data" which has been introduced by Microsoft for the
Windows EventLog. By removing this verbose text from common events, event sizes can be reduced significantly
while still preserving all the forensic details of the event.

Example 155. Removing Descriptive Data From Event Messages

The following configuration collects events from the Application, Security, and System channels. Rules are
included for truncating the messages of Security events with IDs 4688 and 4769.

In this example, the $Message field is truncated. However, the $raw_event field is not. For
most input modules, $raw_event will include the contents of $Message and other fields
NOTE (see the im_msvistalog $raw_event field). To update the $raw_event field, include a
statement for this (see the comment in the configuration example). See also Compressing
During Transport below for more details.

252
Input Sample (Event ID 4769)
A Kerberos service ticket was requested.

Account Information:
Account Name: [email protected]
Account Domain: TEST.COM
Logon GUID: {55a7f67c-a32c-150a-29f1-7e173ff130a7}

Service Information:
Service Name: WINAD$
Service ID: TEST\WINAD$

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a
Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in
each event. The logon event occurs on the machine that was accessed, which is often a
different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

nxlog.conf
1 <Input eventlog>
2 Module im_msvistalog
3 <QueryXML>
4 <QueryList>
5 <Query Id="0">
6 <Select Path="Application">
7 *[System[(Level<=4)]]</Select>
8 <Select Path="Security">
9 *[System[(Level<=4)]]</Select>
10 <Select Path="System">
11 *[System[(Level<=4)]]</Select>
12 </Query>
13 </QueryList>
14 </QueryXML>
15 <Exec>
16 if ($Channel == 'Security') and ($EventID == 4688)
17 $Message =~ s/\s*Token Elevation Type indicates the type of .*$//s;
18 else if $(Channel == 'Security') and ($EventID == 4769)
19 $Message =~ s/\s*This event is generated every time access is .*$//s;
20 # Additional rules can be added here
21 # ...
22 # Optionally, update the $raw_event field
23 #$raw_event = $EventTime + ' ' + $Message;
24 </Exec>
25 </Input>

253
Output Sample
A Kerberos service ticket was requested.

Account Information:
Account Name: [email protected]
Account Domain: TEST.COM
Logon GUID: {55a7f67c-a32c-150a-29f1-7e173ff130a7}

Service Information:
Service Name: WINAD$
Service ID: TEST\WINAD$

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services: -

30.3. Compressing During Transport

There are several ways that event data can be transported between NXLog agents, including the *m_tcp and
*m_ssl modules. However, those modules do not provide data compression. The im_batchcompress and
om_batchcompress modules, available in NXLog Enterprise Edition, can be used to transfer events in
compressed (and optionally, encrypted) batches.

The following chart compares the data requirements for the *m_tcp, *m_ssl (with TLSv1.2), and *m_batchcompress
module pairs. It is based on a sample of BSD Syslog records parsed with parse_syslog(). The values shown reflect
the total bi-directional bytes transferred at the packet level. Of course, ratios will vary from this in practice based
on network conditions and the compressibility of the event data.

Note that the om_tcp and om_ssl modules (among others) transfer only the $raw_event field by default, but can
be configured to transfer all fields with OutputType Binary. The om_batchcompress module transfers all fields
in the event record, but it is possible to send only the $raw_event field by first removing the other fields (see
Generating $raw_event and Removing Other Fields below).

254
Simply configuring the *m_batchcompress modules for the transfer of event data between NXLog agents can
significantly reduce the bandwidth requirements for that part of the log path.

The table below displays the comparison of sending the same data set using different methods and modules:

Table 56. Data Transfer Comparison

Compressi Modules Event size Diff vs Sender Receiver EPS sender EPS
on method used baseline CPU usage CPU usage receiver
None om_tcp, 112 0.00% 141 215.07 83091.8 84169.9
im_tcp

None om_ssl, 301.7 +169.38% 141.34 191.9 33161.4 47482.9

im_ssl

SSLCompre om_ssl, 293.2 +161.79% 138.98 190.69 34497.7 47128.5

ssion im_ssl

Batch om_batchco 18.4 -83.57% 119.69 181.1 36252.1 77491.8

compressio mpress,
n im_batchco
mpress

Compression ratios show that enabling SSLCompression yields only a minimal improvement in message size.

Batch compression fares much better, because it compresses data in batches leading to better compression
ratios.

Example 156. Batched Log Transfer

With the following configuration, an NXLog agent uses om_batchcompress to send events in compressed
batches to a remote NXLog agent.

The *m_batchcompress modules also support SSL/TLS encryption; see the im_batchcompress
TIP
and om_batchcompress configuration details.

nxlog.conf (Sending Agent)

1 <Output out>
2 Module om_batchcompress
3 Host 10.2.0.2
4 Port 2514
5 </Output>

The remote NXLog agent receives and decompresses the received batches with im_batchcompress. All
fields in an event are available to the receiving agent.

nxlog.conf (Receiving Agent)

1 <Input in>
2 Module im_batchcompress
3 ListenAddr 10.2.0.2
4 Port 2514
5 </Input>

To further reduce the size of the batches transferred by the *m_batchcompress modules, and if only the
$raw_event field will be needed later in the log path, the extra fields can be removed from the event record prior
to transfer. This can be done with an xm_rewrite instance for multiple fields or with the delete() procedure (see
Renaming and Deleting Fields).

255
Example 157. Generating $raw_event and Removing Other Fields

In this configuration, events are collected from the Windows EventLog with im_msvistalog, which sets the
$raw_event and many other fields. To reduce the size of the events, only the $raw_event field is retained;
all the other fields in the event record are removed by the xm_rewrite module instance (called by clean-
>process()).

Rather than using the default im_msvistalog $raw_event field, it would also be possible to
NOTE customize it with something like $raw_event = $EventTime + ' ' + $Message or
to_json().

nxlog.conf
1 <Extension clean>
2 Module xm_rewrite
3 Keep raw_event
4 </Extension>
5
6 <Input eventlog>
7 Module im_msvistalog
8 <QueryXML>
9 <QueryList>
10 <Query Id='0'>
11 <Select Path='Security'>*[System/Level<=4]</Select>
12 </Query>
13 </QueryList>
14 </QueryXML>
15 </Input>
16
17 <Output out>
18 Module om_batchcompress
19 Host 10.2.0.2
20 Exec clean->process();
21 </Output>

Alternatively, if the various fields in the event record will be handled later in the log path, the $raw_event field
can be set to an empty string (but see the warning below).

256
Example 158. Emptying $raw_event and Sending Other Fields

This configuration collects events from the Windows EventLog with im_msvistalog, which writes multiple
fields to the event record. In this case, the $raw_event field contains the same data as other fields. Because
the om_batchcompress module instance will send all the fields in the event record, the $raw_event field
can be emptied.

