We proudly announce the latest release of NXLog Enterprise Edition, version 6.3. This release adds new features and bug fixes, including the ones highlighted below.
Support for parsing DTS Compliant logs from Microsoft Network Policy Server (NPS)
The xm_nps extension module now supports parsing the newest DTS Compliant log format from Microsoft NPS.
The module can now automatically parse all NPS log types, including legacy ODBC and IAS, without you having to specify the log type when configuring the module. This also means that you can use the same configuration together with filename wildcards to parse files of different types, and you don’t need to change your existing configurations to start parsing the new DTS Compliant log type.
Support for parsing new macOS 13 Endpoint Security (ES) events
The im_maces extension module now supports parsing the new events included in the macOS 13 ES API.
Streamlined pattern matching
The xm_pattern extension module now supports the following pattern database schema enhancements that simplify matching fields in common scenarios without having to resort to regular expressions:
- Additional `matchfield` types `contains`, `startswith`, and `endswith`
- New `case-sensitive` element that can be applied to all existing and new `matchfield` types
The following `matchfield` definition checks if the `$SourceName` field begins with the string "sshd", ignoring the case.
<matchfield>
<name>SourceName</name>
<type>startswith</type>
<value>sshd</value>
<case-sensitive>false</case-sensitive>
</matchfield>
Pattern matching to specify SSL/TLS certificates on Windows
NXLog Enterprise Edition now also allows specifying SSL/TLS certificates and Certificate Authorities (CAs) on Windows by matching a pattern against their subject names. Use the optional directives `CAPattern` and `CertPattern` to specify the pattern, which can contain wildcards or an expression.
The following configuration matches the first certificate whose subject name includes the NXLog Enterprise Edition hostname:
<Input ssl>
Module im_ssl
ListenAddr localhost:5125
...
CertPattern $hostname
</Input>
Enriched internal logs
The internal NXLog Enterprise Edition logs have been improved to:
- Include any hostnames that fail to resolve so that the issue is simpler to debug and fix
- Optionally include the TLS protocol cipher and version set used by the im_ssl module
The following log lines mention the exact hostname non.existent.org that the xm_admin module couldn’t resolve:
2024-03-22 11:38:52 ERROR [xm_admin|ssl_connect] Unable to resolve hostname 'non.existent.org': Name or service not known
2024-03-22 11:38:52 ERROR [xm_admin|ssl_connect] couldn't resolve any of the configured hosts
The following log lines mention the TLS protocol cipher and version used by the im_ssl module:
2024-03-22 12:04:30 INFO [im_ssl|inssl] SSL handshake successful; Cipher: TLS_AES_256_GCM_SHA384; Protocol: TLSv1.3
To activate this additional information, you must enable the new module directive `TLSConnectLog`:
<Input ssl>
Module im_ssl
ListenAddr localhost:5125
...
TLSConnectLog true
</Input>
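The Python script below is an added example, not NXLog code: it parses the two internal log line layouts shown above to flag handshakes that negotiated a protocol outside an allowed set and to count hostnames that failed to resolve. The allowed-protocol policy, the reading of the bracketed tag as module and instance name, and the fourth sample line are assumptions.

```python
import re
from collections import Counter

# Layouts copied from the log samples on this page. The tag is read as
# [module|instance name], which is an assumption.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INFO "
    r"\[(?P<module>[^|\]]+)\|(?P<name>[^\]]+)\] SSL handshake successful; "
    r"Cipher: (?P<cipher>[^;]+); Protocol: (?P<protocol>\S+)$"
)
RESOLVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ERROR "
    r"\[(?P<module>[^|\]]+)\|(?P<name>[^\]]+)\] "
    r"Unable to resolve hostname '(?P<host>[^']+)'"
)

# Assumption: local policy accepts only TLS 1.2 and TLS 1.3.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def audit(lines):
    """Return (disallowed_handshakes, unresolved_host_counts)."""
    weak, unresolved = [], Counter()
    for line in lines:
        line = line.strip()
        m = HANDSHAKE_RE.match(line)
        if m:
            if m["protocol"] not in ALLOWED_PROTOCOLS:
                weak.append((m["ts"], m["name"], m["protocol"], m["cipher"]))
            continue
        m = RESOLVE_RE.match(line)
        if m:
            unresolved[(m["name"], m["host"])] += 1
    return weak, unresolved

# Constructed sample: lines 1-3 are the ones shown on this page; line 4 is a
# made-up legacy handshake that violates the assumed policy.
SAMPLE = """\
2024-03-22 11:38:52 ERROR [xm_admin|ssl_connect] Unable to resolve hostname 'non.existent.org': Name or service not known
2024-03-22 11:38:52 ERROR [xm_admin|ssl_connect] couldn't resolve any of the configured hosts
2024-03-22 12:04:30 INFO [im_ssl|inssl] SSL handshake successful; Cipher: TLS_AES_256_GCM_SHA384; Protocol: TLSv1.3
2024-03-22 12:05:10 INFO [im_ssl|inssl] SSL handshake successful; Cipher: ECDHE-RSA-AES128-SHA; Protocol: TLSv1.1
""".splitlines()

if __name__ == "__main__":
    weak, unresolved = audit(SAMPLE)
    for ts, name, proto, cipher in weak:
        print(f"{ts} {name}: disallowed {proto} ({cipher})")
    for (name, host), count in unresolved.items():
        print(f"{name}: {host} failed to resolve {count} time(s)")
```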
Find out more
You can check out all of the new features and fixes in our release notes and view our changelog for a complete list of changes. Check out our comprehensive documentation, and get in touch with us below if you need help upgrading, have a feature request, or have any other questions.