<rss xmlns:webfeeds="http://webfeeds.org/rss/1.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
  <atom:link href="https://nxlog.co/news-and-blog/index.xml" rel="self" type="application/rss+xml" />
    <title>NXLog News and Blog</title>
    <link>https://nxlog.co/news-and-blog/</link>
    <description>Recent content on NXLog Blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
  <lastBuildDate>Thu, 07 May 2026 00:00:00 +0000</lastBuildDate>
   
    <item>
      <title>Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration</title>
      <link>https://nxlog.co/news-and-blog/posts/enterprise-iis-log-analysis-software/</link>
      <pubDate>Thu, 07 May 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/enterprise-iis-log-analysis-software/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Ever tried to analyze IIS logs manually across dozens of web servers during a security incident? If so, you know the challenge: massive log files across multiple systems, cryptic log entries, and no easy way to correlate events. When running Microsoft Internet Information Services (IIS) across large infrastructures, log data accumulates quickly, increasing the risk of missing critical events.
IIS log analysis software is designed to collect, parse, and analyze IIS web server logs to monitor activity, troubleshoot performance issues, detect threats, and demonstrate compliance.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>From 4688 to 1102: The Windows event IDs that matter for threat detection</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-event-ids-threat-detection/</link>
      <pubDate>Tue, 28 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-event-ids-threat-detection/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        Most Windows detection programs are anchored on a small set of well-known event IDs: 4624, 4625, maybe 4688 if process creation auditing is turned on. The events that actually describe an intrusion (the new service, the scheduled task, the explicit credential, the share enumeration) live elsewhere on the same host, often on channels that are not enabled by default. We have written before about why a 4625-only mindset leaves most of the attack chain in the dark; this post is the catalog that picks up where that argument ended.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Filebeat vs Logstash: when the shipper is enough and when you need a pipeline</title>
      <link>https://nxlog.co/news-and-blog/posts/filebeat-vs-logstash/</link>
      <pubDate>Thu, 23 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/filebeat-vs-logstash/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.png&#34; width=500 /&gt;
        
        The choice here is not between two interchangeable log tools. It is a choice about where you want parsing, routing, and failure handling to live. Filebeat runs close to the source and keeps collection small. Logstash sits in the middle of the flow and takes on filtering, enrichment, and fan-out.
That architectural difference matters more than a feature checklist. Pick the narrower tool when your logs have one destination and your parsing rules are modest.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The case for not ripping and replacing: Securing Win32 infrastructure in place</title>
      <link>https://nxlog.co/news-and-blog/posts/securing-legacy-windows-in-place/</link>
      <pubDate>Wed, 22 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/securing-legacy-windows-in-place/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        The default advice for any system running an unsupported operating system is simple: replace it. Upgrade to a supported platform. Move to modern hardware. Problem solved.
It’s good advice in theory. As with many other things in life, however, in practice it ignores everything that makes legacy infrastructure hard to deal with in the first place.
For organizations running Windows XP, Server 2003, or other legacy 32-bit Windows systems, &#34;just upgrade&#34; is often the most expensive, disruptive, and operationally risky option on the table.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.12</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.12-release/</link>
      <pubDate>Tue, 21 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.12-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.12.
This release introduces full version history for agent configurations, giving you a clear audit trail and the ability to instantly restore any previous version. It also brings a redesigned Customer Portal with a streamlined onboarding experience and improved navigation.
Want a quick overview? Watch a short demo showcasing configuration version history, one of the key new features in this release:
      </description>
      
      <dc:creator>
        <![CDATA[ Mariush Minkov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NIS2, HIPAA, PCI DSS: What compliance means when you can&#39;t upgrade your OS</title>
      <link>https://nxlog.co/news-and-blog/posts/nis2-hipaa-pci-dss-compliance-legacy-os/</link>
      <pubDate>Mon, 20 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nis2-hipaa-pci-dss-compliance-legacy-os/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        Compliance frameworks don’t have a checkbox for &#34;we know it’s a problem, but we can’t afford to fix it right now.&#34; Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Deploying NXLog Platform on Kubernetes with Helm</title>
      <link>https://nxlog.co/news-and-blog/posts/deploying-nxlog-platform-with-helm/</link>
      <pubDate>Thu, 16 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/deploying-nxlog-platform-with-helm/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        NXLog Platform can now be installed using the official Helm chart, following the same Kubernetes deployment standard as any other enterprise Kubernetes application. Red Hat OpenShift is also fully supported using native OpenShift Routes.
According to the CNCF 2025 Annual Cloud Native Survey, 82% of container users run Kubernetes in production, and 81% prefer Helm as their package manager of choice. Kubernetes adoption spans every major cloud provider and distribution, including GKE (32%), AKS (17%), OpenShift (13%), and Amazon EKS, and continues to grow as the default substrate for enterprise infrastructure.
      </description>
      
      <dc:creator>
        <![CDATA[ Paulo Ribeiro ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Legacy Windows systems: Enterprise security&#39;s biggest blind spot</title>
      <link>https://nxlog.co/news-and-blog/posts/legacy-windows-systems/</link>
      <pubDate>Thu, 09 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/legacy-windows-systems/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        Somewhere in a hospital basement, an MRI machine hums along on Windows XP. Down the road, a CNC controller on a factory floor runs Windows Server 2003. Across town, a municipal utility manages water treatment with software that hasn’t seen an update since the second Bush administration.
These aren’t edge cases. They’re everywhere — and they represent one of the most underestimated risks in enterprise security today.
Still here, still running
It would be reasonable to assume that operating systems from the early 2000s have no place in a modern network.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Filebeat vs Vector: Routing, transforms, and the better fit for your pipeline</title>
      <link>https://nxlog.co/news-and-blog/posts/filebeat-vs-vector/</link>
      <pubDate>Mon, 06 Apr 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/filebeat-vs-vector/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.png&#34; width=500 /&gt;
        
        Filebeat and Vector both move logs, but they solve different design problems. Filebeat is a shipper that fits neatly into Elastic-centric pipelines. Vector is a data pipeline runtime that can collect, reshape, split, and forward the same stream to several destinations before storage.
The cost of choosing badly does not show up on day one. It shows up later as duplicate agents, extra relay tiers, backend-specific parsing rules, or migration work when a second destination appears.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How to visualize telemetry data flow and volume with NXLog Platform</title>
      <link>https://nxlog.co/news-and-blog/posts/how-to-visualize-telemetry-data-flow-and-volume/</link>
      <pubDate>Mon, 23 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/how-to-visualize-telemetry-data-flow-and-volume/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        As organizations collect more telemetry data, their pipelines grow in complexity and scale. Telemetry pipelines are dynamic, continually adjusted to improve data quality, reduce costs, and meet evolving observability requirements. At this scale, even small configuration changes can significantly affect how much data moves through your pipeline.
Without clear visibility, you rely on assumptions. Did the new filtering rule actually reduce the amount of data you’re sending to the SIEM?
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Fluent Bit vs Filebeat: Architecture, trade-offs, and the better default</title>
      <link>https://nxlog.co/news-and-blog/posts/fluent-bit-vs-filebeat/</link>
      <pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/fluent-bit-vs-filebeat/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.png&#34; width=500 /&gt;
        
        If you are choosing between Fluent Bit and Filebeat, the real question is where you want routing, parsing, and failure handling to live. Pick the wrong default, and you create config sprawl, brittle pipelines, and extra work every time your backend or deployment model changes.
Choose Fluent Bit when the agent itself needs to behave like a small pipeline, and choose Filebeat when your log path ends inside Elastic and you want the shipper to match Elastic’s operating model.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog and Logpoint partner to advance European digital sovereignty</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-and-logpoint-partnership/</link>
      <pubDate>Thu, 12 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/posts/nxlog-and-logpoint-partnership/images/nxlog-logpoint.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-and-logpoint-partnership/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/posts/nxlog-and-logpoint-partnership/images/nxlog-logpoint.webp&#34; width=500 /&gt;
        
        [Update on 12 March 2026: Logpoint is now guardsix]
Dubai, UAE, Feb 27, 2026 - NXLog today announced a technology alliance partnership with Logpoint. Together, the companies offer a vendor-agnostic approach anchored in Logpoint’s European roots, providing organizations with a clear alternative to US-centric security platforms and renewed control over rapidly expanding telemetry flows.
As European organizations face growing pressure from regulations such as NIS2, the ability to decide where security data is processed, how it is handled, and which systems it flows into has become a critical requirement.
      </description>
      
      <dc:creator>
        <![CDATA[ NXLog ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>What is telemetry data? A practical guide for modern systems</title>
      <link>https://nxlog.co/news-and-blog/posts/what-is-telemetry-data/</link>
      <pubDate>Wed, 11 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/what-is-telemetry-data/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        Telemetry data is the stream of measurements that instrumented devices, applications, and services continuously emit to a central system so engineers can monitor behavior, diagnose problems, and make informed decisions in real time and over the long term.
In this article, we’ll look at what telemetry data means in practice for modern software, networks, and cloud platforms: how it’s produced, what kinds of signals it carries (logs, metrics, traces, and more), and why it has become essential for observability, performance, and security at scale.
      </description>
      
      <dc:creator>
        <![CDATA[ Paulo Ribeiro ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Beyond basic ingestion: Advanced OpenTelemetry data processing with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/beyond-basic-ingestion/</link>
      <pubDate>Mon, 09 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/beyond-basic-ingestion/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.png&#34; width=500 /&gt;
        
        Most discussions about OpenTelemetry pipelines focus on getting data from point A to point B. Collect telemetry, maybe convert the format, forward it to a backend. That’s the minimum viable pipeline, and it’s where most tooling stops.
But a pipeline that only moves data is a pipe, not a processing layer. The telemetry arriving at your observability platform or SIEM is only as useful as the context it carries. A raw log entry saying &#34;connection from 198.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How NXLog simplifies your OpenTelemetry journey</title>
      <link>https://nxlog.co/news-and-blog/posts/how-nxlog-simplifies-your-opentelemetry-journey/</link>
      <pubDate>Thu, 05 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/how-nxlog-simplifies-your-opentelemetry-journey/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        OpenTelemetry has become the de facto standard for telemetry data. Nearly 50% of surveyed cloud-native end-user companies have adopted it, and the project ranks as the second-highest-velocity initiative in the CNCF, behind only Kubernetes. The direction is clear: if your infrastructure doesn’t speak OpenTelemetry, it will increasingly be left out of the observability conversation.
But adopting OpenTelemetry across an entire infrastructure is a different problem than adopting it in a greenfield application.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Fluent Bit vs Fluentd: How to choose the right tool for your log pipeline</title>
      <link>https://nxlog.co/news-and-blog/posts/fluent-bit-vs-fluentd/</link>
      <pubDate>Tue, 03 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/fluent-bit-vs-fluentd/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.png&#34; width=500 /&gt;
        
