If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the information you need to take the next step toward a better log collection strategy.
NXLog Agent and Splunk Universal Forwarder feature comparison
Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them. Splunk offers two types of forwarders: a heavy forwarder, essentially a Splunk Enterprise instance with limited features, and a Universal Forwarder, which is a standalone package that only forwards data. The latter supersedes the Splunk light forwarder, deprecated as of Splunk Enterprise version 6.0.0. If you are unfamiliar with Splunk forwarders, see Types of forwarders in the Splunk manual.
In this comparison, we will focus on the Splunk Universal Forwarder, which Splunk defines as "a dedicated, streamlined version of Splunk Enterprise that contains only the essential components needed to forward data." From this description, it is natural to infer that it was designed for lean forwarding rather than for a rich set of processing features.
The following table compares Splunk Universal Forwarder agent version 10.2.2 with NXLog Agent. In this matrix, we will examine supported operating systems, output formats, and functional capabilities one might expect from a log-forwarding agent.
| Feature | Splunk Universal Forwarder | NXLog Agent |
|---|---|---|
| OS Support | | |
| Microsoft Windows | | |
| Microsoft Windows Nano Server | | |
| Linux | | |
| IBM AIX | | |
| BSD | | |
| Apple macOS | | |
| Solaris | | |
| ARM | | |
| Docker | | |
| Output Format Support | | |
| Snare | | |
| JSON | | |
| GELF | | |
| XML | | |
| Syslog (RFC 5424) | | |
| Syslog (RFC 3164) | | |
| Log Processing Features | | |
| Windows XP/2000/2003 Event Log Support | | |
| Per-Event Filtering | | |
| Event Parsing | | |
| Event Log Caching | | |
| Use as Windows Event Collector for WEF | | |
| Event Tracing for Windows (ETW) | | |
| UTC Logging | | |
| Field/Value Rewrite or Injection | | |
| Normalizing Windows Logs to Syslog | | |
| Event Correlation | | |
| Truncation of Verbose Event Text | | |
| Debug Mode | | |
| Group Policy Deployment and Configuration | | |
| Agent Networking and Output Features | | |
| Failover | | |
| TCP/UDP Message Delivery | | |
| HTTP Event Collector Support | | |
| Forwards to Splunk Enterprise | | |
| Forwards to 3rd Party Systems | | |
| Content-based Event Routing | | |
| TLS/SSL Encryption | | |
| Log Message Simulcasting | | |
| Centralized Configuration Management | | |
| Enhanced Event Throttling | | |
| Agent Heartbeat | | |
| Alerting | | |
| Support for Thousands of Agents | | |
| Vendor Support | | |
| Vendor Product Support | | |
Notes on the table:

- Limited filtering for Windows logs is available in the Windows Universal Forwarder.
- Limited CSV parsing is available for file-based logs.
- Only possible via an add-on.
Why is NXLog Agent a better alternative?
Improves log ingestion speed
NXLog Agent is a robust log collector designed to handle heavy loads and sudden spikes in log volume. Curiously, our agent outperforms the minimalist Splunk Universal Forwarder containing "only the essential components needed to forward data."
We benchmarked Splunk Enterprise's processing and indexing rate by sending it a sudden flood of over 30,000 Windows Sysmon events, once through the Splunk Universal Forwarder and once through NXLog Agent. In our test environment, Splunk Enterprise indexed the events forwarded by NXLog Agent about ten times faster on average (a mean of 1,439 EPS versus 121 EPS), even though NXLog Agent had the extra work of emulating the Splunk Universal Forwarder's log format.
| Indexing rate (EPS) | Splunk Universal Forwarder | NXLog Agent |
|---|---|---|
| Maximum | 259 | 3,377 |
| Mean | 121 | 1,439 |
| Median | 121 | 1,192 |
| Minimum | 0 | 1,116 |
Integrates with any SIEM
In the world of enterprise software, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned. Although Splunk has been a key player in the SIEM market for a while, no one can predict the future. For example, suppose management decided that Splunk needs to be complemented with another SIEM solution to fill a functional gap or even replaced entirely. What would be the ramifications of such a decision for the hundreds or thousands of log sources using solely the Splunk Universal Forwarder to forward logs?
NXLog Agent is vendor-agnostic and supports all popular operating systems used in enterprise environments. It can function as the sole log collector and forwarder and seamlessly integrates with any third-party SIEM or log storage, such as:
- ArcSight Enterprise Security Manager (ESM)
- Amazon Web Services (AWS)
- Elasticsearch
- Google SecOps
- Graylog
- IBM QRadar
- Microsoft Sentinel
- McAfee ESM
- Rapid7
- RSA NetWitness
- Securonix
- Splunk Enterprise
Today, software solutions must integrate with diverse systems, such as log management and threat analysis platforms. For example, Elasticsearch may be introduced into an existing environment to store and analyze logs. If you are using NXLog Agent as your log collector, only minimal configuration changes are needed to start forwarding logs to it: add another output and route, and the same events can be simulcast in different formats to Elasticsearch and any other platform.
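As an added example (this is not configuration from the original post), the NXLog Agent configuration below collects the Windows Event Log once and simulcasts it to Elasticsearch, a Splunk HTTP Event Collector, and a syslog-over-TLS SIEM, each in the format that destination expects. The hostnames, ports, HEC token, index name, and certificate paths are placeholders.

```nxlog
# Added example, not from the original post. Hostnames, ports, the HEC token,
# index name and certificate paths are placeholders to adapt to your environment.
define CERTDIR  %ROOT%\cert

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

# One collector for the Windows Event Log; the filtering section shows how to
# narrow this with an XPath query.
<Input eventlog>
    Module      im_msvistalog
</Input>

# Elasticsearch: om_elasticsearch serialises the event fields to JSON itself and
# batches them through the Bulk API; one index per day keeps retention simple.
<Output elasticsearch>
    Module      om_elasticsearch
    URL         https://elasticsearch.example.internal:9200/_bulk
    Index       strftime($EventTime, "windows-%Y%m%d")
    HTTPSCAFile %CERTDIR%\ca.pem
</Output>

# Splunk HEC raw endpoint: each request body is the JSON rendering of the event
# fields; sourcetype is passed as a query parameter so Splunk parses it as JSON.
<Output splunk_hec>
    Module      om_http
    URL         https://splunk.example.internal:8088/services/collector/raw?sourcetype=_json
    AddHeader   Authorization: Splunk 00000000-0000-0000-0000-000000000000
    ContentType application/json
    HTTPSCAFile %CERTDIR%\ca.pem
    Exec        to_json();
</Output>

# Third-party SIEM over syslog/TLS: RFC 5424 framing with the fields carried in
# the structured-data element; the server certificate is verified against our CA.
<Output siem_syslog>
    Module      om_ssl
    Host        siem.example.internal:6514
    CAFile      %CERTDIR%\ca.pem
    Exec        to_syslog_ietf();
</Output>

# A single route fans one input out to all three destinations. Adding another
# platform later is one more Output block and one more name on the Path line.
<Route fanout>
    Path        eventlog => elasticsearch, splunk_hec, siem_syslog
</Route>
```

Each Output formats its own copy of the event, so the `to_json()` call in the Splunk output does not affect what the syslog output sends. Keep `HTTPSCAFile` and `CAFile` pointing at the CA that signed the destination certificates rather than disabling verification; an agent that forwards Security-log events in the clear or to an unverified endpoint is itself an exfiltration path.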
Enriches log data
Most enterprises aim to achieve a consolidated view of their data across all sources, including logs. Such a goal is only possible by normalizing data into a common structure. For example, most log sources include a field to determine where the log record originated. However, the naming varies from one log source to another and can be Computer, ComputerName, Host, Hostname, or any other name determined by the vendor. In addition, Splunk creates default fields during indexing, including host, source, and sourcetype. Furthermore, a log record in Splunk can have the host field set to an IP address, while the ComputerName field contains the hostname. This makes searching your data challenging because you need to include all possible field names in your queries.
NXLog Agent automatically adds four core fields to every event to facilitate normalization: EventReceivedTime, Hostname, SourceModuleName, and SourceModuleType. These field names are common across all events processed by NXLog Agent.
Log enrichment goes beyond simply normalizing field names across different log sources. Imagine the benefits of creating custom fields specific to your organization. It would allow analysts to isolate events from log sources associated with a particular project, group, business partner, business unit, or geographical region.
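As an added example (not configuration from the original post), the following NXLog Agent configuration shows both points above: two sources whose origin and timestamp fields have different names are folded into the core `Hostname` and `EventTime` fields, and every event is tagged with organisation-specific fields. The project, business-unit, and region values, the application log path, and the output path are constructed for illustration.

```nxlog
# Added example, not from the original post. The tag values, the application
# log format and the paths are constructed for illustration.

# Organisation-specific tags applied to every event leaving this host.
define TAGS     $Project = 'payments-platform'; $BusinessUnit = 'finance'; $Region = 'eu-west';

<Extension json>
    Module      xm_json
</Extension>

# Windows Event Log: NXLog already sets Hostname, EventReceivedTime,
# SourceModuleName and SourceModuleType, so only the tags are added here.
<Input eventlog>
    Module      im_msvistalog
    Exec        %TAGS%
</Input>

# An application that writes JSON lines and calls the origin "computer" and the
# timestamp "ts". Fold both into the core field names so one query covers
# every source, then drop the vendor-specific names to avoid duplicates.
<Input applog>
    Module      im_file
    File        'C:\ProgramData\payments\logs\*.json'
    <Exec>
        parse_json();
        if defined($computer)
        {
            $Hostname = $computer;
            delete($computer);
        }
        if defined($ts)
        {
            $EventTime = parsedate($ts);
            delete($ts);
        }
        %TAGS%
    </Exec>
</Input>

# Normalised, enriched events rendered as JSON; swap this for any SIEM output.
<Output normalized>
    Module      om_file
    File        'C:\ProgramData\nxlog\data\normalized.json'
    Exec        to_json();
</Output>

<Route normalize>
    Path        eventlog, applog => normalized
</Route>
```

With this in place an analyst searches on `Hostname` and `Project` regardless of which source produced the record, and a query scoped to `BusinessUnit = 'finance'` isolates that unit's hosts without maintaining a separate asset list inside the SIEM.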
Reduces operational costs
Some Splunk pricing models are volume-based. Consequently, to get the best value from Splunk, the number of events sent to it should be kept to a minimum, with a high proportion of high-quality event records. The challenge is that, more often than not, log sources contain a small number of high-value events amid an ocean of routine informational records. Although you can blacklist specific log sources and perform some filtering on Windows logs with the Splunk Universal Forwarder, you cannot implement complex, highly selective filters on noisy log sources that still contain high-value events.
In comparison, NXLog Agent provides advanced filtering capabilities, such as native XPath filtering (QueryXML) for Windows logs.
For example, the following configuration collects only Security-auditing events that are audit failures and that fall into the directory-service event ID ranges 4928 to 4931, 4932 to 4937, and 5136 to 5141, plus event ID 4662, and ignores everything else. Security-log events are all written at Level 0, so the success or failure outcome is carried in the Keywords bits rather than in the Level element; `band(Keywords,4503599627370496)` matches the Audit Failure keyword, and replacing the value with 9007199254740992 selects Audit Success instead.

```nxlog
<Input SecurityAuditEvents>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and band(Keywords,4503599627370496) and ((EventID &gt;= 4928 and EventID &lt;= 4931) or (EventID &gt;= 4932 and EventID &lt;= 4937) or EventID=4662 or (EventID &gt;= 5136 and EventID &lt;= 5141))]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
```
Note: Filtering Windows logs in the NXLog Platform User Guide provides further details. See also our white paper Reduce data size and cut SIEM licensing costs for how to reduce your SIEM operational costs.
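An XPath query can only test the fields in the event's System element. Per-event filtering on the parsed EventData fields, which the comparison table lists and which the Splunk Universal Forwarder lacks, is what makes a noisy source usable. The configuration below is an added example (not from the original post): the XPath query makes the coarse cut, and an `Exec` block then drops the events that carry no investigative value and trims the verbose message text. The event IDs and field names are the real Windows Security-auditing ones; the list of noisy processes and the size limit are illustrative choices.

```nxlog
# Added example, not from the original post. Event IDs and field names are the
# real Security-auditing ones; the noisy-process list and size limit are
# illustrative and should be tuned for your estate.
define CERTDIR  %ROOT%\cert

<Extension json>
    Module      xm_json
</Extension>

<Input security_audit>
    Module      im_msvistalog
    # Coarse cut in the Event Log subscription: only these IDs reach the agent.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4662 or EventID=4688 or EventID=4769)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Fine cut on the parsed EventData fields, which XPath cannot express.
    <Exec>
        # 4662 (operation on an AD object): machine accounts (names ending in "$")
        # generate the bulk of these during replication; keep the user-driven ones.
        if $EventID == 4662 and $SubjectUserName =~ /\$$/ drop();

        # 4688 (process creation): drop a short list of chatty system helpers and
        # keep every other process start, command line included.
        if $EventID == 4688 and $NewProcessName =~ /\\(conhost|backgroundTaskHost|RuntimeBroker)\.exe$/i drop();

        # 4769 (Kerberos service ticket): successful tickets with modern encryption
        # are routine; failures and RC4 (0x17) tickets, the Kerberoasting signal, stay.
        if $EventID == 4769 and $Status == '0x0' and $TicketEncryptionType != '0x17' drop();

        # Cap the verbose Message text; the structured fields carry the detail.
        if defined($Message) and size($Message) > 1024
            $Message = substr($Message, 0, 1024);
    </Exec>
</Input>

# What survives goes to the SIEM as JSON over TLS.
<Output siem>
    Module      om_ssl
    Host        siem.example.internal:6514
    CAFile      %CERTDIR%\ca.pem
    Exec        to_json();
</Output>

<Route audit>
    Path        security_audit => siem
</Route>
```

Each `drop()` removes one event before it is formatted or sent, so the reduction is paid for on the endpoint rather than in SIEM licence volume. Review the drop rules against a detection engineer's requirements before deploying them widely: a 4688 exclusion that is too broad silently blinds process-creation detections.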
Try NXLog Agent
NXLog Agent is a superior alternative to the Splunk Universal Forwarder. Faster log processing, data enrichment, advanced filtering, and simulcasting logs to different endpoints are only a few of the benefits you get when you switch to NXLog Agent. What might initially appear to be an additional expense can be the start of a wise investment strategy for throttling the long-term operational costs of a hungry SIEM.
Our documentation contains detailed, step-by-step deployment instructions for all platforms, extensive how-tos, and over 100 integration guides with real-world configuration samples to get you started. In addition, the NXLog Agent Reference Manual contains in-depth technical documentation.
Please get in touch if you require further information or assistance. Our experts are always happy to help!

