If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy.
NXLog and Splunk Universal Forwarder feature comparison
Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them. Splunk offers two types of forwarders: a heavy forwarder, essentially a Splunk Enterprise instance with limited features, and a Universal Forwarder, a standalone package that only forwards data. The latter supersedes the Splunk light forwarder, deprecated as of Splunk Enterprise version 6.0.0. If you are unfamiliar with Splunk forwarders, see Types of forwarders in the Splunk manual. NXLog, on the other hand, offers two editions of its log collection software: a free Community Edition (CE) and the paid Enterprise Edition (EE).
In this comparison, we will focus on the Splunk Universal Forwarder, which Splunk defines as "a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data." From this description, it’s natural to deduce that its design goals were focused on performance rather than possessing a rich set of functional features.
The universal forwarder is the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data.
The following table compares Splunk Universal Forwarder agent version 9.0.3 with both editions of NXLog. In this matrix, we will look at supported operating systems and output formats, along with 28 functional capabilities one might expect to find in a log forwarding agent.
Feature | Splunk Universal Forwarder | NXLog Enterprise Edition | NXLog Community Edition
---|---|---|---
OS Support | | |
Microsoft Windows | | |
Linux | | |
Windows Nano Server | | |
IBM AIX | | |
BSD | | |
Apple macOS | | |
Solaris | | |
ARM | | |
Docker | | |
Output Format Support | | |
Snare | | |
JSON | | |
GELF | | |
XML | | |
Syslog (RFC5424) | | |
Syslog (RFC3164) | | |
Log Processing Features | | |
Windows XP/2000/2003 Event Log Support | | |
Per-Event Filtering | | |
Event Parsing | | |
Event Log Caching | | |
Use as Windows Event Collector for WEF | | |
Event Tracing for Windows (ETW) | | |
UTC Logging | | |
Field/Value Rewrite or Injection | | |
Normalizing Windows Logs to Syslog | | |
Event Correlation | | |
Truncation of Verbose Event Text | | |
Filter for Events of Interest | | |
Debug Mode | | |
Group Policy Support | | |
Agent Networking and Output Features | | |
Failover | | |
TCP/UDP Message Delivery | | |
HTTP Event Collector Support | | |
Forwards to Splunk Enterprise | | |
Forwards to 3rd Party Systems | | |
Event Routing | | |
SSL/TLS Encryption | | |
Log Message Simulcasting | | |
Centralized Configuration Management | | |
Enhanced Event Throttling | | |
Agent Heartbeat | | |
Alerting | | |
Support for Thousands of Agents | | |
Vendor Support | | |
Vendor Product Support | | |

- Limited filtering for Windows logs is available in the Windows Universal Forwarder.
- Limited CSV parsing is available for file-based logs.
Why is NXLog a better alternative?
Improves log ingestion speed
NXLog is a robust log collector designed to work under heavy loads and sudden spurts of high log volumes. Curiously, our fully-featured agent outperforms the minimalist Splunk Universal Forwarder containing "only the essential components needed to forward data."
When we benchmarked Splunk Enterprise’s processing and indexing rate with a sudden flood of over 30,000 Windows Sysmon events, it processed and indexed the same dataset far more quickly when NXLog sent the events versus the Splunk Universal Forwarder. In our test environment, Splunk Enterprise consistently indexed events forwarded by NXLog over ten times faster than those sent by the Splunk Universal Forwarder, despite the extra processing for the NXLog agent to emulate the log format of the Universal Forwarder.
Indexing rate (EPS) | Splunk Universal Forwarder | NXLog
---|---|---
Maximum | 259 | 3,377
Mean | 121 | 1,439
Median | 121 | 1,192
Minimum | 0 | 1,116
Integrates with any SIEM
In the world of enterprise software, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned. Although Splunk has been a key player in the SIEM market for a while, no one can predict the future. For example, suppose management decided that Splunk needs to be complemented with another SIEM solution to fill a functional gap or even replaced entirely. What would be the ramifications of such a decision for the hundreds or thousands of log sources on which the Splunk Universal Forwarder is the sole log forwarding agent?
NXLog is vendor-agnostic and supports practically any operating system in enterprise computing environments. It can function as the sole log collector and forwarder and seamlessly integrates with any third-party SIEM or log storage, such as:
- ArcSight Enterprise Security Manager (ESM)
- Amazon Web Services (AWS)
- Elasticsearch
- Google Chronicle
- Graylog
- IBM QRadar
- Microsoft Azure Sentinel
- McAfee ESM
- Rapid7
- RSA NetWitness
- Securonix
- Splunk Enterprise
Today, software solutions must be able to integrate with other systems, such as log management and threat analysis platforms. For example, Elasticsearch may be introduced into an existing environment to store and analyze logs. If you’re using NXLog EE as your log collector, you only need to make minimal changes to the NXLog configurations to start forwarding logs to it. Simply add another output and route, and you can simulcast logs in different formats to Elasticsearch and any other platform.
Enriches log data
Most enterprises aim for a consolidated view of their data from all sources, including logs. Such a goal is only possible with the ability to normalize data into a common structure. For example, most log sources include a field to determine where the log record originated. However, the naming varies from one log source to another and can be Computer, ComputerName, Host, Hostname, or any other name determined by the vendor. In addition, Splunk creates default fields during indexing, including host, source, and sourcetype. Yet, a log record in Splunk can have an IP address in the host field, while another ComputerName field contains the hostname. This makes searching your data challenging because you need to include all possible field names in your queries.
NXLog automatically adds three core fields to every event to facilitate normalization: EventReceivedTime, SourceModuleName, and SourceModuleType. Additionally, if a hostname is defined, it also adds a Hostname field. These field names are common across all events processed by NXLog.
Log enrichment goes beyond simply normalizing field names across disparate log sources. Imagine the benefits of creating custom fields specific to your organization. It would allow analysts to isolate events from log sources associated with a particular project, group, external business partner, business unit, store number, geographical region/zone, etc.
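To show what "add another output and route" from the previous section and the normalization and enrichment described here look like in practice, the following NXLog Enterprise Edition configuration is an added example written for this article's readers; it is not taken from the original post or from NXLog's own documentation. The hostnames, ports, file path and field values (splunk.example.com, port 1514, elasticsearch.example.com, siem.example.com, C:\app\logs\app.json, BusinessUnit, Region, StoreNumber) are assumed placeholders.

```nxlog
# Added example, not from the original post: normalize the host field, enrich
# every event with organization-specific fields, and simulcast the result to
# Splunk (JSON over TCP), Elasticsearch (bulk API) and a syslog collector
# (RFC 5424). All hosts, ports, paths and field values are assumed.

<Extension json>
    Module  xm_json
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

# Windows Event Log source; im_msvistalog already fills $Hostname
<Input windows_events>
    Module  im_msvistalog
</Input>

# JSON-lines application log whose vendor named the host field "ComputerName"
# (assumed path)
<Input app_json>
    Module  im_file
    File    'C:\app\logs\app.json'
    Exec    parse_json();
</Input>

# One processing stage shared by both inputs: normalize, then enrich
<Processor enrich>
    Module  pm_null
    <Exec>
        # Fold vendor-specific host fields into the NXLog core field $Hostname
        if not defined $Hostname
        {
            if defined $ComputerName { $Hostname = $ComputerName; delete($ComputerName); }
            else if defined $Computer { $Hostname = $Computer; delete($Computer); }
            else if defined $Host     { $Hostname = $Host; delete($Host); }
        }
        # Custom fields analysts can pivot on (assumed values for this site)
        $BusinessUnit = "retail-ops";
        $Region       = "emea-west";
        $StoreNumber  = 42;
    </Exec>
</Processor>

# Splunk TCP data input (not the 9997 forwarder port), sourcetype _json assumed
<Output splunk>
    Module  om_tcp
    Host    splunk.example.com
    Port    1514
    Exec    to_json();
</Output>

# Elasticsearch bulk endpoint (EE-only module), assumed host
<Output elastic>
    Module  om_elasticsearch
    URL     http://elasticsearch.example.com:9200/_bulk
</Output>

# Third-party syslog collector, assumed host
<Output syslog_collector>
    Module  om_tcp
    Host    siem.example.com
    Port    514
    Exec    to_syslog_ietf();
</Output>

# Every event from both inputs passes through enrich and is sent to all three
<Route simulcast>
    Path    windows_events, app_json => enrich => splunk, elastic, syslog_collector
</Route>
```

Because the processor stage runs once for both inputs, every event leaves the agent with Hostname, EventReceivedTime, SourceModuleName and SourceModuleType plus the three custom fields, whatever its source; the output format is chosen in each output module's own Exec, so the same event can be delivered as JSON to Splunk and Elasticsearch and as RFC 5424 syslog to the collector. Adding a fourth destination later is one more Output block and one more name in the Path line.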
Reduces operational costs
Some Splunk pricing models are volume-based. Consequently, to get the best value out of Splunk, the number of events sent to it needs to be kept at a minimum with a high ratio of high-quality event records. The challenge of this strategy is that—more often than not—log sources contain a low proportion of quality logs mixed in among an ocean of relatively useless informational records. Although you can blacklist specific log sources and perform basic filtering on Windows logs, with the Splunk Universal Forwarder, you cannot implement complex, highly selective filters on noisy log sources containing high-value events.
In comparison, NXLog provides advanced filtering capabilities. For example, it supports native XPath filters (QueryXML) for Windows logs. The following configuration collects logs based on a combination of source, log level, and event ID while ignoring other, unimportant events.
<Input SecurityAuditEvents>
    Module  im_msvistalog
    # XPath query evaluated by the Windows Event Log API before the events
    # reach the agent: Security audit events of Level 1-3 whose Event ID is
    # 4662 or lies in the inclusive ranges 4928-4931, 4932-4937 or 5136-5141.
    # The comparison operators must be written as &gt;= and &lt;= inside XML.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
                    and (Level=1 or Level=2 or Level=3)
                    and ((EventID&gt;=4928 and EventID&lt;=4931)
                         or (EventID&gt;=4932 and EventID&lt;=4937)
                         or EventID=4662
                         or (EventID&gt;=5136 and EventID&lt;=5141))]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
Note: See Filtering events in the NXLog User Guide for further details on filtering Windows logs. See our Reduce data size and cut SIEM licensing costs white paper for how to reduce your SIEM operational costs.
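XPath selects events by their System properties; the per-event logic that decides whether a selected event is worth the licence volume often depends on EventData fields or on the size of the message text. The following configuration is an added example (not from the original post or NXLog's documentation) that combines a QueryXML pre-filter with an Exec block that drops and truncates per event. The Splunk host and port, the computer-account name pattern and the 1024-character limit are assumed choices.

```nxlog
# Added example, not from the original post: keep only logon events in the
# channel query, then apply per-event rules in Exec that XPath alone cannot
# express. Host, port, pattern and limit are assumed.

<Extension json>
    Module  xm_json
</Extension>

<Input logon_events>
    Module  im_msvistalog
    # Only logon successes (4624) and failures (4625) are read from the
    # Security channel; everything else never leaves the host.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Successful logons by computer accounts (names ending in "$") are
        # high-volume noise; failed logons from the same accounts are kept.
        if $EventID == 4624 and $TargetUserName =~ /\$$/ drop();

        # Cut the verbose, largely boilerplate Message text to an assumed
        # 1024-character limit to reduce indexed volume.
        if size($Message) > 1024 $Message = substr($Message, 0, 1024);

        # Forward the structured record rather than the raw event text
        to_json();
    </Exec>
</Input>

# Splunk TCP data input (assumed host and port; not the 9997 forwarder port)
<Output splunk>
    Module  om_tcp
    Host    splunk.example.com
    Port    1514
</Output>

<Route filtered_logons>
    Path    logon_events => splunk
</Route>
```

The two layers divide the work: the XPath query keeps the Windows API from handing over events the agent would discard anyway, while the Exec rules run on the parsed fields of each remaining event, so the decision can use any EventData value, a regular expression, or the size of a field.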
Give NXLog a try
NXLog is a superior Splunk Universal Forwarder alternative. Faster log processing, data enrichment, advanced filtering, and multicasting logs to different endpoints are only a few of the benefits you will get when you switch to NXLog. What might initially appear to be an additional expense can be the start of a wise investment strategy for throttling the long-term operational costs of a hungry SIEM.
Our documentation abounds with detailed, step-by-step deployment instructions for all platforms, an extensive configuration section, and over 100 integration guides with real-world configuration samples to get you started. In addition, find in-depth technical documentation in the NXLog EE Reference Manual.
Please get in touch if you require further information or assistance. Our experts are always happy to help!