Category: agent
November 8, 2023
Three easy ways to optimize your Windows logs - Reduce cost, network load, and time
If you are capturing Windows Event Logs on a large scale, you know that the more logs you collect, the more resources you need. Thus, the more expensive your SIEM becomes. The main issue is a large amount of the log data you are sending to your SIEM contains no valuable information. This means you waste a sizable portion of your cost on what the industry calls “log noise”.
February 6, 2023
Our customers asked - How to start an NXLog module with a delay?
There are several reasons you might want to start a particular NXLog module with a delay. You can think of it like delaying the start of a Windows service. In most cases, you need to do this for performance reasons. But there might be other scenarios where you would want to do this, such as collecting logs during a specific time frame. If you have, for example, a less critical module block, you can prioritize the more important one by delaying the less important one.
January 31, 2023
Our customers asked - Input stream EPS tracking with NXLog
This post is the first in a series of answers to questions that our customers asked.
Clarifying EPS EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.
January 16, 2023
NXLog vs Splunk Universal Forwarder
NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.
If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy.
NXLog and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.
February 2, 2022
NXLog vs IBM QRadar WinCollect - Let's get things straight
How does NXLog Enterprise Edition compare to the IBM QRadar WinCollect event forwarder?
IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights.
To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.
September 25, 2021
Putting together your first NXLog configuration
If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works.
The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.
October 9, 2020
NXLog vs Snare
How does NXLog CE and EE compare to the Snare Enterprise Agent?
If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog.
Feature Comparison There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support.
October 22, 2019
Agent-based versus agentless log collection - which option is best?
One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?
Category: announcement
October 25, 2024
Announcing NXLog Platform 1.3
We proudly announce the latest release of NXLog Platform, version 1.3. This release adds new features and bug fixes, including the ones highlighted below.
Improved installation and configuration The installation processes for NXLog Platform and NXLog Agent received the following configuration improvements:
You can now configure the NXLog Platform hostname and specify a label when running the NXLog Agent installer to ease automatic enrollment and agent configuration. This configuration is available on Windows, Debian/Ubuntu, Red Hat Enterprise Linux, and macOS.
September 26, 2024
Understanding telemetry pipelines
Back in the day, Gordon Moore made relatively accurate observations and projections about the exponential growth of transistors on semiconductors. It still amazes me, yet very few predicted the incredible growth of system interconnectedness and the vast amount of data it generates. It is estimated that 90% of all data was created in the last last two years. Given that everything is connected, the need for telemetry is growing at an unprecedented rate, and thus, the need to efficiently channel and manage telemetry data has also grown.
September 24, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
NXLog Platform is a new centralized log management solution from the vendor with over 12 years of experience and 600 clients worldwide, including Fortune 500 companies.
The new solution stands out for the following unique features:
Agentless or agent-based log collection using the most versatile log processor and forwarder.
Cloud-ready self-hosted centralized agent and log management system for ultimate scalability.
High-volume, fast, schemaless long-term log retention database with high compression ratios.
September 19, 2024
Announcing the end-of-sale for NXLog Enterprise Edition and NXLog Manager
We are officially announcing that NXLog will no longer be selling NXLog Enterprise Edition and NXLog Manager. This decision reflects our commitment to evolving our product offerings and delivering more powerful, future-proof solutions.
While the sale of these products is ending, please be assured that we will continue to provide full technical support, maintenance, and bug fixes for both NXLog Enterprise Edition and NXLog Manager until the end of your contractual period.
August 28, 2024
Welcome to the future of log management with NXLog Platform
Centralized log management at the core of security monitoring Enhance data visibility, streamline security operations, and reduce SIEM costs.
We are excited to announce the upcoming launch of our new centralized log management solution, NXLog Platform.
Over the past year, our team has been working hard to bring you an innovative log collection and management solution. In our 12+ years of experience in the industry, we have learned that one of the biggest challenges in log management is the number of dispersed systems you need to manage.
July 25, 2024
The CrowdStrike incident and how the NXLog agent operates
Automatic updates are recommended by many vendors as they are considered essential for safeguarding against security threats and maintaining system performance. Updates not only enhance security but also deliver bug fixes and new features, contributing to improved user experience. Software updates, however, come with the inherent risk of breaking existing functionality and can potentially interfere with other software or the operating system itself causing unintended side effects. Automatic updates that the user has no control over escalate the risk further.
June 20, 2024
Announcing NXLog Enterprise Edition 5.11
We are excited to announce the release of NXLog Enterprise Edition 5.11. This latest version introduces two new features and addresses over twenty important issues, including two of the most significant which are highlighted in this announcement.
Key enhancements in NXLog Enterprise Edition 5.11 Support for new macOS ES events NXLog Enterprise Edition 5.11 now supports the events introduced by version 13 of the macOS Endpoint Security (ES) API. Check the official Apple documentation for the most up-to-date list of events supported by the macOS ES API.
May 31, 2024
Raijin announces release of version 2.1
Raijin has announced the release of version 2.1 of its powerful, schemaless SQL-like database engine. This focuses on performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Performance improvements As mentioned, this release focused on optimizing the performance of partitioned database tables. Partitioned tables store data in separate locations with their own set of metadata based on the values present in the data.
May 13, 2024
Announcing NXLog Enterprise Edition 6.3
We proudly announce the latest release of NXLog Enterprise Edition, version 6.3. This release adds new features and bug fixes, including the ones highlighted below.
Support for parsing DTS Compliant logs from Microsoft Network Policy Server (NPS) The xm_nps extension module now supports parsing the newest DTL Compliant log format from Microsoft NPS.
The module can now automatically parse all NPS log types, including legacy ODBC and IAS, without you having to specify the log type when configuring the module.