Many output modules operate on the $raw_event field only. It should not be set to
an empty string unless the output module sends all the event fields
(om_batchcompress or a module using the Binary OutputType) and so on for all
WARNING
subsequent agents and modules. Otherwise, a module instance will encounter an
empty $raw_event. For this reason, the following example is in general not
recommended.

nxlog.conf
1 <Input eventlog>
2 Module im_msvistalog
3 <QueryXML>
4 <QueryList>
5 <Query Id='1'>
6 <Select Path='Security'>*[System/Level<=4]</Select>
7 </Query>
8 </QueryList>
9 </QueryXML>
10 </Input>
11
12 <Output out>
13 Module om_batchcompress
14 Host 10.2.0.2
15 Exec $raw_event = '';
16 </Output>

257
Chapter 31. Reliable Message Delivery
Sometimes regulatory compliance or other requirements mandate that the logging infrastructure function in an
ultra-reliable manner. NXLog Enterprise Edition can be configured to guarantee that:

• log data is safe even in case of a crash,

• no messages are lost due to intermittent network issues, and
• there is no message duplication.

31.1. Crash-Safe Operation

A host or NXLog crash can happen for various reasons, including power failures without a UPS, kernel panics,
and software bugs. To protect against data loss in these situations, the following techniques are implemented in
NXLog Enterprise Edition.

• Log messages are buffered in various places in NXLog, and buffered messages can be lost in the case of a
crash. Persistent module message queues can be enabled so that these messages are stored on disk instead
of in memory. Each log message is removed from the queue only after successful delivery. See the
PersistLogqueue and SyncLogqueue global configuration directives, and the PersistLogqueue and
SyncLogqueue module directives.

Log message removal from queues in processor modules happens before delivery. This
WARNING can result in potential data loss. Do not use processor modules when high reliability
operation is required.

• Input positions (for im_file and other modules) are saved in the cache file, and by default this file is only
saved to disk on shutdown. In case of a crash some events may be duplicated or lost depending on the value
of the ReadFromLast directive. This data can be periodically flushed and synced to disk using the
CacheFlushInterval and CacheSync directives.

Example 159. Configuration for Crash-Safe Operation

In this example, the log queues are synced to disk after each successful delivery. The cache file containing
the current event ID is also flushed and synced to disk after each event is read from the database. Note that
these reliability features, when enabled, significantly reduce the processing speed.

nxlog.conf
1 PersistLogqueue TRUE
2 SyncLogqueue TRUE
3 CacheFlushInterval always
4 CacheSync TRUE
5
6 <Input in>
7 Module im_file
8 File 'input.log'
9 </Input>
10
11 <Output out>
12 Module om_tcp
13 Host 10.0.0.1
14 Port 1514
15 </Output>

258
31.2. Reliable Network Delivery
The TCP protocol provides guaranteed packet delivery via packet level acknowledgment. Unfortunately, if the
receiver closes the TCP connection prematurely while messages are being transmitted, unsent data stored in the
socket buffers will be lost since this is handled by the operating system instead of the application (NXLog). This
can result in message loss and affects im_tcp, om_tcp, im_ssl, and om_ssl. See the diagram in All Buffers in a
Basic Route.

The solution to this unreliability in the TCP protocol is application-level acknowledgment. NXLog provides two
pairs of modules for this purpose.

• NXLog can use the HTTP/HTTPS protocol to provide guaranteed message delivery over the network,
optionally with TLS/SSL. The client (om_http) sends the event in a HTTP POST request. The server (im_http,
only available in NXLog Enterprise Edition) responds with a status code indicating successful message
reception.

Example 160. HTTPS Log Transfer

In the following configuration example, a client reads logs from a file and transmits the logs over an
SSL-secured HTTP connection.

nxlog.conf (Client/Sending)
1 <Input in>
2 Module im_file
3 File 'input.log'
4 </Input>
5
6 <Output out>
7 Module om_http
8 URL https://10.0.0.1:8080/
9 HTTPSCertFile %CERTDIR%/client-cert.pem
10 HTTPSCertKeyFile %CERTDIR%/client-key.pem
11 HTTPSCAFile %CERTDIR%/ca.pem
12 </Output>

The remote NXLog agent accepts the HTTPS connections and stores the received messages in a file. The
contents of input.log will be replicated in output.log.

nxlog.conf (Server/Receiving)
1 <Input in>
2 Module im_http
3 ListenAddr 0.0.0.0
4 Port 8080
5 HTTPSCertFile %CERTDIR%/server-cert.pem
6 HTTPSCertKeyFile %CERTDIR%/server-key.pem
7 HTTPSCAFile %CERTDIR%/ca.pem
8 </Input>
9
10 <Output out>
11 Module om_file
12 File 'output.log'
13 </Output>

• The om_batchcompress and im_batchcompress modules, available in NXLog Enterprise Edition, also provide
acknowledgment as part of the batchcompress protocol.

259
Example 161. Batched Log Transfer

With the following configuration, a client reads logs from a file and transmits the logs in compressed
batches to a remote NXLog agent.

nxlog.conf (Client/Sending)
1 <Input in>
2 Module im_file
3 File 'input.log'
4 </Input>
5
6 <Output out>
7 Module om_batchcompress
8 Host 10.0.0.1
9 UseSSL true
10 CertFile %CERTDIR%/client-cert.pem
11 CertKeyFile %CERTDIR%/client-key.pem
12 CAFile %CERTDIR%/ca.pem
13 </Output>

The remote NXLog agent receives and decompresses the received message batches and stores the
individual messages in a file. The contents of input.log will be replicated in output.log.

nxlog.conf (Server/Receiving)
1 <Input in>
2 Module im_batchcompress
3 ListenAddr 0.0.0.0
4 CertFile %CERTDIR%/server-cert.pem
5 CertKeyFile %CERTDIR%/server-key.pem
6 CAFile %CERTDIR%/ca.pem
7 </Input>
8
9 <Output out>
10 Module om_file
11 File 'output.log'
12 </Output>

31.3. Protection Against Duplication

If the contents of the cache file containing the event position are lost, the module can either read everything
from the beginning or risk losing some messages. In the former case, messages may be duplicated. When using
persistent queues, messages are not removed from the queue until they have been successfully delivered. If the
crash occurs just before removal, the message will be sent again after the agent restarts resulting in a duplicate.

In some cases it may be very important that a log message is not duplicated. For example, a duplicated message
may trigger the same alarm a second time or cause an extra entry in a financial transaction log. NXLog Enterprise
Edition can be configured to prevent duplicate messages from occurring.

The best way to prevent duplicated messages is by using serial numbers, as it is only possible to detect
duplicates at the receiver. The receiver can keep track of what has been received by storing the serial number of
the last message. If a message is received with the same or a lower serial number from the same source, the
message is simply discarded.

In NXLog Enterprise Edition, duplication prevention works as follows.

