News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
November 23, 2022 deploymentcomparison

Need to replace syslog-ng? Changing to NXLog is easier than you think

By Arielle Bonnici

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task.

How do syslog-ng and NXLog differ?

syslog ng to nxlog syslog-ng and NXLog are alike in many ways. They can both parse, process, normalize, and forward logs over the network via secure transport, all at impressive speeds. They also implement caching mechanisms for reliable message delivery and their own protocol for more efficient log forwarding between nodes. However, NXLog’s rich feature set supports more input sources in more formats and ships to more output destinations.

Some of the predominant differences include the following:

  • syslog-ng does not support macOS. On the other hand, NXLog can be installed on macOS and has specialized modules for collecting macOS system and security logs.

  • Unlike syslog-ng, NXLog is made to be centrally managed. The agent includes a remote management module providing RESTful and SOAP APIs, so you can easily integrate it with whatever SCM tool you already use. In addition, we make your life easy with NXLog Manager and NXLog Minder.

  • NXLog supports custom extensions in Go, Perl, Python, Ruby, and Java. In comparison, syslog-ng only supports Python, which is still a preview feature at the time of writing.

  • Whereas syslog-ng requires Java to be installed when using certain destinations, such as Elasticsearch and HDFS, NXLog has no such requirements.

What can NXLog do that syslog-ng can’t?

Here is a non-exhaustive list of input/output sources and log formats NXLog supports out-of-the-box that are not available in syslog-ng.

Input Output Log format

Generic HTTP(s) input

Amazon S3

GELF

Google Cloud Logging (formerly Stackdriver)

Microsoft Azure - tables and blobs (in addition to Log Analytics workspaces, also supported by syslog-ng)

NetFlow

macOS - Apple’s unified logging system (ULS) and Endpoint Security auditing system

Microsoft 365 - Microsoft Graph and Office 365 Reporting web service (in addition to the Office 365 Management API, also supported by syslog-ng)

Microsoft DNS Server

Microsoft Azure - tables, blobs, and Log Analytics workspaces

Google Chronicle

SAP audit logs

Network packet capture

Raijin Database

W3C

Redis

Redis

Salesforce

ZeroMQ

Okta

File integrity monitoring

Windows Registry monitoring

ZeroMQ

syslog-ng and NXLog configuration comparison

syslog-ng v.s. NXLog nomenclature

Before going any further, it would be wise to familiarize yourself with how both products refer to configuration elements. We cover the basics in the following matrix.

Configuration element syslog-ng NXLog

Log ingestion element

source/source driver

input module

Log output element

destination/destination driver

output module

Log routing element

log path

route

Log filtering element

filter block

xm_pattern module or via regular expressions

Log parsing element

parser block

extension modules or via regular expressions

Log transformation element

rewrite rule

xm_rewrite module or Exec statements

Configuration parameters

options

directives

Values parsed from log records

macros

fields

NXLog on Linux

Both syslog-ng and NXLog use a file-based configuration system on Linux platforms. The default configuration file location for the two products is:

syslog-ng

/opt/syslog-ng/etc/syslog-ng.conf

NXLog

/opt/nxlog/etc/nxlog.conf

A key difference is that syslog-ng automatically disables Rsyslog and renames the /etc/init.d/sysklogd init script to /etc/init.d/sysklogd.backup upon installation. NXLog doesn’t make changes to other components on the system. Therefore, if you’d like to disable Rsyslog, you must do it manually by executing the following commands:

$ sudo systemctl disable --now rsyslog
$ sudo systemctl force-reload systemd-journald
$ sudo systemctl restart nxlog

Ready to start? Let’s dive right into the configuration.