March 14, 2024
Raijin announces release of version 2.0
Raijin has announced the release of version 2.0 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Enhanced table partitioning Table partitioning is a key factor in database management, improving query performance by only searching through relevant information and optimizing storage by efficiently pruning irrelevant content.
January 26, 2024
Raijin announces release of version 1.5
Raijin has announced the release of version 1.5 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Centralized storage for simpler management Until now, Raijin stored various stateful files in different locations across the system, requiring additional effort to keep track of that content. Raijin has now been refactored to use /data as the base directory.
December 22, 2023
2023 and NXLog - a review
It’s finally the holiday season, and we’re down to a skeleton staff here at NXLog. It’s nearly time for us to shut down our laptops, pick up a cup of hot chocolate (or mulled wine if we’re lucky), and get ready for a week or so of reading, relaxing, opening presents, perhaps coping with distant relatives, and all-around merry-making over the holiday period.
So we hope you’ll forgive us if we keep this recap of 2023 succinct.
December 21, 2023
Announcing NXLog Enterprise Edition 5.10
We are excited to announce the release of NXLog Enterprise Edition 5.10. This latest version addresses over twenty important issues - the two most significant are mentioned in this announcement - and introduces two features backported from NXLog Enterprise Edition 6.
Key enhancements in NXLog Enterprise Edition 5.10 ElasticSearch integration NXLog Enterprise Edition 5.10 now allows ElasticSearch users to send data as a stream. This feature enables the storage of events in an append-only, single-named manner, enhancing data management and retrieval efficiency.
December 12, 2023
Raijin announces release of version 1.4
Raijin has announced the release of version 1.4 of its powerful, schemaless SQL-like database engine. This version introduces new functionality for managing users and views, among several fixes and performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Improved user management This release builds on the previous one to provide better user management and auditing. With the SHOW USERS command, you can now retrieve a list of your Raijin users and their authentication type.
December 4, 2023
Announcing NXLog Enterprise Edition 6.2
We proudly announce the latest release of NXLog Enterprise Edition, version 6.2. This release adds some new features and includes bug fixes and stability enhancements.
File and folder symlink support In this release, the primary focus was on adding uniform support for file and folder symlinks. The new development affects the im_file and im_fim modules when collecting logs from files, and when using File Integrity Monitoring. The new feature is available to use with the newly introduced directive FollowSymlink.
November 3, 2023
Announcing NXLog Manager 5.7
We are pleased to announce the latest release of NXLog Manager, version 5.7. This release addresses several CVE issues, adds support for NXLog’s Microsoft Azure modules, and provides an updated Docker image.
Read on to find out more about these new features.
A more secure NXLog Manager This version addresses multiple known Common Vulnerabilities and Exposures (CVE), reducing the attack surface in our customers' systems. See the release notes for a complete list of corrected CVEs.
October 20, 2023
Announcing NXLog Enterprise Edition 6.1
We proudly announce the latest release of NXLog Enterprise Edition, version 6.1. This release adds new features to our Google Chronicle and Kafka output modules to provide more flexible configuration, introduces support for certificates with TPM-attested keys, and implements enhancements to our HTTP input module.
Read on to find out more about these new features.
More flexibility for your Google Chronicle integration We continue to build up our Google Chronicle output module with new functionality to give you more flexibility and control over your data.
October 6, 2023
Raijin announces release of version 1.3
Raijin has announced the release of version 1.3 of its powerful, schemaless SQL-like database engine. This version implements user authentication and permissions and focuses on enhancing performance and robustness.
New user authentication and permissions This release introduces certificate and password-based user authentication and granular user permissions. You can grant permissions at the database or table level with support for the following privileges:
ALL PRIVILEGE (superuser)
CREATE
SELECT
INSERT
DROP
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
We proudly announce the latest release of NXLog Enterprise Edition, version 6.0. This major release includes new NXLog language data types, additional TCP and HTTP configuration options, and enhancements to our Elasticsearch and remote administration modules. It will help you improve data integration and handling, enhance manageability, and increase cost efficiency.
Empower your data integration with new "Array" and "Hash" data types As the NXLog configuration language now supports compound values with Array and Hash data types, you can enhance data integrity and coherence.
August 11, 2023
Raijin announces release of version 1.2
Raijin has announced the release of version 1.2 of its powerful, schemaless SQL-like database engine. This version introduces significant performance improvements and usability enhancements.
Faster data ingestion and query performance This release optimizes data ingestion by introducing partial parallelization. Raijin Database now parses and inserts batches of data simultaneously, resulting in up to 15% faster ingestion.
The team also addressed bottlenecks in the SELECT and COPY statements and implemented several optimizations to improve overall query performance.
June 20, 2023
Announcing NXLog Enterprise Edition 5.9
We are proud to announce the latest release of NXLog Enterprise Edition, version 5.9. This release focuses on bringing you new supported platforms and configuration options.
Read on to find out more about some of these new features.
Added protocols to network packet capture information Our administrative module (xm_admin) now returns a list of protocols configured in a packet capture (im_pcap) instance when you request server or module information. This allows you to track, count, and report on the network protocols you are monitoring.
May 30, 2023
Raijin announces release of version 1.1
Raijin has announced the release of version 1.1 of its powerful, schemaless SQL-like database engine. Many new features have been added to version 1.1.
Let’s take a look at the highlights.
Prometheus exporter improvements Introduced disk usage statistics - Disk usage statistics about free space availability and file system size were introduced.
Introduced query statistics - Event and query statistics were introduced in the Prometheus exporter. The following statistics can be queried:
April 24, 2023
Announcing NXLog Enterprise Edition 5.8
We are proud to announce the latest release of NXLog Enterprise Edition, version 5.8. Our newest release includes new modules, better integrations, and additional metrics to collect across your organization.
