News and blog

All articles


June 24, 2026

Structured logging and JSON conversion: Getting logs SIEM-ready at the source

Your detections, correlation rules, and search results are only as good as the underlying data structure. A raw log line is a string. A structured JSON event is a set of named fields you can filter, pivot, and alert on. Convert your logs to JSON at the collection layer before they reach your SIEM. Doing it early cuts ingest cost, keeps your schema consistent across sources, and makes your detections less fragile.
June 22, 2026

Log analysis tools for SecOps: How to evaluate the whole stack in 2026

Teams usually choose a log analysis tool by comparing vendors. The more costly decision sits one level up: the category of tool. The wrong choice there surfaces months later as a source you can’t collect, data you can’t normalize, or a per-gigabyte bill for logs you never needed. Log analysis tools collect, parse, store, search, and visualize log data so teams can detect threats, investigate incidents, and troubleshoot systems. The term spans four distinct categories — collection agents, processing pipelines, storage and search engines, and analysis platforms — that each handle a different job in the same workflow.
June 17, 2026

How to handle log rotation without losing events

Log rotation is supposed to be routine maintenance. But if your collector reads a file while another process renames, truncates, or compresses it, events can slip through the gap — and you often won’t notice until you go looking for a log that isn’t there. For a security team, that gap is a blind spot: a detection that never fired, an audit trail with a hole in it, a control you can’t prove was working.
June 15, 2026

Fluentd vs Logstash: which log pipeline tool fits your stack?

Pick the wrong log collector and you pay for it on every node you deploy. A heavier agent multiplied across a thousand hosts is real memory and CPU you can’t get back, and a pipeline wired tightly to one vendor’s backend is hard to unwind later. So the Fluentd vs Logstash decision usually comes down to two questions: how much processing do you need at the collection point, and how committed are you to the Elastic Stack?
June 12, 2026

Multiline log parsing with regex: Keeping multiline events intact for your SIEM

Most telemetry pipelines treat every newline as the end of an event. That assumption holds for a tidy syslog stream but breaks the moment a Java stack trace, a Python traceback, or a pretty-printed JSON payload lands in the file. One event becomes forty lines, and your SIEM ingests forty fragments instead of one record. For a SecOps team, the cost is operational. Detection rules match on fragments or miss the event entirely, correlation loses the context that made the event worth alerting on, and the event count balloons against a volume-based license.
June 9, 2026

Announcing NXLog Platform 1.13

We are happy to announce the latest release of NXLog Platform, version 1.13. This update adds NXLog Platform operating system support for Debian 13 and NXLog Agent support for legacy 32-bit Windows. Plus, you can now use NXLog Agent with the native macOS Keychain for secure certificate storage on Apple systems. Read on for more details about these updates. Deploy NXLog Platform on Debian 13: NXLog Platform 1.13 adds support for installation on Debian 13, the latest stable release of the Debian operating system.
June 8, 2026

From blind spot to monitored: Log collection for 32-bit Windows

At NXLog, we’ve been in the log collection space long enough to know that the toughest challenges aren’t technical but political. There’s always that Windows XP machine running the ATM firmware that no one can touch. Or the Windows Server 2003 box that keeps the conveyor belt running 24/7. Then there’s the industrial SCADA system installed before smartphones existed, quietly humming along in a corner of the plant floor.
June 2, 2026

Watching the agent watch you: Telemetry for OpenClaw with NXLog

Agentic AI is now embedded across the enterprise: summarizing customer records, pulling from data warehouses, drafting on top of internal documents, calling production APIs on behalf of staff. The pitch is compelling. The reality is that you have deployed a non-deterministic process with read access to PII, trade secrets, and the business intelligence your competitors would pay for. It is a black box that reasons differently on each run, and a single misrouted tool call can move sensitive data into a context where it does not belong.
June 1, 2026

Fluent Bit vs Logstash: which pipeline fits your stack?

Fluent Bit wins on footprint. Logstash wins on parsing depth. The choice isn’t which tool is "better" — it’s where in your pipeline each one earns its keep, and what your detection tier silently misses when you put one in the wrong tier. Pick wrong and the cost shows up in three places: detection latency when batches stall, audit evidence when collectors stop shipping, and MTTR when responders can’t tell whether a quiet endpoint is an attack indicator or a broken agent.
May 28, 2026

Syslog forwarding over TLS: getting the operational layer right

Plaintext syslog crossing a network boundary in 2026 is a finding waiting to happen. The IETF defined encrypted syslog years ago in RFC 5425: TCP/6514, mutual TLS where the trust model needs it. What still trips teams up is rarely the protocol itself — it’s certificate lifecycle, framing mismatches, and forwarders that fall over when the collector blinks. Here’s the short version: which standards matter, where teams break the framing, and the four operational habits that decide whether the pipeline holds up.

Featured posts

Announcing NXLog Platform 1.13
June 9, 2026
Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration
May 7, 2026
Announcing NXLog Platform 1.12
April 21, 2026
How to visualize telemetry data flow and volume with NXLog Platform
March 23, 2026
Security dashboards go dark: why visibility isn't optional, even when your defenses keep running
February 26, 2026
Building a practical OpenTelemetry pipeline with NXLog Platform
February 25, 2026
Announcing NXLog Platform 1.11
February 23, 2026
Adopting OpenTelemetry without changing your applications
February 10, 2026
Linux security monitoring with NXLog Platform: Extracting key events for better monitoring
January 9, 2026
2025 and NXLog - a recap
December 18, 2025
Announcing NXLog Platform 1.10
December 11, 2025
Announcing NXLog Platform 1.9
October 22, 2025
Gaining valuable host performance metrics with NXLog Platform
September 30, 2025
Security Event Logs: Importance, best practices, and management
July 22, 2025
Enhancing security with Microsoft's Expanded Cloud Logs
June 10, 2025


© Copyright NXLog Ltd.