        Choosing between Fluent Bit and Fluentd is an architecture decision, not a product shootout. Both projects live under the CNCF Fluent umbrella and share a common lineage at Treasure Data, but they target different roles in a logging pipeline. Fluent Bit is a C-based telemetry agent designed for low-overhead collection at the edge. Fluentd is a Ruby-and-C data collector built for aggregation, transformation, and multi-destination routing.
The practical question is not which one is better — it’s where each one belongs in your stack, and whether you need both.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Data format chaos costs you weeks of visibility</title>
      <link>https://nxlog.co/news-and-blog/posts/data-format-chaos/</link>
      <pubDate>Mon, 02 Mar 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/data-format-chaos/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        Why the federal agency breach shows that standardized telemetry formats aren’t optional anymore
When CISA analyzed the federal agency breach that went undetected for three weeks, they identified a familiar pattern: EDR alerts existed but weren’t continuously reviewed. Security teams had visibility tools, but critical signals got lost in the noise.
What the advisory doesn’t detail—but every security practitioner knows—is the infrastructure nightmare hiding behind that simple statement. Those unreviewed alerts likely came from dozens of sources, each speaking its own dialect of security telemetry.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Security dashboards go dark: why visibility isn&#39;t optional, even when your defenses keep running</title>
      <link>https://nxlog.co/news-and-blog/posts/security-dashboards-go-dark/</link>
      <pubDate>Thu, 26 Feb 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/security-dashboards-go-dark/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        The SentinelOne outage showed why visibility isn’t optional—even when your defenses keep running.
On May 29, 2025, organizations running SentinelOne experienced something unsettling: their security controls kept working, but they couldn’t see what was happening.
A software flaw in SentinelOne’s infrastructure control system caused a global service disruption that lasted several hours. According to reports, the incident significantly impacted customers&#39; ability to manage their security operations and access important data.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Building a practical OpenTelemetry pipeline with NXLog Platform</title>
      <link>https://nxlog.co/news-and-blog/posts/building-a-practical-opentelemetry-pipeline-with-nxlog-platform/</link>
      <pubDate>Wed, 25 Feb 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/building-a-practical-opentelemetry-pipeline-with-nxlog-platform/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Collecting, processing, and forwarding logs and metrics at scale.
OpenTelemetry provides a common instrumentation model that makes it easier to collect telemetry data across distributed systems, and many modern applications are adopting it as a standard for generating logs and metrics. However, in practice, you still need to collect, process, and shape the data before it becomes useful. You cannot simply forward raw telemetry data downstream without risking that your observability platform becomes expensive storage instead of a means of maintaining visibility into your environment.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Centralized log management: What it is, how centralized logging works, and how to choose the right system</title>
      <link>https://nxlog.co/news-and-blog/posts/what-is-centralized-log-management/</link>
      <pubDate>Tue, 24 Feb 2026 00:00:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/what-is-centralized-log-management/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Centralized log management is the practice of collecting logs from across an environment, including applications, servers, containers, networks, and cloud services, and storing them in a single location where they can be searched and analyzed.
For operations and security teams, centralized logging is now a core requirement. Without it, logs are scattered across hosts, ephemeral containers, cloud consoles, and disconnected tools. This fragmentation slows troubleshooting, complicates incident response, and limits visibility during security investigations.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.11</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.11-release/</link>
      <pubDate>Mon, 23 Feb 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.11-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.11. This version focuses on operational visibility and compliance, smoother troubleshooting, and improved security and access controls.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Monitor data volume in the NXLog Platform UI
You can now monitor the volume of inbound and outbound data flowing through your agents directly in the NXLog Platform UI, either from the agent statistics view or via the data flow visualization.
      </description>
      
      <dc:creator>
        <![CDATA[ Mariush Minkov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog announces distribution agreement with Softprom</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-announces-distribution-agreement-with-softprom/</link>
      <pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/posts/nxlog-announces-distribution-agreement-with-softprom/images/nxlog-softprom.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-announces-distribution-agreement-with-softprom/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/posts/nxlog-announces-distribution-agreement-with-softprom/images/nxlog-softprom.webp&#34; width=500 /&gt;
        
        Dubai, UAE, Feb 16, 2026 — NXLog, a global provider of high-performance log and telemetry pipeline management solutions, today announced a distribution agreement with Softprom, a leading value-added IT distributor in Central and Eastern Europe, the Caucasus, and Central Asia.
Through this partnership, Softprom will distribute and support NXLog’s vendor-agnostic telemetry management platform, enabling organizations to gain control over log and event data before it reaches SIEM, APM, and analytics platforms.
      </description>
      
      <dc:creator>
        <![CDATA[ NXLog ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Adopting OpenTelemetry without changing your applications</title>
      <link>https://nxlog.co/news-and-blog/posts/adopting-opentelemetry-without-changing-your-applications/</link>
      <pubDate>Tue, 10 Feb 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/adopting-opentelemetry-without-changing-your-applications/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        A practical approach to converting existing logs into modern observability.
OpenTelemetry promises a vendor-neutral standard for observability, consistent telemetry, and the flexibility to change backends without rewriting everything. In practice, however, OpenTelemetry adoption often runs into a familiar obstacle: reality.
Here’s a common scenario. You’re eager to improve observability, but your environment includes a mix of legacy applications, network devices, and third-party systems. Many of these were never designed for modern instrumentation, and changing them is risky, expensive, or simply not an option.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Graylog vs ELK Stack: Unbiased comparison of log management tools</title>
      <link>https://nxlog.co/news-and-blog/posts/graylog-vs-elk-stack/</link>
      <pubDate>Mon, 02 Feb 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/graylog-vs-elk-stack/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.png&#34; width=500 /&gt;
        
        Centralized logging is no longer optional. Whether you’re troubleshooting production incidents, investigating suspicious activity, or meeting audit requirements, you need a way to collect logs from many sources, normalize them, search them quickly, and turn them into alerts and dashboards. In practice, that starts with reliable collection — often via solutions like NXLog Platform — so the data arrives clean and consistent.
Two of the most common open-source paths people compare are Graylog vs ELK Stack.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The GeoServer breach that could have been stopped in hours, not weeks</title>
      <link>https://nxlog.co/news-and-blog/posts/the-geoserver-breach/</link>
      <pubDate>Thu, 29 Jan 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/the-geoserver-breach/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        How a federal agency’s monitoring gaps turned a containable incident into a three-week nightmare
In September 2025, CISA responded to a federal agency breach that security teams could have stopped in hours. Instead, threat actors roamed the network undetected for three weeks.
The damage? Multiple compromised servers, web shells planted across the infrastructure, and a persistent foothold that took significant resources to remediate.
The root cause wasn’t a zero-day exploit or sophisticated malware.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Linux security monitoring with NXLog Platform: Extracting key events for better monitoring</title>
      <link>https://nxlog.co/news-and-blog/posts/linux-security-logging-with-nxlog-platform/</link>
      <pubDate>Fri, 09 Jan 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/linux-security-logging-with-nxlog-platform/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        From years of supporting NXLog Agent deployments across many environments, we’ve learned that while Linux generates a wealth of security logging, much of it remains underutilized. Critical security events are buried across multiple log files and subsystems, making it more complicated than it should be to spot suspicious activity.
Efficient Linux security logging requires knowledge of which events matter and where to get them. Authentication attempts, privilege changes, package installations, audit events, and system shutdown events can all tell a story when viewed together.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Telemetry is evolving; is your business ready?</title>
      <link>https://nxlog.co/news-and-blog/posts/telemetry-pulse/</link>
      <pubDate>Mon, 05 Jan 2026 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/telemetry-pulse/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Some still think telemetry is a futuristic concept, but it isn’t. It’s already integral to the smooth running of everything from websites, e-commerce platforms and mobile apps to manufacturing, traffic control and much, much more. And it all begins with the humble data log.
From the earliest days of computing, programmers have recorded useful information — often in a file — to help track and react to potential threats and understand what’s going on &#34;under the hood&#34; of their IT infrastructures.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Security advisory for CVE-2025-67900 affecting NXLog Agent 6.10 and older on Windows</title>
      <link>https://nxlog.co/news-and-blog/posts/cve-2025-67900-mitigation/</link>
      <pubDate>Thu, 18 Dec 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/cve-2025-67900-mitigation/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        We are committed to the security of our customers, and wish to inform you of CVE-2025-67900, a recently published vulnerability affecting the Windows version of NXLog Agent 6.10 and older.
Technical description
The Windows version of NXLog Agent 6.10.10368 and older includes a Privilege Escalation vulnerability because it attempts to load an OpenSSL configuration file from the hardcoded and unintended directory C:\nxlog4\x64\ on startup.
This is a legacy installation directory that may not exist in clean NXLog Agent installations.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrei Popa ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>2025 and NXLog - a recap</title>
      <link>https://nxlog.co/news-and-blog/posts/year-in-review-2025/</link>
      <pubDate>Thu, 18 Dec 2025 00:00:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/year-in-review-2025/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        As the new year looms large, we at NXLog are ready for one of the season’s most cherished traditions: reflecting on the year that ends. Coming off a 2024 that was centered on the NXLog Platform release, our 2025 was built on our analysis of the current state of the telemetry landscape.
The main conclusion is that while telemetry data is essential for operations and security, 35% of organizations still struggle to collect it at scale.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>rsyslog vs syslog-ng: Which is the right log shipper?</title>
      <link>https://nxlog.co/news-and-blog/posts/syslog-vs-syslog-ng/</link>
      <pubDate>Fri, 12 Dec 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/syslog-vs-syslog-ng/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.png&#34; width=500 /&gt;
        
        Well, no doubt logging is the nervous system of any IT infrastructure. From troubleshooting outages to satisfying compliance audits and threat management, having the right log management pipeline can make the difference between smooth operations and chaotic firefighting. For decades, syslog-ng and rsyslog have been two of the most widely used log management tools for Unix and Linux environments. Both provide implementations of the original 1980s syslog protocol and are designed to collect, process, and forward log messages across networks.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.10</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.10-release/</link>
      <pubDate>Thu, 11 Dec 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.10-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.10. This update introduces streamlined TLS certificate management, broader operating system support, and simplified agent configuration. It will now be even faster and easier to deploy and operate your telemetry pipeline.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Centrally managed certificates for data destinations
NXLog Platform 1.
      </description>
      
      <dc:creator>
        <![CDATA[ Mariush Minkov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Identity and Access Management (IAM): Guide for 2026</title>
      <link>https://nxlog.co/news-and-blog/posts/iam-2026-guide/</link>
      <pubDate>Wed, 10 Dec 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/iam-2026-guide/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        Imagine a typical company: employees join, they move between offices and departments, then they leave. Each of these changes requires a systems access update for email, databases, internal tools, and more. Manually managing these transitions can be burdensome and error-prone. And where you have errors, you have inefficiencies and exposure to security breaches — neither of which is good for your business.
This is where Identity and Access Management (IAM) comes in.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>End-to-end Windows file monitoring with FIM and Windows Security Auditing</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-file-monitoring-with-fim-and-windows-security-auditing/</link>
      <pubDate>Thu, 27 Nov 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-file-monitoring-with-fim-and-windows-security-auditing/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        In the past, we’ve written about monitoring file access in Windows. However, monitoring file access events alone doesn’t capture the full lifecycle of changes that matter for security and compliance.
To gain true end-to-end visibility, you need to track not only when a file is accessed, but also when it’s modified, renamed, or deleted. In this guide, we’ll show how combining File Integrity Monitoring (FIM) with Windows Security Auditing delivers a complete file monitoring solution and how NXLog Agent ties these log sources together.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Monitoring BIND9 logs: Comparing syslog and dnstap for DNS visibility</title>
      <link>https://nxlog.co/news-and-blog/posts/monitoring-bind9-logs-syslog-vs-dnstap/</link>
      <pubDate>Wed, 19 Nov 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/monitoring-bind9-logs-syslog-vs-dnstap/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        As system and network administrators know, DNS logs are essential for understanding what’s happening across your infrastructure, whether you’re troubleshooting slow lookups, investigating odd traffic patterns, or monitoring your security posture.
We recently had the opportunity to help a customer set up monitoring for BIND9 logs and discovered that the two main options, syslog and dnstap, offer very different experiences in setup, performance, and the level of DNS visibility they provide.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Linux security monitoring: Collecting and visualizing events in Elasticsearch and Kibana</title>
      <link>https://nxlog.co/news-and-blog/posts/linux-security-monitoring-with-elasticsearch-and-kibana/</link>
      <pubDate>Mon, 03 Nov 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/linux-security-monitoring-with-elasticsearch-and-kibana/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Timely visibility into system activity is what separates effective defense from reactive analysis. Every operating system, application, and device logs a trail of evidence. However, transforming that trail into actionable intelligence requires the right tools. In our previous posts, we’ve walked you through:
Visualizing VPN connection logs,
Monitoring Windows security events, and
Analyzing web server activity logs.
In this final installment in our series on log visualization, we’re turning our attention to Linux security monitoring.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The shadow IT haunting your network: A Halloween horror story</title>
      <link>https://nxlog.co/news-and-blog/posts/the-shadow-it-haunting-your-network/</link>
      <pubDate>Thu, 30 Oct 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/the-shadow-it-haunting-your-network/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        It’s Halloween season, and while everyone else is worried about ghosts and goblins, you—the sysadmin holding the fort—know the real terror: that dusty print server in the corner that’s been running firmware from 2014. Or the Raspberry Pi someone set up to monitor the server room temperature &#34;temporarily&#34; three years ago. Or the CEO’s personal tablet that absolutely must connect to the internal network because &#34;it’s just easier this way.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Watching the watchers: The need for telemetry system observability</title>
      <link>https://nxlog.co/news-and-blog/posts/watching-the-watchers/</link>
      <pubDate>Wed, 29 Oct 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/watching-the-watchers/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Organizations invest heavily in sophisticated monitoring platforms, deploy countless agents across their infrastructure, and build elaborate dashboards to track every metric imaginable. Yet amid this pursuit of comprehensive visibility, a dangerous blind spot often emerges: the observability system itself becomes unobservable.
This meta-problem represents one of the most insidious risks in modern infrastructure management. When telemetry collection fails silently—whether due to misconfiguration, infrastructure changes, or system failures—operations teams continue making critical decisions based on incomplete or stale data, unaware that their digital nervous system has developed gaps in coverage.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Beyond the silicon: Why monitoring the infrastructure powering AI is critical to ROI</title>
      <link>https://nxlog.co/news-and-blog/posts/beyond-the-silicon-why-ai-infrastructure-monitoring-is-critical-to-roi/</link>
      <pubDate>Tue, 28 Oct 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/beyond-the-silicon-why-ai-infrastructure-monitoring-is-critical-to-roi/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        The AI gold rush has arrived, and organizations worldwide are making unprecedented investments in cutting-edge accelerator hardware. GPU clusters worth millions of dollars are being deployed at breakneck speed, with companies betting their competitive futures on these silicon powerhouses. Yet beneath the excitement of acquiring the latest H100s or MI300s lies a sobering reality: the most expensive part of your AI investment isn’t the initial purchase—it’s ensuring that hardware delivers value every single moment it’s operational.
      </description>
      
