January 16, 2023 | Tags: strategy, comparison, agent

NXLog vs. Splunk Universal Forwarder

By Arielle Bonnici


NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.

If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy.

NXLog and Splunk Universal Forwarder feature comparison

Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them. Splunk offers two types of forwarders: a heavy forwarder, essentially a Splunk Enterprise instance with limited features, and a Universal Forwarder, which is a standalone package that only forwards data. The latter supersedes the Splunk light forwarder, deprecated as of Splunk Enterprise version 6.0.0. If you are unfamiliar with Splunk forwarders, see Types of forwarders in the Splunk manual. On the other hand, NXLog offers two editions of its log collection software: a free Community Edition (CE) and the paid Enterprise Edition (EE).

In this comparison, we will focus on the Splunk Universal Forwarder, which Splunk defines as "a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data." From this description, it’s natural to deduce that its design goals were focused on performance rather than possessing a rich set of functional features.

The universal forwarder is the best tool for forwarding data to indexers. Its main limitation is that it forwards only unparsed data.

— Splunk's Splexicon: the Splunk glossary

The following table compares Splunk Universal Forwarder agent version 9.0.3 with both editions of NXLog. In this matrix, we will look at supported operating systems and output formats, along with 28 functional capabilities one might expect to find in a log forwarding agent.

Table 1. NXLog Manager/EE and CE vs. Splunk Universal Forwarder
Columns: Feature | Splunk Universal Forwarder | NXLog Enterprise Edition | NXLog Community Edition
[The per-column support marks in this table were icons and are not recoverable; only the feature rows, grouped by category, survive. Footnotes [1] and [2] apply to the Splunk Universal Forwarder column.]

OS Support
  • Microsoft Windows
  • Linux
  • Windows Nano Server
  • IBM AIX
  • BSD
  • Apple macOS
  • Solaris
  • ARM
  • Docker

Output Format Support
  • Snare
  • JSON
  • GELF
  • XML
  • Syslog (RFC5424)
  • Syslog (RFC3164)

Log Processing Features
  • Windows XP/2000/2003 Event Log Support
  • Per-Event Filtering [1]
  • Event Parsing [2]
  • Event Log Caching
  • Use as Windows Event Collector for WEF
  • Event Tracing for Windows (ETW)
  • UTC Logging
  • Field/Value Rewrite or Injection
  • Normalizing Windows Logs to Syslog
  • Event Correlation
  • Truncation of Verbose Event Text
  • Filter for Events of Interest
  • Debug Mode
  • Group Policy Support

Agent Networking and Output Features
  • Failover
  • TCP/UDP Message Delivery
  • HTTP Event Collector Support
  • Forwards to Splunk Enterprise
  • Forwards to 3rd Party Systems
  • Event Routing
  • SSL/TLS Encryption
  • Log Message Simulcasting
  • Centralized Configuration Management
  • Enhanced Event Throttling
  • Agent Heartbeat
  • Alerting
  • Support for Thousands of Agents

Vendor Support
  • Vendor Product Support

  1. Limited filtering for Windows logs is available in the Windows Universal Forwarder.

  2. Limited CSV parsing is available for file-based logs.

Why is NXLog a better alternative?

Improves log ingestion speed

NXLog is a robust log collector designed to work under heavy loads and sudden spurts of high log volumes. Curiously, our fully-featured agent outperforms the minimalist Splunk Universal Forwarder containing "only the essential components needed to forward data."

When we benchmarked Splunk Enterprise’s processing and indexing rate with a sudden flood of over 30,000 Windows Sysmon events, it processed and indexed the same dataset far more quickly when NXLog sent the events versus the Splunk Universal Forwarder. In our test environment, Splunk Enterprise consistently indexed events forwarded by NXLog over ten times faster than those sent by the Splunk Universal Forwarder, despite the extra processing for the NXLog agent to emulate the log format of the Universal Forwarder.

Table 2. Indexing a flood of 30,000 Sysmon logs

Indexing rate (EPS)   Splunk Universal Forwarder   NXLog
Maximum               259                          3,377
Mean                  121                          1,439
Median                121                          1,192
Minimum               0                            1,116

Integrates with any SIEM

In the world of enterprise software, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned. Although Splunk has been a key player in the SIEM market for a while, no one can predict the future. For example, suppose management decided that Splunk needs to be complemented with another SIEM solution to fill a functional gap or even replaced entirely. What would be the ramifications of such a decision for the hundreds or thousands of log sources on which the Splunk Universal Forwarder is the sole log forwarding agent?

NXLog is vendor-agnostic and supports practically any operating system in enterprise computing environments. It can function as the sole log collector and forwarder and seamlessly integrates with any third-party SIEM or log storage, such as:

  • ArcSight Enterprise Security Manager (ESM)

  • Amazon Web Services (AWS)

  • Elasticsearch

  • Google Chronicle

  • Graylog

  • IBM QRadar

  • Microsoft Azure Sentinel

  • McAfee ESM

  • Rapid7

  • RSA NetWitness

  • Securonix

  • Splunk Enterprise

Today, software solutions must be able to integrate with other systems, such as log management and threat analysis platforms. For example, Elasticsearch may be introduced into an existing environment to store and analyze logs. If you’re using NXLog EE as your log collector, you only need to make minimal changes to the NXLog configurations to start forwarding logs to it. Simply add another output and route, and you can simulcast logs in different formats to Elasticsearch and any other platform.
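To make the "add another output and route" step concrete, here is an added example configuration written for this article (it is not taken from the original post or from NXLog's own documentation). One Windows Security input is simulcast to Splunk Enterprise over TLS as syslog-wrapped JSON and to Elasticsearch via the om_elasticsearch module, which assumes NXLog Enterprise Edition. The host names, ports, certificate path and index name are placeholders.

```nxlog
# Added example: one input, two outputs, one route that fans out to both.
# Host names, ports, the CA file path and the index name are placeholders.

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Source: the Windows Security channel (narrow the query as needed)
<Input windows_security>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Destination 1: a Splunk Enterprise TCP (syslog) data input, TLS-protected.
# The parsed Windows fields travel as a JSON document inside the syslog
# message, so Splunk receives one self-describing event per line.
<Output to_splunk>
    Module  om_ssl
    Host    splunk-indexer.example.internal
    Port    1514
    CAFile  /etc/nxlog/certs/ca.pem
    Exec    $Message = to_json(); to_syslog_ietf();
</Output>

# Destination 2: Elasticsearch bulk API (om_elasticsearch is an Enterprise
# Edition module); the module serializes each event to JSON itself.
<Output to_elastic>
    Module       om_elasticsearch
    URL          https://elasticsearch.example.internal:9200/_bulk
    HTTPSCAFile  /etc/nxlog/certs/ca.pem
    Index        windows-security
</Output>

# Listing both outputs on one Path sends every event to both destinations.
# Adding a third SIEM later is one more <Output> block and one more name here.
<Route simulcast>
    Path    windows_security => to_splunk, to_elastic
</Route>
```

Each output holds its own connection and buffering, so a slow or unreachable Elasticsearch node does not block delivery to Splunk, and the format sent to each destination is chosen per output rather than per source.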

Enriches log data

Most enterprises aim for a consolidated view of their data from all sources, including logs. Such a goal is only possible with the ability to normalize data into a common structure. For example, most log sources include a field to determine where the log record originated. However, the naming varies from one log source to another and can be Computer, ComputerName, Host, Hostname, or any other name determined by the vendor. In addition, Splunk creates default fields during indexing, including host, source, and sourcetype. Yet, a log record in Splunk can have an IP address in the host field, while another ComputerName field contains the hostname. This makes searching your data challenging because you need to include all possible field names in your queries.

NXLog automatically adds three core fields to every event to facilitate normalization: EventReceivedTime, SourceModuleName, and SourceModuleType. Additionally, if a hostname is defined, it also adds a Hostname field. These field names are common across all events processed by NXLog.

Log enrichment goes beyond simply normalizing field names across disparate log sources. Imagine the benefits of creating custom fields specific to your organization. It would allow analysts to isolate events from log sources associated with a particular project, group, external business partner, business unit, store number, geographical region/zone, etc.
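As an added example of both points above (normalizing the origin field and adding organization-specific fields), the configuration below is written for this article and is not from the original post or from NXLog's documentation. It assumes a hypothetical application that writes one JSON object per line and, depending on the component, names the originating machine Computer, ComputerName or Host; the file paths, site, project and business-unit values are placeholders.

```nxlog
# Added example: normalize the "where did this event come from" field to
# $Hostname and tag every event with fields analysts can always query.
# The input file path, output path and the tag values are placeholders.

<Extension _json>
    Module  xm_json
</Extension>

# Hypothetical application log, one JSON object per line, whose origin field
# is named Computer, ComputerName or Host depending on the component.
<Input app_json>
    Module  im_file
    File    "/var/log/app/*.json"
    <Exec>
        parse_json();

        # Normalize: whichever vendor-specific name is present becomes
        # $Hostname, the same field NXLog sets itself when a hostname is known,
        # so one query term covers every source.
        if not defined($Hostname)
        {
            if defined($Computer)
            {
                $Hostname = $Computer;
                delete($Computer);
            }
            else if defined($ComputerName)
            {
                $Hostname = $ComputerName;
                delete($ComputerName);
            }
            else if defined($Host)
            {
                $Hostname = $Host;
                delete($Host);
            }
        }

        # Enrich: organization-specific context that the source itself never
        # carries. These let an analyst isolate one unit, site or project.
        $BusinessUnit = "finance";
        $Site         = "eu-west";
        $Project      = "payments-migration";
        $Collector    = hostname_fqdn();
    </Exec>
</Input>

# Write the normalized, enriched events as JSON (swap for any SIEM output)
<Output normalized>
    Module  om_file
    File    "/var/log/nxlog/normalized.json"
    Exec    to_json();
</Output>

<Route r1>
    Path    app_json => normalized
</Route>
```

Because the enrichment happens on the agent, the added fields arrive with every event regardless of which SIEM receives it, and the original vendor field is removed after the copy so the same value is not indexed twice under two names.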

Reduces operational costs

Some Splunk pricing models are volume-based. Consequently, to get the best value out of Splunk, the number of events sent to it needs to be kept at a minimum with a high ratio of high-quality event records. The challenge of this strategy is that, more often than not, log sources contain a low proportion of quality logs mixed in among an ocean of relatively useless informational records. Although the Splunk Universal Forwarder lets you blacklist specific log sources and perform basic filtering on Windows logs, it cannot implement complex, highly selective filters on noisy log sources containing high-value events.

In comparison, NXLog provides advanced filtering capabilities, including native XPath filters (QueryXML) for Windows logs. For example, the following configuration collects logs based on a combination of source, log level, and event ID while ignoring other unimportant events.

nxlog.conf
# Collect Security events from the Windows auditing provider at levels 1-3
# (critical, error, warning) and only for the listed event IDs
<Input SecurityAuditEvents>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
                and (Level=1 or Level=2 or Level=3)
                and ((EventID=4928 or EventID=4931) or (EventID=4932 or EventID=4937)
                or EventID=4662 or (EventID=5136 or EventID=5141))]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
Note

See Filtering events in the NXLog User Guide for further details on filtering Windows logs.

See our Reduce data size and cut SIEM licensing costs white paper for how to reduce your SIEM operational costs.
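XPath selects on the event's System section; the "complex, highly selective" filters mentioned above usually also need the parsed event data and the message text. The following added example (written for this article, not taken from the original post or from NXLog's documentation) shows that second layer: an Exec block that drops machine-account noise from logon events, drops loopback logons, and truncates verbose message text before anything leaves the agent. Event IDs 4624 and 4672 are the standard Windows logon and special-privilege events; the field names are those im_msvistalog parses from EventData, and the account-name pattern is a placeholder for this illustration.

```nxlog
# Added example: content-based filtering layered on top of an XPath query.
# 4624 = successful logon, 4672 = special privileges assigned at logon.

<Input SecurityLogons>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4672)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Machine accounts (names ending in "$") log on constantly and are
        # noise for most detections; drop them before they cost license volume.
        if defined($TargetUserName) and $TargetUserName =~ /\$$/ drop();

        # Logons from the loopback address are local re-authentication churn
        # rather than lateral movement; drop those too.
        if defined($IpAddress) and $IpAddress == "127.0.0.1" drop();

        # The message text repeats what the parsed fields already carry;
        # keep only its first 1 KiB so the indexed volume stays small.
        if defined($Message) and size($Message) > 1024
            $Message = substr($Message, 0, 1024);
    </Exec>
</Input>
```

The XPath query keeps the Windows API from delivering events you never wanted, and the Exec block then applies per-event logic the XPath cannot express, so the two layers together shrink what reaches the SIEM without losing the events an analyst would look for.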

Give NXLog a try

NXLog is a superior Splunk Universal Forwarder alternative. Faster log processing, data enrichment, advanced filtering, and multicasting logs to different endpoints are only a few of the benefits you will get when you switch to NXLog. What might initially appear to be an additional expense can be the start of a wise investment strategy for throttling the long-term operational costs of a hungry SIEM.

Our documentation abounds with detailed, step-by-step deployment instructions for all platforms, an extensive configuration section, and over 100 integration guides with real-world configuration samples to get you started. In addition, find in-depth technical documentation in the NXLog EE Reference Manual.

Please get in touch if you require further information or assistance. Our experts are always happy to help!


NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.