• Each module that receives a message directly from an input source or from another module in the route
assigns a field named $__SERIAL__$ with a monotonically increasing serial number. The serial number is

260
taken from a global generator and is increased after each fetch so that two messages received at two
modules simultaneously will not have the same serial number. The serial number is initialized to the seconds
elapsed since the UNIX epoch when NXLog is started. This way it can provide 1,000,000 serial numbers per
second without problems in case it is stopped and restarted. Otherwise the value would need to be saved
and synced to disk as after each serial number fetch which would adversely affect performance. When a
module receives a message it checks the value of the field named $__SERIAL__$ against the last saved
value.
• The im_http module keeps the value of the last $__SERIAL__$ for each client. It is only possible to know and
identify the client (om_http sender) in HTTPS mode. The Common Name (CN) in the certificate subject is
used and is assumed to uniquely identify the client.

The remote IP and port number cannot be used to identify the remote sender because the
remote port is assigned dynamically and changes for every connection. Thus if a client
sends a message, disconnects, reconnects, and then sends the same message again, it is
NOTE impossible to know if this is the same client or another. For this reason it is not possible to
protect against message duplication with plain TCP or HTTP when multiple clients connect
from the same IP. The im_ssl and im_batchcompress modules do not have the certificate
subject extraction implemented at this time.

• All other non-network modules use the value of $SourceModuleName which is automatically set to the name
of the module instance generating the log message. This value is assumed to uniquely identify the source.
The value of $SourceModuleName is not overwritten if it already exists. Note that this may present problems
in some complex setups.
• The algorithm is implemented in one procedure call named duplicate_guard(), which can be used in modules
to prevent message duplication. The dropped() function can be then used to test whether the current log
message has been dropped.

261
Example 162. Disallowing Duplicated Messages

The following client and server configuration examples extend the earlier HTTPS example to provide an
ultra-reliable operation where messages cannot be lost locally due to a crash, lost over the network, or
duplicated.

nxlog.conf (Client/Sending)
1 PersistLogqueue TRUE
2 SyncLogqueue TRUE
3 CacheFlushInterval always
4 CacheSync TRUE
5
6 <Input in>
7 Module im_file
8 File 'input.log'
9 </Input>
10
11 <Output out>
12 Module om_http
13 URL https://10.0.0.1:8080/
14 HTTPSCertFile %CERTDIR%/client-cert.pem
15 HTTPSCertKeyFile %CERTDIR%/client-key.pem
16 HTTPSCAFile %CERTDIR%/ca.pem
17 Exec duplicate_guard();
18 </Output>

The server accepts the HTTPS connections and stores the received messages in a file. The contents of
input.log will be replicated in output.log

nxlog.conf (Server/Receiving)
1 PersistLogqueue TRUE
2 SyncLogqueue TRUE
3 CacheFlushInterval always
4 CacheSync TRUE
5
6 <Input in>
7 Module im_http
8 ListenAddr 0.0.0.0
9 Port 8080
10 HTTPSCertFile %CERTDIR%/server-cert.pem
11 HTTPSCertKeyFile %CERTDIR%/server-key.pem
12 HTTPSCAFile %CERTDIR%/ca.pem
13 Exec duplicate_guard();
14 </Input>
15
16 <Output out>
17 Module om_file
18 File 'output.log'
19 Exec duplicate_guard();
20 </Output>

262
OS Support
Each of the following chapters lists some of the common log sources that can be collected on the corresponding
platform. See also Supported Platforms.

263
Chapter 32. IBM AIX
NXLog can collect various types of system logs on the AIX platform. For deployment details, see the supported
AIX platforms, AIX installation, and monitoring.

AIX Audit
The im_aixaudit module natively collects logs generated by the AIX Audit system, without depending on
auditstream or any other process.

Example 163. Collecting AIX Audit Logs

This example reads AIX audit logs from the /dev/audit device file.

nxlog.conf
1 <Input in>
2 Module im_aixaudit
3 DeviceFile /dev/audit
4 </Input>

Custom Programs
The im_exec module allows log data to be collected from custom external programs.

Example 164. Using an External Command

This example uses the tail command to read from a file.

The im_file module should be used to read log messages from files. This example only
NOTE
demonstrates the use of the im_exec module.

nxlog.conf
1 <Input exec>
2 Module im_exec
3 Command /usr/bin/tail
4 Arg -f
5 Arg /var/adm/ras/errlog
6 </Input>

DNS Monitoring
Logs can be collected from BIND 9.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity
Monitoring.

264
Example 165. Monitoring File Integrity

This example monitors files in the /etc and /srv directories, generating events when files are modified
or deleted. Files ending in .bak are excluded from the watch list.

nxlog.conf
1 <Input fim>
2 Module im_fim
3 File "/etc/*"
4 File "/srv/*"
5 Exclude "*.bak"
6 Digest sha1
7 ScanInterval 3600
8 Recursive TRUE
9 </Input>

Local Syslog
Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog
format can be collected with im_file. In both cases, the xm_syslog module can be used to parse the events.
See Collecting and Parsing Syslog for more information.

Example 166. Reading Syslog Messages From File

This example reads Syslog messages from /var/log/messages and parses them with the parse_syslog()
procedure.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/messages"
8 Exec parse_syslog();
9 </Input>

Log Files
The im_file module can be used to collect events from log files.

Example 167. Reading From Log Files

This configuration reads messages from the /opt/test/input.log file. No parsing is performed; each
line is available in the $raw_event field.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/opt/test/input.log"
4 </Input>

Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.

265
Example 168. Reading Process Accounting Logs

This configuration turns on process accounting (using /tmp/nxlog.acct as the log file) and watches for
messages.

nxlog.conf
1 <Input acct>
2 Module im_acct
3 AcctOn TRUE
4 File "/tmp/nxlog.acct"
5 </Input>

266
Chapter 33. FreeBSD
NXLog can collect various types of system logs on FreeBSD platforms. For deployment details, see the supported
FreeBSD platforms, FreeBSD installation, and monitoring.

Basic Security Mode (BSM) Auditing

The im_bsm module collects logs generated by the BSM auditing system.

Example 169. Collecting BSM Audit Logs

This example reads BSM audit logs from the /dev/auditpipe device file.

nxlog.conf
1 <Input bsm>
2 Module im_bsm
3 DeviceFile /dev/auditpipe
4 </Input>

Custom Programs
The im_exec module allows log data to be collected from custom external programs.

Example 170. Using an External Command

This example uses the tail command to read from a file.

The im_file module should be used to read log messages from files. This example only
NOTE
demonstrates the use of the im_exec module.

nxlog.conf
1 <Input exec>
2 Module im_exec
3 Command /usr/bin/tail
4 Arg -f
5 Arg /var/log/messages
6 </Input>

DNS Monitoring
Logs can be collected from BIND 9.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity
Monitoring.