      <dc:creator>
        <![CDATA[ João Correia ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.9</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.9-release/</link>
      <pubDate>Wed, 22 Oct 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.9-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.9. This version transforms how you manage observability by combining metrics and logs in one platform, optimizing agent management workflows, and enabling enterprise-grade deployments for modern infrastructures.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Metrics made simple
NXLog Platform provides built-in support for all types of telemetry data, including metrics.
      </description>
      
      <dc:creator>
        <![CDATA[ Mariush Minkov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>From web server logs to metrics: Visualizing NGINX logs with Prometheus and Grafana</title>
      <link>https://nxlog.co/news-and-blog/posts/visualizing-nginx-logs-with-prometheus-and-grafana/</link>
      <pubDate>Mon, 20 Oct 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/visualizing-nginx-logs-with-prometheus-and-grafana/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        When users start reporting slow responses or intermittent errors from your web applications, your first go-to is your web server logs. But did you know those same logs can provide more than just troubleshooting clues? When analyzed with the right tools, they give system administrators and DevOps teams real-time visibility into your web environment, enabling them to monitor web servers proactively, rather than reactively.
In this post, we’re going to show you how you can uncover web server performance issues and potential attacks early on by collecting NGINX access logs with NXLog Agent, transforming them into Prometheus metrics, and visualizing them with Grafana.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Elcore signs a distribution agreement with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/elcore-signs-distribution-agreement-with-nxlog/</link>
      <pubDate>Tue, 30 Sep 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/posts/elcore-signs-distribution-agreement-with-nxlog/images/nxlog_elcore.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/elcore-signs-distribution-agreement-with-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/posts/elcore-signs-distribution-agreement-with-nxlog/images/nxlog_elcore.webp&#34; width=500 /&gt;
        
        Dubai, UAE, Sept 30, 2025 — NXLog, a global leader in telemetry pipeline management, and Elcore, a specialized distributor of IT solutions, have announced a new distribution partnership.
Through this collaboration, Elcore will bring NXLog’s cutting-edge solutions to a wider market, empowering enterprises to collect, process, and route logs, metrics, and traces from any source to any destination. NXLog’s vendor-agnostic technology delivers structured, real-time insights that enhance visibility, strengthen security, and improve operational efficiency across IT, OT, and cloud environments.
      </description>
      
      <dc:creator>
        <![CDATA[ NXLog ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Gaining valuable host performance metrics with NXLog Platform</title>
      <link>https://nxlog.co/news-and-blog/posts/gaining-valuable-host-performance-metrics/</link>
      <pubDate>Tue, 30 Sep 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/gaining-valuable-host-performance-metrics/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.png&#34; width=500 /&gt;
        
        What are performance metrics and why are they important? IT and security systems don’t just generate logs; they also produce extremely valuable performance data that helps ensure the health and stability of your business infrastructure. Host-level performance metrics provide visibility into key resources, such as:
CPU usage — Helps identify over-utilization, process bottlenecks, or underused resources.
Memory usage — Indicates whether applications are consuming excessive RAM or leaking memory over time.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Windows security monitoring: Collecting and visualizing events in Elasticsearch and Kibana</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-security-monitoring-with-elasticsearch-and-kibana/</link>
      <pubDate>Mon, 22 Sep 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-security-monitoring-with-elasticsearch-and-kibana/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        In our previous blog post, From network logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana, we explored how you can gain visibility into VPN activity by collecting and analyzing network logs. Windows security monitoring is another common use case we encounter at NXLog.
Windows workstations and servers generate security event logs ranging from authentication attempts and privilege escalations to policy changes and process executions. Such events can reveal external intrusions and insider threats, and for security analysts, they are the first line of evidence in investigating suspicious activity.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>From network event logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana</title>
      <link>https://nxlog.co/news-and-blog/posts/visualizing-openvpn-logs-with-elasticsearch-and-kibana/</link>
      <pubDate>Thu, 18 Sep 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/visualizing-openvpn-logs-with-elasticsearch-and-kibana/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        At NXLog, we help customers solve real-world telemetry data challenges and bring value to the table with NXLog Platform. One of the recurring problems we see is that while network event logs contain a wealth of information, turning them into actionable insights isn’t straightforward. Security operations teams often struggle to make sense of these logs in a way that directly supports threat detection, response, and investigation.
A perfect example of this challenge is VPN logs.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.8</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.8-release/</link>
      <pubDate>Fri, 12 Sep 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.8-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.8. This release is packed with improvements to give you deeper insights into your telemetry pipeline and infrastructure, expand compatibility, and enhance the user experience.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Agent metrics for telemetry pipeline observability
The new Internal Metrics module supports collecting agent metrics, simplifying data flow and agent health monitoring.
      </description>
      
      <dc:creator>
        <![CDATA[ Mariush Minkov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How to reduce log noise and fight SOC alert fatigue</title>
      <link>https://nxlog.co/news-and-blog/posts/reduce-log-noise-and-fight-soc-alert-fatigue/</link>
      <pubDate>Wed, 27 Aug 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/reduce-log-noise-and-fight-soc-alert-fatigue/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Do you ever feel like you’re drowning in data? From endpoint logs and firewall events to database auditing and cloud metrics, the sheer amount of data is overwhelming. While telemetry data is crucial for threat detection, incident response, and compliance, it also brings a major challenge: log noise.
Log noise obscures meaningful security signals. If left unchecked, you risk increased false positives, overloading security tools, higher SIEM licensing costs, and, most importantly, SOC alert fatigue.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Security Event Logs: Importance, best practices, and management</title>
      <link>https://nxlog.co/news-and-blog/posts/security-event-logs/</link>
      <pubDate>Tue, 22 Jul 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/security-event-logs/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Understanding security event logs for stronger cybersecurity.
Whether a multinational corporation or a small business, organizations face ever-increasing risks of data theft, insider threats, and system intrusions. In 2025, the security landscape is further complicated by the growing influence of artificial intelligence, as cybercriminals are leveraging AI to enhance the sophistication and scale of attacks. One of the most powerful tools for detecting and responding to attacks is the humble security event log.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.7</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.7-release/</link>
      <pubDate>Wed, 25 Jun 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.7-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.7. This release introduces key enhancements focused on the usability and performance of the log discovery UI, as well as the SMTP integration with Microsoft 365. Read on for more details about these updates.
Improved log discovery
NXLog Platform 1.7 introduces the beta release of a new log discovery UI with significant improvements in usability and performance:
      </description>
      
      <dc:creator>
        <![CDATA[ Paulo Ribeiro ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Current challenges in log and telemetry data management</title>
      <link>https://nxlog.co/news-and-blog/posts/challenges-in-log-and-telemetry-data-management/</link>
      <pubDate>Tue, 24 Jun 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/challenges-in-log-and-telemetry-data-management/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Today, most enterprises use a security log analytics solution or SIEM (Security Information &amp; Event Management), but analytics are only as good as the data fed into your solution. If you’re missing data sources or are failing to extract full value from the data, you won’t see the big picture.
This is an issue new customers commonly mention to NXLog. That’s why one of our key goals is to provide a solid data collection layer that ensures all relevant data is collected and properly fed into the SIEM.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Leveraging Okta logs for improved security monitoring</title>
      <link>https://nxlog.co/news-and-blog/posts/okta-logs/</link>
      <pubDate>Mon, 16 Jun 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/okta-logs/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Most corporate environments require a login, and Identity and Access Management (IAM) is a solution that helps manage that process in different ways. IAM ensures that only the necessary people can access the relevant IT resources.
Each user, device or service is assigned a unique digital identity. So, when an employee logs into a company system, IAM confirms that person’s identity. This might involve a login/password check, multi-factor authentication, or both.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Enhancing security with Microsoft&#39;s Expanded Cloud Logs</title>
      <link>https://nxlog.co/news-and-blog/posts/enhancing-security-with-microsofts-expanded-cloud-logs/</link>
      <pubDate>Tue, 10 Jun 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/enhancing-security-with-microsofts-expanded-cloud-logs/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Nation-state-sponsored hacking stories are everyone’s favorite Hollywood movies, until our personal or corporate sensitive data is compromised and shows up for sale on the dark web. In real life, the activities of cyber espionage groups trigger security enforcement. This happens first in the government sector; government standards then slowly shift industry norms, starting by gently forcing vendors who also sell into government contracts.
In the case of the recently announced Microsoft Expanded Cloud Logs Implementation Playbook, issued by the US Cybersecurity and Infrastructure Security Agency (CISA), it all started in July 2023, when the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorized access to email accounts belonging to U.
      </description>
      
      <dc:creator>
        <![CDATA[ Botond Botyánszki ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Remote Desktop logs – A comprehensive guide to RDP logging and monitoring</title>
      <link>https://nxlog.co/news-and-blog/posts/remote-desktop-logs/</link>
      <pubDate>Thu, 15 May 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/remote-desktop-logs/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Monitoring and centralizing Remote Desktop logs is critical for IT security, compliance, and operational efficiency, and NXLog Platform makes it simple and scalable.
Remote Desktop Protocol (RDP) is a powerful Windows feature that allows users to access a computer remotely over the network. While convenient and widely used, it’s also a potential entry point for attackers. Understanding how to check and analyze RDP connection logs can help detect unauthorized access, troubleshoot issues, and maintain system integrity.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>From NXLog Community Edition to NXLog Platform</title>
      <link>https://nxlog.co/news-and-blog/posts/nxp-vs-ce/</link>
      <pubDate>Tue, 13 May 2025 08:13:48 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxp-vs-ce/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        NXLog Community Edition was launched many years ago and, being cross-platform and highly versatile, quickly became a leading log collection tool. With millions of downloads, it is widely used across on-premises, cloud, and hybrid deployments. While over 70% of users have upgraded to the more feature-rich and robust NXLog Enterprise Edition, many still rely on NXLog Community Edition due to its flexibility and fit for many use cases.
However, as technology advances and business and security demands grow, we are excited to introduce NXLog Platform—a modern, comprehensive solution that offers enhanced functionality and performance.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Monitoring NXLog Agent with Zabbix using the Agent Management API</title>
      <link>https://nxlog.co/news-and-blog/posts/monitoring-nxlog-agent-with-zabbix/</link>
      <pubDate>Wed, 30 Apr 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/monitoring-nxlog-agent-with-zabbix/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        NXLog Agent plays a vital role in aggregating, processing, and forwarding logs to centralized platforms for analysis. Whether it’s system logs, application logs, or security audit trails, these agents are often the first line of visibility into what’s happening in your environment.
In many setups, especially large-scale infrastructures, NXLog Agent relays act as crucial intermediaries, collecting logs from edge systems and forwarding them to a SIEM or log analytics platform.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.6</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.6-release/</link>
      <pubDate>Tue, 22 Apr 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.6-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.6. This release brings several key improvements, changes, and fixes to aid usability, security, and performance. Our team has introduced changes to improve integration with third-party technologies, made packaging adjustments, and enhanced the configuration workflow. Below, we highlight the most significant changes.
Enhanced configuration editor
The configuration editor in NXLog Platform has been improved with better syntax highlighting, more accurate error detection, and smarter input suggestions when operating in text mode.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog Agent vs. Snare Agent - A practical comparison of log collection capabilities</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-vs-snare/</link>
      <pubDate>Wed, 09 Apr 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-vs-snare/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.webp&#34; width=500 /&gt;
        
