Windows logging with NXLog Platform

Microsoft Windows remains an important platform for most organizations, and as a result, establishes the importance for choosing a log collection solution capable of interacting with native Windows logging subsystems and their APIs.

Start free
30-day fully functional trial, no credit card required
Windows Logging

Collecting all types of logs from the Windows platform


Windows operating systems generate a variety of logs: the modern Applications and Services Logs as well as the legacy Windows logs for backwards compatibility with older Windows systems. Each of these logging facilities is further subdivided into specific categories and channels such as Admin, Operational, Analytic, and Debug logs, just to name a few. These log sources are accessed either interactively via Windows Event Log or programmatically via the Event Tracing for Windows (ETW) API. NXLog is capable of collecting all types of logs from any Windows system, either natively via ETW, directly from Windows Event Log, from local log files, or remotely from Windows systems that forward events over the network. It can even generate logs for various protocols by passively monitoring network traffic and capturing network packets being sent to Windows systems.

Windows Event Log

The Windows logging subsystem that collects and stores application, security, setup, system, and forwarded events is commonly referred to as Windows Event Log. The default user interface for searching, configuring, and viewing the logs it collects is the Event Viewer.

NXLog can connect directly to Windows Event Log natively, without any dependence on intermediate applications or layers. This solution provides a simple, secure, reliable, and efficient way of collecting logs from Windows Event Log.

Event Tracing for Windows (ETW)

Windows is deeply integrated with ETW, a powerful trace collection system that captures event data all the way down to the kernel level. Microsoft uses it to test the performance of new versions of Windows before they are released. In fact, Windows Performance Analyzer (WPA) was built on top of the structured data that ETW provides. Unlike conventional text-based logging, structured data can be forwarded as-is, directly to SIEMs for ingestion and analysis without any need for pre-processing.

Debug and Analytical event channels are based on ETW and cannot be collected via regular Windows Event Log channels. Various Windows services such as the Windows Firewall and DNS Server can also be configured to capture events using Windows Event Tracing.

NXLog is equipped with a module that reads event traces directly for maximum efficiency. Unlike other solutions, NXLog can query, filter, enrich, and forward ETW events to multiple destinations simultaneously without any need to write intermediate trace files to disk.

File-based logs

Since the release of Windows Vista and Windows Server 2008, log files are stored as EVTX files which has replaced the older EVT file format. Both are proprietary formats readable by the Microsoft Management Console (MMC) snap-in Eventvwr.msc.

NXLog is capable of reading EVTX and EVT files directly thus offering a quick and efficient means of processing and forwarding such logs.

Packet Capture

NXLog can also passively monitor network traffic and generate logs for various network protocols. Passive network monitoring can give you an insight on what happening on the network.

It can help you:

  • react faster to critical network events
  • discover security breaches
  • identify applications, services or servers maliciously using up bandwidth
  • identify traffic caused by malicious code


NXLog Platform is one of the most feature rich log collector software for the Windows platform, offering outstanding log management capabilities.

Features and benefits


This section provides a list of the most notable features of NXLog covering the most important log sources on the Windows platform. Please note that the following list is by no means exhaustive. NXLog can capture and parse practically any logs generated on a Windows system.

Windows Microsoft
Collect Windows Event Log locally or remotely
Microsoftsharepoint
Microsoft Share­point log collection support
Microsoftexchange Svgrepo Com
Full coverage for Microsoft Exchange logs
Linux
Collect WEF logs remotely from Linux or Windows
Powershell
Powershell support
Msql Server
Microsoft SQL server compatibility
Windows
Native Event Tracing for Windows (ETW) log collection support
Iis
Collect and parse Microsoft IIS logs
DNS
Comprehensive Windows DNS server log collection support
Research
DHCP Monitoring
Dot Net
Collecting Microsoft .NET applications
Scan Svgrepo Com
Registry Monitoring
Decode
Sysmon compatibility and support
Encryption
Collecting Windows Applocker logs
Firewall Svgrepo Com
Collecting Windows Firewall logs

NXLog support and integration with Microsoft Windows

You can be rest assured that NXLog is certified for both Windows 2016 and 2019, as well as the Windows releases listed in the Supported Platforms section of the NXLog User Guide.

For deployment details, see the Windows installation section. Information regarding how to harden NXLog security on Windows can help your further secure your log data assets.

Screenshot 2021 11 15 At 1530 05

Improve your SCADA and ICS network security with NXLog Platform

With the arrival of our latest version, we have expanded the capabilities of NXLog with a new passive network monitoring module that comes equipped with additional protocol parsers. We have also expanded our documentation to include a wealth of configurations written specifically for Industrial Control Systems.

NXLog Platform now supports passive network monitoring on Windows systems, allowing greater visibility into what is happening on the network. Combined with the added support for industrial control protocols such as BacNet, IEEE DNP3, Profinet, Modbus, IEC 61850, IEC 60870-5-104 and S7comm, the NXLog Platform offers new capabilities for hardening your security even further.

NXLog Platform now offers industry-leading features for collecting logs in industrial environments.


Outstanding support for writing log data in multiple formats

One of the most important attributes of log data is its format. Choosing the the right format is crucial for producing readable log files. And even more important is the ability to choose formats that yield structured data which can be readily consumed by analytical systems, as opposed to unstructured text that will require extensive post-processing. The format affects information availability, readability, manageability, as well as storage requirements. NXLog supports multiple industry-standard formats such as:

  • CEF - Common Event Format (ArcSight)
  • LEEF - Log Event Extended Format (IBM QRadar)
  • GELF - Graylog Extended Log Format (Graylog)
  • Syslog RFC3164 - BSD Syslog protocol
  • Syslog RFC5424 - Syslog Protocol
  • JSON - JavaScript Object Notation
  • Snare or "Snare over Syslog" - Snare format with or without a Syslog header

NXLog’s support of such a large number of formats means you have more flexibility to work with almost any log source, SIEM, or any number of third- party products you have deployed, or plan to deploy in your enterprise.


Integration with third party products

In the world of Information Technology, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned.

NXLog’s forte is its support for practically any operating system found in enterprise computing environments. It seamlessly integrates with third-party solutions such as IBM QRadar, Rapid7, Splunk Enterprise, FireEye Helix, and Securonix, just to name a few. For a comprehensive list, visit our integrations page.


Documentation and product support

Our constantly updated, ever-growing documentation well exceeds 1,500 pages. It is a stand-alone product in itself. It is complete with configuration samples, real-world examples, and integration guides offering much more than a generic manual. Alongside this self-help resource, there is also a dedicated support team for our Enterprise customers which is available 24/7 with a world-class, 4-hour SLA.

Build a scalable logging infrastructure

The ultimate log collection and centralization solution

https://nxlog.co/storage/uploads/ce6fcde9-da1c-41f2-ba32-5e4ec59a8b75/download-2.png

Try NXLog Platform

https://nxlog.co/storage/uploads/33b0d24e-c758-42f8-822c-c3f1ecc65289/google-docs-icon.svg

See our extended documentation

https://nxlog.co/storage/uploads/4c9a368b-7be5-4569-8344-db5fd6491c40/price-tag.svg

Contact us