267
Example 171. Monitoring File Integrity

This example monitors files in the /etc and /srv directories, generating events when files are modified
or deleted. Files ending in .bak are excluded from the watch list.

nxlog.conf
1 <Input fim>
2 Module im_fim
3 File "/etc/*"
4 File "/srv/*"
5 Exclude "*.bak"
6 Digest sha1
7 ScanInterval 3600
8 Recursive TRUE
9 </Input>

Kernel
Logs from the kernel can be collected directly with the im_kernel module.

The system logger may need to be disabled or reconfigured to collect logs with im_kernel. To
NOTE completely disable syslogd on FreeBSD, run service syslogd onestop and sysrc
syslogd_enable=NO.

Example 172. Collecting Kernel Logs

This configuration reads events from the kernel.

nxlog.conf
1 <Input kernel>
2 Module im_kernel
3 </Input>

Local Syslog
Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog
format can be collected with im_file. In both cases, the xm_syslog module can be used to parse the events.
See the Linux System Logs and Collecting and Parsing Syslog sections for more information.

Example 173. Reading Syslog Messages From File

This example reads Syslog messages from /var/log/messages and parses them with the parse_syslog()
procedure.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/messages"
8 Exec parse_syslog();
9 </Input>

268
Log Files
The im_file module can be used to collect events from log files.

Example 174. Reading From Log Files

This configuration reads messages from the /opt/test/input.log file. No parsing is performed; each
line is available in the $raw_event field.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/opt/test/input.log"
4 </Input>

Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.

Example 175. Reading Process Accounting Logs

This configuration turns on process accounting (using /var/account/acct as the log file) and watches
for messages.

nxlog.conf
1 <Input acct>
2 Module im_acct
3 AcctOn TRUE
4 File "/var/account/acct"
5 </Input>

269
Chapter 34. OpenBSD
NXLog can collect various types of system logs on OpenBSD platforms. For deployment details, see the
supported OpenBSD platforms, OpenBSD installation, and monitoring.

Basic Security Mode (BSM) Auditing

The im_bsm module collects logs generated by the BSM auditing system.

NOTE OpenBSD does not support BSM Auditing.

Example 176. Collecting BSM Audit Logs

This example reads BSM audit logs from the /dev/auditpipe device file.

nxlog.conf
1 <Input bsm>
2 Module im_bsm
3 DeviceFile /dev/auditpipe
4 </Input>

Custom Programs
The im_exec module allows log data to be collected from custom external programs.

Example 177. Using an External Command

This example uses the tail command to read from a file.

The im_file module should be used to read log messages from files. This example only
NOTE
demonstrates the use of the im_exec module.

nxlog.conf
1 <Input exec>
2 Module im_exec
3 Command /usr/bin/tail
4 Arg -f
5 Arg /var/log/messages
6 </Input>

DNS Monitoring
Logs can be collected from BIND 9.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity
Monitoring.

270
Example 178. Monitoring File Integrity

This example monitors files in the /etc and /srv directories, generating events when files are modified
or deleted. Files ending in .bak are excluded from the watch list.

nxlog.conf
1 <Input fim>
2 Module im_fim
3 File "/etc/*"
4 File "/srv/*"
5 Exclude "*.bak"
6 Digest sha1
7 ScanInterval 3600
8 Recursive TRUE
9 </Input>

Kernel
Logs from the kernel can be collected directly with the im_kernel module. See Linux System Logs.

The system logger may need to be disabled or reconfigured to collect logs with im_kernel. To
NOTE completely disable syslogd on OpenBSD, run rcctl stop syslogd and rcctl disable
syslogd.

Example 179. Collecting Kernel Logs

This configuration reads events from the kernel.

nxlog.conf
1 <Input kernel>
2 Module im_kernel
3 </Input>

Local Syslog
Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog
format can be collected with im_file. In both cases, the xm_syslog module can be used to parse the events.
See the Linux System Logs and Collecting and Parsing Syslog sections for more information.

Example 180. Reading Syslog Messages From File

This example reads Syslog messages from /var/log/messages and parses them with the parse_syslog()
procedure.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/messages"
8 Exec parse_syslog();
9 </Input>

271
Log Files
The im_file module can be used to collect events from log files.

Example 181. Reading From Log Files

This configuration reads messages from the /opt/test/input.log file. No parsing is performed; each
line is available in the $raw_event field.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/opt/test/input.log"
4 </Input>

Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.

Example 182. Reading Process Accounting Logs

This configuration turns on process accounting (using /var/account/acct as the log file) and watches
for messages.

nxlog.conf
1 <Input acct>
2 Module im_acct
3 AcctOn TRUE
4 File "/var/account/acct"
5 </Input>

272
Chapter 35. GNU/Linux
NXLog can collect various types of system logs on GNU/Linux platforms. For deployment details, see the
supported Linux platforms and the corresponding installation page for RHEL/CentOS, Debian/Ubuntu, or SLES.
Notes are also available about hardening and monitoring NXLog on Linux.

Custom Programs and Scripts

The im_exec module allows log data to be collected from custom external programs. The im_perl, im_python
and im_ruby modules can also be used to implement integration with custom data sources or sources that
are not supported out-of-the-box.

The perlfcount add-on can be used to collect system information and statistics on Linux platforms.

DNS Monitoring
Logs can be collected from BIND 9 on Linux.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See Monitoring
on Linux.

Kernel
The im_kernel module reads logs directly from the kernel log buffer. These logs can be parsed with
xm_syslog. See the Linux System Logs section.

Linux Audit System

The im_linuxaudit module can be used to collect Audit System logs directly from the kernel without using
auditd or temporary log files. Audit logs can also be collected from file with im_file, or over the network by
using im_tcp in conjunction with audisp-remote (a plugin for the audit event dispatcher daemon, audispd,
that performs remote logging). See Linux Audit System for more details.

Local Syslog
Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog
format can be collected with im_file. In each case, the xm_syslog module can be used to parse the events. See
the Linux System Logs and Collecting and Parsing Syslog sections for more information.

Log Databases
Events can be read from databases with the im_dbi, im_oci, and im_odbc modules.

Log Files
The im_file module can be used to collect events from log files.

Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.
This overlaps with Audit System logging.

273
Chapter 36. Apple macOS
NXLog can collect various types of system logs on the macOS platform. For deployment details, see the
supported macOS platforms and macOS installation.

Apple System Logs Files

The im_file and xm_asl modules can be used to collect and parse Apple System Log (*.asl) files.

Example 183. Reading and Parsing Apple System Logs

This example reads events from input.asl and parses them with the xm_asl parser.

nxlog.conf
1 <Extension asl_parser>
2 Module xm_asl
3 </Extension>
4
5 <Input in>
6 Module im_file
7 # Example: "/var/log/asl/*"
8 File "foo/input.asl"
9 InputType asl_parser
10 Exec delete($EventReceivedTime);
11 </Input>

Basic Security Mode (BSM) Auditing

The im_bsm module collects logs directly from the BSM auditing system.