Read on to find out more about some of these new features.
Native Salesforce module We’ve built a new native module (im_salesforce) for ingesting logs from Salesforce. With this, you no longer have to run an external Python-based Add-On script.
April 20, 2023
Announcing NXLog Community Edition 3.2
We’re glad to announce the latest release of NXLog Community Edition. This release mainly fixes an issue where the file_name() function returns an unknown error.
We’ve also stopped officially supporting the Android mobile operating system.
Get in touch with our team if you have any questions, or request a free trial of our flagship log collection solution, NXLog Enterprise Edition, below.
NXLog Platform is an on-premises solution for centralized log management with versatile processing forming the backbone of security monitoring.
March 9, 2023
Raijin announces release of version 1.0
Raijin has announced the release of version 1.0 of its powerful schemaless SQL database engine, furthering its goal of "solving schema rigidity" in modern databases. Many new features have been added to this version 1.0 milestone release.
Let’s take a look at some of the headline features.
The power of SQL without the drawbacks SQL has been the titan of database query languages for decades, and it is still ubiquitous the world over.
February 2, 2023
NXLog in the world - January 2023
A round-up of some of our favorite social media chatter about NXLog this month. Tecmint: Most notable open source log collection tools - NXLog features on the list of top centralized log collection tools
Blumira: Windows Firewall with GPOs - NXLog is recommended to be used in managing the Windows Firewall with GPOs
NSTEC: Exploring the benefits of SCEP - NXLog is recommended for collecting logs for System Center Endpoint Protection
January 20, 2023
Announcing NXLog Enterprise Edition 5.7
New year, new NXLog Enterprise Edition.
Our developers have been hard at work throughout the holiday season to release the latest version of our flagship log collection solution. We are proud to announce NXLog Enterprise Edition 5.7, which includes bug fixes, security updates, and, of course, many new features.
Read on to find out more about some of these new features.
Native support for Google Cloud Logging, Amazon S3, and Microsoft 365 Google Cloud Logging, Amazon S3, and Microsoft 365 integrations were already available as Add-Ons to NXLog Enterprise Edition.
December 22, 2022
NXLog - 2022 in review
We’ve come to the end of 2022, and what a year it’s been. It was a year marked by war, economic toil, and addressing the aftermath of the Covid-19 pandemic.
Europe was immediately thrust into crisis in February when the Russia-Ukraine War began. Unfortunately, as an Eastern European-based company, many of our colleagues were directly affected by it.
Then, more recently and in the United States especially, many tech companies began restructuring their organizations to deal with the looming economic problems that are forecast.
May 11, 2022
NXLog provides native support for Google Chronicle
We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform.
About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.
February 22, 2022
NXLog Community Edition support for Raijin Database
Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
March 23, 2021
Responsible disclosure - Our encounter with Monero mining
On the 18th of March, we noticed some unusual activity on one of our servers we use for build automation. Further investigation revealed that an outside party had deployed a Monero miner. The server was immediately taken offline. There was no customer data stored on the server and we have since replaced all our private keys and secrets that might have been potentially compromised.
After careful and thorough investigation of the incident, we decided to publish this announcement and share this news with our customers and users, hoping that it might serve as a lesson for others.
Category: articles
September 23, 2022
GDPR compliance and log data
The European Union’s General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Many of us remember the influx of marketing emails around this time, with companies updating their privacy policies and asking for the consent of around 450 million Europeans to continue using their personal data. An often misunderstood participant of this compliance quest is log data—a source potentially rich in protected personal data. So, how does the GDPR apply to an organization’s log data?
Category: comparison
January 16, 2023
NXLog vs Splunk Universal Forwarder
NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.
If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy.
NXLog and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.
November 23, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task.
How do syslog-ng and NXLog differ? syslog-ng and NXLog are alike in many ways.
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
February 7, 2022
Centralized Windows log collection - NXLog Enterprise Edition vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
February 2, 2022
NXLog vs IBM QRadar WinCollect - Let's get things straight
How does NXLog Enterprise Edition compare to the IBM QRadar WinCollect event forwarder?
IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights.
To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.
October 9, 2020
NXLog vs Snare
How does NXLog CE and EE compare to the Snare Enterprise Agent?
If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog.
Feature Comparison There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support.
Category: compliance
July 18, 2024
NIS2 Directive: a strong request for better incident handling
Did you know the European Union created a rule called the NIS Directive? This rule was established in 2016 to ensure that all member countries are equally protected against cyber attacks. It’s a step towards making it easier for governments to work together to stop cyber threats. However, the Directive was expected to provide more specific instructions for protecting against attacks and ensuring all countries follow the rule. The rule also requires companies and governments to be better prepared to handle cyber attacks and have a plan in case something goes wrong.
April 12, 2024
NIST Cybersecurity Framework 2.0. Update Takeaways
On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework.
What is NIST CSF The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks.
January 23, 2024
GLBA Compliance in 2024 - Reporting directly to the FTC
The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved.
January 11, 2024
The story of the $1,900,000 penalty for insufficient log management
It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier.
Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.
October 17, 2023
Log management for maritime cybersecurity compliance regulations
Historically, seaports have played a crucial role in a state’s development, and interruption in their services has a significant impact on economics. So, it’s no surprise commercial ports are regarded as a critical transport infrastructure.
One of the most significant challenges ports face today is ongoing digital transformation. The majority of tasks carried out across a port utilize autonomous and partially automated systems, including those for managing port access, vessel berthing (bridges, locks, gates, etc.