        Are you looking to replace Snare? Here’s how NXLog Agent compares in real-world environments.
This article will help if you are considering a new log collection solution or evaluating alternatives to your existing deployment. It answers key questions from organizations that have migrated from Snare to NXLog solutions.
Feature comparison - Snare Agent vs. NXLog Agent
Multiple log collection agents are available on the market. While both Snare Agent and NXLog Agent serve similar use cases, NXLog Agent provides broader platform support, more advanced log processing, and greater flexibility in integration.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>High Availability and Fault Tolerance</title>
      <link>https://nxlog.co/news-and-blog/posts/high-availability-and-fault-tolerance/</link>
      <pubDate>Thu, 13 Mar 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/high-availability-and-fault-tolerance/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.png&#34; width=500 /&gt;
        
        Imagine trying to buy tickets for your favorite band’s concert, only to find the website down just minutes before they sell out. Or logging into the cloud to look through your cherished digital photos and discovering they’ve been lost because of a data center failure.
These scenarios are — at best — frustrating for you. But, for your customers, they can erode trust and damage your business’s reputation.
That’s why organizations invest in strategies like high availability (HA) and fault tolerance (FT).
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Log management best practices</title>
      <link>https://nxlog.co/news-and-blog/posts/log-management-best-practices/</link>
      <pubDate>Wed, 12 Mar 2025 00:00:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/log-management-best-practices/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        People think about logs as one of the biggest chores in the IT industry. Well, that does not necessarily need to be true. If you adhere to some fundamental log management best practices, the value you could get out of them quickly outweighs the effort put into managing them. Logs can easily become the best friend of IT teams looking to keep their systems secure, meet compliance requirements, and maintain a smoothly running network.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.5</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.5-release/</link>
      <pubDate>Thu, 27 Feb 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.5-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.5. This release brings several key improvements, changes, and fixes to aid usability, security, and performance. Our team is introducing a major change to log storage, adjustments in log retention settings, and expanded authentication options. Below, we highlight the most significant changes.
Enhanced data storage with ClickHouse
NXLog Platform 1.5 introduces a major upgrade to its data storage using ClickHouse, enhancing scalability and resilience while optimizing log storage and retrieval efficiency.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Install and enroll NXLog Agent automatically with Ansible and the Agent Management API</title>
      <link>https://nxlog.co/news-and-blog/posts/install-and-enroll-agents-automatically/</link>
      <pubDate>Mon, 10 Feb 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/install-and-enroll-agents-automatically/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        In my early days as a Junior Sysadmin, I learned the value of automation when tasked with configuring hundreds of Windows XP machines. Yes, there was a version of Windows called XP. Automating large and repetitive tasks saves time and ensures scalability and consistency in IT environments. Scalability has become very important in IT, and in the golden age of automation tools and APIs, what could be a better way to execute the mass deployment and configuration of your log collection tool than using these very mature and available technologies?
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How to choose a log management solution</title>
      <link>https://nxlog.co/news-and-blog/posts/how-to-choose-a-log-management-solution/</link>
      <pubDate>Mon, 06 Jan 2025 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/how-to-choose-a-log-management-solution/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Logs play a critical role in IT infrastructure, and choosing the right log management solution is key to effective operations. This guide explores the core principles for selecting a solution that aligns with your log collection and management needs. Given the wide range of options available, we categorize them into three main groups for clarity.
End-to-end Log Management Solutions
Security Information &amp; Event Management (SIEM)
Application Performance Monitoring and Observability (APM)
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.4</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.4-release/</link>
      <pubDate>Fri, 20 Dec 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.4-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are happy to announce the latest release of NXLog Platform, version 1.4. This release adds new features and bug fixes, including the ones highlighted below.
Improved agent onboarding
This release includes a new enhanced agent onboarding wizard. The process is much simpler yet achieves much more than the previous version. The new method incorporates everything you need to install, configure, and enroll your agents in five simple, easy-to-follow steps.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog redefines log management for the digital age</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-redefines-log-management-for-the-digital-age/</link>
      <pubDate>Thu, 19 Dec 2024 12:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-redefines-log-management-for-the-digital-age/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        New CEO appointed as the company’s founder, former CEO &amp; CTO, transitions to a dedicated CTO role, focusing on innovation in the observability and telemetry pipeline management market.
(LONDON, UK) – 19th December 2024 - NXLog, a leading technology provider of log management solutions, announced the appointment of Harald Reisinger as its new Chief Executive Officer. Co-founder and former CEO Botond Botyánszki will transition to the Chief Technology Officer (CTO) role.
      </description>
      
      <dc:creator>
        <![CDATA[ NXLog Team ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>2024 and NXLog - a review</title>
      <link>https://nxlog.co/news-and-blog/posts/year-in-review-2024/</link>
      <pubDate>Thu, 19 Dec 2024 00:00:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/year-in-review-2024/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        As another year draws to a close, we at NXLog are ready for one of the season’s traditions: reflecting on the year that was. For NXLog, 2024 marked two significant milestones: celebrating 12 years of the Company’s journey and unveiling its most ambitious product to date: NXLog Platform.
NXLog Platform launch
We couldn’t start a 2024 review in any other way. The launch of NXLog Platform was the culmination of a long process of envisioning, planning, and developing what we believe is a quantum leap in our log collection management solution.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>World of OpenTelemetry</title>
      <link>https://nxlog.co/news-and-blog/posts/world-of-opentelemetry/</link>
      <pubDate>Mon, 16 Dec 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/world-of-opentelemetry/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        With an ever-expanding choice of technologies on the market, navigating the range of open-source observability tools can be a challenge. Which is why, when it comes to managing complex multicloud environments and their services, standardization is crucial. Here’s where OpenTelemetry (OTel) can play a key role. Developed through the merger of OpenCensus and OpenTracing, OpenTelemetry has become the new standard for open-source telemetry.
Discover what OTel is, the types of telemetry data it encompasses, its potential benefits, and how NXLog can support your OpenTelemetry ecosystem.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Centralized Windows log collection - NXLog Platform vs. WEF</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-platform-vs-wef/</link>
      <pubDate>Wed, 27 Nov 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-platform-vs-wef/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.webp&#34; width=500 /&gt;
        
        One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Optimize log management and cut costs</title>
      <link>https://nxlog.co/news-and-blog/posts/reduce-data-size-and-cost/</link>
      <pubDate>Tue, 12 Nov 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/reduce-data-size-and-cost/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Data logging and event monitoring have become essential to provide security and performance monitoring of business operations. However, the vast volume of logs generated can lead to significant challenges, including high costs and inefficiencies.
Many companies collect an excessive number of logs, often missing out on the most critical security-related events. The majority of these logs, known as log noise, offer little to no value to security analysts and can obstruct timely access to high-priority security events.
      </description>
      
      <dc:creator>
        <![CDATA[ Paulo Ribeiro ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Platform 1.3</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-1.3-release/</link>
      <pubDate>Fri, 25 Oct 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-1.3-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We proudly announce the latest release of NXLog Platform, version 1.3. This release adds new features and bug fixes, including the ones highlighted below.
Improved installation and configuration
The installation processes for NXLog Platform and NXLog Agent received the following configuration improvements:
You can now configure the NXLog Platform hostname and specify a label when running the NXLog Agent installer to ease automatic enrollment and agent configuration. This configuration is available on Windows, Debian/Ubuntu, Red Hat Enterprise Linux, and macOS.
      </description>
      
      <dc:creator>
        <![CDATA[ Gábor Horváth ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>What is a telemetry pipeline? Understanding and building effective telemetry data pipelines</title>
      <link>https://nxlog.co/news-and-blog/posts/understanding-telemetry-pipelines/</link>
      <pubDate>Thu, 26 Sep 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/understanding-telemetry-pipelines/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Back in the day, Gordon Moore made relatively accurate observations and projections about the exponential growth of transistors on semiconductors. It still amazes me, yet very few predicted the incredible growth of system interconnectedness and the vast amount of data it generates. It is estimated that 90% of all data was created in the last two years. Given that everything is connected, the need for telemetry is growing at an unprecedented rate, and so is the need to efficiently channel and manage telemetry data.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution</title>
      <link>https://nxlog.co/news-and-blog/posts/platform-press-release/</link>
      <pubDate>Tue, 24 Sep 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/platform-press-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        NXLog Platform is a new centralized log management solution from the vendor with over 12 years of experience and 600 clients worldwide, including Fortune 500 companies.
The new solution stands out for the following unique features:
Agentless or agent-based log collection using the most versatile log processor and forwarder.
Cloud-ready self-hosted centralized agent and log management system for ultimate scalability.
High-volume, fast, schemaless long-term log retention database with high compression ratios.
      </description>
      
      <dc:creator>
        <![CDATA[ NXLog Team ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing the end-of-sale for NXLog Enterprise Edition and NXLog Manager</title>
      <link>https://nxlog.co/news-and-blog/posts/announcing-eos-nxlog-ee-manager/</link>
      <pubDate>Thu, 19 Sep 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/announcing-eos-nxlog-ee-manager/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are officially announcing that NXLog will no longer be selling NXLog Enterprise Edition and NXLog Manager. This decision reflects our commitment to evolving our product offerings and delivering more powerful, future-proof solutions.
While the sale of these products is ending, please be assured that we will continue to provide full technical support, maintenance, and bug fixes for both NXLog Enterprise Edition and NXLog Manager until the end of your contractual period.
      </description>
      
      <dc:creator>
        <![CDATA[ NXLog Team ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Welcome to the future of log management with NXLog Platform</title>
      <link>https://nxlog.co/news-and-blog/posts/announcing-nxlog-platform/</link>
      <pubDate>Wed, 28 Aug 2024 00:00:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/announcing-nxlog-platform/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        Centralized log management at the core of security monitoring
Enhance data visibility, streamline security operations, and reduce SIEM costs.
We are excited to announce the upcoming launch of our new centralized log management solution, NXLog Platform.
Over the past year, our team has been working hard to bring you an innovative log collection and management solution. In our 12&#43; years of experience in the industry, we have learned that one of the biggest challenges in log management is the number of dispersed systems you need to manage.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The CrowdStrike incident and how the NXLog agent operates</title>
      <link>https://nxlog.co/news-and-blog/posts/crowdstrike-incident-and-how-the-nxlog-agent-operates/</link>
      <pubDate>Thu, 25 Jul 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/crowdstrike-incident-and-how-the-nxlog-agent-operates/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        Automatic updates are recommended by many vendors as they are considered essential for safeguarding against security threats and maintaining system performance. Updates not only enhance security but also deliver bug fixes and new features, contributing to improved user experience. Software updates, however, come with the inherent risk of breaking existing functionality and can potentially interfere with other software or the operating system itself causing unintended side effects. Automatic updates that the user has no control over escalate the risk further.
      </description>
      
      <dc:creator>
        <![CDATA[ Botond Botyanszki ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NIS2 Directive: a strong request for better incident handling</title>
      <link>https://nxlog.co/news-and-blog/posts/nis2-directive/</link>
      <pubDate>Thu, 18 Jul 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nis2-directive/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.png&#34; width=500 /&gt;
        
        Did you know the European Union created a rule called the NIS Directive? This rule was established in 2016 to ensure that all member countries are equally protected against cyber attacks. It’s a step towards making it easier for governments to work together to stop cyber threats. However, the Directive was expected to provide more specific instructions for protecting against attacks and ensuring all countries follow the rule. The rule also requires companies and governments to be better prepared to handle cyber attacks and have a plan in case something goes wrong.
      </description>
      
      <dc:creator>
        <![CDATA[ Jonathan King, Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Onboarding Microsoft NPS logs</title>
      <link>https://nxlog.co/news-and-blog/posts/microsoft-nps-integration/</link>
      <pubDate>Wed, 26 Jun 2024 09:42:09 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/microsoft-nps-integration/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        For those of us who manage network authentication and authorization, RADIUS is a familiar term. This protocol was introduced in the last century, and many of us from those days still remember the old-school diagrams, which surprisingly remain on the Cisco Systems website today.
Figure 1. Interaction between dial-in user requests, the RADIUS client and server © Cisco
RADIUS, which stands for Remote Authentication Dial-In User Service, was developed to address a specific challenge.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 5.11</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-5.11-release/</link>
      <pubDate>Thu, 20 Jun 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-5.11-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are excited to announce the release of NXLog Enterprise Edition 5.11. This latest version introduces two new features and addresses over twenty important issues, including two of the most significant, which are highlighted in this announcement.
Key enhancements in NXLog Enterprise Edition 5.11
Support for new macOS ES events
NXLog Enterprise Edition 5.11 now supports the events introduced by version 13 of the macOS Endpoint Security (ES) API. Check the official Apple documentation for the most up-to-date list of events supported by the macOS ES API.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 2.1</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-2.1-release/</link>
      <pubDate>Fri, 31 May 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-2.1-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 2.1 of its powerful, schemaless SQL-like database engine. This release focuses on performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Performance improvements
As mentioned, this release focused on optimizing the performance of partitioned database tables. Partitioned tables store data in separate locations with their own set of metadata based on the values present in the data.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>What is agentless log collection?</title>
      <link>https://nxlog.co/news-and-blog/posts/agentless-log-collection/</link>
      <pubDate>Tue, 28 May 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/agentless-log-collection/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.png&#34; width=500 /&gt;
        
