Tag: agent-based-telemetry-collection
May 28, 2024
What is agentless log collection?
Agentless log collection refers to gathering log data from various sources without installing dedicated software agents on the systems generating the logs. Instead, it leverages protocols such as SNMP traps, WECS, WMI, and syslog to retrieve log data remotely.
It is easier to explain what agentless log collection is by also providing some context about agent-based log collection. The truth is that these two options for collecting logs walk hand in hand, meaning that they can and will likely coexist on your network.
October 22, 2019
Agent-based versus agentless log collection - which option is best?
One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?
Tag: agentless-telemetry-collection
May 28, 2024
What is agentless log collection?
Agentless log collection refers to gathering log data from various sources without installing dedicated software agents on the systems generating the logs. Instead, it leverages protocols such as SNMP traps, WECS, WMI, and syslog to retrieve log data remotely.
It is easier to explain what agentless log collection is by also providing some context about agent-based log collection. The truth is that these two options for collecting logs walk hand in hand, meaning that they can and will likely coexist on your network.
October 22, 2019
Agent-based versus agentless log collection - which option is best?
One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?
Tag: aviation
September 8, 2023
The cybersecurity challenges of modern aviation systems
Since the Wright brothers' first flight, the aviation industry has been advancing at an unprecedented rate. But it has always been a step behind other sectors in some areas, for safety and security reasons. Engineers are only allowed to apply well-matured technologies thoroughly trialed in different industries. Civil aviation, especially from the IT and IT security perspective, is a bit like Debian among the Linux operating systems. It does not always include all the latest inventions, but it aims to be safe and very stable in return.
Tag: centralized-logging
February 24, 2026
Centralized log management: What it is, how centralized logging works, and how to choose the right system
Centralized log management is the practice of collecting logs from across an environment, including applications, servers, containers, networks, and cloud services, and storing them in a single location where they can be searched and analyzed.
For operations and security teams, centralized logging is now a core requirement. Without it, logs are scattered across hosts, ephemeral containers, cloud consoles, and disconnected tools. This fragmentation slows troubleshooting, complicates incident response, and limits visibility during security investigations.
March 12, 2025
Log management best practices
People think about logs as one of the biggest chores in the IT industry. Well, that does not necessarily need to be true. If you adhere to some fundamental log management best practices, the value you could get out of them quickly outweighs the effort put into managing them. Logs can easily become the best friend of IT teams looking to keep their systems secure, meet compliance requirements, and maintain a smoothly running network.
November 27, 2024
Centralized Windows log collection - NXLog Platform vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
January 11, 2024
The story of the $1,900,000 penalty for insufficient log management
It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier.
Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.
November 8, 2022
Looking beyond Cybersecurity Awareness Month
Cybersecurity Awareness Month has come and gone again. October marks that festive time of year when companies circulate their mandatory think pieces, remind their employees of the dangers of clicking questionable links, and pat themselves on the back and call it a day. Here’s your friendly November reminder to keep your wits about you year-round.
A (brief) history of Cybersecurity Awareness Month The Cybersecurity Awareness Month story began as a partnership between an American governmental agency—the Cybersecurity and Infrastructure Agency (CISA)--and the National Cyber Security Alliance non-profit.
August 1, 2022
The benefits of log aggregation
Logs are a record of the internal workings of a system. Nowadays, organizations can have hundreds and, more regularly, thousands of managed computers, servers, mobile devices, and applications; even refrigerators are generating logs in this Internet of Things era. The result is the production of terabytes of log data—event logs, network flow logs, and application logs, to name a few—that must be carefully sorted, analyzed, and stored.
Without a log management tool, you would need to manually search through many directories of log files on each system to access and extract meaning from these millions of event logs.
January 3, 2022
Log aggregation with NXLog
The value of log aggregation There is no denying the importance of log aggregation for multi-million-dollar enterprises worldwide. But just what is log aggregation? And how can it help your organization? Well, log aggregation is the process of standardizing and consolidating your log data from distributed systems across your network into one centralized server. By doing so, you have a unified view of what occurs across your entire IT infrastructure.
April 1, 2020
How a centralized log collection tool can help your SIEM solutions
IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm.
Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.
December 17, 2018
Making the most of Windows Event Forwarding for centralized log collection
Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.
Tag: ciso
May 2, 2023
CISO starter pack - Security Policy
The three characteristics your data must possess at all times, as dictated by your IT Security Policy, are:
It must be confidential
It must be available and
It must not have any unauthorized modifications
Your log policy will only be as good as the IT Security policy infrastructure behind it. And as much as we love talking about logs, that’s part of a more considerable general discussion about security policies.
April 13, 2023
MFA Fatigue - What it is, and how to combat it
A multi-factor authentication (MFA) fatigue attack is a form of a social engineering cyberattack strategy where attackers repeatedly try to make second-factor authentication requests to the target’s email, phone, or other registered devices to gain access to the system. You may also hear about MFA Fatigue attack as MFA Bombing, 2FA fatigue, MFA push spam, MFA Spamming, or prompt bombing.
Technology administrators are always playing a never-ending battle of cat and mouse when it comes to threat actors.
April 3, 2023
CISO starter pack - Log collection fundamentals
Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs; the why, and what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.
Tag: cloud-logs
June 10, 2025
Enhancing security with Microsoft's Expanded Cloud Logs
Nation-state-sponsored hacking stories are everyone’s favorite Hollywood movies — until our personal or corporate sensitive data shows up on the dark web for sale, being compromised. In real life, cyber espionage groups’s activities trigger security enforcement. First in the government sector, then the government standards slowly shift industry norms starting by gently forcing vendors who are also selling into government contracts.
In the case of the recently announced playbook on MICROSOFT EXPANDED CLOUD LOGS IMPLEMENTATION PLAYBOOK, issued by the US Cybersecurity and Infrastructure Security Agency (CISA), it all started in July 2023, when the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorized access to email accounts belonging to U.