August 9, 2023
The Sarbanes-Oxley (SOX) Act and security observability
SOX - an overview Serious financial fraud was never considered a real risk while investing in U.S.-listed stocks until 2001, when energy giant Enron Corporation, which held $63.4 billion in assets, collapsed. It was revealed that the company had been misleading investors for years and the company’s stock price quickly plummeted from $90 to less than $1 per share. It was the largest bankruptcy in US history, followed by a $40 billion lawsuit and imprisonment for the corporation’s executives.
August 2, 2023
Log Management and PCI DSS 4.0 compliance
What is PCI DSS? PCI DSS, or Payment Card Industry Data Security Standard, is a collection of security requirements developed by major credit card companies to safeguard merchants who accept credit card payments by ensuring they provide a secure environment. The standard includes provisions for data protection, network security, and security management, among other things. Organizations that process credit card transactions are required to comply with these standards.
Who needs to be PCI DSS compliant?
September 30, 2022
Assertive compliance - using frameworks to extend your coverage
So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.
June 1, 2022
How NXLog can help meet compliance mandates
Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process.
So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.
Category: configuration
September 25, 2021
Putting together your first NXLog configuration
If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works.
The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.
Category: container
September 6, 2021
Collecting Kubernetes logs with NXLog
Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
Category: containers
January 13, 2021
NXLog Containers were certified by Red Hat
Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them.
Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.
Category: database
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
Category: deployment
September 26, 2024
Understanding telemetry pipelines
Back in the day, Gordon Moore made relatively accurate observations and projections about the exponential growth of transistors on semiconductors. It still amazes me, yet very few predicted the incredible growth of system interconnectedness and the vast amount of data it generates. It is estimated that 90% of all data was created in the last last two years. Given that everything is connected, the need for telemetry is growing at an unprecedented rate, and thus, the need to efficiently channel and manage telemetry data has also grown.
July 25, 2024
The CrowdStrike incident and how the NXLog agent operates
Automatic updates are recommended by many vendors as they are considered essential for safeguarding against security threats and maintaining system performance. Updates not only enhance security but also deliver bug fixes and new features, contributing to improved user experience. Software updates, however, come with the inherent risk of breaking existing functionality and can potentially interfere with other software or the operating system itself causing unintended side effects. Automatic updates that the user has no control over escalate the risk further.
May 28, 2024
What is agentless log collection?
Agentless log collection refers to gathering log data from various sources without installing dedicated software agents on the systems generating the logs. Instead, it leverages protocols such as SNMP traps, WECS, WMI, and syslog to retrieve log data remotely.
It is easier to explain what agentless log collection is by also providing some context about agent-based log collection. The truth is that these two options for collecting logs walk hand in hand, meaning that they can and will likely coexist on your network.
May 21, 2024
Ingesting log data from Debian UFW to Loki and Grafana
An excellent way to get started in a new technology area or refresh our knowledge is to devise a solution based on a small idea or need. This blog post covers such a situation, with a small personal project demonstrating how to use NXLog’s powerful features.
I embarked on a small pet project centered around a cloud machine running Debian 10. It connects telemetry from my home, country house, and notebook.
September 11, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
The NXLog team is constantly improving the quality of NXLog Enterprise Edition and will soon introduce a new major release - NXLog Enterprise Edition 6.0. This release will bring a large number of changes and it is important to correctly adapt your current configuration when upgrading your system.
Warning We strongly recommend testing NXLog Enterprise Edition 6.0 operation on a smaller set of devices before commiting to a full-scale upgrade of your complete system.
February 20, 2023
Our customers asked - Collecting Windows DNS resolved address with NXLog
Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging.
The Windows DNS Server section in the NXLog user guide offers a comprehensive guide on collecting log records from a Windows DNS Server.
November 23, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task.
How do syslog-ng and NXLog differ? syslog-ng and NXLog are alike in many ways.
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
March 19, 2022
Deploying and managing NXLog with Puppet
Puppet Bolt is an open-source orchestration tool that automates the manual configuration and management of your infrastructure.
In this post, we will look at how you can create your Puppet Bolt project directory, your inventory YAML file, and finally, your Puppet Bolt Plan to deploy NXLog on a variety of Operating Systems.
Why use Puppet Bolt to deploy NXLog? Apart from the usual tasks of updating software packages, configuring web servers and databases, the need for constant logging has become extremely important, and a de facto necessity nowadays.
March 1, 2022
Deploying and managing NXLog with Ansible
Ansible has become an industry standard when it comes to configuring and managing servers. As a configuration management tool, it carries the burden of simplifying system administration tasks, such as installing and updating software packages, and infrastructure provisioning. In this post, we will create an Ansible playbook that will enable us to automate the installation and configuration of NXLog across multiple endpoints. Whether you need only a single endpoint today or thousands of endpoints next week, Ansible will do the heavy lifting for you.
September 25, 2021
Putting together your first NXLog configuration
If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works.
The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.
October 22, 2019
Agent-based versus agentless log collection - which option is best?
One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?
Category: dns
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
May 31, 2020
DNS Log Collection and Parsing
DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:
Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
Category: feature
October 27, 2021
Three important features you can have with the Enterprise Edition over the Community Edition
Features of NXLog Enterprise Edition you must have So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.
Category: fim
January 24, 2020
What is File Integrity Monitoring (FIM)? Why do you need it?
About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.
Category: ics
August 10, 2022
NXLog in an industrial control security context
Industrial Control Systems (ICS) have evolved over the years and now have a lot in common with traditional IT systems. Low-cost Ethernet and IP devices are replacing older, proprietary technology, which opens up new possibilities to improve connectivity and remote access. However, it also increases vulnerability to cyberattacks and incidents since the system is no longer segregated. Due to the nature of ICS, they differ from other IT systems. A compromised system can cause severe damage to the environment, incur substantial financial and production losses, and negatively impact an entire nation.
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
Category: linux
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
January 13, 2021
NXLog Containers were certified by Red Hat
Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them.
Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
Category: log-collection
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
August 25, 2021
File-based logs? Yes, they’re still being used!
File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches.
In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.
Category: log-file
August 25, 2021
File-based logs? Yes, they’re still being used!
File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches.
In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.
Category: log-management
February 17, 2022
Aggregating macOS logs for SIEM systems
Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
Category: macos
February 17, 2022
Aggregating macOS logs for SIEM systems
Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
Category: os
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
February 17, 2022
Aggregating macOS logs for SIEM systems
Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
Category: raijin
February 22, 2022
NXLog Community Edition support for Raijin Database
Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
Category: security
September 26, 2024
Understanding telemetry pipelines
Back in the day, Gordon Moore made relatively accurate observations and projections about the exponential growth of transistors on semiconductors. It still amazes me, yet very few predicted the incredible growth of system interconnectedness and the vast amount of data it generates. It is estimated that 90% of all data was created in the last last two years. Given that everything is connected, the need for telemetry is growing at an unprecedented rate, and thus, the need to efficiently channel and manage telemetry data has also grown.
July 25, 2024
The CrowdStrike incident and how the NXLog agent operates
Automatic updates are recommended by many vendors as they are considered essential for safeguarding against security threats and maintaining system performance. Updates not only enhance security but also deliver bug fixes and new features, contributing to improved user experience. Software updates, however, come with the inherent risk of breaking existing functionality and can potentially interfere with other software or the operating system itself causing unintended side effects. Automatic updates that the user has no control over escalate the risk further.
July 18, 2024
NIS2 Directive: a strong request for better incident handling
Did you know the European Union created a rule called the NIS Directive? This rule was established in 2016 to ensure that all member countries are equally protected against cyber attacks. It’s a step towards making it easier for governments to work together to stop cyber threats. However, the Directive was expected to provide more specific instructions for protecting against attacks and ensuring all countries follow the rule. The rule also requires companies and governments to be better prepared to handle cyber attacks and have a plan in case something goes wrong.
June 26, 2024
Onboarding Microsoft NPS logs
For those of us who manage network authentication and authorization, RADIUS is a familiar term. This protocol was introduced in the last century, and many of us from those days still remember the old-school diagrams, which surprisingly remain on the Cisco Systems website today.
Figure 1. Interaction between dial-in user requests, the RADIUS client and server © Cisco RADIUS, which stands for Remote Authentication Dial-In User Service, was developed to address a specific challenge.
May 14, 2024
Harnessing TPM encryption with NXLog
In an increasingly digitalized world, protecting your business’s digital assets is becoming more urgent by the day. Realizing the need to protect data from malicious actors, researchers created encryption. And I am not talking about the Enigma here, but software-based encryption algorithms, with their public and private signing keys, and so on.
Like every other technology, encryption methods have evolved throughout the years. However, the goal remained the same: encryption is there to secure our digital communications.
March 11, 2024
NXLog Enterprise Edition on Submarines
I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Enterprise Edition is employed?
February 26, 2024
Digital substations and log collection
European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Its automation becomes ultimately digitalized, so requires proper monitoring both for operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.
September 8, 2023
The cybersecurity challenges of modern aviation systems
Since the Wright brothers' first flight, the aviation industry has been advancing at an unprecedented rate. But it has always been a step behind other sectors in some areas, for safety and security reasons. Engineers are only allowed to apply well-matured technologies thoroughly trialed in different industries. Civil aviation, especially from the IT and IT security perspective, is a bit like Debian among the Linux operating systems. It does not always include all the latest inventions, but it aims to be safe and very stable in return.
August 30, 2023
Meeting HIPAA Compliance with NXLog
The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. It was one of the first sectoral security and privacy legislations in the United States. According to the Act, compliance guidelines had to be developed and regulated by the Secretary of the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR) with voluntary compliance activities and civil money penalties.
July 27, 2023
Detect threats using NXLog and Sigma
The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation.
However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.
July 19, 2023
HIPAA compliance logging requirements
Anyone not living under a rock in the last 25 years knows that the US healthcare and health insurance industries are required to safeguard patient data under the Health Insurance Portability and Accountability Act (HIPAA). This includes anyone who deals with protected health information (PHI), such as healthcare providers, health plans, healthcare clearinghouses, and business associates like vendors, contractors, and subcontractors. It’s crucial to remain compliant, or else you could face some hefty fines and penalties allowable by the law.
June 8, 2023
Industrial cybersecurity - The facts
In Feb 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential terroristic act did not come to fruition.
Two years later, we still have no details on the malicious actor.
May 9, 2023
BROP attacks - What is it and how to defend yourself?
Have you ever locked yourself out of your car? After calling for roadside service, your tow truck driver forces the internal locking mechanism open with a slim-jim. Car thieves quickly discovered this technique and began using it to steal cars. Digital thieves have devised a similar attack called a Blind Return-Oriented Programming (Blind ROP, or just BROP) attack. It’s as quiet as a jackhammer on cement, but an attacker can open a remote shell and gain remote code execution on your server if the conditions are right.
May 2, 2023
CISO starter pack - Security Policy
The three characteristics your data must possess at all times, as dictated by your IT Security Policy, are:
It must be confidential
It must be available and
It must not have any unauthorized modifications
Your log policy will only be as good as the IT Security policy infrastructure behind it. And as much as we love talking about logs, that’s part of a more considerable general discussion about security policies.
April 3, 2023
CISO starter pack - Log collection fundamentals
Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs; the why, and what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.
November 22, 2022
The EU's response to cyberwarfare
With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, "boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities."
However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.