        Agentless log collection refers to gathering log data from various sources without installing dedicated software agents on the systems generating the logs. Instead, it leverages protocols such as SNMP traps, WECS, WMI, and syslog to retrieve log data remotely.
It is easier to explain what agentless log collection is by also providing some context about agent-based log collection. The truth is that these two options for collecting logs walk hand in hand, meaning that they can and will likely coexist on your network.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Ingesting log data from Debian UFW to Loki and Grafana</title>
      <link>https://nxlog.co/news-and-blog/posts/ingest-data-from-debian-ufw-to-loki-grafana/</link>
      <pubDate>Tue, 21 May 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ingest-data-from-debian-ufw-to-loki-grafana/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.png&#34; width=500 /&gt;
        
        An excellent way to get started in a new technology area or refresh our knowledge is to devise a solution based on a small idea or need. This blog post covers such a situation, with a small personal project demonstrating how to use NXLog’s powerful features.
I embarked on a small pet project centered around a cloud machine running Debian 10. It connects telemetry from my home, country house, and notebook.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov, Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Harnessing TPM encryption with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/harnessing-tpm-encryption-with-nxlog/</link>
      <pubDate>Tue, 14 May 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/harnessing-tpm-encryption-with-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        In an increasingly digitalized world, protecting your business’s digital assets is becoming more urgent by the day. Realizing the need to protect data from malicious actors, researchers created encryption. And I am not talking about the Enigma here, but software-based encryption algorithms, with their public and private signing keys, and so on.
Like every other technology, encryption methods have evolved throughout the years. However, the goal remained the same: encryption is there to secure our digital communications.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 6.3</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-6.3-release/</link>
      <pubDate>Mon, 13 May 2024 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-6.3-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We proudly announce the latest release of NXLog Enterprise Edition, version 6.3. This release adds new features and bug fixes, including the ones highlighted below.
Support for parsing DTS Compliant logs from Microsoft Network Policy Server (NPS)
The xm_nps extension module now supports parsing the newest DTS Compliant log format from Microsoft NPS.
The module can now automatically parse all NPS log types, including legacy ODBC and IAS, without you having to specify the log type when configuring the module.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NIST Cybersecurity Framework 2.0. Update Takeaways</title>
      <link>https://nxlog.co/news-and-blog/posts/nist-cybersecurity-framework-20-update-takeaways/</link>
      <pubDate>Fri, 12 Apr 2024 09:10:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nist-cybersecurity-framework-20-update-takeaways/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.webp&#34; width=500 /&gt;
        
        On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework.
What is NIST CSF
The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 2.0</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-2.0-release/</link>
      <pubDate>Thu, 14 Mar 2024 08:31:53 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-2.0-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 2.0 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Enhanced table partitioning
Table partitioning is a key factor in database management, improving query performance by only searching through relevant information and optimizing storage by efficiently pruning irrelevant content.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog Agent on Submarines</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-on-submarines/</link>
      <pubDate>Mon, 11 Mar 2024 11:56:44 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-on-submarines/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Agent is employed?
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Digital substations and log collection</title>
      <link>https://nxlog.co/news-and-blog/posts/digital-substation-centralized-logging/</link>
      <pubDate>Mon, 26 Feb 2024 14:06:44 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/digital-substation-centralized-logging/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Substation automation is ultimately becoming digitalized, so it requires proper monitoring for both operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The evolution of event logging: from clay tablets to Taylor Swift</title>
      <link>https://nxlog.co/news-and-blog/posts/the-evolution-of-event-logging/</link>
      <pubDate>Tue, 06 Feb 2024 18:22:29 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/the-evolution-of-event-logging/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Event logs are our breakfast, lunch, and dinner at NXLog. Before NXLog, I worked on an API that collected software usage logs. And before that, on a centralized log management application. Today, after a career of dealing with logs, I wondered, &#34;How did our world come to rely so much on event logging?&#34;
I mean, in the vast landscape of technological progress, the history of event logging is only a minor subplot.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience</title>
      <link>https://nxlog.co/news-and-blog/posts/migrate-to-nxlog-ee-6/</link>
      <pubDate>Fri, 02 Feb 2024 10:20:55 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/migrate-to-nxlog-ee-6/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        NXLog Enterprise Edition 5 has been with us for nearly four years. That’s four years of being an industry-leading log collection tool adored by engineering teams and Fortune 100 customers around the globe. And while the NXLog Enterprise Edition 5 story isn’t yet over, it needs to move forward to keep pace with modern technologies and new demands.
Like any good muscle car, NXLog EE 5 has its limits, and so back in 2022 we came face-to-face with a problem - it required too much to change under the hood to stay modern and effective.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 1.5</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-1.5-release/</link>
      <pubDate>Fri, 26 Jan 2024 09:31:53 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-1.5-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 1.5 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Centralized storage for simpler management
Until now, Raijin stored various stateful files in different locations across the system, requiring additional effort to keep track of that content. Raijin has now been refactored to use /data as the base directory.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>GLBA Compliance in 2024 - Reporting directly to the FTC</title>
      <link>https://nxlog.co/news-and-blog/posts/glba-compliance/</link>
      <pubDate>Tue, 23 Jan 2024 19:26:49 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/glba-compliance/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.png&#34; width=500 /&gt;
        
        The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500&#43; consumers is involved.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The story of the $1,900,000 penalty for insufficient log management</title>
      <link>https://nxlog.co/news-and-blog/posts/ny-crr-500-compliance/</link>
      <pubDate>Thu, 11 Jan 2024 06:47:55 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ny-crr-500-compliance/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.png&#34; width=500 /&gt;
        
        It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier.
Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>2023 and NXLog - a review</title>
      <link>https://nxlog.co/news-and-blog/posts/year-in-review-2023/</link>
      <pubDate>Fri, 22 Dec 2023 06:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/year-in-review-2023/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        It’s finally the holiday season, and we’re down to a skeleton staff here at NXLog. It’s nearly time for us to shut down our laptops, pick up a cup of hot chocolate (or mulled wine if we’re lucky), and get ready for a week or so of reading, relaxing, opening presents, perhaps coping with distant relatives, and all-around merry-making over the holiday period.
So we hope you’ll forgive us if we keep this recap of 2023 succinct.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 5.10</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-5.10-release/</link>
      <pubDate>Thu, 21 Dec 2023 04:23:17 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-5.10-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are excited to announce the release of NXLog Enterprise Edition 5.10. This latest version addresses over twenty important issues - the two most significant are mentioned in this announcement - and introduces two features backported from NXLog Enterprise Edition 6.
Key enhancements in NXLog Enterprise Edition 5.10
ElasticSearch integration
NXLog Enterprise Edition 5.10 now allows ElasticSearch users to send data as a stream. This feature enables the storage of events in an append-only, single-named manner, enhancing data management and retrieval efficiency.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov, Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 1.4</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-1.4-release/</link>
      <pubDate>Tue, 12 Dec 2023 11:22:56 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-1.4-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 1.4 of its powerful, schemaless SQL-like database engine. This version introduces new functionality for managing users and views, among several fixes and performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Improved user management
This release builds on the previous one to provide better user management and auditing. With the SHOW USERS command, you can now retrieve a list of your Raijin users and their authentication type.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 6.2</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-6.2-release/</link>
      <pubDate>Mon, 04 Dec 2023 06:54:43 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-6.2-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We proudly announce the latest release of NXLog Enterprise Edition, version 6.2. This release adds some new features and includes bug fixes and stability enhancements.
File and folder symlink support
In this release, the primary focus was on adding uniform support for file and folder symlinks. The new development affects the im_file and im_fim modules when collecting logs from files, and when using File Integrity Monitoring. The new feature is available to use with the newly introduced directive FollowSymlink.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Three easy ways to optimize your Windows logs - Reduce cost, network load, and time</title>
      <link>https://nxlog.co/news-and-blog/posts/optimizing-log-data/</link>
      <pubDate>Wed, 08 Nov 2023 06:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/optimizing-log-data/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        If you are capturing Windows Event Logs on a large scale, you know that the more logs you collect, the more resources you need. Thus, the more expensive your SIEM becomes. The main issue is a large amount of the log data you are sending to your SIEM contains no valuable information. This means you waste a sizable portion of your cost on what the industry calls “log noise”.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Manager 5.7</title>
      <link>https://nxlog.co/news-and-blog/posts/manager-5.7-release/</link>
      <pubDate>Fri, 03 Nov 2023 10:54:43 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/manager-5.7-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are pleased to announce the latest release of NXLog Manager, version 5.7. This release addresses several CVE issues, adds support for NXLog’s Microsoft Azure modules, and provides an updated Docker image.
Read on to find out more about these new features.
A more secure NXLog Manager
This version addresses multiple known Common Vulnerabilities and Exposures (CVE), reducing the attack surface in our customers&#39; systems. See the release notes for a complete list of corrected CVEs.
      </description>
      
      <dc:creator>
        <![CDATA[ Rui Oliveira ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 6.1</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-6.1-release/</link>
      <pubDate>Fri, 20 Oct 2023 13:54:43 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-6.1-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We proudly announce the latest release of NXLog Enterprise Edition, version 6.1. This release adds new features to our Google Chronicle and Kafka output modules to provide more flexible configuration, introduces support for certificates with TPM-attested keys, and implements enhancements to our HTTP input module.
Read on to find out more about these new features.
More flexibility for your Google Chronicle integration
We continue to build up our Google Chronicle output module with new functionality to give you more flexibility and control over your data.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Log management for maritime cybersecurity compliance regulations</title>
      <link>https://nxlog.co/news-and-blog/posts/maritime-regulations/</link>
      <pubDate>Tue, 17 Oct 2023 06:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/maritime-regulations/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.webp&#34; width=500 /&gt;
        
        Historically, seaports have played a crucial role in a state’s development, and interruption in their services has a significant impact on economics. So, it’s no surprise commercial ports are regarded as a critical transport infrastructure.
One of the most significant challenges ports face today is ongoing digital transformation. The majority of tasks carried out across a port utilize autonomous and partially automated systems, including those for managing port access, vessel berthing (bridges, locks, gates, etc.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 1.3</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-1.3-release/</link>
      <pubDate>Fri, 06 Oct 2023 16:46:22 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-1.3-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 1.3 of its powerful, schemaless SQL-like database engine. This version implements user authentication and permissions and focuses on enhancing performance and robustness.
New user authentication and permissions
This release introduces certificate and password-based user authentication and granular user permissions. You can grant permissions at the database or table level with support for the following privileges:
ALL PRIVILEGE (superuser)
CREATE
SELECT
INSERT
DROP
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6</title>
      <link>https://nxlog.co/news-and-blog/posts/upgrading-ee5-to-ee6/</link>
      <pubDate>Mon, 11 Sep 2023 07:03:34 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/upgrading-ee5-to-ee6/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.png&#34; width=500 /&gt;
        
        The NXLog team is constantly improving the quality of NXLog Enterprise Edition and will soon introduce a new major release - NXLog Enterprise Edition 6.0. This release will bring a large number of changes and it is important to correctly adapt your current configuration when upgrading your system.
Warning
We strongly recommend testing NXLog Enterprise Edition 6.0 operation on a smaller set of devices before committing to a full-scale upgrade of your complete system.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 6.0</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-6.0-release/</link>
      <pubDate>Mon, 11 Sep 2023 06:42:13 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-6.0-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We proudly announce the latest release of NXLog Enterprise Edition, version 6.0. This major release includes new NXLog language data types, additional TCP and HTTP configuration options, and enhancements to our Elasticsearch and remote administration modules. It will help you improve data integration and handling, enhance manageability, and increase cost efficiency.
Empower your data integration with new &#34;Array&#34; and &#34;Hash&#34; data types
As the NXLog configuration language now supports compound values with Array and Hash data types, you can enhance data integrity and coherence.
      </description>
      