Tag: critical-infrastructure
June 8, 2026
From blind spot to monitored: Log collection for 32-bit Windows
At NXLog, we’ve been in the log collection space long enough to know that the toughest challenges aren’t technical but political. There’s always that Windows XP machine running the ATM firmware that no one can touch. Or the Windows Server 2003 box that keeps the conveyor belt running 24/7. Then there’s the industrial SCADA system installed before smartphones existed, quietly humming along in a corner of the plant floor.
April 22, 2026
The case for not ripping and replacing: Securing Win32 infrastructure in place
The default advice for any system running an unsupported operating system is simple: replace it. Upgrade to a supported platform. Move to modern hardware. Problem solved.
It’s good advice in theory. As with many other things in life however, in practice it ignores everything that makes legacy infrastructure hard to deal with in the first place.
For organizations running Windows XP, Server 2003, or other legacy 32-bit Windows systems, "just upgrade" is often the most expensive, disruptive, and operationally risky option on the table.
April 9, 2026
Legacy Windows systems: Enterprise security's biggest blind spot
Somewhere in a hospital basement, an MRI machine hums along on Windows XP. Down the road, a CNC controller on a factory floor runs Windows Server 2003. Across town, a municipal utility manages water treatment with software that hasn’t seen an update since the second Bush administration.
These aren’t edge cases. They’re everywhere — and they represent one of the most underestimated risks in enterprise security today.
Still here, still running It would be reasonable to assume that operating systems from the early 2000s have no place in a modern network.
February 26, 2024
Digital substations and log collection
European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Its automation becomes ultimately digitalized, so requires proper monitoring both for operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.
October 17, 2023
Log management for maritime cybersecurity compliance regulations
Historically, seaports have played a crucial role in a state’s development, and interruption in their services has a significant impact on economics. So, it’s no surprise commercial ports are regarded as a critical transport infrastructure.
One of the most significant challenges ports face today is ongoing digital transformation. The majority of tasks carried out across a port utilize autonomous and partially automated systems, including those for managing port access, vessel berthing (bridges, locks, gates, etc.
November 22, 2022
The EU's response to cyberwarfare
With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, "boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities."
However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.
March 3, 2022
Cyberattacks on the power grid - are you prepared?
In light of recent news stories about possible cyberattacks on the U.S. power grid, we are inclined to ponder over precautions we can take to prepare for such a scenario. If you are in the public utilities industry, this blog post is for you. But, if you’re not, don’t worry. We will cover some basic principles you can follow to get your organization ready before such a cyberattack occurs.
Tag: database
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
February 22, 2022
NXLog Community Edition support for Raijin Database
Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
Tag: dhcp
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
Tag: dns
November 19, 2025
Monitoring BIND9 logs: Comparing syslog and dnstap for DNS visibility
As system and network administrators know, DNS logs are essential for understanding what’s happening across your infrastructure, whether you’re troubleshooting slow lookups, investigating odd traffic patterns, or monitoring your security posture.
We recently had the opportunity to help a customer set up monitoring for BIND9 logs and discovered that the two main options, syslog and dnstap, offer very different experiences in setup, performance, and the level of DNS visibility they provide.
February 20, 2023
Our customers asked - Collecting Windows DNS resolved address with NXLog Agent
Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging.
The Windows DNS Server section in the NXLog Integrations Guides offers a comprehensive guide on collecting log records from a Windows DNS Server.
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
July 1, 2021
Top 5 security concerns revealed with DNS logging
The Domain Name System (DNS) facilitates communication between all devices connected to the Internet. It consists of hierarchical servers that can translate any given hostname, along with its corresponding domain name, to its internet protocol (IP) address(es). One of the most common is the windows DNS server that ensures that data requests are sent to their correct endpoints while providing human-readable addresses for websites connected to the Internet. With the ever-growing number of cloud-based devices and technologies, for instance, the Internet of things (IoT), portals, web applications, as well as online transaction processing, it is more important than ever to identify the actual physical addresses of remote devices when relying on DNS-dependent connectivity.
May 31, 2020
DNS Log Collection and Parsing
DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:
Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
Tag: elasticsearch
June 2, 2026
Watching the agent watch you: Telemetry for OpenClaw with NXLog
Agentic AI is now embedded across the enterprise: summarizing customer records, pulling from data warehouses, drafting on top of internal documents, calling production APIs on behalf of staff. The pitch is compelling. The reality is that you have deployed a non-deterministic process with read access to PII, trade secrets, and the business intelligence your competitors would pay for. It is a black box that reasons differently on each run, and a single misrouted tool call can move sensitive data into a context where it does not belong.
February 2, 2026
Graylog vs ELK Stack: Unbiased comparison of log management tools
Centralized logging is no longer optional. Whether you’re troubleshooting production incidents, investigating suspicious activity, or meeting audit requirements, you need a way to collect logs from many sources, normalize them, search them quickly, and turn them into alerts and dashboards. In practice, that starts with reliable collection — often via solutions like NXLog Platform — so the data arrives clean and consistent.
Two of the most common open-source paths people compare are Graylog vs ELK Stack.
November 3, 2025
Linux security monitoring: Collecting and visualizing events in Elasticsearch and Kibana
Timely visibility into system activity is what separates effective defense from reactive analysis. Every operating system, application, and device logs a trail of evidence. However, transforming that trail into actionable intelligence requires the right tools. In our previous posts, we’ve walked you through:
Visualizing VPN connection logs,
Monitoring Windows security events, and
Analyzing web server activity logs.
In this final installment in our series on log visualization, we’re turning our attention to Linux security monitoring.
September 22, 2025
Windows security monitoring: Collecting and visualizing events in Elasticsearch and Kibana
In our previous blog post, From network logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana, we explored how you can gain visibility into VPN activity by collecting and analyzing network logs. Windows security monitoring is another common use case we encounter at NXLog.