Convert syslog-ng internal and Linux system log sources

The default syslog-ng configuration on Linux collects system and kernel logs and syslog-ng’s own internal logs. So let’s see how easy it is to replicate these sources in NXLog.

source s_local {
    internal();
    system();
};

down arrow

<Extension syslog>
    Module         xm_syslog
</Extension>

<Input kernel>
    Module         im_kernel
    Exec           parse_syslog_bsd();
</Input>

<Input systemd>
    Module         im_systemd
</Input>

<Input devlog>
    Module         im_uds
    UDS            /dev/log
    FlowControl    FALSE
    Exec           parse_syslog_bsd();
</Input>

<Input internal>
    Module         im_internal
</Input>

Start by choosing which Linux logs you want to collect:

  • Use the im_kernel module to collect logs from the kernel log buffer

  • Read daemon messages from the systemd journal socket with im_systemd

  • Collect other user-space messages from the /dev/log socket with im_uds

  • Set up auditing rules and collect logs directly from the kernel with the im_linuxaudit input module

In this NXLog configuration, we collect the first three logs corresponding to syslog-ng’s system() source. Since the kernel and user-space messages are in syslog-BSD format, we’re using the parse_syslog_bsd() procedure provided by the xm_syslog extension to parse log records into fields.

NXLog can also collect its own internal logs with the im_internal module.

Convert a syslog-ng file source

The use of log files is still widespread in the logging sphere, especially on Linux platforms. So let’s convert a syslog-ng file source collecting Apache access logs to NXLog.

source s_apache_access {
    file(
        "/var/log/apache/access.log"
        follow-freq(1)
        flags(no-parse)
    );
};

down arrow

<Input apache_access>
    Module          im_file
    File            '/var/log/apache/access.log'
    PollInterval    1
    Exec            $Message = $raw_event;
</Input>

Use the im_file input module to collect file-based logs. You can specify the File directive multiple times and use wildcards. The PollInterval directive, set to 1 second by default, corresponds to the syslog-ng follow-freq option.

Since the syslog-ng configuration uses the no-parse flag, in this NXLog configuration, we are using the Exec directive to simply add a $Message field containing the unparsed log record. However, NXLog can easily parse Apache access logs into fields. See our guide on parsing the Common & Combined Log Formats.

Convert syslog-ng destinations and log paths

Now that we sorted our input sources, we’ll see how to save the logs to a file and/or forward them to a remote host over TCP.

destination d_messages {
    file("/var/log/messages");
};

destination d_siem {
    syslog(
        "192.168.1.23"
        transport("tcp")
        port(601)
    );
};

log {
    source(s_local);
    destination(d_messages);
    destination(d_siem);
};

log {
    source(s_apache_access);
    destination(d_siem);
};

down arrow

<Output output_file>
    Module         om_file
    File           '/var/log/messages'
    Exec           to_syslog_bsd();
</Output>

<Output siem>
    Module         om_tcp
    Host           192.168.1.23:601
    OutputType     Syslog_TLS
    Exec           to_syslog_ietf();
</Output>

<Route r_siem>
    Path           kernel, systemd, devlog, internal, apache_access => siem
</Route>

<Route r_file>
    Path           kernel, systemd, devlog, internal => output_file
</Route>

Use the om_file output module to save logs to a file. For example, in this NXLog configuration, we’re writing the log records in syslog-BSD format by using the to_syslog_bsd() procedure provided by the xm_syslog extension.

To forward logs to a remote destination over TCP, the om_tcp output module will do the job. By default, this module outputs logs one record per line separated by a newline character. In this example, we change the output format to use octet-framing by setting the OutpuType directive to Syslog_TLS. We also convert log records to syslog-IETF messages by calling the to_syslog_ietf() procedure. Both the Syslog_TLS output writer function and the to_syslog_ietf() procedure are provided by the xm_syslog extension.

Finally, all that’s left will be to convert the syslog-ng log paths to NXLog routes. This configuration forwards all logs to the remote host and saves the Linux system and NXLog internal logs to a file.

That was easy, right? Read on to see how to convert your syslog-ng configuration on Windows.

NXLog on Windows

The syslog-ng Agent for Windows comes with an MMC-based configuration interface and supports importing and exporting the configuration to and from an XML file. syslog-ng Agent for Windows is also available as an MSI, so you can deploy and configure it via GPO. However, the configuration options are limited on Windows. According to the syslog-ng documentation:

  • It only supports log forwarding using the Snare, IETF syslog, or BSD syslog protocols.

  • Only basic filtering is available. Log parsing and classification are not possible.