      <dc:creator>
        <![CDATA[ Alexander Lifanov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The cybersecurity challenges of modern aviation systems</title>
      <link>https://nxlog.co/news-and-blog/posts/the-cybersecurity-challenges-of-modern-aviation-systems/</link>
      <pubDate>Fri, 08 Sep 2023 01:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/the-cybersecurity-challenges-of-modern-aviation-systems/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Since the Wright brothers&#39; first flight, the aviation industry has been advancing at an unprecedented rate. But it has always been a step behind other sectors in some areas, for safety and security reasons. Engineers are only allowed to apply well-matured technologies thoroughly trialed in different industries. Civil aviation, especially from the IT and IT security perspective, is a bit like Debian among the Linux operating systems. It does not always include all the latest inventions, but it aims to be safe and very stable in return.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 1.2</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-1.2-release/</link>
      <pubDate>Fri, 11 Aug 2023 14:33:55 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-1.2-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 1.2 of its powerful, schemaless SQL-like database engine. This version introduces significant performance improvements and usability enhancements.
Faster data ingestion and query performance
This release optimizes data ingestion by introducing partial parallelization. Raijin Database now parses and inserts batches of data simultaneously, resulting in up to 15% faster ingestion.
The team also addressed bottlenecks in the SELECT and COPY statements and implemented several optimizations to improve overall query performance.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The Sarbanes-Oxley (SOX) Act and security observability</title>
      <link>https://nxlog.co/news-and-blog/posts/sox-and-security-observability/</link>
      <pubDate>Wed, 09 Aug 2023 06:25:08 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/sox-and-security-observability/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.png&#34; width=500 /&gt;
        
        SOX - an overview
Serious financial fraud was never considered a real risk while investing in U.S.-listed stocks until 2001, when energy giant Enron Corporation, which held $63.4 billion in assets, collapsed. It was revealed that the company had been misleading investors for years and the company’s stock price quickly plummeted from $90 to less than $1 per share. It was the largest bankruptcy in US history, followed by a $40 billion lawsuit and imprisonment for the corporation’s executives.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>PCI DSS 4.0 compliance: Logging requirements and best practices</title>
      <link>https://nxlog.co/news-and-blog/posts/pci-dss-log-collection-compliance/</link>
      <pubDate>Wed, 02 Aug 2023 04:23:17 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/pci-dss-log-collection-compliance/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.png&#34; width=500 /&gt;
        
        With PCI DSS 4.0, logging plays an even more critical role in safeguarding cardholder data. In this post, we’ll break down the key PCI DSS logging requirements, explore best practices for log retention and monitoring, and highlight key areas where NXLog Platform can help you stay secure and compliant.
What is PCI DSS?
PCI DSS, or Payment Card Industry Data Security Standard, is a collection of security requirements developed by major credit card companies to safeguard merchants who accept credit card payments by ensuring they provide a secure environment.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Detect threats using NXLog and Sigma</title>
      <link>https://nxlog.co/news-and-blog/posts/detect-threats-using-nxlog-and-sigma/</link>
      <pubDate>Thu, 27 Jul 2023 09:42:06 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/detect-threats-using-nxlog-and-sigma/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an infosec perspective, the end goals are threat detection, forensics, and remediation.
However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event management (SIEM) systems, security analytics platforms, cloud ecosystems, and long-term storage.
      </description>
      
      <dc:creator>
        <![CDATA[ Konstantinos Samalekas ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>HIPAA logging requirements and how to ensure compliance</title>
      <link>https://nxlog.co/news-and-blog/posts/hipaa-compliance/</link>
      <pubDate>Wed, 19 Jul 2023 09:25:08 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/hipaa-compliance/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. HIPAA’s Privacy, Security, and Breach Notification rules require healthcare providers and their partners to protect electronic protected health information (ePHI) through robust access controls, breach reporting, and documentation practices.
A critical part of this compliance effort involves maintaining detailed audit logs that track who accessed, modified, or disclosed PHI, and retaining HIPAA logs for at least six years.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Understanding memory usage in NXLog Agent</title>
      <link>https://nxlog.co/news-and-blog/posts/understanding-memory-usage-in-nxlog/</link>
      <pubDate>Wed, 12 Jul 2023 09:42:09 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/understanding-memory-usage-in-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        Understanding how NXLog Agent allocates memory is essential to optimize your configuration for performance and utilize system resources efficiently.
NXLog Agent is designed for high-performance log collection and processing and is optimized to use system resources efficiently. However, various external factors affect how NXLog Agent uses system resources, including memory, which can impact NXLog Agent’s and its host’s performance. Misconfiguration is the leading factor we see when troubleshooting excessive memory consumption.
      </description>
      
      <dc:creator>
        <![CDATA[ Gábor Horváth ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 5.9</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-5.9-release/</link>
      <pubDate>Tue, 20 Jun 2023 04:23:17 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-5.9-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        We are proud to announce the latest release of NXLog Enterprise Edition, version 5.9. This release focuses on bringing you new supported platforms and configuration options.
Read on to find out more about some of these new features.
Added protocols to network packet capture information
Our administrative module (xm_admin) now returns a list of protocols configured in a packet capture (im_pcap) instance when you request server or module information. This allows you to track, count, and report on the network protocols you are monitoring.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina, Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Industrial cybersecurity - The facts</title>
      <link>https://nxlog.co/news-and-blog/posts/cybersecurity-for-ot-scada-iiot/</link>
      <pubDate>Thu, 08 Jun 2023 14:25:08 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/cybersecurity-for-ot-scada-iiot/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.png&#34; width=500 /&gt;
        
        In Feb 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential terroristic act did not come to fruition.
Two years later, we still have no details on the malicious actor.
      </description>
      
      <dc:creator>
        <![CDATA[ Roman Krasnov ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 1.1</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-1.1-release/</link>
      <pubDate>Tue, 30 May 2023 09:25:31 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-1.1-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.png&#34; width=500 /&gt;
        
        Raijin has announced the release of version 1.1 of its powerful, schemaless SQL-like database engine. Many new features have been added to version 1.1.
Let’s take a look at the highlights.
Prometheus exporter improvements
Introduced disk usage statistics - Disk usage statistics about free space availability and file system size were introduced.
Introduced query statistics - Event and query statistics were introduced in the Prometheus exporter. The following statistics can be queried:
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics & Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How to monitor file access in Windows</title>
      <link>https://nxlog.co/news-and-blog/posts/monitoring-file-access-on-windows/</link>
      <pubDate>Fri, 26 May 2023 06:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.png</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/monitoring-file-access-on-windows/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.png&#34; width=500 /&gt;
        
        File access auditing is the process of tracking who reads, modifies, or deletes files on a system, providing a record of user activity for security and compliance purposes. On Windows systems, this is especially important for monitoring sensitive or business-critical files, such as financial records, HR data, or confidential customer information, where unauthorized access could result in a data breach or regulatory violation.
In this post, I’ll show you how to enable file access auditing on Windows and use NXLog Agent to collect and forward file access events to help you protect sensitive data and meet compliance requirements.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>BROP attacks - What is it and how to defend yourself?</title>
      <link>https://nxlog.co/news-and-blog/posts/brop-attacks/</link>
      <pubDate>Tue, 09 May 2023 09:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/brop-attacks/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Have you ever locked yourself out of your car? After calling for roadside service, your tow truck driver forces the internal locking mechanism open with a slim-jim. Car thieves quickly discovered this technique and began using it to steal cars. Digital thieves have devised a similar attack called a Blind Return-Oriented Programming (Blind ROP, or just BROP) attack. It’s as quiet as a jackhammer on cement, but an attacker can open a remote shell and gain remote code execution on your server if the conditions are right.
      </description>
      
      <dc:creator>
        <![CDATA[ Jonathan King ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>CISO starter pack - Security Policy</title>
      <link>https://nxlog.co/news-and-blog/posts/ciso-starter-pack-security-policy/</link>
      <pubDate>Tue, 02 May 2023 08:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ciso-starter-pack-security-policy/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        The three characteristics your data must possess at all times, as dictated by your IT Security Policy, are:
It must be confidential
It must be available and
It must not have any unauthorized modifications
Your log policy will only be as good as the IT Security policy infrastructure behind it. And as much as we love talking about logs, that’s part of a more considerable general discussion about security policies.
      </description>
      
      <dc:creator>
        <![CDATA[ Jonathan King ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 5.8</title>
      <link>https://nxlog.co/news-and-blog/posts/ee-5.8-release/</link>
      <pubDate>Mon, 24 Apr 2023 10:23:17 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ee-5.8-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        We are proud to announce the latest release of NXLog Enterprise Edition, version 5.8. Our newest release includes new modules, better integrations, and additional metrics to collect across your organization.
Read on to find out more about some of these new features.
Native Salesforce module
We’ve built a new native module (im_salesforce) for ingesting logs from Salesforce. With this, you no longer have to run an external Python-based Add-On script.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Our customers asked - Execution of PowerShell scripts inside NXLog Exec modules</title>
      <link>https://nxlog.co/news-and-blog/posts/execution-of-powershell-scripts-inside-exec-modules/</link>
      <pubDate>Fri, 21 Apr 2023 06:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/execution-of-powershell-scripts-inside-exec-modules/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        PowerShell scripts can be used with NXLog for generating, processing, and forwarding logs, as well as for generating configuration content. In this article, we will take a look at how to execute PowerShell directly from NXLog.
You can run a PowerShell script in multiple NXLog instances without using any PowerShell script file; this is achievable by having the script code directly in NXLog’s exec modules. This is ideal because if you need to make any change to the script, it’s easier to modify just the NXLog module rather than change the script on every computer used.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Community Edition 3.2</title>
      <link>https://nxlog.co/news-and-blog/posts/ce-3.2-release-announcement/</link>
      <pubDate>Thu, 20 Apr 2023 13:23:33 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ce-3.2-release-announcement/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        We’re glad to announce the latest release of NXLog Community Edition. This release mainly fixes an issue where the file_name() function returns an unknown error.
We’ve also stopped officially supporting the Android mobile operating system.
Get in touch with our team if you have any questions, or request a free trial of our flagship log collection solution, NXLog Enterprise Edition, below.
NXLog Platform is an on-premises solution for centralized log management with versatile processing forming the backbone of security monitoring.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>MFA Fatigue - What it is, and how to combat it</title>
      <link>https://nxlog.co/news-and-blog/posts/combatting-mfa-fatigue/</link>
      <pubDate>Thu, 13 Apr 2023 10:00:00 -0500</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/combatting-mfa-fatigue/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        A multi-factor authentication (MFA) fatigue attack is a social engineering cyberattack strategy where attackers repeatedly try to make second-factor authentication requests to the target’s email, phone, or other registered devices to gain access to the system. You may also hear an MFA fatigue attack referred to as MFA Bombing, 2FA fatigue, MFA push spam, MFA Spamming, or prompt bombing.
Technology administrators are always playing a never-ending game of cat and mouse when it comes to threat actors.
      </description>
      
      <dc:creator>
        <![CDATA[ Jonathan King ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>CISO starter pack - Log collection fundamentals</title>
      <link>https://nxlog.co/news-and-blog/posts/ciso-log-collection-fundamentals/</link>
      <pubDate>Mon, 03 Apr 2023 15:22:14 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/ciso-log-collection-fundamentals/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs: the why and the what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.
      </description>
      