Windows workstations and servers generate security event logs ranging from authentication attempts and privilege escalations to policy changes and process executions. Such events can reveal external intrusions and insider threats, and for security analysts, they are the first line of evidence in investigating suspicious activity.
September 18, 2025
From network event logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana
At NXLog, we help customers solve real-world telemetry data challenges and bring value to the table with NXLog Platform. One of the recurring problems we see is that while network event logs contain a wealth of information, turning them into actionable insights isn’t straightforward. Security operations teams often struggle to make sense of these logs in a way that directly supports threat detection, response, and investigation.
A perfect example of this challenge is VPN logs.
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
Tag: encryption
May 28, 2026
Syslog forwarding over TLS: getting the operational layer right
Plaintext syslog crossing a network boundary in 2026 is a finding waiting to happen. The IETF defined encrypted syslog years ago in RFC 5425: TCP/6514, mutual TLS where the trust model needs it. What still trips teams up is rarely the protocol itself — it’s certificate lifecycle, framing mismatches, and forwarders that fall over when the collector blinks. Here’s the short version: which standards matter, where teams break the framing, and the four operational habits that decide whether the pipeline holds up.
May 25, 2026
Post-quantum cryptography in NXLog Agent: Post-quantum readiness for Q-Day
You have probably seen the term "post-quantum cryptography" enough times to glaze over it. The headlines tend to focus on a vague future event: a quantum computer somewhere will eventually break RSA, and at that point you should have moved on. That framing makes it easy to file PQC under "worry about it in 2030." The framing is wrong.
The actual threat is happening now, and it has a name: harvest now, decrypt later.
May 14, 2024
Harnessing TPM encryption with NXLog
In an increasingly digitalized world, protecting your business’s digital assets is becoming more urgent by the day. Realizing the need to protect data from malicious actors, researchers created encryption. And I am not talking about the Enigma here, but software-based encryption algorithms, with their public and private signing keys, and so on.
Like every other technology, encryption methods have evolved throughout the years. However, the goal remained the same: encryption is there to secure our digital communications.
Tag: event-tracing-for-windows
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
March 3, 2020
Sending ETW Logs to Splunk with NXLog
NXLog supports direct collection of Event Tracing for Windows (ETW) data. DNS Analytical logs, for example, can be forwarded to Splunk or another SIEM for monitoring and analysis.
Collecting ETW Logs Event Tracing for Windows (ETW) is a kernel-level tracing facility that provides high-performance logging of kernel and application events. ETW events can be written to a log file or collected directly from the system in realtime via the Consumers API.
Tag: fault-tolerance
March 13, 2025
High Availability and Fault Tolerance
Imagine trying to buy tickets for your favorite band’s concert, only to find the website down just minutes before they sell out. Or logging into the cloud to look through your cherished digital photos and discovering they’ve been lost because of a data center failure.
These scenarios are — at best — frustrating for you. But, for your customers, they can erode trust and damage your business’s reputation.
That’s why organizations invest in strategies like high availability (HA) and fault tolerance (FT).
February 2, 2022
Reliable delivery of logs - can you trust TCP?
When considering your log collection strategy, a decision you have to make is which transport protocol to use to transfer logs from source to destination. The choice is often between the two most commonly used protocols, UDP (User Datagram Protocol) and TCP (Transfer Control Protocol). Which one to use depends on the type of logs you need to transfer, and whether performance or reliability is more important.
This blog post will compare these protocols, discuss why TCP is usually the preferred choice, and provide some options to further increase log delivery reliability with NXLog.
Tag: fim
May 26, 2023
How to monitor file access in Windows
File access auditing is the process of tracking who reads, modifies, or deletes files on a system, providing a record of user activity for security and compliance purposes. On Windows systems, this is especially important for monitoring sensitive or business-critical files, such as financial records, HR data, or confidential customer information, where unauthorized access could result in a data breach or regulatory violation.
In this post, I’ll show you how to enable file access auditing on Windows and use NXLog Agent to collect and forward file access events to help you protect sensitive data and meet compliance requirements.
January 24, 2020
What is File Integrity Monitoring (FIM)? Why do you need it?
About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.
Tag: gdpr
September 23, 2022
GDPR compliance and log management best practices
The European Union’s General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Many of us remember the influx of marketing emails around this time, with companies updating their privacy policies and asking for the consent of around 450 million Europeans to continue using their personal data.
An often misunderstood participant of this compliance quest is log data—a source potentially rich in protected personal data. So, how does the GDPR apply to an organization’s log data?
Tag: google-secops
May 11, 2022
NXLog provides native support for Google Chronicle
We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform.
About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.
Tag: grafana
June 2, 2026
Watching the agent watch you: Telemetry for OpenClaw with NXLog
Agentic AI is now embedded across the enterprise: summarizing customer records, pulling from data warehouses, drafting on top of internal documents, calling production APIs on behalf of staff. The pitch is compelling. The reality is that you have deployed a non-deterministic process with read access to PII, trade secrets, and the business intelligence your competitors would pay for. It is a black box that reasons differently on each run, and a single misrouted tool call can move sensitive data into a context where it does not belong.
October 20, 2025
From web server logs to metrics: Visualizing NGINX logs with Prometheus and Grafana
When users start reporting slow responses or intermittent errors from your web applications, your first go-to is your web server logs. But did you know those same logs can provide more than just troubleshooting clues? When analyzed with the right tools, they give system administrators and DevOps teams real-time visibility into your web environment, enabling them to monitor web servers proactively, rather than reactively.
In this post, we’re going to show you how you can uncover web server performance issues and potential attacks early on by collecting NGINX access logs with NXLog Agent, transforming them into Prometheus metrics, and visualizing them with Grafana.
September 30, 2025
Gaining valuable host performance metrics with NXLog Platform
What are performance metrics and why are they important? IT and security systems don’t just generate logs; they also produce extremely valuable performance data that helps ensure the health and stability of your business infrastructure. Host-level performance metrics provide visibility into key resources, such as:
CPU usage — Helps identify over-utilization, process bottlenecks, or underused resources.
