News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Agent
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Open Telemetry
    Cost reduction
    Industries
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Pricing
    Licensing
    Plans
  • Partners
    Find a Reseller
    Partner Program
    Partner Portal
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Agent
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Open Telemetry
Cost reduction
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing

Licensing
Plans

Find a Reseller
Partner Program
Partner Portal

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk
  • Start free
  • Interactive demo
Let's Talk
  • Start free
  • Interactive demo
NXLog search
  • Loading...
Let's Talk
  • Start free
  • Interactive demo
July 16, 2026 security

The audit blind spot: collecting logs from mainframes and core banking systems your SIEM doesn't speak

By João Correia

Share
ALL ANNOUNCEMENT COMPARISON COMPLIANCE DEPLOYMENT SECURITY SIEM STRATEGY RSS

Every telemetry vendor’s demo runs on the same infrastructure: a clean, cloud-native, container-friendly stack where a modern agent drops in and just works. Then you go back to the bank you run day to day, where a mainframe still clears transactions, an IBM i (AS/400) system has been in production for decades, and a core-banking platform speaks a log format no off-the-shelf agent has heard of. That gap between the demo and the data center is where audit blind spots live.

The systems your SIEM agent quietly skips

Native SIEM agents and cloud-first collectors are built for the modern estate. They tend to fall short exactly where financial services is heaviest:

Mainframes and IBM i / AS/400

Proprietary log formats, no modern agent, decades of accumulated criticality.

Core banking and payment systems

Often closed, often unable to host third-party software, and often the single most audit-sensitive component you own.

Legacy and end-of-life Windows

Including 32-bit hosts that current agents have dropped support for.

Air-gapped, OT, and network/appliance gear

Emits via syslog or files, rarely a friendly API.

When a source can’t be onboarded, it doesn’t show up as an error. It shows up as nothing, which is precisely why it’s dangerous.

A blind spot is two risks, not one

For the engineer, an uncovered system is an operational gap. For the CISO, it’s two problems at once: a security blind spot (attackers prefer the systems nobody is watching) and an audit finding (you can’t produce records you never collected). The systems hardest to collect from are disproportionately the ones regulators and attackers care most about.

Why these systems are hard, and how a pipeline gets in anyway

The trick isn’t forcing a heavy modern agent onto a system that can’t take one. It’s meeting each system where it already is. A telemetry pipeline collects through the mechanisms these platforms do support: syslog, file and message-queue output, native forwarding. It then parses the proprietary formats, normalizes and timestamps the events, and forwards a clean, structured stream to your SIEM and your retention tier. The legacy system doesn’t change; the blind spot closes.

For example, mainframe, IBM i, and most network and OT gear can emit syslog, so you receive and parse it centrally:

<Extension syslog>
    Module        xm_syslog
</Extension>

<Input legacy_syslog>
    Module        im_tcp
    ListenAddr    0.0.0.0:1514
    Exec          parse_syslog();
</Input>

Closed core-banking systems often can’t forward at all, but they can write an audit file. Tail it and lift the proprietary record into fields your SIEM understands. NXLog Agent’s named captures become event fields automatically:

<Input corebank_export>
    Module    im_file
    File      '/data/corebanking/audit/*.log'
    <Exec>
        # $txn_time, $acct, and $action become fields on the event
        if $raw_event =~ /^(?<txn_time>\S+\s\S+)\s+(?<acct>\d+)\s+(?<action>\w+)/
        {
            $EventTime = parsedate($txn_time);
        }
    </Exec>
</Input>

And the Windows-heavy estate, including older hosts, collects natively, then deploys at scale through tooling you already run (for example, Group Policy with a signed package):

<Input windows_events>
    Module    im_msvistalog
</Input>

With NXLog Platform that adds up to:

  • One agent across every OS, source, and destination, including the Windows-heavy, legacy-heavy infrastructure you manage, not the idealized cloud setup in the vendor demo.

  • Edge processing, so parsing and filtering happen close to the source instead of overloading a central tier.

  • Fleet management at scale and IaC-friendly deployment, so covering thousands of heterogeneous hosts is a managed rollout, not a manual one.

That last point isn’t hypothetical. One of the largest banks in the US runs NXLog across thousands of devices spanning numerous data centers and cloud environments, exactly the kind of sprawling, mixed-vendor estate where coverage gaps would otherwise hide. The pipeline’s job there is to make "every device, one pipeline" an operational reality rather than an aspiration.

The bonus: you stop being locked in

Because the pipeline owns collection and normalization, your hard-won coverage of these difficult systems is no longer tied to a single SIEM. Change or add an analytics tool and the telemetry layer stays put. No re-instrumenting the mainframe, again, to satisfy a new vendor.

The takeaway

You can’t monitor a system you can’t collect from, let alone prove compliance on it. Closing the legacy blind spot isn’t about replacing the systems banks depend on; it’s about putting a pipeline in front of them that speaks their language.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • Financial services
  • Telemetry collection
  • Windows
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration
17 minutes | May 7, 2026
Making the most of Windows Event Forwarding for centralized log collection in 2026
7 minutes | July 8, 2026
DNS Log Collection on Windows
9 minutes | May 28, 2020

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.13
June 9, 2026
Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration
May 7, 2026
Announcing NXLog Platform 1.12
April 21, 2026
How to visualize telemetry data flow and volume with NXLog Platform
March 23, 2026
Security dashboards go dark: why visibility isn't optional, even when your defenses keep running
February 26, 2026
Building a practical OpenTelemetry pipeline with NXLog Platform
February 25, 2026
Announcing NXLog Platform 1.11
February 23, 2026
Adopting OpenTelemetry without changing your applications
February 10, 2026
Linux security monitoring with NXLog Platform: Extracting key events for better monitoring
January 9, 2026
2025 and NXLog - a recap
December 18, 2025
Announcing NXLog Platform 1.10
December 11, 2025
Announcing NXLog Platform 1.9
October 22, 2025
Gaining valuable host performance metrics with NXLog Platform
September 30, 2025
Security Event Logs: Importance, best practices, and management
July 22, 2025
Enhancing security with Microsoft's Expanded Cloud Logs
June 10, 2025

Categories

  • ANNOUNCEMENT
  • COMPARISON
  • COMPLIANCE
  • DEPLOYMENT
  • SECURITY
  • SIEM
  • STRATEGY
  • Products
  • NXLog Platform
  • NXLog Agent
  • NXLog Community Edition
  • Integration
  • Professional Services
  • Licensing
  • Plans
  • Resources
  • Documentation
  • Blog
  • White Papers
  • Videos
  • Webinars
  • Case Studies
  • Community Program
  • Community Forum
  • Compare NXLog Platform
  • Partners
  • Find a Reseller
  • Partner Program
  • Partner Portal
  • About NXLog
  • Company
  • Careers
  • Support Portals
  • Contact Us

Follow us

LinkedIn Facebook YouTube Reddit
logo

© Copyright NXLog Ltd.

Privacy Policy • General Terms of Business