Windows logging with NXLog Enterprise Edition

Microsoft Windows remains an important platform for most organizations, and as a result, establishes the importance for choosing a log collection solution capable of interacting with native Windows logging subsystems and their APIs.

Windows operating systems generate a variety of logs: the modern Applications and Services Logs as well as the legacy Windows logs for backwards compatibility with older Windows systems. Each of these logging facilities is further subdivided into specific categories and channels such as Admin, Operational, Analytic, and Debug logs, just to name a few. These log sources are accessed either interactively via Windows Event Log or programmatically via the Event Tracing for Windows (ETW) API. NXLog is capable of collecting all types of logs from any Windows system, either natively via ETW, directly from Windows Event Log, from local log files, or remotely from Windows systems that forward events over the network. It can even generate logs for various protocols by passively monitoring network traffic and capturing network packets being sent to Windows systems.

Windows Event Log

The Windows logging subsystem that collects and stores application, security, setup, system, and forwarded events is commonly referred to as Windows Event Log. The default user interface for searching, configuring, and viewing the logs it collects is the Event Viewer.

NXLog can connect directly to Windows Event Log natively, without any dependence on intermediate applications or layers. This solution provides a simple, secure, reliable, and efficient way of collecting logs from Windows Event Log.

Event Tracing for Windows (ETW)

Windows is deeply integrated with ETW, a powerful trace collection system that captures event data all the way down to the kernel level. Microsoft uses it to test the performance of new versions of Windows before they are released. In fact, Windows Performance Analyzer (WPA) was built on top of the structured data that ETW provides. Unlike conventional text-based logging, structured data can be forwarded as-is, directly to SIEMs for ingestion and analysis without any need for pre-processing.

Debug and Analytical event channels are based on ETW and cannot be collected via regular Windows Event Log channels. Various Windows services such as the Windows Firewall and DNS Server can also be configured to capture events using Windows Event Tracing.

NXLog is equipped with a module that reads event traces directly for maximum efficiency. Unlike other solutions, NXLog can query, filter, enrich, and forward ETW events to multiple destinations simultaneously without any need to write intermediate trace files to disk.

File-based logs

Since the release of Windows Vista and Windows Server 2008, log files are stored as EVTX files which has replaced the older EVT file format. Both are proprietary formats readable by the Microsoft Management Console (MMC) snap-in Eventvwr.msc.

NXLog is capable of reading EVTX and EVT files directly thus offering a quick and efficient means of processing and forwarding such logs.

Packet Capture

NXLog can also passively monitor network traffic and generate logs for various network protocols. Passive network monitoring can give you an insight on what happening on the network.

It can help you:

  • react faster to critical network events

  • discover security breaches

  • identify applications, services or servers maliciously using up bandwidth

  • identify traffic caused by malicious code

Features and benefits

The NXLog Enterprise Edition is one of the most feature rich log collector software for the Windows platform, offering outstanding log collection capabilities.

This section provides a list of the most notable features of NXLog covering the most important log sources on the Windows platform. Please note that the following list is by no means exhaustive. NXLog can capture and parse practically any logs generated on a Windows system.

Collect Windows Event Log locally or remotely

Learn how the im_msvistalog and the im_mseventlog modules can capture Windows Event Log data locally, or how to configure the im_msvistalog module to collect events generated on remote Windows systems. NXLog can even collect logs from Windows systems that do not have an NXLog agent installed. Instead, MSRPC is used to receive the events. To learn more about NXLog’s integration with Windows Event Log, see the Windows Event Log chapter in the NXLog User Guide dedicated to this integration topic.

Microsoft Share­point log collection support

Microsoft SharePoint Server provides many different types of logs. Logs are written to files, databases, and the Windows Event Log. NXLog can be configured to collect these logs following these steps.

Full coverage for Microsoft Exchange logs

Exchange stores most of its operational logs in a comma-delimited format similar to W3C. These files can be read with the im_file module when used in conjunction with the xm_w3c extension module.

In addition to the above, NXLog features a dedicated Exhange add-on that can be used to retrieve administrator audit logs and mailbox audit logs.

Collect WEF logs remotely from Linux or Windows

Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up and has only a few prerequisites. The WEF subscriber is a server that collects the forwarded events and is usually referred to as a Windows Event Collector (WEC). It can be implemented with NXLog on Linux and Windows as well.