Example 184. Collecting BSM Audit Logs From the Kernel

This configuration reads BSM audit logs directly from the kernel with the im_bsm module.

nxlog.conf
1 Group wheel
2
3 <Input bsm>
4 Module im_bsm
5 DeviceFile /dev/auditpipe
6 </Input>

Alternatively, BSM logs can be read from the log files.

274
Example 185. Reading BSM Audit Logs From File

This configuration reads from the BSM audit log files with im_file and parses the events with xm_bsm.

nxlog.conf
1 Group wheel
2
3 <Extension bsm_parser>
4 Module xm_bsm
5 </Extension>
6
7 <Input bsm>
8 Module im_file
9 File '/var/audit/*'
10 InputType bsm_parser
11 </Input>

Custom Programs
The im_exec module allows log data to be collected from custom external programs.

Example 186. Using an External Command

This example uses the tail command to read from a file.

The im_file module should be used to read log messages from files. This example only
NOTE
demonstrates the use of the im_exec module.

nxlog.conf
1 <Input systemlog>
2 Module im_exec
3 Command /usr/bin/tail
4 Arg -f
5 Arg /var/log/system.log
6 </Input>

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity
Monitoring.

Example 187. Monitoring File Integrity

This configuration watches for changes to files and directories under /bin and /usr/bin/.

nxlog.conf
1 <Input fim>
2 Module im_fim
3 File "/bin/*"
4 File "/usr/bin/*"
5 ScanInterval 3600
6 Recursive TRUE
7 </Input>

Kernel
Logs from the kernel can be collected directly with the im_kernel module or via the local log file with im_file.

275
For log collection details, see macOS Kernel.

Local Syslog
Events written to file in Syslog format can be collected with im_file. The xm_syslog module can be used to
parse the events. See the Syslog section for more information.

Example 188. Reading Syslog Messages From File

This configuration file collects system logs from /var/log/system.log. This method does not read
from /dev/klog directly, so it is not necessary to disable syslogd.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/system.log"
8 Exec parse_syslog();
9 </Input>

Log Files
The im_file module can be used to collect events from log files.

Example 189. Reading From Log Files

This configuration uses the im_file module to read events from the specified log file.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/foo/in.log"
4 </Input>

Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.

Example 190. Reading Process Accounting Logs

With this configuration file, NXLog will enable process accounting to the specified file and reads events
from it.

nxlog.conf
1 Group wheel
2
3 <Input acct>
4 Module im_acct
5 File '/var/log/acct'
6 AcctOn TRUE
7 </Input>

276
Chapter 37. Oracle Solaris
NXLog can collect various types of system logs on the Solaris platform. For deployment details, see the
supported Solaris platforms, Solaris installation, and monitoring.

Basic Security Mode (BSM) Auditing

The xm_bsm module can be used to parse logs collected with im_file.

Example 191. Collect BSM Audit Logs From the Kernel

This example configuration reads from files in /var/audit with im_file. The InputType provided by
xm_bsm is used to parse the binary format.

nxlog.conf
1 <Extension bsm_parser>
2 Module xm_bsm
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File '/var/audit/*'
8 InputType bsm_parser
9 </Input>

Custom Programs
The im_exec module allows log data to be collected from custom external programs.

Example 192. Using an External Command

This example uses the tail command to read from a file.

The im_file module should be used to read log messages from files. This example only
NOTE
demonstrates the use of the im_exec module.

nxlog.conf
1 <Input systemlog>
2 Module im_exec
3 Command /usr/bin/tail
4 Arg -f
5 Arg /var/log/syslog
6 </Input>

DNS Monitoring
Logs can be collected from BIND 9.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity
Monitoring.

277
Example 193. Monitoring File Integrity

This configuration watches for changes to files and directories under /usr/bin/.

nxlog.conf
1 <Input fim>
2 Module im_fim
3 File "/usr/bin/*"
4 Digest SHA1
5 ScanInterval 3600
6 Recursive TRUE
7 </Input>

Local Syslog
Events written to file in Syslog format can be collected with the im_file module and parsed with the xm_syslog
module. See Collecting and Parsing Syslog for more information.

Example 194. Reading Syslog Messages From File

This example uses the im_file module to read messages from /var/log/messages and the xm_syslog
parse_syslog() procedure to parse them.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input in>
6 Module im_file
7 File "/var/log/messages"
8 Exec parse_syslog();
9 </Input>

Log Files
The im_file module can be used to collect events from log files.

Example 195. Reading From Log Files

This configuration uses the im_file module to read events from the specified log file.

nxlog.conf
1 <Input in>
2 Module im_file
3 File "/foo/input.log"
4 </Input>

Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes.

278
Example 196. Reading Process Accounting Logs

With this configuration file, NXLog will enable process accounting to the specified file and read events
from it.

nxlog.conf
1 <Input acct>
2 Module im_acct
3 AcctOn TRUE
4 File '/tmp/nxlog.acct'
5 </Input>

279
Chapter 38. Microsoft Windows
NXLog can collect various types of system logs on the Windows platform. For deployment details, see the
supported Windows platforms and Windows installation. Notes are also available about hardening and
monitoring NXLog on Windows.

Custom Programs
The im_exec module allows log data to be collected from custom external programs.

DHCP Monitoring
DHCP logging can be set up for Windows DHCP Server using the im_file module by reading DHCP audit logs
directly from CSV files. Alternatively, the im_msvistalog module can be used to collect DHCP Server or Client
event logs from the built-in channels in Windows Event Log.

DNS Monitoring
DNS logging can be set up for Windows DNS Server using either ETW tracing or debug logging.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity
Monitoring on Windows.

Log Databases
Events can be read from databases with the im_odbc module. Some products write logs to SQL Server
databases; see the Microsoft System Center Operations Manager section for an example.

Log Files
The im_file module can be used to collect events from log files.

Microsoft Active Directory Domain Controller

Troubleshoot Active Directory domain controllers by integrating DCs as log sources.

Microsoft Exchange
Logs generated by Microsoft Exchange can be used as a source for log collection with many log types
supported.

Microsoft IIS
IIS can be configured to write logs in W3C format, which can be read with im_file and parsed with xm_w3c or
xm_csv. Other formats can be parsed with other methods. See Microsoft IIS.

Microsoft .NET applications

Capture logs directly from Microsoft .NET applications using third-party utilities.

Microsoft SharePoint
Collect the various types of logs generated by Microsoft SharePoint, parse the ULS into another format, and
send.

Microsoft SQL Server

Log messages can be collected from the Microsoft SQL Server error log files with the im_file module. See
Microsoft SQL Server.

Microsoft System Center Operations Manager (SCOM)

Logs recorded in Microsoft System Center Operations Manager databases can be collected with the im_odbc
module.

