If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog.
Feature Comparison
There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support. Similar to the Snare Enterprise edition, the NXLog Enterprise edition is actively maintained by NXLog and frequently enhanced by features demanded by the market.
In stark contrast to the legacy, open source Snare Lite agent (which is no longer secure and compliant according to Snare Lite on Sourceforge), the NXLog Community Edition offers superior features, such as a secure log collection agent supporting the latest major operating systems as well as providing both agent-based and agent-less logging solutions.
The NXLog Community and Enterprise Editions includes, and in many cases supersedes, the majority of the features of their Snare counterparts.
|
Note
|
As the Snare Lite agent is no longer supported by Snare, it is not included in the comparison table below. It would be unfair to compare any of our products to an insecure non-compliant product, as none of its features would be useful in any real-life scenario. |
| Feature | Snare Enterprise Agent | NXLog Community Edition | NXLog Enterprise Edition |
|---|---|---|---|
Operating System Support |
|||
Microsoft Windows |
|
|
|
MSI for Windows Platforms |
|
|
|
Linux |
|
|
|
Ubuntu |
|
|
|
Debian |
|
|
|
RHEL |
|
|
|
CentOS |
|
|
|
AWS - Amazon Linux |
|
|
|
Docker |
|
|
|
Apple macOS |
|
|
|
Solaris |
|
|
|
SLES |
|
|
|
Windows Nano Server |
|
|
|
IBM AIX |
|
|
|
FreeBSD and OpenBSD |
|
|
|
Android |
|
|
|
Certifications and Partnerships |
|||
Technology Alliance partner with Splunk |
|
|
|
Partner Product with RSA NetWitness |
|
|
|
Part of the McAfee Security Innovation Alliance Partner Directory |
|
|
|
Certified with the SUSE Linux Enterprise Ready Mark |
|
|
|
Technology Certified with Red Hat Enterprise Linux |
|
|
|
Certified on Windows Server 2016 and Windows Server 2019 |
|
|
|
Output Format Support |
|||
Snare Output Support |
|
|
|
Syslog Formatting (RFC5424) |
|
|
|
Syslog Formatting (RFC3164) |
|
|
|
CEF Output Support |
|
|
|
LEEF Output Support |
|
|
|
JSON Output Support |
|
|
|
GELF Output Support |
|
|
|
XML Output Support |
|
|
|
CSV Output Support |
|
|
|
KVP Output Support |
|
|
|
Log Processing Features |
|||
Log Caching |
|
|
|
Custom Windows Event Log Sources |
|
|
|
UTC Logging |
|
|
|
Truncation of Verbose Event Text |
|
|
|
Filter for Events of Interest |
|
|
|
Debug Mode |
|
|
|
Message re-write |
|
|
|
Correlation/Alerting |
|
|
|
Event Tracing for Windows (ETW) |
|
|
|
Browser-based UI Configuration |
|
|
|
Auditing Features |
|||
USB Monitoring |
|
|
|
File Integrity Monitoring |
|
|
|
Linux Auditing |
|
|
|
Collect from Windows Auditing Events |
|
|
|
Windows Registry Monitoring |
|
|
|
Group Policy Support |
|
|
|
Linux or BSD kernel Auditing |
|
|
|
AIX Auditing |
|
|
|
Audit logs from Sun’s Basic Security Module auditing |
|
|
|
Agent Networking and Output Features |
|||
Failover |
|
|
|
TCP/UDP Message Delivery |
|
|
|
Delivery Over SSL/TLS |
|
|
|
SSL/TLS Encryption |
|
|
|
Log Message Simulcasting |
|
|
|
Centralized Configuration Management |
|
|
|
Enhanced Event Throttling |
|
|
|
Agent Heartbeat |
|
|
|
Windows Event Collector Support |
|
|
|
*Using NXLog Manager
Support Writing in Multiple Formats
One of the most important aspect of logs is the format, it is crucial to achieving readable log files. And, above all it is best if logs are in a structured format, rather than as unstructured text. The format affects information availability, readability, manageability and size as well. As opposed to the limited output formats supported by Snare, NXLog supports multiple industry-standard formats such as:
-
CEF - Common Event Format (ArcSight)
-
LEEF - Log Event Extended Format (IBM QRadar)
-
GELF - Graylog Extended Log Format (Graylog)
-
Syslog RFC3164 - BSD Syslog protocol
-
Syslog RFC5424 - Syslog Protocol
-
JSON - JavaScript Object Notation
-
XML - Extensible Markup Language
-
KVP - Key-Value Pairs
-
CSV - Comma Separated Values
-
Snare or "Snare over Syslog" - Snare format with or without a Syslog header
The wider format support by NXLog also enables greater flexibility for the end-user and easier integration with third party products.
NXLog’s core design embraces structured logging, while Snare was primarily designed around its propritery Snare syslog format. In contrast, NXLog provides structured data support - such as JSON and KVP, as well as CSV and XML. Using structured logging can dramatically reduce the operation cost of a SIEM.
Integration with Third Party Products
In the world of Information Technology, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned.
NXLog’s forte is its support for practically any operating system found in enterprise computing environments and its seamless integration with third party solutions such as IBM QRadar, Rapid7, Splunk Enterprise, FireEye, Helix, and Securonix just to name a few. For a comprehensive list, visit our integrations page.
NXLog also provides extensive documentation to help with the integrations. See the Integration section in the NXLog User Guide.
Footprint and Configuration
NXLog agents are lightweight and operate using minimal resources and can be run as a service practically unnoticeable in the background. With NXLog, you can get started right away with the text-based configuration, rather than going through the Snare setup wizard that ends up with a generic configuration that is unlikely to be tailored to your specific needs. In addition, any further NXLog installation instances will only require the custom configuration file that was created once to be deployed, potentially to thousands of agents, in an enterprise environment, which results in conserving considerable time and money.
Documentation and Product Support
Our constantly updated, ever-growing documentation, already well above 1,000 pages, is a stand-alone product in itself. It is complete with configuration samples, real-world examples, and integration guides offering much more than a generic manual. Alongside this self-help resource, there is also the Community Forum for the Community Edition users, as well as the dedicated support team for our Enterprise customers which is available 24/7 with a world-class, 4-hour SLA.
Conclusion
In light of the information presented, it is now readily apparent that NXLog is a viable alternative to Snare for logging in an enterprise environment.
For further information or questions, please contact us.
