NXLog User Guide
Azure Event Hubs is a big data streaming platform and event ingestion service from Microsoft. Data sent to an event hub can be transformed and stored by using any real-time analytics provider or batching/storage adapters.
NXLog can be configured to send data to Azure Event Hubs via the Kafka and HTTP protocols using the om_kafka and om_http modules. NXLog can also receive log data from Azure Event Hubs via the Kafka protocol using the im_kafka module.
Kafka requires at least a Standard Tier, while HTTP works with any tier. For more information on tiers, see the What is the difference between Event Hubs Basic and Standard tiers? section in the Microsoft documentation. With both methods a SAS (Shared Access Signature) is used for authentication.
In order to successfully forward and retrieve logs from Azure Event Hubs, an Azure account with an appropriate subscription is required.
With all of the above created, the event hub can be found by browsing to the Home > Event Hubs > <YOURNAMESPACE> > Event Hubs page in the Azure portal. This page lists some basic details about the event hub as well as graphs of the data flow. In addition, the left side panel serves as a control panel for managing your event hub.
NXLog can forward logs to an Event Hub via the Kafka protocol.
In order to configure NXLog you need the following details:
- The entry for the BrokerList directive. This is derived from the name of the namespace and a fixed URL with a port number and looks like <YOURNAMESPACE>.servicebus.windows.net:9093. The namespace needs to be changed to match your environment.
- The name of the event hub created in Azure, used for the Topic directive.
- The name of your resource group, defined in an Option directive. Read more about What is a resource group in the Microsoft Documentation.
- Either your primary key or your secondary key, retrieved per the instructions in Get an Event Hubs connection string. The connection string is defined in an Option directive as the SASL password.
- A CA certificate, even though it is not listed as a requirement by Azure Event Hubs.
In this configuration the logs are forwarded to Azure Event Hubs by the om_kafka module.
<Output out>
    Module        om_kafka
    BrokerList    <YOURNAMESPACE>.servicebus.windows.net:9093
    Topic         <YOUREVENTHUB>
    Option        security.protocol SASL_SSL
    Option        group.id <YOURCONSUMERGROUP>
    Option        sasl.mechanisms PLAIN
    Option        sasl.username $ConnectionString
    Option        sasl.password <YOUR Connection string–primary key>
    CAFile        C:\Program Files\nxlog\cert\<ca.pem>
</Output>
NXLog can forward its collected logs to Azure Event Hubs via the HTTP protocol.
In order to configure NXLog you need the following details:
- A shared access signature (SAS) token. The Microsoft documentation lists various scripts and methods to generate a SAS token. For the example below, the PowerShell example was used. None of the other methods or scripts were tested.
- Entries for the URL directive and for the Host HTTP header set by the AddHeader directive. Both require the name of the namespace you have created.

Note: The PowerShell example can be executed in the Azure Cloud Shell using the Try it button.
The om_http module also supports sending logs in batches by defining the BatchMode directive. The accepted values for this directive are multiline and multipart; however, Azure Event Hubs can only process logs sent with the multiline batching method.

In this configuration logs are sent to Azure Event Hubs using the om_http module.
<Output out>
    Module        om_http
    BatchMode     multiline
    URL           https://<YOURNAMESPACE>.servicebus.windows.net/nxlogeventhub/messages
    HTTPSCAFile   C:\cacert.pem
    AddHeader     Authorization: <YOURSASTOKEN>
    AddHeader     Content-Type: application/atom+xml;type=entry;charset=utf-8
    AddHeader     Host: <YOURNAMESPACE>.servicebus.windows.net
</Output>
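The SAS token placed in the Authorization header above is an HMAC-SHA256 signature over the URL-encoded resource URI and an expiry timestamp, signed with a shared access policy key. The following is an added example, not NXLog's or Microsoft's code, that builds such a token the same way the Microsoft-documented scripts do, parses it back, and checks signature and expiry so that a static token in an NXLog configuration can be validated before it silently stops working; the namespace, policy name and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed placeholder values; not real Azure credentials.
RESOURCE_URI = "https://nxlognamespace.servicebus.windows.net/nxlogeventhub"
KEY_NAME = "nxlog-send-policy"            # hypothetical shared access policy name
KEY = "c2VjcmV0LWtleS1wbGFjZWhvbGRlcg=="  # hypothetical policy key


def generate_sas_token(resource_uri, key_name, key, expiry_epoch):
    """Build an Event Hubs SAS token: HMAC-SHA256 over
    '<url-encoded resource URI>\\n<expiry>' using the policy key."""
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return (f"SharedAccessSignature sr={encoded_uri}"
            f"&sig={signature}&se={expiry_epoch}&skn={key_name}")


def parse_sas_token(token):
    """Split 'SharedAccessSignature k=v&k=v...' into a dict of decoded fields."""
    scheme, _, params = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in params.split("&"):
        key, _, value = part.partition("=")
        fields[key] = unquote(value)
    return fields


def verify_sas_token(token, key, now_epoch):
    """Recompute the signature with the policy key and check expiry.
    Returns (valid, reason); a token an hour from expiry is already a rotation task."""
    fields = parse_sas_token(token)
    for required in ("sr", "sig", "se", "skn"):
        if required not in fields:
            return False, f"missing field {required}"
    expected = generate_sas_token(fields["sr"], fields["skn"], key, int(fields["se"]))
    if not hmac.compare_digest(parse_sas_token(expected)["sig"], fields["sig"]):
        return False, "signature mismatch"
    if int(fields["se"]) <= now_epoch:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Token valid for one hour, in the form the AddHeader directive expects.
    token = generate_sas_token(RESOURCE_URI, KEY_NAME, KEY, int(time.time()) + 3600)
    print(f"AddHeader     Authorization: {token}")
    print(verify_sas_token(token, KEY, int(time.time())))
```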
There are several ways to confirm data reception in Azure Event Hubs.
The easiest way to check is to browse to the Home > Event Hubs > <YOURNAMESPACE> > Event Hubs page in the Azure portal, where Microsoft provides a chart that displays incoming and outgoing message counts as well as event throughput metrics.
Logs forwarded to Azure Event Hubs by NXLog can also be collected using the im_kafka module. The logs collected with this method are identical to the ones sent to Azure Event Hubs.
This configuration uses the same settings as the om_kafka configuration in the first example. The only difference is the direction of the log flow. This configuration collects the logs and writes them to a file.
<Input in>
    Module        im_kafka
    BrokerList    nxlognamespace.servicebus.windows.net:9093
    Topic         nxlogeventhub
    Option        security.protocol SASL_SSL
    Option        group.id nxlogconsumergroup
    Option        sasl.mechanisms PLAIN
    Option        sasl.username $ConnectionString
    Option        sasl.password <Connection string–primary key>
    CAFile        C:\Program Files\nxlog\cert\ca.pem
</Input>

<Output file>
    Module        om_file
    File          "C:\\logs\\logmsg.txt"
</Output>
Note: This section is for informational purposes only.
When deciding which method to use for sending logs to Azure Event Hubs, performance, throughput, and size can all be important and decisive factors. Note that when measuring throughput, the performance of a system depends on a number of factors including, but not limited to:

- The performance and resource availability of the node on which NXLog runs.
- The performance and capability of any networking equipment between MS Azure Event Hubs and the machine NXLog runs on.
- The quality of service provided by your ISP, including any bandwidth restrictions.
- Your geographic location and how you set up Azure Event Hubs.
- The number of throughput units you have purchased with your Azure Event Hubs subscription.

In addition, it is worth considering which tier to use: Kafka requires a more expensive subscription, since it is not available in the Basic Tier according to the Event Hubs pricing.

In our tests we used a single throughput unit, generating data with the im_testgen module, and concluded that both Kafka and HTTP work reliably, but HTTP offers better throughput, especially with batching enabled.
In any case, we strongly recommend thorough testing in your environment.