  • The syslog-ng Agent for Windows only reads logs from files, including for Eventlog Containers, and does not implement disk buffering.

NXLog on Windows is configured the same as any other platform, using the configuration file. It is fully featured with no limitations and can be installed interactively or deployed via GPO.

Now, onto some concrete configuration examples.

Convert a syslog-ng Event Container source

Let’s start by converting a Windows Eventlog Source that collects Application, Security, System, and DNS logs.

syslog ng windows eventlog source

down arrow

<Input windows_event_log>
    Module             im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Input dns_server>
    Module             im_etw
    Provider           Microsoft-Windows-DNSServer
    ParsePacketData    TRUE
</Input>

Use the im_msvistalog input module to collect Application, Security, and System logs. This diverse module can collect logs directly from the Event Log API or event log files (.evtx) and automatically parse them into fields. In addition, it supports filtering by Channel or an XPath query. The example above uses the latter. Generating an XPath query is easy! All you need to do is to configure a filter in Windows Event Viewer and copy the corresponding query to the NXLog configuration. See our guide on XPath filtering.

On the other hand, use the im_etw input module to collect DNS Server audit logs. This dedicated module collects logs directly from ETW channels, including Analytic and Debug logs, and automatically parses log records into fields. In this NXLog configuration, we also enable the ParsePacketData directive to convert the DNS payload into JSON format.

Convert a syslog-ng File source

Next, let’s look at how to convert this syslog-ng configuration collecting Domain Controller Promoter (DCPromo) logs.

syslog ng windows file source

down arrow

<Input dcpromo_logs>
    Module             im_file
    File               'C:\Windows\debug\DCPROMO.log'
    File               'C:\Windows\debug\DCPROMO.*.log'
    <Exec>
        $ApplicationName = "Domain Controller";
        $EventSource = "DCPROMO";

        if $raw_event =~ /^(\S+ \S+) \[(\S+)\] (.+)$/
        {
            $EventTime = parsedate($1);
            $Severity = $2;
            $Message = $3;
        }
    </Exec>
</Input>

Use the im_file input module to collect file-based logs. You can specify the File directive multiple times and use wildcards.

Optionally, you can include further log processing in an Exec block. For example, in this NXLog configuration, we are adding two new fields, $ApplicationName and $EventSource, and parsing the log record into fields with a regular expression.

Convert a syslog-ng Server destination

Finally, we’ll forward the logs to a remote server over TCP. You simply need to create the output and bind it to the above sources.

syslog ng windows destination

down arrow

<Extension syslog>
    Module             xm_syslog
</Extension>

<Output siem>
    Module             om_tcp
    Host               192.168.1.23:601
    FlowControl        TRUE
    OutputType         Syslog_TLS
    Exec               to_syslog_ietf();
</Output>

<Route r1>
    Path               windows_event_log, dns_server, dcpromo_logs => siem
</Route>

Use the om_tcp output module to forward logs to their destination over TCP. The FlowControl directive, enabled by default, corresponds to the Enable flow-control option in syslog-ng.

By default, om_tcp outputs logs one record per line separated by a newline character. In this NXLog configuration, we change the output format to use octet-framing by setting the OutpuType directive to Syslog_TLS. We also convert log records to syslog-IETF messages by calling the to_syslog_ietf() procedure. Both the Syslog_TLS output writer function and the to_syslog_ietf() procedure are provided by the xm_syslog extension.

What’s next?

If you haven’t already, download a free NXLog Enterprise Edition trial and try it for yourself. Once you’ve mastered the basics, converting more complex syslog-ng configuration to NXLog will become second nature.

We recommend the following additional reading to help you in the process:

  • Get started with NXLog

  • NXLog’s system architecture

  • Configuration overview

We hope you found our guide helpful in your quest to find a syslog-ng alternative. Finally, get in touch with us if you need advice or hit any walls. Our support team is always available to share their expertise!

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • syslog-ng
  • comparison
  • nxlog configuration
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Raijin vs Elasticsearch
14 minutes | August 9, 2022
Putting together your first NXLog configuration
4 minutes | September 25, 2021
Deploying and managing NXLog with Ansible
8 minutes | March 1, 2022

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us