November 8, 2022
Looking beyond Cybersecurity Awareness Month
Cybersecurity Awareness Month has come and gone again. October marks that festive time of year when companies circulate their mandatory think pieces, remind their employees of the dangers of clicking questionable links, and pat themselves on the back and call it a day. Here’s your friendly November reminder to keep your wits about you year-round.
A (brief) history of Cybersecurity Awareness Month The Cybersecurity Awareness Month story began as a partnership between an American governmental agency—the Cybersecurity and Infrastructure Agency (CISA)--and the National Cyber Security Alliance non-profit.
August 10, 2022
NXLog in an industrial control security context
Industrial Control Systems (ICS) have evolved over the years and now have a lot in common with traditional IT systems. Low-cost Ethernet and IP devices are replacing older, proprietary technology, which opens up new possibilities to improve connectivity and remote access. However, it also increases vulnerability to cyberattacks and incidents since the system is no longer segregated. Due to the nature of ICS, they differ from other IT systems. A compromised system can cause severe damage to the environment, incur substantial financial and production losses, and negatively impact an entire nation.
August 3, 2022
Send email alerts from NXLog using Python, Perl, or Ruby
NXLog is a versatile log collector that easily integrates with other software, platforms, and programming languages. Out-of-the-box it supports integration with many third-party solutions through its input, output, and extension modules. Moreover, extending NXLog with custom functionality is as easy as writing an application or script in your favorite programming language and loading it from the configuration.
Email notifications of events indicating potential security breaches or severe application errors are a standard procedure for IT admins and DevOps engineers.
June 28, 2022
Security logging on Windows - beyond 4625
As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.
March 3, 2022
Cyberattacks on the power grid - are you prepared?
In light of recent news stories about possible cyberattacks on the U.S. power grid, we are inclined to ponder over precautions we can take to prepare for such a scenario. If you are in the public utilities industry, this blog post is for you. But, if you’re not, don’t worry. We will cover some basic principles you can follow to get your organization ready before such a cyberattack occurs.
February 3, 2022
How to prevent and detect Log4j vulnerabilities
The Apache Log4j vulnerability has attracted a lot of media attention as a result of recent security incidents that were reported by some organizations using versions 2.0-beta9 through 2.14.1. This security flaw has the potential to affect thousands of applications since some of the world’s largest databases rely on Log4j.
Because so many organizations are affected, cybercriminals are actively exploiting this well-known vulnerability.
Why is this so dangerous? In addition to the threat of malware and ransomware, hackers can also perform remote code execution due to the Log4j vulnerability.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
September 6, 2021
Collecting Kubernetes logs with NXLog
Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
August 25, 2021
File-based logs? Yes, they’re still being used!
File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches.
In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.
July 15, 2021
Top 5 Windows Security logs everyone should collect
It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.
July 1, 2021
Top 5 security concerns revealed with DNS logging
The Domain Name System (DNS) facilitates communication between all devices connected to the Internet. It consists of hierarchical servers that can translate any given hostname, along with its corresponding domain name, to its internet protocol (IP) address(es). One of the most common is the windows DNS server that ensures that data requests are sent to their correct endpoints while providing human-readable addresses for websites connected to the Internet. With the ever-growing number of cloud-based devices and technologies, for instance, the Internet of things (IoT), portals, web applications, as well as online transaction processing, it is more important than ever to identify the actual physical addresses of remote devices when relying on DNS-dependent connectivity.
January 13, 2021
NXLog Containers were certified by Red Hat
Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them.
Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.
May 31, 2020
DNS Log Collection and Parsing
DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:
Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
February 3, 2020
Insufficient logging and monitoring, TOP 10 security risk
"The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."
In this article these top security risks discussed in the context of log collection.
OWASP API security top 10 most critical API security risks APIs are a critical part of modern technologies - from SaaS and web consumer applications to enterprise deployments.
January 24, 2020
What is File Integrity Monitoring (FIM)? Why do you need it?
About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.
Category: siem
July 27, 2023
Detect threats using NXLog and Sigma
The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation.
However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.
February 20, 2023
Our customers asked - Collecting Windows DNS resolved address with NXLog
Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging.
The Windows DNS Server section in the NXLog user guide offers a comprehensive guide on collecting log records from a Windows DNS Server.
February 13, 2023
Avoid vendor lock-in and declare SIEM independence
The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion dollars within five years.
It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it.
As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
May 11, 2022
NXLog provides native support for Google Chronicle
We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform.
About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.
February 17, 2022
Aggregating macOS logs for SIEM systems
Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
June 16, 2021
Forwarding logs with NXLog
So, you managed to read through all the compliance mandates that are required for the industry you are in. And, during the mandatory consultation you had with your company’s IT security expert and network manager you came to an agreement on which logs to collect and carefully selected their final destination. Which — in most cases — is usually some kind of analytics system or SIEM technology where log data can be analyzed and stored based on your business requirements.
February 1, 2021
Sending logs to Microsoft Sentinel with NXLog
What if you could selectively ingest only the high-quality events needed for metrics and reporting that come not only from Azure, but also from other cloud- based resources and on-site assets directly into Microsoft Sentinel?
In this post, the technology we will be examining is the Azure Monitor HTTP Data Collector API, which enables clients, such as the NXLog Enterprise Edition agent, to send events to a Log Analytics workspace, making them directly accessible using Microsoft Sentinel queries.
April 1, 2020
How a centralized log collection tool can help your SIEM solutions
IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm.
Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.
March 3, 2020
Sending ETW Logs to Splunk with NXLog
NXLog supports direct collection of Event Tracing for Windows (ETW) data. DNS Analytical logs, for example, can be forwarded to Splunk or another SIEM for monitoring and analysis.
Collecting ETW Logs Event Tracing for Windows (ETW) is a kernel-level tracing facility that provides high-performance logging of kernel and application events. ETW events can be written to a log file or collected directly from the system in realtime via the Consumers API.