      <dc:creator>
        <![CDATA[ Jonathan King ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin announces release of version 1.0</title>
      <link>https://nxlog.co/news-and-blog/posts/raijin-1.0-release/</link>
      <pubDate>Thu, 09 Mar 2023 14:25:31 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/raijin-1.0-release/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        Raijin has announced the release of version 1.0 of its powerful schemaless SQL database engine, furthering its goal of &#34;solving schema rigidity&#34; in modern databases. Many new features have been added to this version 1.0 milestone release.
Let’s take a look at some of the headline features.
The power of SQL without the drawbacks
SQL has been the titan of database query languages for decades, and it is still ubiquitous the world over.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Our customers asked - Collecting Windows DNS resolved address with NXLog Agent</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-dns-resolved-address/</link>
      <pubDate>Mon, 20 Feb 2023 16:42:09 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-dns-resolved-address/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging.
The Windows DNS Server section in the NXLog Integrations Guides offers a comprehensive guide on collecting log records from a Windows DNS Server.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Avoid vendor lock-in and declare SIEM independence</title>
      <link>https://nxlog.co/news-and-blog/posts/avoid-vendor-lock-in-and-declare-siem-independence/</link>
      <pubDate>Mon, 13 Feb 2023 14:25:08 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/avoid-vendor-lock-in-and-declare-siem-independence/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion within five years.
It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it.
As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Our customers asked - How to start an NXLog module with a delay?</title>
      <link>https://nxlog.co/news-and-blog/posts/starting-modules-with-delay/</link>
      <pubDate>Mon, 06 Feb 2023 22:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/starting-modules-with-delay/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        There are several reasons you might want to start a particular NXLog module with a delay. You can think of it like delaying the start of a Windows service. In most cases, you need to do this for performance reasons. But there might be other scenarios where you would want to do this, such as collecting logs during a specific time frame. If you have, for example, a less critical module block, you can prioritize the more important one by delaying the less important one.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog in the world - January 2023</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-in-the-world-january-2023/</link>
      <pubDate>Thu, 02 Feb 2023 10:18:10 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-in-the-world-january-2023/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        A round-up of some of our favorite social media chatter about NXLog this month.
Tecmint: Most notable open source log collection tools - NXLog features on the list of top centralized log collection tools
Blumira: Windows Firewall with GPOs - NXLog is recommended to be used in managing the Windows Firewall with GPOs
StationX: CompTIA Security&#43; Cheat Sheet - NXLog is part of the CompTIA Security&#43; exam
Reddit: Filter logon/logoff events from AD - How to filter logon/logoff logs from Active Directory with NXLog agent, and shipping to a syslog-ng server
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Our customers asked - Input stream EPS tracking with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/input-stream-eps-tracking/</link>
      <pubDate>Tue, 31 Jan 2023 22:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/input-stream-eps-tracking/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        This post is the first in a series of answers to questions that our customers asked.
Clarifying EPS
EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Announcing NXLog Enterprise Edition 5.7</title>
      <link>https://nxlog.co/news-and-blog/posts/announcing-nxlog-ee-5.7/</link>
      <pubDate>Fri, 20 Jan 2023 14:52:07 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/announcing-nxlog-ee-5.7/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        New year, new NXLog Enterprise Edition.
Our developers have been hard at work throughout the holiday season to release the latest version of our flagship log collection solution. We are proud to announce NXLog Enterprise Edition 5.7, which includes bug fixes, security updates, and, of course, many new features.
Read on to find out more about some of these new features.
Native support for Google Cloud Logging, Amazon S3, and Microsoft 365
Google Cloud Logging, Amazon S3, and Microsoft 365 integrations were already available as Add-Ons to NXLog Enterprise Edition.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown, László Földesi ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog Agent vs Splunk Universal Forwarder</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-vs-splunk-universal-forwarder/</link>
      <pubDate>Mon, 16 Jan 2023 22:40:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-vs-splunk-universal-forwarder/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.webp&#34; width=500 /&gt;
        
        NXLog Agent supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.
If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the information you need to take the next step toward a better log collection strategy.
NXLog Agent and Splunk Universal Forwarder feature comparison
Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog - 2022 in review</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-2022-in-review/</link>
      <pubDate>Thu, 22 Dec 2022 13:23:13 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-2022-in-review/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        We’ve come to the end of 2022, and what a year it’s been. It was a year marked by war, economic toil, and addressing the aftermath of the Covid-19 pandemic.
Europe was immediately thrust into crisis in February when the Russia-Ukraine War began. Unfortunately, as an Eastern European-based company, many of our colleagues were directly affected by it.
Then, more recently and in the United States especially, many tech companies began restructuring their organizations to deal with the looming economic problems that are forecast.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Need to replace syslog-ng? Changing to NXLog is easier than you think</title>
      <link>https://nxlog.co/news-and-blog/posts/converting-your-syslog-ng-configuration-to-nxlog/</link>
      <pubDate>Wed, 23 Nov 2022 18:34:00 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/converting-your-syslog-ng-configuration-to-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task.
How do syslog-ng and NXLog differ?
syslog-ng and NXLog are alike in many ways.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The EU&#39;s response to cyberwarfare</title>
      <link>https://nxlog.co/news-and-blog/posts/eu-response-to-cyberwarfare/</link>
      <pubDate>Tue, 22 Nov 2022 08:38:21 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/eu-response-to-cyberwarfare/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, &#34;boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities.&#34;
However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Looking beyond Cybersecurity Awareness Month</title>
      <link>https://nxlog.co/news-and-blog/posts/looking-beyond-cybersecurity-awareness-month/</link>
      <pubDate>Tue, 08 Nov 2022 09:12:37 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/looking-beyond-cybersecurity-awareness-month/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Cybersecurity Awareness Month has come and gone again. October marks that festive time of year when companies circulate their mandatory think pieces, remind their employees of the dangers of clicking questionable links, and pat themselves on the back and call it a day. Here’s your friendly November reminder to keep your wits about you year-round.
A (brief) history of Cybersecurity Awareness Month
The Cybersecurity Awareness Month story began as a partnership between an American governmental agency, the Cybersecurity and Infrastructure Agency (CISA), and the National Cyber Security Alliance non-profit.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Assertive compliance - using frameworks to extend your coverage</title>
      <link>https://nxlog.co/news-and-blog/posts/assertive-compliance-using-frameworks-to-extend-your-coverage/</link>
      <pubDate>Fri, 30 Sep 2022 00:19:19 +0300</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/assertive-compliance-using-frameworks-to-extend-your-coverage/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.webp&#34; width=500 /&gt;
        
        So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.
      </description>
      
      <dc:creator>
        <![CDATA[ Jason Carney ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>GDPR compliance and log management best practices</title>
      <link>https://nxlog.co/news-and-blog/posts/gdpr-compliance/</link>
      <pubDate>Fri, 23 Sep 2022 12:16:54 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/gdpr-compliance/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.webp&#34; width=500 /&gt;
        
        The European Union’s General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Many of us remember the influx of marketing emails around this time, with companies updating their privacy policies and asking for the consent of around 450 million Europeans to continue using their personal data.
An often misunderstood participant of this compliance quest is log data—​a source potentially rich in protected personal data. So, how does the GDPR apply to an organization’s log data?
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The disappearing Windows DNS debug log</title>
      <link>https://nxlog.co/news-and-blog/posts/disappearing-dns-debug-log/</link>
      <pubDate>Thu, 18 Aug 2022 00:19:19 +0300</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/disappearing-dns-debug-log/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description of how to enable debug logging for the DNS service on Windows; this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog in an industrial control security context</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-in-an-industrial-control-security-context/</link>
      <pubDate>Wed, 10 Aug 2022 12:45:35 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-in-an-industrial-control-security-context/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Industrial Control Systems (ICS) have evolved over the years and now have a lot in common with traditional IT systems. Low-cost Ethernet and IP devices are replacing older, proprietary technology, which opens up new possibilities to improve connectivity and remote access. However, it also increases vulnerability to cyberattacks and incidents since the system is no longer segregated. Due to the nature of ICS, they differ from other IT systems. A compromised system can cause severe damage to the environment, incur substantial financial and production losses, and negatively impact an entire nation.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Raijin vs Elasticsearch</title>
      <link>https://nxlog.co/news-and-blog/posts/comparing-raijin-with-elasticsearch/</link>
      <pubDate>Tue, 09 Aug 2022 18:31:22 +0300</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/comparing-raijin-with-elasticsearch/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.webp&#34; width=500 /&gt;
        
        Log collection is most closely linked to enterprise security practices—​for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Send email alerts from NXLog using Python, Perl, or Ruby</title>
      <link>https://nxlog.co/news-and-blog/posts/send-email-alerts-using-python-perl-and-ruby-with-nxlog/</link>
      <pubDate>Wed, 03 Aug 2022 15:40:00 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/send-email-alerts-using-python-perl-and-ruby-with-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        NXLog is a versatile log collector that easily integrates with other software, platforms, and programming languages. Out-of-the-box it supports integration with many third-party solutions through its input, output, and extension modules. Moreover, extending NXLog with custom functionality is as easy as writing an application or script in your favorite programming language and loading it from the configuration.
Email notifications of events indicating potential security breaches or severe application errors are a standard procedure for IT admins and DevOps engineers.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>The benefits of log aggregation</title>
      <link>https://nxlog.co/news-and-blog/posts/log-aggregation-the-benefits-and-requirements/</link>
      <pubDate>Mon, 01 Aug 2022 13:25:49 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/log-aggregation-the-benefits-and-requirements/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Logs are a record of the internal workings of a system. Nowadays, organizations can have hundreds and, more regularly, thousands of managed computers, servers, mobile devices, and applications; even refrigerators are generating logs in this Internet of Things era. The result is the production of terabytes of log data—​event logs, network flow logs, and application logs, to name a few—​that must be carefully sorted, analyzed, and stored.
Without a log management tool, you would need to manually search through many directories of log files on each system to access and extract meaning from these millions of event logs.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Security logging on Windows - beyond 4625</title>
      <link>https://nxlog.co/news-and-blog/posts/security-logging-on-windows-beyond-4625/</link>
      <pubDate>Tue, 28 Jun 2022 23:51:40 +0300</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/security-logging-on-windows-beyond-4625/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How NXLog can help meet compliance mandates</title>
      <link>https://nxlog.co/news-and-blog/posts/how-nxlog-can-help-meet-compliance-mandates/</link>
      <pubDate>Wed, 01 Jun 2022 22:14:36 +0300</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/compliance.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/how-nxlog-can-help-meet-compliance-mandates/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/compliance.webp&#34; width=500 /&gt;
        
        Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process.
So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Collecting kernel events with NXLog for analysis in the Elastic stack</title>
      <link>https://nxlog.co/news-and-blog/posts/collecting-kernel-events-with-nxlog-for-analysis-in-the-elastic-stack/</link>
      <pubDate>Mon, 30 May 2022 05:28:47 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/collecting-kernel-events-with-nxlog-for-analysis-in-the-elastic-stack/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
      </description>
      
      <dc:creator>
        <![CDATA[ Igor Bezzubchenko ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog provides native support for Google Chronicle</title>
      <link>https://nxlog.co/news-and-blog/posts/native-support-for-google-chronicle/</link>
      <pubDate>Wed, 11 May 2022 17:40:40 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/native-support-for-google-chronicle/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform.
About Google Chronicle
Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs, allowing them to take a holistic approach to threat detection.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Deploying and managing NXLog with Puppet</title>
      <link>https://nxlog.co/news-and-blog/posts/deploying-and-managing-nxlog-with-puppet/</link>
      <pubDate>Sat, 19 Mar 2022 12:45:35 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/deploying-and-managing-nxlog-with-puppet/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Puppet Bolt is an open-source orchestration tool that automates the manual configuration and management of your infrastructure.
In this post, we will look at how you can create your Puppet Bolt project directory, your inventory YAML file, and finally, your Puppet Bolt Plan to deploy NXLog on a variety of Operating Systems.
Why use Puppet Bolt to deploy NXLog?
Apart from the usual tasks of updating software packages, configuring web servers and databases, the need for constant logging has become extremely important, and a de facto necessity nowadays.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Cyberattacks on the power grid - are you prepared?</title>
      <link>https://nxlog.co/news-and-blog/posts/cyberattacks-on-the-power-grid/</link>
      <pubDate>Thu, 03 Mar 2022 11:28:23 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/cyberattacks-on-the-power-grid/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        In light of recent news stories about possible cyberattacks on the U.S. power grid, we are inclined to ponder over precautions we can take to prepare for such a scenario. If you are in the public utilities industry, this blog post is for you. But, if you’re not, don’t worry. We will cover some basic principles you can follow to get your organization ready before such a cyberattack occurs.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Deploying and managing NXLog with Ansible</title>
      <link>https://nxlog.co/news-and-blog/posts/deploying-and-managing-nxlog-with-ansible/</link>
      <pubDate>Tue, 01 Mar 2022 13:35:35 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/deploying-and-managing-nxlog-with-ansible/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        Ansible has become an industry standard when it comes to configuring and managing servers. As a configuration management tool, it carries the burden of simplifying system administration tasks, such as installing and updating software packages, and infrastructure provisioning. In this post, we will create an Ansible playbook that will enable us to automate the installation and configuration of NXLog across multiple endpoints. Whether you need only a single endpoint today or thousands of endpoints next week, Ansible will do the heavy lifting for you.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog Community Edition support for Raijin Database</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-ce-raijin-database-support/</link>
      <pubDate>Tue, 22 Feb 2022 20:12:59 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-ce-raijin-database-support/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database?
Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Aggregating macOS logs for SIEM systems</title>
      <link>https://nxlog.co/news-and-blog/posts/aggregating-macos-logs-for-siem-systems/</link>
      <pubDate>Thu, 17 Feb 2022 22:10:12 -0600</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/aggregating-macos-logs-for-siem-systems/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How to prevent and detect Log4j vulnerabilities</title>
      <link>https://nxlog.co/news-and-blog/posts/how-to-detect-and-prevent-log4j-vulnerabilities/</link>
      <pubDate>Thu, 03 Feb 2022 14:07:48 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/how-to-detect-and-prevent-log4j-vulnerabilities/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        The Apache Log4j vulnerability has attracted a lot of media attention as a result of recent security incidents that were reported by some organizations using versions 2.0-beta9 through 2.14.1. This security flaw has the potential to affect thousands of applications since some of the world’s largest databases rely on Log4j.
Because so many organizations are affected, cybercriminals are actively exploiting this well-known vulnerability.
Why is this so dangerous? In addition to the threat of malware and ransomware, hackers can also perform remote code execution due to the Log4j vulnerability.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Reliable delivery of logs - can you trust TCP?</title>
      <link>https://nxlog.co/news-and-blog/posts/reliable-delivery-of-logs-can-you-trust-tcp/</link>
      <pubDate>Wed, 02 Feb 2022 11:39:13 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/reliable-delivery-of-logs-can-you-trust-tcp/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        When considering your log collection strategy, a decision you have to make is which transport protocol to use to transfer logs from source to destination. The choice is often between the two most commonly used protocols, UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). Which one to use depends on the type of logs you need to transfer, and whether performance or reliability is more important.
This blog post will compare these protocols, discuss why TCP is usually the preferred choice, and provide some options to further increase log delivery reliability with NXLog.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog vs IBM QRadar WinCollect - Let&#39;s get things straight</title>
      <link>https://nxlog.co/news-and-blog/posts/nxlog-vs-ibm-qradar-wincollect/</link>
      <pubDate>Wed, 02 Feb 2022 05:28:47 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/comparison.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/nxlog-vs-ibm-qradar-wincollect/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/comparison.webp&#34; width=500 /&gt;
        