Memory usage — Indicates whether applications are consuming excessive RAM or leaking memory over time.
Tag: hipaa
April 20, 2026
NIS2, HIPAA, PCI DSS: What compliance means when you can't upgrade your OS
Compliance frameworks don’t have a checkbox for "we know it’s a problem, but we can’t afford to fix it right now." Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
July 19, 2023
HIPAA logging requirements and how to ensure compliance
The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. HIPAA’s Privacy, Security, and Breach Notification rules require healthcare providers and their partners to protect electronic protected health information (ePHI) through robust access controls, breach reporting, and documentation practices.
A critical part of this compliance effort involves maintaining detailed audit logs that track who accessed, modified, or disclosed PHI, and retaining HIPAA logs for at least six years.
Tag: ibm-qradar
February 2, 2022
NXLog vs IBM QRadar WinCollect - Let's get things straight
How does NXLog compare to the IBM QRadar WinCollect event forwarder?
IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights.
To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.
Tag: incident-command-system
August 10, 2022
NXLog in an industrial control security context
Industrial Control Systems (ICS) have evolved over the years and now have a lot in common with traditional IT systems. Low-cost Ethernet and IP devices are replacing older, proprietary technology, which opens up new possibilities to improve connectivity and remote access. However, it also increases vulnerability to cyberattacks and incidents since the system is no longer segregated. Due to the nature of ICS, they differ from other IT systems. A compromised system can cause severe damage to the environment, incur substantial financial and production losses, and negatively impact an entire nation.
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
Tag: infrastructure-monitoring
May 14, 2026
Network performance monitoring: metrics vs syslog logs vs traps
Every application depends on the network, yet networks are often the hardest part of the stack to diagnose when something goes wrong. Devices are up, utilization looks normal, and yet users report slowness or disconnections with no obvious cause in sight.
The instinct is to rely on metrics alone: poll devices at regular intervals, watch the dashboards, set thresholds. That approach catches obvious outages, but it struggles with the harder questions: Why did latency spike when nothing looked congested?
October 30, 2025
The shadow IT haunting your network: A Halloween horror story
It’s Halloween season, and while everyone else is worried about ghosts and goblins, you—the sysadmin holding the fort—know the real terror: that dusty print server in the corner that’s been running firmware from 2014. Or the Raspberry Pi someone set up to monitor the server room temperature "temporarily" three years ago. Or the CEO’s personal tablet that absolutely must connect to the internal network because "it’s just easier this way.
October 29, 2025
Watching the watchers: The need for telemetry system observability
Organizations invest heavily in sophisticated monitoring platforms, deploy countless agents across their infrastructure, and build elaborate dashboards to track every metric imaginable. Yet amid this pursuit of comprehensive visibility, a dangerous blind spot often emerges: the observability system itself becomes unobservable.
This meta-problem represents one of the most insidious risks in modern infrastructure management. When telemetry collection fails silently—whether due to misconfiguration, infrastructure changes, or system failures—operations teams continue making critical decisions based on incomplete or stale data, unaware that their digital nervous system has developed gaps in coverage.
October 28, 2025
Beyond the silicon: Why monitoring the infrastructure powering AI is critical to ROI
The AI gold rush has arrived, and organizations worldwide are making unprecedented investments in cutting-edge accelerator hardware. GPU clusters worth millions of dollars are being deployed at breakneck speed, with companies betting their competitive futures on these silicon powerhouses. Yet beneath the excitement of acquiring the latest H100s or MI300s lies a sobering reality: the most expensive part of your AI investment isn’t the initial purchase—it’s ensuring that hardware delivers value every single moment it’s operational.
May 9, 2023
BROP attacks - What is it and how to defend yourself?
Have you ever locked yourself out of your car? After calling for roadside service, your tow truck driver forces the internal locking mechanism open with a slim-jim. Car thieves quickly discovered this technique and began using it to steal cars. Digital thieves have devised a similar attack called a Blind Return-Oriented Programming (Blind ROP, or just BROP) attack. It’s as quiet as a jackhammer on cement, but an attacker can open a remote shell and gain remote code execution on your server if the conditions are right.
November 22, 2022
The EU's response to cyberwarfare
With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, "boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities."
However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.
Tag: integrations
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
May 11, 2022
NXLog provides native support for Google Chronicle
We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform.
About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.
March 19, 2022
Deploying and managing NXLog with Puppet
Puppet Bolt is an open-source orchestration tool that automates the manual configuration and management of your infrastructure.
In this post, we will look at how you can create your Puppet Bolt project directory, your inventory YAML file, and finally, your Puppet Bolt Plan to deploy NXLog on a variety of Operating Systems.
Why use Puppet Bolt to deploy NXLog? Apart from the usual tasks of updating software packages, configuring web servers and databases, the need for constant logging has become extremely important, and a de facto necessity nowadays.
March 1, 2022
Deploying and managing NXLog with Ansible
Ansible has become an industry standard when it comes to configuring and managing servers. As a configuration management tool, it carries the burden of simplifying system administration tasks, such as installing and updating software packages, and infrastructure provisioning. In this post, we will create an Ansible playbook that will enable us to automate the installation and configuration of NXLog across multiple endpoints. Whether you need only a single endpoint today or thousands of endpoints next week, Ansible will do the heavy lifting for you.
September 6, 2021
Collecting Kubernetes logs with NXLog
Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
Tag: kibana
February 2, 2026
Graylog vs ELK Stack: Unbiased comparison of log management tools
Centralized logging is no longer optional. Whether you’re troubleshooting production incidents, investigating suspicious activity, or meeting audit requirements, you need a way to collect logs from many sources, normalize them, search them quickly, and turn them into alerts and dashboards. In practice, that starts with reliable collection — often via solutions like NXLog Platform — so the data arrives clean and consistent.