Category: strategy
November 12, 2024
Optimize log management and cut costs with NXLog Platform
Data logging and event monitoring have become essential to provide security and performance monitoring of business operations. However, the vast volume of logs generated can lead to significant challenges, including high costs and inefficiencies.
Many companies collect an excessive number of logs, often missing out on the most critical security-related events. The majority of these logs, known as log noise, offer little to no value to security analysts and can obstruct timely access to high-priority security events.
May 21, 2024
Ingesting log data from Debian UFW to Loki and Grafana
An excellent way to get started in a new technology area or refresh our knowledge is to devise a solution based on a small idea or need. This blog post covers such a situation, with a small personal project demonstrating how to use NXLog’s powerful features.
I embarked on a small pet project centered around a cloud machine running Debian 10. It connects telemetry from my home, country house, and notebook.
May 14, 2024
Harnessing TPM encryption with NXLog
In an increasingly digitalized world, protecting your business’s digital assets is becoming more urgent by the day. Realizing the need to protect data from malicious actors, researchers created encryption. And I am not talking about the Enigma here, but software-based encryption algorithms, with their public and private signing keys, and so on.
Like every other technology, encryption methods have evolved throughout the years. However, the goal remained the same: encryption is there to secure our digital communications.
April 12, 2024
NIST Cybersecurity Framework 2.0. Update Takeaways
On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework.
What is NIST CSF The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks.
March 11, 2024
NXLog Enterprise Edition on Submarines
I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Enterprise Edition is employed?
February 26, 2024
Digital substations and log collection
European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Its automation becomes ultimately digitalized, so requires proper monitoring both for operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.
February 6, 2024
The evolution of event logging: from clay tablets to Taylor Swift
Event logs are our breakfast, lunch, and dinner at NXLog. Before NXLog, I worked on an API that collected software usage logs. And before that, on a centralized log management application. Today, after a career of dealing with logs, I wondered, "How did our world come to rely so much on event logging?"
I mean, in the vast landscape of technological progress, the history of event logging is only a minor subplot.
February 2, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
NXLog Enterprise Edition 5 has been with us for nearly four years. That’s four years of being an industry-leading log collection tool adored by engineering teams and Fortune 100 customers around the globe. And while the NXLog Enterprise Edition 5 story isn’t yet over, it needs to move forward to keep pace with modern technologies and new demands.
Like any good muscle car, NXLog EE 5 has its limits, and so back in 2022 we came face-to-face with a problem - it required too much to change under the hood to stay modern and effective.
January 23, 2024
GLBA Compliance in 2024 - Reporting directly to the FTC
The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved.
January 11, 2024
The story of the $1,900,000 penalty for insufficient log management
It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier.
Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.
November 8, 2023
Three easy ways to optimize your Windows logs - Reduce cost, network load, and time
If you are capturing Windows Event Logs on a large scale, you know that the more logs you collect, the more resources you need. Thus, the more expensive your SIEM becomes. The main issue is a large amount of the log data you are sending to your SIEM contains no valuable information. This means you waste a sizable portion of your cost on what the industry calls “log noise”.
September 8, 2023
The cybersecurity challenges of modern aviation systems
Since the Wright brothers' first flight, the aviation industry has been advancing at an unprecedented rate. But it has always been a step behind other sectors in some areas, for safety and security reasons. Engineers are only allowed to apply well-matured technologies thoroughly trialed in different industries. Civil aviation, especially from the IT and IT security perspective, is a bit like Debian among the Linux operating systems. It does not always include all the latest inventions, but it aims to be safe and very stable in return.
August 30, 2023
Meeting HIPAA Compliance with NXLog
The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. It was one of the first sectoral security and privacy legislations in the United States. According to the Act, compliance guidelines had to be developed and regulated by the Secretary of the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR) with voluntary compliance activities and civil money penalties.
July 27, 2023
Detect threats using NXLog and Sigma
The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation.
However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.
July 19, 2023
HIPAA compliance logging requirements
Anyone not living under a rock in the last 25 years knows that the US healthcare and health insurance industries are required to safeguard patient data under the Health Insurance Portability and Accountability Act (HIPAA). This includes anyone who deals with protected health information (PHI), such as healthcare providers, health plans, healthcare clearinghouses, and business associates like vendors, contractors, and subcontractors. It’s crucial to remain compliant, or else you could face some hefty fines and penalties allowable by the law.
July 12, 2023
Understanding memory usage in NXLog
Understanding how NXLog allocates memory is essential to optimize your configuration for performance and utilize system resources efficiently.
NXLog is designed for high-performance log collection and processing and is optimized to use system resources efficiently. However, various external factors affect how NXLog uses system resources, including memory, which can impact NXLog’s and its host’s performance. Misconfiguration is the leading factor we see when troubleshooting excessive memory consumption. Therefore, in this blog post, we will dive deeper into how NXLog allocates memory to help you create the optimal configuration for your system or determine whether high memory usage results from a misconfiguration.
June 8, 2023
Industrial cybersecurity - The facts
In Feb 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential terroristic act did not come to fruition.
Two years later, we still have no details on the malicious actor.
May 26, 2023
How can I monitor file access on Windows?
Why do you want to monitor who accessed a particular file? Files are one of the primary forms of storing information. It is common practice for companies to store data in files that hold valuable, sometimes sensitive, information. What could this "important" data be? Of course, I am not talking about the company’s last team-building pictures. I’m afraid that’s not what the bad guys are interested in. They will likely be more interested in business plans, financial or personal data.