        How does NXLog compare to the IBM QRadar WinCollect event forwarder?
IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights.
To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Understanding and auditing WMI</title>
      <link>https://nxlog.co/news-and-blog/posts/wmi-auditing/</link>
      <pubDate>Tue, 25 Jan 2022 14:07:35 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/wmi-auditing/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity; however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog.
A standardization effort
The first thing to clarify about WMI is that it’s not a Windows-only technology.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Log aggregation with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/log-aggregation-with-nxlog/</link>
      <pubDate>Mon, 03 Jan 2022 13:42:40 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/log-aggregation-with-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        The value of log aggregation
There is no denying the importance of log aggregation for multi-million-dollar enterprises worldwide. But just what is log aggregation? And how can it help your organization? Well, log aggregation is the process of standardizing and consolidating your log data from distributed systems across your network into one centralized server. By doing so, you have a unified view of what occurs across your entire IT infrastructure.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Three important features you can have with the Enterprise Edition over the Community Edition</title>
      <link>https://nxlog.co/news-and-blog/posts/three-important-features-you-can-have-with-the-enterprise-edition-over-the-community-edition/</link>
      <pubDate>Wed, 27 Oct 2021 14:29:22 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/three-important-features-you-can-have-with-the-enterprise-edition-over-the-community-edition/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Features of NXLog Enterprise Edition you must have
So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Collecting DHCP server logs on Windows</title>
      <link>https://nxlog.co/news-and-blog/posts/collecting-dhcp-server-logs-on-windows/</link>
      <pubDate>Mon, 11 Oct 2021 14:07:35 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/collecting-dhcp-server-logs-on-windows/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        DHCP server log collection made simple
DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contains the ID and IP address associated with each client.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Putting together your first NXLog configuration</title>
      <link>https://nxlog.co/news-and-blog/posts/putting-together-your-first-nxlog-configuration/</link>
      <pubDate>Sat, 25 Sep 2021 05:28:47 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/putting-together-your-first-nxlog-configuration/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works.
The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Collecting Kubernetes logs with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/collecting-kubernetes-logs-with-nxlog/</link>
      <pubDate>Mon, 06 Sep 2021 14:07:35 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/collecting-kubernetes-logs-with-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>File-based logs? Yes, they&#39;re still being used!</title>
      <link>https://nxlog.co/news-and-blog/posts/collecting-file-based-logs/</link>
      <pubDate>Wed, 25 Aug 2021 05:28:47 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/collecting-file-based-logs/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches.
In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Using Raijin Database Engine to aggregate and analyze Windows security events</title>
      <link>https://nxlog.co/news-and-blog/posts/using-raijin-database-engine-to-aggregate-and-analyze-windows-security-events/</link>
      <pubDate>Thu, 29 Jul 2021 01:14:19 -0500</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/using-raijin-database-engine-to-aggregate-and-analyze-windows-security-events/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Top 5 Windows Security logs everyone should collect</title>
      <link>https://nxlog.co/news-and-blog/posts/top-5-windows-security-logs-everyone-should-collect/</link>
      <pubDate>Thu, 15 Jul 2021 12:28:23 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/top-5-windows-security-logs-everyone-should-collect/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Top 5 security concerns revealed with DNS logging</title>
      <link>https://nxlog.co/news-and-blog/posts/top-5-security-concerns-revealed-with-dns-logging/</link>
      <pubDate>Thu, 01 Jul 2021 18:03:18 -0600</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/top-5-security-concerns-revealed-with-dns-logging/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        The Domain Name System (DNS) facilitates communication between all devices connected to the Internet. It consists of hierarchical servers that can translate any given hostname, along with its corresponding domain name, to its internet protocol (IP) address(es). One of the most common is the Windows DNS server that ensures that data requests are sent to their correct endpoints while providing human-readable addresses for websites connected to the Internet. With the ever-growing number of cloud-based devices and technologies, for instance, the Internet of Things (IoT), portals, web applications, as well as online transaction processing, it is more important than ever to identify the actual physical addresses of remote devices when relying on DNS-dependent connectivity.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Forwarding logs with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/forwarding-logs-with-nxlog/</link>
      <pubDate>Wed, 16 Jun 2021 14:07:48 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/forwarding-logs-with-nxlog/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        So, you managed to read through all the compliance mandates that are required for the industry you are in. And, during the mandatory consultation you had with your company’s IT security expert and network manager you came to an agreement on which logs to collect and carefully selected their final destination. Which — in most cases — is usually some kind of analytics system or SIEM technology where log data can be analyzed and stored based on your business requirements.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Windows Event Log collection in a nutshell</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-event-log-collection-in-a-nutshell/</link>
      <pubDate>Mon, 14 Jun 2021 11:55:21 +0200</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-event-log-collection-in-a-nutshell/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python</title>
      <link>https://nxlog.co/news-and-blog/posts/modbus-log-collection/</link>
      <pubDate>Sat, 05 Jun 2021 08:57:54 -0800</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/modbus-log-collection/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Responsible disclosure - Our encounter with Monero mining</title>
      <link>https://nxlog.co/news-and-blog/posts/responsible-disclosure-monero-botnet/</link>
      <pubDate>Tue, 23 Mar 2021 10:23:44 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/announcement.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/responsible-disclosure-monero-botnet/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/announcement.webp&#34; width=500 /&gt;
        
        On the 18th of March, we noticed some unusual activity on one of our servers we use for build automation. Further investigation revealed that an outside party had deployed a Monero miner. The server was immediately taken offline. There was no customer data stored on the server and we have since replaced all our private keys and secrets that might have been potentially compromised.
After careful and thorough investigation of the incident, we decided to publish this announcement and share this news with our customers and users, hoping that it might serve as a lesson for others.
      </description>
      
      <dc:creator>
        <![CDATA[ Botond Botyánszki ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Setting up a Windows Event Collector (WEC) on Linux</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-event-collector-on-linux/</link>
      <pubDate>Mon, 22 Feb 2021 16:33:18 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-event-collector-on-linux/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Sending logs to Microsoft Sentinel with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/sending-logs-to-azure-sentinel/</link>
      <pubDate>Mon, 01 Feb 2021 11:29:37 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/sending-logs-to-azure-sentinel/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        What if you could selectively ingest only the high-quality events needed for metrics and reporting that come not only from Azure, but also from other cloud-based resources and on-site assets directly into Microsoft Sentinel?
In this post, the technology we will be examining is the Azure Monitor HTTP Data Collector API, which enables clients, such as the NXLog agent, to send events to a Log Analytics workspace, making them directly accessible using Microsoft Sentinel queries.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>NXLog Containers were certified by Red Hat</title>
      <link>https://nxlog.co/news-and-blog/posts/red-hat-containers-certification/</link>
      <pubDate>Wed, 13 Jan 2021 10:23:44 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/red-hat-containers-certification/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them.
Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>DNS Log Collection and Parsing</title>
      <link>https://nxlog.co/news-and-blog/posts/dns-log-collection-and-parsing/</link>
      <pubDate>Sun, 31 May 2020 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/dns-log-collection-and-parsing/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:
Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>DNS Log Collection on Windows</title>
      <link>https://nxlog.co/news-and-blog/posts/dns-log-collection-on-windows/</link>
      <pubDate>Thu, 28 May 2020 12:28:23 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/dns-log-collection-on-windows/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>DNS Log Collection on Linux</title>
      <link>https://nxlog.co/news-and-blog/posts/dns-log-collection-on-linux/</link>
      <pubDate>Thu, 14 May 2020 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/dns-log-collection-on-linux/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
      </description>
      
      <dc:creator>
        <![CDATA[ John Kirch ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>How a centralized log collection tool can help your SIEM solutions</title>
      <link>https://nxlog.co/news-and-blog/posts/how-centralized-log-collection-help-siem/</link>
      <pubDate>Wed, 01 Apr 2020 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/how-centralized-log-collection-help-siem/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm.
Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Sending ETW Logs to Splunk with NXLog</title>
      <link>https://nxlog.co/news-and-blog/posts/send-etw-logs-to-splunk/</link>
      <pubDate>Tue, 03 Mar 2020 05:53:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/siem.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/send-etw-logs-to-splunk/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/siem.webp&#34; width=500 /&gt;
        
        NXLog supports direct collection of Event Tracing for Windows (ETW) data. DNS Analytical logs, for example, can be forwarded to Splunk or another SIEM for monitoring and analysis.
Collecting ETW Logs Event Tracing for Windows (ETW) is a kernel-level tracing facility that provides high-performance logging of kernel and application events. ETW events can be written to a log file or collected directly from the system in real time via the Consumers API.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Insufficient logging and monitoring, TOP 10 security risk</title>
      <link>https://nxlog.co/news-and-blog/posts/owasp-top10/</link>
      <pubDate>Mon, 03 Feb 2020 01:01:01 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/owasp-top10/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        &#34;The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.&#34;
In this article, these top security risks are discussed in the context of log collection.
OWASP API security top 10 most critical API security risks APIs are a critical part of modern technologies - from SaaS and web consumer applications to enterprise deployments.
      </description>
      
      <dc:creator>
        <![CDATA[ Andrew Brown ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>What is File Integrity Monitoring (FIM)? Why do you need it?</title>
      <link>https://nxlog.co/news-and-blog/posts/why-you-need-file-integrity-monitoring/</link>
      <pubDate>Fri, 24 Jan 2020 00:00:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/security.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/why-you-need-file-integrity-monitoring/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/security.webp&#34; width=500 /&gt;
        
        About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.
      </description>
      
      <dc:creator>
        <![CDATA[ Tamás Burtics ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Agent-based versus agentless log collection - which option is best?</title>
      <link>https://nxlog.co/news-and-blog/posts/agent-based-versus-agent-less/</link>
      <pubDate>Tue, 22 Oct 2019 12:28:23 +0100</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/deployment.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/agent-based-versus-agent-less/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/deployment.webp&#34; width=500 /&gt;
        
        One of the harder decisions revolves around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answer fundamental questions, such as &#34;Will this solution collect and ship these types of log sources?
      </description>
      
      <dc:creator>
        <![CDATA[ Collins Maina ]]>
      </dc:creator>
      
    </item>
    <item>
      <title>Making the most of Windows Event Forwarding for centralized log collection</title>
      <link>https://nxlog.co/news-and-blog/posts/windows-event-forwarding/</link>
      <pubDate>Mon, 17 Dec 2018 17:34:00 +0000</pubDate>
      
      <atom:logo>https://nxlog.co/news-and-blog/images/categories/strategy.webp</atom:logo>
      
      <guid>https://nxlog.co/news-and-blog/posts/windows-event-forwarding/</guid>
      <description>
        
        &lt;img src=&#34;https://nxlog.co/news-and-blog/images/categories/strategy.webp&#34; width=500 /&gt;
        
        Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.
      </description>
      
      <dc:creator>
        <![CDATA[ Arielle Bonnici ]]>
      </dc:creator>
      
    </item>
  </channel>
</rss>