Two of the most common open-source paths people compare are Graylog vs ELK Stack.
November 3, 2025
Linux security monitoring: Collecting and visualizing events in Elasticsearch and Kibana
Timely visibility into system activity is what separates effective defense from reactive analysis. Every operating system, application, and device logs a trail of evidence. However, transforming that trail into actionable intelligence requires the right tools. In our previous posts, we’ve walked you through:
Visualizing VPN connection logs,
Monitoring Windows security events, and
Analyzing web server activity logs.
In this final installment in our series on log visualization, we’re turning our attention to Linux security monitoring.
September 22, 2025
Windows security monitoring: Collecting and visualizing events in Elasticsearch and Kibana
In our previous blog post, From network logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana, we explored how you can gain visibility into VPN activity by collecting and analyzing network logs. Windows security monitoring is another common use case we encounter at NXLog.
Windows workstations and servers generate security event logs ranging from authentication attempts and privilege escalations to policy changes and process executions. Such events can reveal external intrusions and insider threats, and for security analysts, they are the first line of evidence in investigating suspicious activity.
September 18, 2025
From network event logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana
At NXLog, we help customers solve real-world telemetry data challenges and bring value to the table with NXLog Platform. One of the recurring problems we see is that while network event logs contain a wealth of information, turning them into actionable insights isn’t straightforward. Security operations teams often struggle to make sense of these logs in a way that directly supports threat detection, response, and investigation.
A perfect example of this challenge is VPN logs.
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
Tag: kubernetes
June 1, 2026
Fluent Bit vs Logstash: which pipeline fits your stack?
Fluent Bit wins on footprint. Logstash wins on parsing depth. The choice isn’t which tool is "better" — it’s where in your pipeline each one earns its keep, and what your detection tier silently misses when you put one in the wrong tier.
Pick wrong and the cost shows up in three places: detection latency when batches stall, audit evidence when collectors stop shipping, and MTTR when responders can’t tell whether a quiet endpoint is an attack indicator or a broken agent.
April 16, 2026
Deploying NXLog Platform on Kubernetes with Helm
NXLog Platform can now be installed using the official Helm chart, following the same Kubernetes deployment standard as any other enterprise Kubernetes application. Red Hat OpenShift is also fully supported using native OpenShift Routes.
According to the CNCF 2025 Annual Cloud Native Survey, 82% of container users run Kubernetes in production, and 81% prefer Helm as their package manager of choice. Kubernetes adoption spans every major cloud provider and distribution, including GKE (32%), AKS (17%), OpenShift (13%), and Amazon EKS, and continues to grow as the default substrate for enterprise infrastructure.
March 16, 2026
Fluent Bit vs Filebeat: Architecture, trade-offs, and the better default
If you are choosing between Fluent Bit and Filebeat, the real question is where you want routing, parsing, and failure handling to live. Pick the wrong default, and you create config sprawl, brittle pipelines, and extra work every time your backend or deployment model changes.
Choose Fluent Bit when the agent itself needs to behave like a small pipeline, and choose Filebeat when your log path ends inside Elastic and you want the shipper to match Elastic’s operating model.
March 3, 2026
Fluent Bit vs Fluentd: How to choose the right tool for your log pipeline
Choosing between Fluent Bit and Fluentd is an architecture decision, not a product shootout. Both projects live under the CNCF Fluent umbrella and share a common lineage at Treasure Data, but they target different roles in a logging pipeline. Fluent Bit is a C-based telemetry agent designed for low-overhead collection at the edge. Fluentd is a Ruby-and-C data collector built for aggregation, transformation, and multi-destination routing.
The practical question is not which one is better — it’s where each one belongs in your stack, and whether you need both.
September 6, 2021
Collecting Kubernetes logs with NXLog
Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
Tag: linux
January 9, 2026
Linux security monitoring with NXLog Platform: Extracting key events for better monitoring
From years of supporting NXLog Agent deployments across many environments, we’ve learned that while Linux generates a wealth of security logging, much of it remains underutilized. Critical security events are buried across multiple log files and subsystems, making it more complicated than it should be to spot suspicious activity.
Efficient Linux security logging requires knowledge of which events matter and where to get them. Authentication attempts, privilege changes, package installations, audit events, and system shutdown events can all tell a story when viewed together.
December 12, 2025
rsyslog vs syslog-ng: Which is the right log shipper?
Well, no doubt logging is the nervous system of any IT infrastructure. From troubleshooting outages to satisfying compliance audits and threat management, having the right log management pipeline can make the difference between smooth operations and chaotic firefighting. For decades, syslog-ng and rsyslog have been two of the most widely used log management tools for Unix and Linux environments. Both provide implementations of the original 1980s syslog protocol and are designed to collect, process, and forward log messages across networks.
November 3, 2025
Linux security monitoring: Collecting and visualizing events in Elasticsearch and Kibana
Timely visibility into system activity is what separates effective defense from reactive analysis. Every operating system, application, and device logs a trail of evidence. However, transforming that trail into actionable intelligence requires the right tools. In our previous posts, we’ve walked you through:
Visualizing VPN connection logs,
Monitoring Windows security events, and
Analyzing web server activity logs.
In this final installment in our series on log visualization, we’re turning our attention to Linux security monitoring.
May 30, 2022
Collecting kernel events with NXLog for analysis in the Elastic stack
It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results.
The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
January 13, 2021
NXLog Containers were certified by Red Hat
Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them.
Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
Tag: log-aggregation
April 23, 2026
Filebeat vs Logstash: when the shipper is enough and when you need a pipeline
The choice here is not between two interchangeable log tools. It is a choice about where you want parsing, routing, and failure handling to live. Filebeat runs close to the source and keeps collection small. Logstash sits in the middle of the flow and takes on filtering, enrichment, and fan-out.
That architectural difference matters more than a feature checklist. Pick the narrower tool when your logs have one destination and your parsing rules are modest.