Registry Monitoring
The Windows Registry can be monitored for changes; see the im_regmon module. For an example ruleset,

280
see the regmon-rules add-on.

Snare
Windows Event Log data can be converted to Snare format as needed for some third-party integrations.

Sysmon
Many additional audit events can be generated with the Sysmon utility, including process creation, system
driver loading, network connections, and modification of file creation timestamps. These events are written to
the Event Log. See the Sysmon section for more information.

Windows Applocker
Collecting event logs from Windows AppLocker is supported by using the im_msvistalog or the other Windows
Event Log modules.

Windows Event Tracing (ETW)

Events logged through ETW can be collected with the im_etw module. This includes events logged to the
Analytical and Debug logs.

Windows Event Log

See the Windows Event Log section, which covers both local and remote event collection with the
im_msvistalog, im_wseventing, and im_mseventlog modules.

Windows Firewall
Windows Firewall logs can be collected with the im_file module from the Advanced Security log. Alternatively,
the im_msvistalog module can be used to collect Windows Firewall events from Windows Event Log.

Windows Management Instrumentation (WMI)

WMI event logs can be read directly from Windows Event Log by using the im_msvistalog module. WMI events
can also be collected via ETW directly using the im_etw module. Reading WMI log files utilizing the im_file
module is also supported.

Windows Performance Counters

The im_winperfcount module can be used for collecting data such as CPU and memory usage.

Windows Powershell
PowerShell scripts can be integrated for log processing tasks and configuration generation (for example,
Azure SQL Database); see Using PowerShell Scripts. It is also possible to collect Powershell activity logs.

281
Integration

282
Chapter 39. Amazon Web Services (AWS)
AWS is a subsidiary of Amazon that provides various cloud computing services.

39.1. Amazon CloudWatch

Amazon CloudWatch is a set of cloud monitoring services. The CloudWatch Logs service can be used to collect
log data from Elastic Compute Cloud (EC2), CloudTrail, Route 53, and other sources. See the CloudWatch
documentation for more information about configuring and using CloudWatch Logs.

NXLog can be set up to retrieve CloudWatch log streams in either of two ways:

• NXLog can connect to the CloudWatch API using the Boto 3 client and poll for logs at regular intervals. This is
suitable when a short delay in log collection is acceptable.
• Or, AWS Lambda can be set up to push log data to NXLog via HTTP. This method offers low latency log
collection.

39.1.1. Pulling Logs via the CloudWatch API

1. A service account must be created for accessing the log data. In the AWS web interface, go to Services >
IAM.
2. Click the Users option in the left-side panel and click the Add user button.
3. Provide a User name, for example nxlog. Tick the checkbox to allow Programmatic access to this account.

4. Choose to Attach existing policies directly and select the CloudWatchLogsReadOnly policy. Click Next:
Review and then Create user.

283
5. Save access keys for this user and Close.
6. Install and configure Boto 3, the AWS SDK for Python. See the Boto 3 Quickstart and Credentials
documentation for more details.
7. Edit the region_name and group_name variables in the cloudwatch.py script, as necessary.

8. Configure NXLog to execute the script with the im_python module.

284
Example 197. Using a Amazon CloudWatch Add-On

This example NXLog configuration uses im_python to execute the CloudWatch add-on script. The xm_json
parse_json() procedure is then used is parse the JSON log data into fields.

nxlog.conf
1 <Extension _json>
2 Module xm_json
3 </Extension>
4
5 <Input py>
6 Module im_python
7 PythonCode cloudwatch.py
8 Exec parse_json();
9 </Input>

cloudwatch.py (truncated)
import nxlog, boto3, json, time

class LogReader:
def __init__(self, time_interval):
client = boto3.client('logs', region_name='eu-central-1')

self.lines = ""
all_streams = []
group_name = '<ENTER GROUP NAME HERE>'

#query CloudWatch for all log streams in the group

stream_batch = client.describe_log_streams(logGroupName=group_name)
all_streams += stream_batch['logStreams']
start_time = int(time.time()-time_interval)*1000
end_time = int(time.time())*1000

while 'nextToken' in stream_batch:

stream_batch = client.describe_log_streams(
[...]

39.1.2. Accepting Log Data From Lambda via HTTP

Using a push model follows an event-driven computing approach and allows for low latency. In this scenario, an
AWS Lambda function sends log data in JSON format with the HTTP POST method. NXLog listens for connections
and accepts log data.

1. In the AWS web interface, go to Services › Lambda and click the Create function button.

2. Click the Author from scratch button.

3. Provide the name for the function and select Create a new role from template(s) from the Role dropdown.
Enter a role name to be associated with this Lambda function. Then click the Create function button.

285
4. Under Function code select Upload a .ZIP file for Code entry type, select Python under Runtime, and
change the Handler name to lambda_function.lambda_handler.
5. Set the correct host and port in lambda_function.py, then upload a ZIP archive with that file (and
certificates, if needed). Click Save.

6. From the Configuration tab, change to the Triggers tab. Click + Add trigger.
7. Choose CloudWatch Logs as a trigger for the Lambda function. Select the log group that should be
forwarded and provide a Filter Name, then click Submit.

286
287
Example 198. Lambda Collection via HTTPS Input

In this example, the im_http module listens for connections from the Lambda script via HTTP. The xm_json
parse_json() procedure is then used to parse the JSON log data into fields.

nxlog.conf
1 <Extension _json>
2 Module xm_json
3 </Extension>
4
5 <Input http>
6 Module im_http
7 ListenAddr 127.0.0.1
8 Port 8080
9 HTTPSCertFile %CERTDIR%/server-cert.pem
10 HTTPSCertKeyFile %CERTDIR%/server-key.pem
11 HTTPSCAFile %CERTDIR%/ca.pem
12 HTTPSRequireCert TRUE
13 HTTPSAllowUntrusted FALSE
14 Exec parse_json();
15 </Input>

lambda_function.py
import json, base64, zlib, ssl, http.client

print('Loading function')

def lambda_handler(event, context):

compressed_logdata = base64.b64decode(event['awslogs']['data'])
logdata = zlib.decompress(compressed_logdata, 16+ zlib.MAX_WBITS)
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.load_verify_locations("ca.pem")

# For more details regarding the SSLContext.load_cert_chain()

# function, please refer to Python's ssl module documentation at
# <https://docs.python.org/3/library/ssl.html#ssl.SSLContext>
context.load_cert_chain("client.pem")

conn = http.client.HTTPSConnection("<HOST>:<PORT>", context=context)

conn.set_debuglevel(3)
headers = {"Content-type": "application/json"}
conn.request('POST', "", logdata, headers)
conn.close()

39.2. Amazon EC2

Amazon EC2 provides cloud-based virtual computing.

When running NXLog in EC2 instances, it may be helpful to include the current instance ID in the collected logs.
For more information about retrieving EC2 instance metadata and adding it to event data, see the Amazon Web
Services section of the Cloud Instance Metadata chapter.

