NXLog User Guide
Elastic Cloud is a Software as a Service (SaaS) offering that provides managed enterprise search, data visualization, and security. This includes Elastic SIEM, a solution for analyzing data in your hosted Elasticsearch instance to detect and respond to threats in real time. NXLog can integrate with Elastic Cloud by sending logs over HTTPS and provides several benefits over using Elastic Beats as a data shipper, such as:
- A single NXLog agent installation includes full functionality to collect, process, and forward any type of logs. It can be configured as an end-to-end solution, collecting logs and sending them directly to Elastic Cloud, or as a relay, receiving logs from different sources and forwarding them to Elastic Cloud.
- NXLog offers an extensive list of input modules that can collect logs from sources not supported by Elastic Beats. Among these are the im_etw module, which can collect logs from ETW-only channels such as the Analytical and Debug channels; xm_aixaudit for IBM AIX platforms; and the im_maces and im_maculs modules for collecting Apple Endpoint Security events and ULS logs on macOS.
- An equally extensive list of extension modules is available for parsing and transforming logs in different formats. NXLog also supports processing logs with external scripts written in Go, Java, Perl, Python, or Ruby.
- Last but not least, NXLog is a mature solution that is robust and fit for production environments. All components are developed, maintained, and supported by NXLog, giving you peace of mind that support is available should you need it.
Logs can be sent to Elastic Cloud using the Elasticsearch REST API. For NXLog to be able to connect to the API, it requires an API key, the Elasticsearch endpoint, and the Elastic Cloud CA certificate. Follow the instructions below to create an API key and retrieve the required information for your instance.
- Creating an API key
1. Log in to your Elastic Cloud instance.
2. From the main menu, navigate to Management > Stack Management.
3. From the management menu, under Security, click API keys.
4. Click the Create API key button in the top right.
5. Enter a Name for the new key and click the Create API key button.
6. The new API key will be displayed. You will need the Base64 value for the NXLog configuration.
Make sure to save the key in a safe place because you will not be able to retrieve it once you navigate away from this screen.
- Retrieving your API endpoint
1. Log in to your Elastic Cloud instance.
2. Click on the name of the relevant deployment to view the deployment information.
3. Under Applications, click on Copy endpoint next to Elasticsearch.
Exporting the Elastic Cloud CA certificate
- Exporting the CA certificate using OpenSSL
1. Execute the following command:
$ openssl s_client -showcerts -connect <your_instance_url> < /dev/zero
Replace <your_instance_url> with the endpoint URL retrieved above, including the port.
2. The information returned will contain the complete certificate chain. Copy the last certificate shown, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, to a text file.
3. Save the file to a directory accessible by NXLog.
- Exporting the CA certificate from Chrome on Windows
1. Open Chrome and log in to your Elastic Cloud instance.
2. In the browser address bar, click on the padlock icon next to the URL.
3. On the Certification Path tab, select the topmost certificate and click the View Certificate button.
4. From the new dialog, go to the Details tab and click the Copy to File… button.
5. Click Next in the export wizard.
6. Select the Base-64 encoded X.509 (.CER) option and click Next.
7. Select the directory where to save the certificate and click Next.
8. Review the details and click Finish to complete the export.
The procedure to export certificates differs according to the browser and operating system. Refer to your browser documentation for the relevant steps.
NXLog Enterprise Edition provides the om_elasticsearch output module that supports sending logs in bulk to Elasticsearch via the REST API. See the configuration example below for how to configure NXLog to forward logs to a managed Elasticsearch instance.
This example demonstrates the output instance for data to be forwarded to Elasticsearch. For in-depth information on how to output log data that complies with ECS, see our guide on the Elastic Common Schema (ECS).
In this configuration, the Elasticsearch endpoint and API key are defined as constants. Replace the values of the endpoint constant and API_KEY with the correct values for your Elastic Cloud instance. See Retrieving your API endpoint and Creating an API key.
Since the connection to the REST API uses HTTPS, the HTTPSCAFile directive is used to specify the path to the certificate authority certificate that will be used to verify the identity of the remote server. See Exporting the Elastic Cloud CA certificate.
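As an added illustration, and not the guide's own configuration example, the following shows what such an om_elasticsearch output looks like with the endpoint and API key held in constants and the exported CA certificate referenced by HTTPSCAFile. The constant name ELASTICSEARCH_URL, the input module and its file path, the certificate path and the index name are assumptions made here.

```nxlog
# Added example, not the guide's own configuration. The constant name
# ELASTICSEARCH_URL, the file paths and the index name are assumptions.

# Endpoint copied from the deployment page, including the port.
define ELASTICSEARCH_URL https://my-deployment.es.example.com:9243
# Base64 value shown when the API key was created.
define API_KEY           <your_base64_api_key>

# om_elasticsearch serializes event fields to JSON and needs xm_json loaded.
<Extension json>
    Module        xm_json
</Extension>

# Assumed source: an application writing one JSON object per line.
<Input app_logs>
    Module        im_file
    File          "/var/log/app/*.log"
    # Parse each line so its fields become separate event fields.
    Exec          parse_json();
</Input>

<Output elastic_cloud>
    Module        om_elasticsearch
    # Bulk endpoint of the managed Elasticsearch instance.
    URL           %ELASTICSEARCH_URL%/_bulk
    # Authenticate every request with the Elastic Cloud API key.
    AddHeader     Authorization: ApiKey %API_KEY%
    # CA certificate exported earlier; used to verify the server's identity.
    HTTPSCAFile   /opt/nxlog/cert/elastic-cloud-ca.pem
    # One index per day, e.g. nxlog-20240101.
    Index         strftime($EventReceivedTime, "nxlog-%Y%m%d")
    # Send in batches: at most every 2 seconds or every 100 events.
    FlushInterval 2
    FlushLimit    100
</Output>

<Route app_to_elastic>
    Path          app_logs => elastic_cloud
</Route>
```

Keep the file holding API_KEY readable only by the NXLog service account, since the key grants the same access to the cluster as the user who created it.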
One way to verify reception of log data in Elastic Cloud is from the Kibana app. Log in to your Elastic Cloud instance and from the main menu, navigate to Analytics > Discover.
Select the relevant index pattern to display the data. If this is your first time viewing the data and you have not created an index pattern for it yet, you will need to create one. The screenshot below shows log records for index