January 16, 2023
Categories: strategy, comparison, agent

NXLog vs Splunk Universal Forwarder

By Arielle Bonnici


NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.

If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy.

NXLog and Splunk Universal Forwarder feature comparison

Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them. Splunk offers two types of forwarders: a heavy forwarder, essentially a Splunk Enterprise instance with limited features, and a Universal Forwarder, a standalone package that only forwards data. The latter supersedes the Splunk light forwarder, deprecated as of Splunk Enterprise version 6.0.0. If you are unfamiliar with Splunk forwarders, see Types of forwarders in the Splunk manual. NXLog, on the other hand, offers two editions of its log collection software: a free Community Edition (CE) and the paid Enterprise Edition (EE).

In this comparison, we will focus on the Splunk Universal Forwarder, which Splunk defines as "a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data." From this description, it’s natural to deduce that its design goals were focused on performance rather than possessing a rich set of functional features.

The universal forwarder is the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data.

— Splunk's Splexicon: the Splunk glossary

The following table compares Splunk Universal Forwarder agent version 9.0.3 with both editions of NXLog. In this matrix, we will look at supported operating systems and output formats, along with 28 functional capabilities one might expect to find in a log forwarding agent.

Table 1. NXLog Manager/EE and CE vs. Splunk Universal Forwarder

| Feature | Splunk Universal Forwarder | NXLog Enterprise Edition | NXLog Community Edition |
|---|---|---|---|
| OS Support | | | |
| Microsoft Windows | ✔ | ✔ | ✔ |
| Linux | ✔ | ✔ | ✔ |
| Windows Nano Server | ✘ | ✔ | ✘ |
| IBM AIX | ✔ | ✔ | ✘ |
| BSD | ✔ | ✔ | ✘ |
| Apple macOS | ✔ | ✔ | ✘ |
| Solaris | ✔ | ✔ | ✘ |
| ARM | ✘ | ✔ | ✘ |
| Docker | ✘ | ✔ | ✔ |
| Output Format Support | | | |
| Snare | ✔ | ✔ | ✔ |
| JSON | ✘ | ✔ | ✔ |
| GELF | ✘ | ✔ | ✔ |
| XML | ✘ | ✔ | ✔ |
| Syslog (RFC5424) | ✔ | ✔ | ✔ |
| Syslog (RFC3164) | ✔ | ✔ | ✔ |
| Log Processing Features | | | |
| Windows XP/2000/2003 Event Log Support | ✘ | ✔ | ✔ |
| Per-Event Filtering | ✘ [1] | ✔ | ✔ |
| Event Parsing | ✘ [2] | ✔ | ✔ |
| Event Log Caching | ✔ | ✔ | ✔ |
| Use as Windows Event Collector for WEF | ✘ | ✔ | ✘ |
| Event Tracing for Windows (ETW) | ✘ | ✔ | ✘ |
| UTC Logging | ✔ | ✔ | ✔ |
| Field/Value Rewrite or Injection | ✘ | ✔ | ✔ |
| Normalizing Windows Logs to Syslog | ✔ | ✔ | ✔ |
| Event Correlation | ✘ | ✔ | ✔ |
| Truncation of Verbose Event Text | ✘ | ✔ | ✔ |
| Filter for Events of Interest | ✘ | ✔ | ✔ |
| Debug Mode | ✔ | ✔ | ✔ |
| Group Policy Support | ✘ | ✔ | ✔ |
| Agent Networking and Output Features | | | |
| Failover | ✔ | ✔ | ✘ |
| TCP/UDP Message Delivery | ✔ | ✔ | ✔ |
| HTTP Event Collector Support | ✔ | ✔ | ✔ |
| Forwards to Splunk Enterprise | ✔ | ✔ | ✔ |
| Forwards to 3rd Party Systems | ✔ | ✔ | ✔ |
| Event Routing | ✘ | ✔ | ✔ |
| SSL/TLS Encryption | ✔ | ✔ | ✔ |
| Log Message Simulcasting | ✔ | ✔ | ✔ |
| Centralized Configuration Management | ✔ | ✔ | ✔ |
| Enhanced Event Throttling | ✘ | ✔ | ✔ |
| Agent Heartbeat | ✔ | ✔ | ✔ |
| Alerting | ✘ | ✔ | ✔ |
| Support for Thousands of Agents | ✔ | ✔ | ✔ |
| Vendor Support | | | |
| Vendor Product Support | ✔ | ✔ | ✔ |

  1. Limited filtering for Windows logs is available in the Windows Universal Forwarder.

  2. Limited CSV parsing is available for file-based logs.

Why is NXLog a better alternative?

Improves log ingestion speed

NXLog is a robust log collector designed to work under heavy loads and sudden spurts of high log volumes. Curiously, our fully-featured agent outperforms the minimalist Splunk Universal Forwarder containing "only the essential components needed to forward data."

When we benchmarked Splunk Enterprise’s processing and indexing rate with a sudden flood of over 30,000 Windows Sysmon events, it processed and indexed the same dataset far more quickly when NXLog sent the events versus the Splunk Universal Forwarder. In our test environment, Splunk Enterprise consistently indexed events forwarded by NXLog over ten times faster than those sent by the Splunk Universal Forwarder, despite the extra processing for the NXLog agent to emulate the log format of the Universal Forwarder.

Table 2. Indexing a flood of 30,000 Sysmon logs

| Indexing rate (EPS) | Splunk Universal Forwarder | NXLog |
|---|---|---|
| Maximum | 259 | 3,377 |
| Mean | 121 | 1,439 |
| Median | 121 | 1,192 |
| Minimum | 0 | 1,116 |

Integrates with any SIEM

In the world of enterprise software, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned. Although Splunk has been a key player in the SIEM market for a while, no one can predict the future. For example, suppose management decided that Splunk needs to be complemented with another SIEM solution to fill a functional gap or even replaced entirely. What would be the ramifications of such a decision for the hundreds or thousands of log sources on which the Splunk Universal Forwarder is the sole log forwarding agent?

NXLog is vendor-agnostic and supports practically any operating system in enterprise computing environments. It can function as the sole log collector and forwarder and seamlessly integrates with any third-party SIEM or log storage, such as:

  • ArcSight Enterprise Security Manager (ESM)

  • Amazon Web Services (AWS)

  • Elasticsearch

  • Google Chronicle

  • Graylog

  • IBM QRadar

  • Microsoft Azure Sentinel

  • McAfee ESM

  • Rapid7

  • RSA NetWitness

  • Securonix

  • Splunk Enterprise

Today, software solutions must be able to integrate with other systems, such as log management and threat analysis platforms. For example, Elasticsearch may be introduced into an existing environment to store and analyze logs. If you’re using NXLog EE as your log collector, you only need to make minimal changes to the NXLog configurations to start forwarding logs to it. Simply add another output and route, and you can simulcast logs in different formats to Elasticsearch and any other platform.

Enriches log data

Most enterprises aim for a consolidated view of their data from all sources, including logs. Such a goal is only possible with the ability to normalize data into a common structure. For example, most log sources include a field to determine where the log record originated. However, the naming varies from one log source to another and can be Computer, ComputerName, Host, Hostname, or any other name determined by the vendor. In addition, Splunk creates default fields during indexing, including host, source, and sourcetype. Yet, a log record in Splunk can have an IP address in the host field, while another ComputerName field contains the hostname. This makes searching your data challenging because you need to include all possible field names in your queries.

NXLog automatically adds three core fields to every event to facilitate normalization: EventReceivedTime, SourceModuleName, and SourceModuleType. Additionally, if a hostname is defined, it also adds a Hostname field. These field names are common across all events processed by NXLog.

Log enrichment goes beyond simply normalizing field names across disparate log sources. Imagine the benefits of creating custom fields specific to your organization. It would allow analysts to isolate events from log sources associated with a particular project, group, external business partner, business unit, store number, geographical region/zone, etc.
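The configuration below is an added example, not configuration from the original post or from NXLog's own documentation. It ties together the normalization and custom-field enrichment described in this section with the "add another output and route" simulcasting from the Integrates with any SIEM section: vendor-specific host fields are collapsed into the common Hostname field, organization-specific fields are injected, and every event is sent to both Splunk HEC and Elasticsearch. The hostnames, ports, HEC token, file paths, index name and custom field values are placeholders chosen for illustration.

```nxlog
# Added example (not from the original post or NXLog's docs): NXLog Enterprise
# Edition configuration that normalizes the host field, enriches events with
# organization-specific fields, and simulcasts them to Splunk HEC and
# Elasticsearch through a single route. Hosts, ports, token, paths, index name
# and custom field values are placeholders.

<Extension _json>
    Module      xm_json
</Extension>

<Input win_security>
    Module      im_msvistalog
</Input>

# Constructed example source: an application writing JSON lines that names its
# host field "ComputerName", e.g. {"ComputerName":"app01","Message":"started"}.
<Input app_json>
    Module      im_file
    File        "C:\\logs\\app\\*.json"
    Exec        parse_json();
</Input>

# Shared normalization and enrichment; both inputs pass through here once.
<Processor normalize>
    Module      pm_null
    <Exec>
        # Whichever vendor name is present becomes $Hostname, and the vendor
        # copy is dropped so each event carries exactly one host field.
        if defined($Computer)     { $Hostname = $Computer;     delete($Computer); }
        if defined($ComputerName) { $Hostname = $ComputerName; delete($ComputerName); }
        if defined($Host)         { $Hostname = $Host;         delete($Host); }
        if not defined($Hostname) $Hostname = hostname_fqdn();
        # Custom fields analysts can pivot on (placeholder values).
        $BusinessUnit = "finance";
        $Region       = "eu-west";
        $Project      = "ad-monitoring";
    </Exec>
</Processor>

<Output splunk_hec>
    Module      om_http
    URL         https://splunk.example.internal:8088/services/collector/event
    ContentType application/json
    AddHeader   Authorization: Splunk 00000000-0000-0000-0000-000000000000
    HTTPSCAFile C:/ProgramData/nxlog/cert/ca.pem
    # HEC expects the record wrapped in an "event" object; $Hostname feeds "host".
    Exec        $raw_event = '{"host":"' + $Hostname + '","sourcetype":"_json","event":' + to_json() + '}';
</Output>

<Output elastic>
    Module      om_elasticsearch
    URL         https://elastic.example.internal:9200/_bulk
    HTTPSCAFile C:/ProgramData/nxlog/cert/ca.pem
    Index       "nxlog-" + strftime($EventReceivedTime, "%Y.%m.%d")
</Output>

<Route simulcast>
    Path        win_security, app_json => normalize => splunk_hec, elastic
</Route>
```

Adding a third destination later means adding one more Output block and appending its name to the route's Path; the inputs and normalization stay untouched.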

Reduces operational costs

Some Splunk pricing models are volume-based. Consequently, to get the best value out of Splunk, the number of events sent to it needs to be kept to a minimum, with a high proportion of high-quality event records. The challenge with this strategy is that, more often than not, log sources contain a low proportion of quality logs mixed in among an ocean of relatively useless informational records. Although you can blacklist specific log sources and perform basic filtering on Windows logs with the Splunk Universal Forwarder, you cannot implement complex, highly selective filters on noisy log sources that contain high-value events.

In comparison, NXLog provides advanced filtering capabilities, including native XPath filters (QueryXML) for Windows logs. For example, the following configuration collects Security log events based on a combination of provider, log level, and event ID while ignoring other, unimportant events.

nxlog.conf
<Input SecurityAuditEvents>
    Module  im_msvistalog
    # Only Security-Auditing events of level 1-3 (Critical, Error, Warning) with the
    # listed event IDs are collected; everything else in the channel is ignored.
    # The event ID tests are ranges (>= and <= as XML entities): two equality
    # tests on one EventID joined by "and" could never match.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
                    and (Level=1 or Level=2 or Level=3)
                    and ((EventID &gt;= 4928 and EventID &lt;= 4931)
                         or (EventID &gt;= 4932 and EventID &lt;= 4937)
                         or EventID=4662
                         or (EventID &gt;= 5136 and EventID &lt;= 5141))]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Note: See Filtering events in the NXLog User Guide for further details on filtering Windows logs.

See our Reduce data size and cut SIEM licensing costs white paper for how to reduce your SIEM operational costs.

Give NXLog a try

NXLog is a superior Splunk Universal Forwarder alternative. Faster log processing, data enrichment, advanced filtering, and multicasting logs to different endpoints are only a few of the benefits you will get when you switch to NXLog. What might initially appear to be an additional expense can be the start of a wise investment strategy for throttling the long-term operational costs of a hungry SIEM.

Our documentation abounds with detailed, step-by-step deployment instructions for all platforms, an extensive configuration section, and over 100 integration guides with real-world configuration samples to get you started. In addition, find in-depth technical documentation in the NXLog EE Reference Manual.

Please get in touch if you require further information or assistance. Our experts are always happy to help!