May 2, 2023
CISO starter pack - Security Policy
The three characteristics your data must possess at all times, as dictated by your IT Security Policy, are:
It must be confidential
It must be available and
It must not have any unauthorized modifications
Your log policy will only be as good as the IT Security policy infrastructure behind it. And as much as we love talking about logs, that’s part of a more considerable general discussion about security policies.
April 21, 2023
Our customers asked - Execution of powershell scripts inside NXLog Exec modules
PowerShell scripts can be used with NXLog for generating, processing, and forwarding logs, as well as for generating configuration content. In this article, we will take a look at how to execute PowerShell directly from NXLog.
You can run a PowerShell script in multiple NXLog instances without using any PowerShell script file, and is achievable through having the script code directly in NXLog’s exec modules. This is ideal because if you need to make any change to the script, it’s easier to modify just the NXLog module rather than change the script on every computer used.
April 13, 2023
MFA Fatigue - What it is, and how to combat it
A multi-factor authentication (MFA) fatigue attack is a form of a social engineering cyberattack strategy where attackers repeatedly try to make second-factor authentication requests to the target’s email, phone, or other registered devices to gain access to the system. You may also hear about MFA Fatigue attack as MFA Bombing, 2FA fatigue, MFA push spam, MFA Spamming, or prompt bombing.
Technology administrators are always playing a never-ending battle of cat and mouse when it comes to threat actors.
April 3, 2023
CISO starter pack - Log collection fundamentals
Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs; the why, and what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.
February 13, 2023
Avoid vendor lock-in and declare SIEM independence
The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion dollars within five years.
It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it.
As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.
February 6, 2023
Our customers asked - How to start an NXLog module with a delay?
There are several reasons you might want to start a particular NXLog module with a delay. You can think of it like delaying the start of a Windows service. In most cases, you need to do this for performance reasons. But there might be other scenarios where you would want to do this, such as collecting logs during a specific time frame. If you have, for example, a less critical module block, you can prioritize the more important one by delaying the less important one.
January 31, 2023
Our customers asked - Input stream EPS tracking with NXLog
This post is the first in a series of answers to questions that our customers asked.
Clarifying EPS EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.
January 16, 2023
NXLog vs Splunk Universal Forwarder
NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.
If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy.
NXLog and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.
November 22, 2022
The EU's response to cyberwarfare
With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, "boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities."
However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.
September 30, 2022
Assertive compliance - using frameworks to extend your coverage
So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
August 1, 2022
The benefits of log aggregation
Logs are a record of the internal workings of a system. Nowadays, organizations can have hundreds and, more regularly, thousands of managed computers, servers, mobile devices, and applications; even refrigerators are generating logs in this Internet of Things era. The result is the production of terabytes of log data—event logs, network flow logs, and application logs, to name a few—that must be carefully sorted, analyzed, and stored.
Without a log management tool, you would need to manually search through many directories of log files on each system to access and extract meaning from these millions of event logs.
June 1, 2022
How NXLog can help meet compliance mandates
Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process.
So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.
February 7, 2022
Centralized Windows log collection - NXLog Enterprise Edition vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
February 2, 2022
Reliable delivery of logs - can you trust TCP?
When considering your log collection strategy, a decision you have to make is which transport protocol to use to transfer logs from source to destination. The choice is often between the two most commonly used protocols, UDP (User Datagram Protocol) and TCP (Transfer Control Protocol). Which one to use depends on the type of logs you need to transfer, and whether performance or reliability is more important.
This blog post will compare these protocols, discuss why TCP is usually the preferred choice, and provide some options to further increase log delivery reliability with NXLog Enterprise Edition.
February 2, 2022
NXLog vs IBM QRadar WinCollect - Let's get things straight
How does NXLog Enterprise Edition compare to the IBM QRadar WinCollect event forwarder?
IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights.
To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.
January 25, 2022
Understanding and auditing WMI
If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity, however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog.
A standardization effort The first thing to clarify about WMI is that it’s not a Windows-only technology.
January 3, 2022
Log aggregation with NXLog
The value of log aggregation There is no denying the importance of log aggregation for multi-million-dollar enterprises worldwide. But just what is log aggregation? And how can it help your organization? Well, log aggregation is the process of standardizing and consolidating your log data from distributed systems across your network into one centralized server. By doing so, you have a unified view of what occurs across your entire IT infrastructure.
October 27, 2021
Three important features you can have with the Enterprise Edition over the Community Edition
Features of NXLog Enterprise Edition you must have So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
June 16, 2021
Forwarding logs with NXLog
So, you managed to read through all the compliance mandates that are required for the industry you are in. And, during the mandatory consultation you had with your company’s IT security expert and network manager you came to an agreement on which logs to collect and carefully selected their final destination. Which — in most cases — is usually some kind of analytics system or SIEM technology where log data can be analyzed and stored based on your business requirements.
June 14, 2021
Windows Event Log collection in a nutshell
Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
October 9, 2020
NXLog vs Snare
How does NXLog CE and EE compare to the Snare Enterprise Agent?
If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog.
Feature Comparison There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support.
April 1, 2020
How a centralized log collection tool can help your SIEM solutions
IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm.
Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.
October 22, 2019
Agent-based versus agentless log collection - which option is best?
One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?
December 17, 2018
Making the most of Windows Event Forwarding for centralized log collection
Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.
Category: windows
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
June 28, 2022
Security logging on Windows - beyond 4625
As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.
February 7, 2022
Centralized Windows log collection - NXLog Enterprise Edition vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
January 25, 2022
Understanding and auditing WMI
If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity, however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog.
A standardization effort The first thing to clarify about WMI is that it’s not a Windows-only technology.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
July 15, 2021
Top 5 Windows Security logs everyone should collect
It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.
June 14, 2021
Windows Event Log collection in a nutshell
Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
December 17, 2018
Making the most of Windows Event Forwarding for centralized log collection
Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.