February 2, 2026
Graylog vs ELK Stack: Unbiased comparison of log management tools
Centralized logging is no longer optional. Whether you’re troubleshooting production incidents, investigating suspicious activity, or meeting audit requirements, you need a way to collect logs from many sources, normalize them, search them quickly, and turn them into alerts and dashboards. In practice, that starts with reliable collection — often via solutions like NXLog Platform — so the data arrives clean and consistent.
Two of the most common open-source paths people compare are Graylog vs ELK Stack.
March 12, 2025
Log management best practices
People think about logs as one of the biggest chores in the IT industry. Well, that does not necessarily need to be true. If you adhere to some fundamental log management best practices, the value you could get out of them quickly outweighs the effort put into managing them. Logs can easily become the best friend of IT teams looking to keep their systems secure, meet compliance requirements, and maintain a smoothly running network.
January 6, 2025
How to choose a log management solution
Logs play a critical role in IT infrastructure, and choosing the right log management solution is key to effective operations. This guide explores the core principles for selecting a solution that aligns with your log collection and management needs. Given the wide range of options available, we categorize them into three main groups for clarity.
End-to-end Log Management Solutions
Security Information & Event Management (SIEM)
Application Performance Monitoring and Observability (APM)
May 28, 2024
What is agentless log collection?
Agentless log collection refers to gathering log data from various sources without installing dedicated software agents on the systems generating the logs. Instead, it leverages protocols such as SNMP traps, WECS, WMI, and syslog to retrieve log data remotely.
It is easier to explain what agentless log collection is by also providing some context about agent-based log collection. The truth is that these two options for collecting logs walk hand in hand, meaning that they can and will likely coexist on your network.
August 1, 2022
The benefits of log aggregation
Logs are a record of the internal workings of a system. Nowadays, organizations can have hundreds and, more regularly, thousands of managed computers, servers, mobile devices, and applications; even refrigerators are generating logs in this Internet of Things era. The result is the production of terabytes of log data—event logs, network flow logs, and application logs, to name a few—that must be carefully sorted, analyzed, and stored.
Without a log management tool, you would need to manually search through many directories of log files on each system to access and extract meaning from these millions of event logs.
February 17, 2022
Aggregating macOS logs for SIEM systems
Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
January 3, 2022
Log aggregation with NXLog
The value of log aggregation There is no denying the importance of log aggregation for multi-million-dollar enterprises worldwide. But just what is log aggregation? And how can it help your organization? Well, log aggregation is the process of standardizing and consolidating your log data from distributed systems across your network into one centralized server. By doing so, you have a unified view of what occurs across your entire IT infrastructure.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
April 1, 2020
How a centralized log collection tool can help your SIEM solutions
IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm.
Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.
Tag: log-analysis
May 7, 2026
Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration
Ever tried to analyze IIS logs manually across dozens of web servers during a security incident? If so, you know the challenge: massive log files across multiple systems, cryptic log entries, and no easy way to correlate events. When running Microsoft Internet Information Services (IIS) across large infrastructures, log data accumulates quickly, increasing the risk of missing critical events.
IIS log analysis software is designed to collect, parse, and analyze IIS web server logs to monitor activity, troubleshoot performance issues, detect threats, and demonstrate compliance.
Tag: log-forwarding
May 28, 2026
Syslog forwarding over TLS: getting the operational layer right
Plaintext syslog crossing a network boundary in 2026 is a finding waiting to happen. The IETF defined encrypted syslog years ago in RFC 5425: TCP/6514, mutual TLS where the trust model needs it. What still trips teams up is rarely the protocol itself — it’s certificate lifecycle, framing mismatches, and forwarders that fall over when the collector blinks. Here’s the short version: which standards matter, where teams break the framing, and the four operational habits that decide whether the pipeline holds up.
April 6, 2026
Filebeat vs Vector: Routing, transforms, and the better fit for your pipeline
Filebeat and Vector both move logs, but they solve different design problems. Filebeat is a shipper that fits neatly into Elastic-centric pipelines. Vector is a data pipeline runtime that can collect, reshape, split, and forward the same stream to several destinations before storage.
The cost of choosing badly does not show up on day one. It shows up later as duplicate agents, extra relay tiers, backend-specific parsing rules, or migration work when a second destination appears.
February 13, 2023
Avoid vendor lock-in and declare SIEM independence
The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion dollars within five years.
It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it.
As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.
February 2, 2022
Reliable delivery of logs - can you trust TCP?
When considering your log collection strategy, a decision you have to make is which transport protocol to use to transfer logs from source to destination. The choice is often between the two most commonly used protocols, UDP (User Datagram Protocol) and TCP (Transfer Control Protocol). Which one to use depends on the type of logs you need to transfer, and whether performance or reliability is more important.
This blog post will compare these protocols, discuss why TCP is usually the preferred choice, and provide some options to further increase log delivery reliability with NXLog.
June 16, 2021
Forwarding logs with NXLog
So, you managed to read through all the compliance mandates that are required for the industry you are in. And, during the mandatory consultation you had with your company’s IT security expert and network manager you came to an agreement on which logs to collect and carefully selected their final destination. Which — in most cases — is usually some kind of analytics system or SIEM technology where log data can be analyzed and stored based on your business requirements.
February 1, 2021
Sending logs to Microsoft Sentinel with NXLog
What if you could selectively ingest only the high-quality events needed for metrics and reporting that come not only from Azure, but also from other cloud- based resources and on-site assets directly into Microsoft Sentinel?
In this post, the technology we will be examining is the Azure Monitor HTTP Data Collector API, which enables clients, such as the NXLog agent, to send events to a Log Analytics workspace, making them directly accessible using Microsoft Sentinel queries.
March 3, 2020
Sending ETW Logs to Splunk with NXLog
NXLog supports direct collection of Event Tracing for Windows (ETW) data. DNS Analytical logs, for example, can be forwarded to Splunk or another SIEM for monitoring and analysis.
