Windows logging with NXLog Enterprise Edition
Microsoft Windows remains an important platform for most organizations, and as a result, establishes the importance for choosing a log collection solution capable of interacting with native Windows logging subsystems and their APIs.
Collecting all types of logs from the Windows platform
Windows operating systems generate a variety of logs: the modern Applications and Services Logs as well as the legacy Windows logs for backwards compatibility with older Windows systems. Each of these logging facilities is further subdivided into specific categories and channels such as Admin, Operational, Analytic, and Debug logs, just to name a few. These log sources are accessed either interactively via Windows Event Log or programmatically via the Event Tracing for Windows (ETW) API. NXLog is capable of collecting all types of logs from any Windows system, either natively via ETW, directly from Windows Event Log, from local log files, or remotely from Windows systems that forward events over the network. It can even generate logs for various protocols by passively monitoring network traffic and capturing network packets being sent to Windows systems.
Windows Event Log
The Windows logging subsystem that collects and stores application, security, setup, system, and forwarded events is commonly referred to as Windows Event Log. The default user interface for searching, configuring, and viewing the logs it collects is the Event Viewer.
NXLog can connect directly to Windows Event Log natively, without any dependence on intermediate applications or layers. This solution provides a simple, secure, reliable, and efficient way of collecting logs from Windows Event Log.
Event Tracing for Windows (ETW)
Windows is deeply integrated with ETW, a powerful trace collection system that captures event data all the way down to the kernel level. Microsoft uses it to test the performance of new versions of Windows before they are released. In fact, Windows Performance Analyzer (WPA) was built on top of the structured data that ETW provides. Unlike conventional text-based logging, structured data can be forwarded as-is, directly to SIEMs for ingestion and analysis without any need for pre-processing.
Debug and Analytical event channels are based on ETW and cannot be collected via regular Windows Event Log channels. Various Windows services such as the Windows Firewall and DNS Server can also be configured to capture events using Windows Event Tracing.
NXLog is equipped with a module that reads event traces directly for maximum efficiency. Unlike other solutions, NXLog can query, filter, enrich, and forward ETW events to multiple destinations simultaneously without any need to write intermediate trace files to disk.
Since the release of Windows Vista and Windows Server 2008, log files are stored as EVTX files which has replaced the older EVT file format. Both are proprietary formats readable by the Microsoft Management Console (MMC) snap-in Eventvwr.msc.
NXLog is capable of reading EVTX and EVT files directly thus offering a quick and efficient means of processing and forwarding such logs.
NXLog can also passively monitor network traffic and generate logs for various network protocols. Passive network monitoring can give you an insight on what happening on the network.
It can help you:
- react faster to critical network events
- discover security breaches
- identify applications, services or servers maliciously using up bandwidth
- identify traffic caused by malicious code
The NXLog Enterprise Edition is one of the most feature rich log collector software for the Windows platform, offering outstanding log collection capabilities.
Features and benefits
This section provides a list of the most notable features of NXLog covering the most important log sources on the Windows platform. Please note that the following list is by no means exhaustive. NXLog can capture and parse practically any logs generated on a Windows system.
NXLog support and integration with Microsoft Windows
You can be rest assured that NXLog is certified for both Windows 2016 and 2019, as well as the Windows releases listed in the Supported Platforms section of the NXLog User Guide.
For deployment details, see the Windows installation section. Information regarding how to harden NXLog security on Windows can help your further secure your log data assets.
Improve your SCADA and ICS network security with NXLog Enterprise Edition
With the arrival of our latest version, we have expanded the capabilities of NXLog with a new passive network monitoring module that comes equipped with additional protocol parsers. We have also expanded our documentation to include a wealth of configurations written specifically for Industrial Control Systems.
NXLog Enterprise Edition now supports passive network monitoring on Windows systems, allowing greater visibility into what is happening on the network. Combined with the added support for industrial control protocols such as BacNet, IEEE DNP3, Profinet, Modbus, IEC 61850, IEC 60870-5-104 and S7comm, the NXLog Enterprise Edition offers new capabilities for hardening your security even further.
NXLog Enterprise Edition now offers industry-leading features for collecting logs in industrial environments.
Outstanding support for writing log data in multiple formats
One of the most important attributes of log data is its format. Choosing the the right format is crucial for producing readable log files. And even more important is the ability to choose formats that yield structured data which can be readily consumed by analytical systems, as opposed to unstructured text that will require extensive post-processing. The format affects information availability, readability, manageability, as well as storage requirements. NXLog supports multiple industry-standard formats such as:
- CEF - Common Event Format (ArcSight)
- LEEF - Log Event Extended Format (IBM QRadar)
- GELF - Graylog Extended Log Format (Graylog)
- Syslog RFC3164 - BSD Syslog protocol
- Syslog RFC5424 - Syslog Protocol
- Snare or "Snare over Syslog" - Snare format with or without a Syslog header
NXLog’s support of such a large number of formats means you have more flexibility to work with almost any log source, SIEM, or any number of third- party products you have deployed, or plan to deploy in your enterprise.
Integration with third party products
In the world of Information Technology, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned.
NXLog’s forte is its support for practically any operating system found in enterprise computing environments. It seamlessly integrates with third-party solutions such as IBM QRadar, Rapid7, Splunk Enterprise, FireEye Helix, and Securonix, just to name a few. For a comprehensive list, visit our integrations page.
Documentation and product support
Our constantly updated, ever-growing documentation well exceeds 1,500 pages. It is a stand-alone product in itself. It is complete with configuration samples, real-world examples, and integration guides offering much more than a generic manual. Alongside this self-help resource, there is also a dedicated support team for our Enterprise customers which is available 24/7 with a world-class, 4-hour SLA.
Build a scalable logging infrastructure
The ultimate log collection and centralization solution
Download and try NXLog Enterprise Edition
See our extended documentation and how to set up the tool
Getting a quote on pricing is easy