Every telemetry vendor’s demo runs on the same infrastructure: a clean, cloud-native, container-friendly stack where a modern agent drops in and just works. Then you go back to the bank you run day to day, where a mainframe still clears transactions, an IBM i (AS/400) system has been in production for decades, and a core-banking platform speaks a log format no off-the-shelf agent has heard of. That gap between the demo and the data center is where audit blind spots live.
The systems your SIEM agent quietly skips
Native SIEM agents and cloud-first collectors are built for the modern estate. They tend to fall short exactly where financial services is heaviest:
- Mainframes and IBM i / AS/400
-
Proprietary log formats, no modern agent, decades of accumulated criticality.
- Core banking and payment systems
-
Often closed, often unable to host third-party software, and often the single most audit-sensitive component you own.
- Legacy and end-of-life Windows
-
Including 32-bit hosts that current agents have dropped support for.
- Air-gapped, OT, and network/appliance gear
-
Emits via syslog or files, rarely a friendly API.
When a source can’t be onboarded, it doesn’t show up as an error. It shows up as nothing, which is precisely why it’s dangerous.
A blind spot is two risks, not one
For the engineer, an uncovered system is an operational gap. For the CISO, it’s two problems at once: a security blind spot (attackers prefer the systems nobody is watching) and an audit finding (you can’t produce records you never collected). The systems hardest to collect from are disproportionately the ones regulators and attackers care most about.
Why these systems are hard, and how a pipeline gets in anyway
The trick isn’t forcing a heavy modern agent onto a system that can’t take one. It’s meeting each system where it already is. A telemetry pipeline collects through the mechanisms these platforms do support: syslog, file and message-queue output, native forwarding. It then parses the proprietary formats, normalizes and timestamps the events, and forwards a clean, structured stream to your SIEM and your retention tier. The legacy system doesn’t change; the blind spot closes.
For example, mainframe, IBM i, and most network and OT gear can emit syslog, so you receive and parse it centrally:
<Extension syslog>
Module xm_syslog
</Extension>
<Input legacy_syslog>
Module im_tcp
ListenAddr 0.0.0.0:1514
Exec parse_syslog();
</Input>
Closed core-banking systems often can’t forward at all, but they can write an audit file. Tail it and lift the proprietary record into fields your SIEM understands. NXLog Agent’s named captures become event fields automatically:
<Input corebank_export>
Module im_file
File '/data/corebanking/audit/*.log'
<Exec>
# $txn_time, $acct, and $action become fields on the event
if $raw_event =~ /^(?<txn_time>\S+\s\S+)\s+(?<acct>\d+)\s+(?<action>\w+)/
{
$EventTime = parsedate($txn_time);
}
</Exec>
</Input>
And the Windows-heavy estate, including older hosts, collects natively, then deploys at scale through tooling you already run (for example, Group Policy with a signed package):
<Input windows_events>
Module im_msvistalog
</Input>
With NXLog Platform that adds up to:
-
One agent across every OS, source, and destination, including the Windows-heavy, legacy-heavy infrastructure you manage, not the idealized cloud setup in the vendor demo.
-
Edge processing, so parsing and filtering happen close to the source instead of overloading a central tier.
-
Fleet management at scale and IaC-friendly deployment, so covering thousands of heterogeneous hosts is a managed rollout, not a manual one.
That last point isn’t hypothetical. One of the largest banks in the US runs NXLog across thousands of devices spanning numerous data centers and cloud environments, exactly the kind of sprawling, mixed-vendor estate where coverage gaps would otherwise hide. The pipeline’s job there is to make "every device, one pipeline" an operational reality rather than an aspiration.
The bonus: you stop being locked in
Because the pipeline owns collection and normalization, your hard-won coverage of these difficult systems is no longer tied to a single SIEM. Change or add an analytics tool and the telemetry layer stays put. No re-instrumenting the mainframe, again, to satisfy a new vendor.
The takeaway
You can’t monitor a system you can’t collect from, let alone prove compliance on it. Closing the legacy blind spot isn’t about replacing the systems banks depend on; it’s about putting a pipeline in front of them that speaks their language.