39.3. Amazon Simple Storage Service (S3)

Amazon S3 is a high availability, low-latency storage service offered by Amazon. For more information, see the
AWS Amazon S3 Overview.

288
NXLog can be set up to send log data to S3 storage or read log data from S3 storage. For more information, see
the Amazon S3 add-on documentation.

289
Chapter 40. Apache HTTP Server
The Apache HTTP Server provides very comprehensive and flexible logging capabilities. A brief overview is
provided in the following sections. See the Log Files section of the Apache HTTP Server Documentation for more
detailed information about configuring logging.

40.1. Error Log

Apache error logging is controlled by the ErrorLog, ErrorLogFormat, and LogLevel directives. The error log can
be parsed by NXLog with a regular expression.

290
Example 199. Using the Apache Error Log

The following directives enable error logging of all messages at or above the "informational" severity level,
in the specified format, to the specified file. The ErrorLogFormat defined below is equivalent to the
default, which includes the timestamp, the module producing the message, the event severity, the process
ID, the thread ID, the client address, and the detailed error message.

apache2.conf
LogLevel info
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] [client %a] %M"
ErrorLog /var/log/apache2/error.log

The following is a typical log message generated by the Apache HTTP Server, an NXLog configuration for
parsing it, and the resulting JSON.

Log Sample
[Tue Aug 01 07:17:44.496832 2017] [core:info] [pid 15019:tid 140080326108928] [client
192.168.56.1:60154] AH00128: File does not exist: /var/www/html/notafile.html↵

nxlog.conf
1 <Input apache_error>
2 Module im_file
3 File '/var/log/apache2/error.log'
4 <Exec>
5 if $raw_event =~ /(?x)^\[\S+\ ([^\]]+)\]\ \[(\S+):(\S+)\]\ \[pid\ (\d+):
6 tid\ (\d+)\]\ (\[client\ (\S+)\]\ )?(.+)$/
7 {
8 $EventTime = parsedate($1);
9 $ApacheModule = $2;
10 $ApacheLogLevel = $3;
11 $ApachePID = $4;
12 $ApacheTID = $5;
13 if $7 != '' $ClientAddress = $7;
14 $Message = $8;
15 }
16 </Exec>
17 </Input>

Output Sample
{
"EventReceivedTime": "2017-08-01T07:17:45.641190+02:00",
"SourceModuleName": "apache_error",
"SourceModuleType": "im_file",
"EventTime": "2017-08-01T07:17:44.496832+02:00",
"ApacheModule": "core",
"ApacheLogLevel": "info",
"ApachePID": "15019",
"ApacheTID": "140080317716224",
"ClientAddress": "192.168.56.1:60026",
"Message": "AH00128: File does not exist: /var/www/html/notafile.html"
}

40.2. Access Log

The access log file and format are configured with the LogFormat and CustomLog directives. The LogFormat
directive is used to define a format, while the CustomLog directive configures logging to a specified file in one of
the defined formats. Multiple CustomLog directives can be used to enable logging to multiple files.

291
There are several options for handling logging when using virtual hosts. The examples below, when specified in
the main server context (not in a <VirtualHost> section) will log all requests exactly as with a single-host server.
The %v format string can be added, if desired, to log the name of the virtual server responding to the request.
Alternatively, the CustomLog directive can be specified inside a <VirtualHost> section, in which case only the
requests served by that virtual server will be logged to the file.

Pre-defined format strings for the Common Log and Combined Log Formats may be included by
NOTE default. These pre-defined formats may use %O (the total sent including headers) instead of the
standard %b (the size of the requested file) in order to allow detection of partial requests.

Example 200. Using the Common Log Format for the Access Log

The LogFormat directive below creates a format named common that corresponds to the Common Log
Format. The second directive configures the Apache HTTP Server to write entries to the access_log file in
the common format.

apache2.conf
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/apache2/access_log common

Example 201. Using the Combined Log Format for the Access Log

The following directives will configure the Apache HTTP Server to write entries to the access_log file in the
Combined Log Format.

apache2.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/access_log combined

NXLog configuration examples for parsing these access log formats can be found in the Common & Combined
Log Formats section.

292
Chapter 41. Apache Tomcat
Apache Tomcat provides flexible logging that can be configured for different transports and formats.

Example 202. Collecting Apache Tomcat Logs

Here is a log sample consisting of three events. The log message of the second event spans multiple lines.

Log Sample
2001-01-25 17:31:42,136 INFO [org.nxlog.somepackage.Class] - single line↵
2001-01-25 17:41:16,268 ERROR [org.nxlog.somepackage.Class] - Error retrieving names: ; nested
exception is:↵
java.net.ConnectException: Connection refused↵
AxisFault↵
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException↵
faultSubcode:↵
faultString: java.net.ConnectException: Connection refused↵
faultActor:↵
faultNode:↵
faultDetail:↵
{http://xml.apache.org/axis/}stackTrace:java.net.ConnectException: Connection refused↵
2001-01-25 17:57:38,469 INFO [org.nxlog.somepackage.Class] - third log message↵

In order to parse and process multiple line log messages, the xm_multiline module can be used. In this
example, a regular expression match determines the beginning of a log message.

nxlog.conf
1 define REGEX /(?x)^(?<EventTime>\d{4}\-\d{2}\-\d{2}\ \d{2}\:\d{2}\:\d{2}),\d{3}\ \
2 (?<Severity>\S+)\ \[(?<Class>\S+)\]\ \-\ (?<Message>[\s\S]+)/
3
4 <Extension multiline>
5 Module xm_multiline
6 HeaderLine %REGEX%
7 </Extension>
8
9 <Input log4j>
10 Module im_file
11 File "/var/log/tomcat6/catalina.out"
12 InputType multiline
13 Exec if $raw_event =~ %REGEX% $EventTime = parsedate($EventTime);
14 </Input>

293
Chapter 42. APC Automatic Transfer Switch
The APC Automatic Transfer Switch (ATS) is capable of sending its logs to a remote Syslog destination via UDP.

Log Sample
Date Time Event↵
------------------------------------------------------------------------↵
03/26/2017 16:20:55 Automatic Transfer Switch: Communication↵
established.↵
03/26/2017 16:20:45 System: Warmstart.↵
03/26/2017 16:19:13 System: Detected an unauthorized user attempting↵
to access the SNMP interface from 192.168.15.11.↵

The ATS is an independent device, so if there more than one installed in a particular environment the
configuration below must be applied to each device individually. For more details about configuring APC ATS
logging, go to the APC Support Site and select the product name or part number.

The steps below have been tested on AP7700 series devices and should work for other ATS
NOTE
models also.