Powershell support

PowerShell scripts can be used with NXLog for generating, processing, and forwarding logs, as well as for generating configuration content. Recent versions of Windows PowerShell also provide several features for logging PowerShell activity. NXLog can be configured to collect and parse these logs.

Microsoft SQL server compatibility

NXLog can collect Microsoft SQL server audit logs, read and parse MS SQL error logs, as well as read and write data to an MS SQL database. NXLog provides the im_odbc and om_odbc modules for reading and writing logs via ODBC.

Pull data from Windows Performance counters

NXLog supports querying the windows performance counters periodically with the im_winperfcount module in order to create an event record from the pulled data. Each event record contains a field for each counter and each field is named according to the name of the corresponding counter. With the provided configuration options, NXLog can be fine tuned to retrieve data on counters at specified intervals.

Native Event Tracing for Windows (ETW) log collection support

ETW is a tracing facility in Windows designed for efficient logging of both kernel and user-mode applications. Debug and Analytical channels are based on ETW and cannot be collected like other Windows Event Log channels. Windows services such as the Windows Firewall and DNS Server can be configured to log events through ETW. Unlike other solutions on the market, the im_etw module reads event tracing data directly for maximum efficiency.

Collect and parse Microsoft IIS logs

Microsoft Internet Information Server supports several logging formats including the W3C extended log file format. Because of this, it is recommended to collect IIS logs with the xm_w3c module that provides native support for this format. The logging format can be configured in IIS. See the Configuring Logging section in the NXLog User Guide for details.

Comprehensive Windows DNS server log collection support

DNS events are available from a number of sources. NXLog offers five general event logging facilities for monitoring DNS events generated by Windows DNS Server and its clients. DNS Logging via ETW Providers, File-based DNS Debug Logging, Collecting DNS Query Logs via Sysmon, Monitoring DNS Event Sources Using Windows Event Log, as well as Passive DNS Monitoring. With these logging facilities at its disposal, NXLog can collect all possible DNS related logs and relevant network traffic in order to provide a thorough overview of all DNS related activities.

Microsoft Active Directory Domain Controller logs

An Active Directory (AD) Domain Controller (DC) responds to security authentication requests within a Windows domain. Most DC logging, especially security-related activity, is provided via Windows Event Log. For a full list of Active Directory events with high potential criticality and a complete configuration for collecting them, see the Active Directory Security Events section in the NXLog User Guide.

DHCP Monitoring

Windows DHCP Server provides an audit logging feature that writes server activity events to log files (if configured) and generates events in Windows Event Log as well. NXLog can be configured to read and parse these logs. For more details about configuring logging and collecting Windows DHCP logs with NXLog, see the Windows DHCP Server section.

File Integrity Monitoring (FIM)

File Integrity Monitoring can be used to detect changes to files and directories. A file may be altered due to an update to a newer version, a security breach, or data corruption. File integrity monitoring helps organizations respond quickly and effectively to unexpected changes to files and is therefore a standard requirement for many regulatory compliance objectives. The im_fim module can be configured for monitoring any specified set of files. See File Integrity Monitoring on Windows for more details and examples.

Collecting Microsoft .NET applications

With NXLog, it is possible to capture logs directly from Microsoft .NET applications using third-party utilities. The .NET applications guide demonstrates how to set up these utilities with a sample .NET application and the corresponding NXLog configuration.

Collecting logs from Microsoft System Center Operations Manager (SCOM)

Microsoft System Center Operations Manager (SCOM) provides infrastructure monitoring across various services, devices, and operations from a single console. The activities related to these systems are recorded in SCOM’s databases which can be queried using SQL. The resulting data can be collected and forwarded by NXLog. Logs recorded in the SCOM databases can be collected with the im_odbc module.

Registry Monitoring

NXLog can periodically scan the Windows registry and generate event records if a change in the monitored registry entries is detected. See the im_regmon module for more information.

Sysmon compatibility and support

NXLog can be configured to capture and process audit logs generated by the Sysmon utility, which is a Windows system service and device driver that logs system activity to Windows Event Log. See our Sysmon integration guide on how to set up and configure Sysmon to work with NXLog.