Collecting ETW Logs Event Tracing for Windows (ETW) is a kernel-level tracing facility that provides high-performance logging of kernel and application events. ETW events can be written to a log file or collected directly from the system in realtime via the Consumers API.
Tag: log-noise
January 29, 2026
The GeoServer breach that could have been stopped in hours, not weeks
How a federal agency’s monitoring gaps turned a containable incident into a three-week nightmare
In September 2025, CISA responded to a federal agency breach that security teams could have stopped in hours. Instead, threat actors roamed the network undetected for three weeks.
The damage? Multiple compromised servers, web shells planted across the infrastructure, and a persistent foothold that took significant resources to remediate.
The root cause wasn’t a zero-day exploit or sophisticated malware.
August 27, 2025
How to reduce log noise and fight SOC alert fatigue
Do you ever feel like you’re drowning in data? From endpoint logs and firewall events to database auditing and cloud metrics, the sheer amount of data is overwhelming. While telemetry data is crucial for threat detection, incident response, and compliance, it also brings a major challenge: log noise.
Log noise obscures meaningful security signals. If left unchecked, you risk increased false positives, overloading security tools, higher SIEM licensing costs, and, most importantly, SOC alert fatigue.
Tag: macos
February 17, 2022
Aggregating macOS logs for SIEM systems
Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.
Tag: microsoft-iis
May 7, 2026
Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration
Ever tried to analyze IIS logs manually across dozens of web servers during a security incident? If so, you know the challenge: massive log files across multiple systems, cryptic log entries, and no easy way to correlate events. When running Microsoft Internet Information Services (IIS) across large infrastructures, log data accumulates quickly, increasing the risk of missing critical events.
IIS log analysis software is designed to collect, parse, and analyze IIS web server logs to monitor activity, troubleshoot performance issues, detect threats, and demonstrate compliance.
Tag: microsoft-sentinel
February 1, 2021
Sending logs to Microsoft Sentinel with NXLog
What if you could selectively ingest only the high-quality events needed for metrics and reporting that come not only from Azure, but also from other cloud- based resources and on-site assets directly into Microsoft Sentinel?
In this post, the technology we will be examining is the Azure Monitor HTTP Data Collector API, which enables clients, such as the NXLog agent, to send events to a Log Analytics workspace, making them directly accessible using Microsoft Sentinel queries.
Tag: modbus
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
Tag: nis2
April 20, 2026
NIS2, HIPAA, PCI DSS: What compliance means when you can't upgrade your OS
Compliance frameworks don’t have a checkbox for "we know it’s a problem, but we can’t afford to fix it right now." Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
July 18, 2024
NIS2 Directive: a strong request for better incident handling
Did you know the European Union created a rule called the NIS Directive? This rule was established in 2016 to ensure that all member countries are equally protected against cyber attacks. It’s a step towards making it easier for governments to work together to stop cyber threats. However, the Directive was expected to provide more specific instructions for protecting against attacks and ensuring all countries follow the rule. The rule also requires companies and governments to be better prepared to handle cyber attacks and have a plan in case something goes wrong.
Tag: nist
May 25, 2026
Post-quantum cryptography in NXLog Agent: Post-quantum readiness for Q-Day
You have probably seen the term "post-quantum cryptography" enough times to glaze over it. The headlines tend to focus on a vague future event: a quantum computer somewhere will eventually break RSA, and at that point you should have moved on. That framing makes it easy to file PQC under "worry about it in 2030." The framing is wrong.
The actual threat is happening now, and it has a name: harvest now, decrypt later.
April 12, 2024
NIST Cybersecurity Framework 2.0. Update Takeaways
On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework.
What is NIST CSF The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks.
September 30, 2022
Assertive compliance - using frameworks to extend your coverage
So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.
Tag: nxlog-agent
May 25, 2026
Post-quantum cryptography in NXLog Agent: Post-quantum readiness for Q-Day
You have probably seen the term "post-quantum cryptography" enough times to glaze over it. The headlines tend to focus on a vague future event: a quantum computer somewhere will eventually break RSA, and at that point you should have moved on. That framing makes it easy to file PQC under "worry about it in 2030." The framing is wrong.
The actual threat is happening now, and it has a name: harvest now, decrypt later.
December 18, 2025
Security advisory for CVE-2025-67900 affecting NXLog Agent 6.10 and older on Windows
We are committed to the security of our customers, and wish to inform you of CVE-2025-67900, a recently published vulnerability affecting the Windows version of NXLog Agent 6.10 and older.
Technical description The Windows version of NXLog Agent 6.10.10368 and older includes a Privilege Escalation vulnerability because it attempts to load an OpenSSL configuration file from the hardcoded and unintended directory C:\nxlog4\x64\ on startup.
This is a legacy installation directory that may not exist in clean NXLog Agent installations.
February 10, 2025
Install and enroll NXLog Agent automatically with Ansible and the Agent Management API
In my early days as a Junior Sysadmin, I learned the value of automation when tasked with configuring hundreds of Windows XP machines. Yes, there was a version of Windows called XP. Automating large and repetitive tasks saves time and ensures scalability and consistency in IT environments. Scalability has become very important in IT, and in the golden age of automation tools and APIs, what could be a better way to execute the mass deployment and configuration of your log collection tool than using these very mature and available technologies?
July 25, 2024
The CrowdStrike incident and how the NXLog agent operates
Automatic updates are recommended by many vendors as they are considered essential for safeguarding against security threats and maintaining system performance. Updates not only enhance security but also deliver bug fixes and new features, contributing to improved user experience. Software updates, however, come with the inherent risk of breaking existing functionality and can potentially interfere with other software or the operating system itself causing unintended side effects. Automatic updates that the user has no control over escalate the risk further.
March 11, 2024
NXLog Agent on Submarines
I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Agent is employed?
July 12, 2023
Understanding memory usage in NXLog Agent
Understanding how NXLog Agent allocates memory is essential to optimize your configuration for performance and utilize system resources efficiently.