1. Configure NXLog for receiving log entries via UDP (see the example below). Then restart NXLog.
2. Make sure the NXLog agent is accessible from the device.
3. Configure Syslog logging on the ATS using either the web interface or the command line. See the following
sections.

Example 203. Receiving Logs from APC ATS

The following examples shows the ATS logs as received and processed by NXLog.

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Extension _json>
6 Module xm_json
7 </Extension>
8
9 <Input in_syslog_udp>
10 Module im_udp
11 Host 0.0.0.0
12 Port 514
13 Exec parse_syslog();
14 </Input>
15
16 <Output file>
17 Module om_file
18 File "/var/log/apc.log"
19 Exec to_json();
20 </Output>

Logs like the example at the beginning of the chapter will produce output as follows.

294
Output Sample
{
"MessageSourceAddress": "192.168.15.22",
"EventReceivedTime": "2017-03-26 17:03:27",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 23,
"SyslogFacility": "LOCAL7",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.15.22",
"EventTime": "2017-03-26 16:04:18",
"SourceName": "System",
"Message": "Detected an unauthorized user attempting to access the SNMP interface from
192.168.15.11. 0x0004"
}
{
"MessageSourceAddress": "192.168.15.22",
"EventReceivedTime": "2017-03-26 17:20:04",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 23,
"SyslogFacility": "LOCAL7",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.15.22",
"EventTime": "2017-03-26 16:20:54",
"SourceName": "System",
"Message": "Warmstart. 0x0002"
}
{
"MessageSourceAddress": "192.168.15.22",
"EventReceivedTime": "2017-03-26 17:20:04",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 23,
"SyslogFacility": "LOCAL7",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.15.22",
"EventTime": "2017-03-26 16:20:55",
"Message": "Automatic Transfer Switch: Communication established. 0x0C05"
}

42.1. Configuring via the Web Interface

1. Log in to the web panel.
2. Go to Network › Syslog.

3. Enable Syslog.
4. Select the Facility.

295
5. Add up to four Syslog servers and a port for each.
6. Map the Local Severity to the Syslog Severity as required.

7. Click [ Apply ].

42.2. Configuring via the Command Line

1. Log in to the ATS via Telnet.
2. Type 2 and then 9 to go to the Syslog settings.
3. Type 1 to configure the Syslog settings.
4. Type 1 to enable Syslog.
5. Type 2 to configure the Syslog facility.
6. Type 3 to save the changes.
7. Press ESC to go one level up.
8. Select one of the four Syslog server slots.
9. Type 1 to set the Syslog server IP address.
10. Type 2 to change set the UDP port number.
11. Type 3 to apply the changes.
12. Press ESC to go one level up.
13. Type 6 to map the local severity to the Syslog severity.
14. Use options from 1 to 4 to choose the mapping.
15. Type 5 to accept the changes.

296
Example 204. ATS Syslog Settings

The following shows the Syslog settings screen, which is shown after completing step 2 above.

------- Syslog ---------------------------------------------------------

Syslog Settings Severity Mapping

--------------------------------------------------------------------
Syslog : Enabled Severe : DEBUG Info: DEBUG
Facility: LOCAL7 Warning: DEBUG None: DEBUG

# Syslog Server Port IP

--------------------------------------------------------------------
1 514 192.168.15.251
2 514 0.0.0.0
3 514 0.0.0.0
4 514 0.0.0.0

1- Settings
2- Server 1
3- Server 2
4- Server 3
5- Server 4
6- Severity Mapping

<ESC>- Back, <ENTER>- Refresh, <CTRL-L>- Event Log

> 1

297
Chapter 43. Apple macOS Kernel
NXLog supports different ways of collecting Apple macOS kernel logs:

• Collect directly with the im_kernel module, which requires disabling syslogd.
• Collect via the local log file with im_file; see Local Syslog below.

Example 205. Collecting Kernel Logs Directly

This configuration uses the im_kernel module to read events directly from the kernel (via /dev/klog).
This requires that syslogd be disabled as follows:

1. Unload the daemon.

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

2. Rename plist to keep syslogd from starting again at the next reboot.

$ sudo mv /System/Library/LaunchDaemons/com.apple.syslogd.plist \
/System/Library/LaunchDaemons/com.apple.syslogd.plist.disabled

nxlog.conf
1 <Extension _syslog>
2 Module xm_syslog
3 </Extension>
4
5 <Input kernel>
6 Module im_kernel
7 Exec parse_syslog_bsd();
8 </Input>

Newer versions of Apple macOS use ULS (Unified Logging System) with SIP (System Integrity Protection) and
users are unable to easily disable syslogd while keeping SIP enabled. For this setup, you can leverage the
im_exec module to collect from /usr/bin/log stream --style=json --type=log.

298
Example 206. Collecting ULS Kernel Logs from /usr/bin/log

This configuration uses the im_exec module to read events from the kernel (via /usr/bin/log) and
parses the data with the xm_json module.

nxlog.conf
1 <Extension json>
2 Module xm_json
3 </Extension>
4
5 <Extension multiline>
6 Module xm_multiline
7 HeaderLine /^\[{|^},{/
8 </Extension>
9
10 <Input in>
11 Module im_exec
12 Command /usr/bin/log
13 Arg stream
14 Arg --style=json
15 Arg --type=log
16 InputType multiline
17 <Exec>
18 $raw_event =~ s/^\[{|^},{/{/;
19 $raw_event =~ s/\}]$//;
20 $raw_event = $raw_event + "\n}";
21 parse_json();
22 </Exec>
23 </Input>

299
Chapter 44. ArcSight Common Event Format (CEF)
NXLog can be configured to collect or forward logs in Common Event Format (CEF). NXLog Enterprise Edition
provides the xm_cef module for parsing and generating CEF.

CEF is a text-based log format developed by ArcSight™ and used by HP ArcSight™ products. It uses Syslog as
transport. The full format includes a Syslog header or "prefix", a CEF "header", and a CEF "extension". The
extension contains a list of key-value pairs. Standard key names are provided, and user-defined extensions can
be used for additional key names. In some cases, CEF is used with the Syslog header omitted.

44.1. Collecting and Parsing CEF

NXLog Enterprise Edition can be configured to collect and parse CEF logs with the xm_cef module.

The ArcSight™ Logger can be configured to send CEF logs via TCP with the following steps.

1. Log in to the Logger control panel.

2. Browse to Configuration › Data › Forwarders.

3. Click Add to create a new Forwarder:

◦ Name: nxlog

◦ Type: TCP Forwarder

◦ Type of Filter: Unified Query

4. Click Next to proceed to editing the new Forwarder:

◦ Query: (define as required)
◦ IP/Host: (enter the IP address or hostname of the system running NXLog)
◦ Port: 1514

5. Click Save.

300
Example 207. Receiving CEF Logs

With this configuration, NXLog will collect CEF logs via TCP, convert to plain JSON format, and save to file.

nxlog.conf
1 <Extension _cef>
2