Collecting Windows Applocker logs

Windows AppLocker allows administrators to create rules restricting which executables, scripts, and other files users are allowed to run. Since Windows AppLocker events are maintained by Windows Event Log, the im_msvistalog module can be used to collect Windows AppLocker logs.

Collecting Windows Firewall logs

Windows Firewall generates a variety of different types of logs: flat files, events in Windows Event Log, and event traces via Event Tracing for Windows (ETW). The Windows Firewall section of the NXLog User Guide explains the various methods of collecting Windows Firewall logs with NXLog.

Windows Management Instrumentation (WMI) logging support

The WMI system is an implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards. WMI event logs can be read directly from Windows Event Log by using the im_msvistalog module and natively via ETW using the im_etw module.

NXLog support and integration with Microsoft Windows

You can be rest assured that NXLog is certified for both Windows 2016 and 2019, as well as the Windows releases listed in the Supported Platforms section of the NXLog User Guide.

Windows 2542c
Windows 947d0

For deployment details, see the Windows installation section. Information regarding how to harden NXLog security on Windows can help your further secure your log data assets.

Improve your SCADA and ICS network security with NXLog Enterprise Edition

With the arrival of our latest version, we have expanded the capabilities of NXLog with a new passive network monitoring module that comes equipped with additional protocol parsers. We have also expanded our documentation to include a wealth of configurations written specifically for Industrial Control Systems.

NXLog Enterprise Edition now supports passive network monitoring on Windows systems, allowing greater visibility into what is happening on the network. Combined with the added support for industrial control protocols such as BacNet, IEEE DNP3, Profinet, Modbus, IEC 61850, IEC 60870-5-104 and S7comm, the NXLog Enterprise Edition offers new capabilities for hardening your security even further.

NXLog Enterprise Edition now offers industry-leading features for collecting logs in industrial environments.

Outstanding support for writing log data in multiple formats

One of the most important attributes of log data is its format. Choosing the the right format is crucial for producing readable log files. And even more important is the ability to choose formats that yield structured data which can be readily consumed by analytical systems, as opposed to unstructured text that will require extensive post-processing. The format affects information availability, readability, manageability, as well as storage requirements. NXLog supports multiple industry-standard formats such as:

  • CEF - Common Event Format (ArcSight)

  • LEEF - Log Event Extended Format (IBM QRadar)

  • GELF - Graylog Extended Log Format (Graylog)

  • Syslog RFC3164 - BSD Syslog protocol

  • Syslog RFC5424 - Syslog Protocol

  • JSON - JavaScript Object Notation

  • Snare or "Snare over Syslog" - Snare format with or without a Syslog header

NXLog’s support of such a large number of formats means you have more flexibility to work with almost any log source, SIEM, or any number of third- party products you have deployed, or plan to deploy in your enterprise.

Integration with third party products

In the world of Information Technology, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned.

NXLog’s forte is its support for practically any operating system found in enterprise computing environments. It seamlessly integrates with third-party solutions such as IBM QRadar, Rapid7, Splunk Enterprise, FireEye Helix, and Securonix, just to name a few. For a comprehensive list, visit our integrations page.

Documentation and product support

Our constantly updated, ever-growing documentation well exceeds 1,500 pages. It is a stand-alone product in itself. It is complete with configuration samples, real-world examples, and integration guides offering much more than a generic manual. Alongside this self-help resource, there is also a dedicated support team for our Enterprise customers which is available 24/7 with a world-class, 4-hour SLA.

Help meeting compliance mandates

Without the necessary tools to collect and send quality log data to SIEM platforms as well as meeting regulatory compliance and standards requirements at the same time, organizations may be unable to ensure proper information security and business continuity for their customers.

If your organization has business operations in one or more highly-regulated industries, you know how crucial it is to meet regulatory compliance and standards requirements in environments that generate an enormous volume of log data. NXLog Enterprise Edition can provide highly configurable, secure, centralized log collection solutions that can help your organization to meet your compliance mandates.

An essential part of most compliance requirements is to ensure the privacy and security of high-value, sensitive logs. NXLog Enterprise Edition can significantly mitigate security risks by using a flexible architecture for forwarding such data with end-to-end encryption, directly, and in real-time, to a centralized log collection server cluster configured for redundancy, either offsite, onsite, or mixed.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.