NXLog Agent is designed for high-performance log collection and processing and is optimized to use system resources efficiently. However, various external factors affect how NXLog Agent uses system resources, including memory, which can impact NXLog Agent’s and its host’s performance. Misconfiguration is the leading factor we see when troubleshooting excessive memory consumption.
February 6, 2023
Our customers asked - How to start an NXLog module with a delay?
There are several reasons you might want to start a particular NXLog module with a delay. You can think of it like delaying the start of a Windows service. In most cases, you need to do this for performance reasons. But there might be other scenarios where you would want to do this, such as collecting logs during a specific time frame. If you have, for example, a less critical module block, you can prioritize the more important one by delaying the less important one.
January 31, 2023
Our customers asked - Input stream EPS tracking with NXLog
This post is the first in a series of answers to questions that our customers asked.
Clarifying EPS EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.
September 25, 2021
Putting together your first NXLog configuration
If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works.
The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.
Tag: nxlog-enterprise-edition
September 19, 2024
Announcing the end-of-sale for NXLog Enterprise Edition and NXLog Manager
We are officially announcing that NXLog will no longer be selling NXLog Enterprise Edition and NXLog Manager. This decision reflects our commitment to evolving our product offerings and delivering more powerful, future-proof solutions.
While the sale of these products is ending, please be assured that we will continue to provide full technical support, maintenance, and bug fixes for both NXLog Enterprise Edition and NXLog Manager until the end of your contractual period.
June 20, 2024
Announcing NXLog Enterprise Edition 5.11
We are excited to announce the release of NXLog Enterprise Edition 5.11. This latest version introduces two new features and addresses over twenty important issues, including two of the most significant which are highlighted in this announcement.
Key enhancements in NXLog Enterprise Edition 5.11 Support for new macOS ES events NXLog Enterprise Edition 5.11 now supports the events introduced by version 13 of the macOS Endpoint Security (ES) API. Check the official Apple documentation for the most up-to-date list of events supported by the macOS ES API.
May 13, 2024
Announcing NXLog Enterprise Edition 6.3
We proudly announce the latest release of NXLog Enterprise Edition, version 6.3. This release adds new features and bug fixes, including the ones highlighted below.
Support for parsing DTS Compliant logs from Microsoft Network Policy Server (NPS) The xm_nps extension module now supports parsing the newest DTL Compliant log format from Microsoft NPS.
The module can now automatically parse all NPS log types, including legacy ODBC and IAS, without you having to specify the log type when configuring the module.
February 2, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
NXLog Enterprise Edition 5 has been with us for nearly four years. That’s four years of being an industry-leading log collection tool adored by engineering teams and Fortune 100 customers around the globe. And while the NXLog Enterprise Edition 5 story isn’t yet over, it needs to move forward to keep pace with modern technologies and new demands.
Like any good muscle car, NXLog EE 5 has its limits, and so back in 2022 we came face-to-face with a problem - it required too much to change under the hood to stay modern and effective.
December 21, 2023
Announcing NXLog Enterprise Edition 5.10
We are excited to announce the release of NXLog Enterprise Edition 5.10. This latest version addresses over twenty important issues - the two most significant are mentioned in this announcement - and introduces two features backported from NXLog Enterprise Edition 6.
Key enhancements in NXLog Enterprise Edition 5.10 ElasticSearch integration NXLog Enterprise Edition 5.10 now allows ElasticSearch users to send data as a stream. This feature enables the storage of events in an append-only, single-named manner, enhancing data management and retrieval efficiency.
December 4, 2023
Announcing NXLog Enterprise Edition 6.2
We proudly announce the latest release of NXLog Enterprise Edition, version 6.2. This release adds some new features and includes bug fixes and stability enhancements.
File and folder symlink support In this release, the primary focus was on adding uniform support for file and folder symlinks. The new development affects the im_file and im_fim modules when collecting logs from files, and when using File Integrity Monitoring. The new feature is available to use with the newly introduced directive FollowSymlink.
October 20, 2023
Announcing NXLog Enterprise Edition 6.1
We proudly announce the latest release of NXLog Enterprise Edition, version 6.1. This release adds new features to our Google Chronicle and Kafka output modules to provide more flexible configuration, introduces support for certificates with TPM-attested keys, and implements enhancements to our HTTP input module.
Read on to find out more about these new features.
More flexibility for your Google Chronicle integration We continue to build up our Google Chronicle output module with new functionality to give you more flexibility and control over your data.
September 11, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
The NXLog team is constantly improving the quality of NXLog Enterprise Edition and will soon introduce a new major release - NXLog Enterprise Edition 6.0. This release will bring a large number of changes and it is important to correctly adapt your current configuration when upgrading your system.
Warning We strongly recommend testing NXLog Enterprise Edition 6.0 operation on a smaller set of devices before commiting to a full-scale upgrade of your complete system.
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
We proudly announce the latest release of NXLog Enterprise Edition, version 6.0. This major release includes new NXLog language data types, additional TCP and HTTP configuration options, and enhancements to our Elasticsearch and remote administration modules. It will help you improve data integration and handling, enhance manageability, and increase cost efficiency.
Empower your data integration with new "Array" and "Hash" data types As the NXLog configuration language now supports compound values with Array and Hash data types, you can enhance data integrity and coherence.
June 20, 2023
Announcing NXLog Enterprise Edition 5.9
We are proud to announce the latest release of NXLog Enterprise Edition, version 5.9. This release focuses on bringing you new supported platforms and configuration options.
Read on to find out more about some of these new features.
Added protocols to network packet capture information Our administrative module (xm_admin) now returns a list of protocols configured in a packet capture (im_pcap) instance when you request server or module information. This allows you to track, count, and report on the network protocols you are monitoring.
April 24, 2023
Announcing NXLog Enterprise Edition 5.8
We are proud to announce the latest release of NXLog Enterprise Edition, version 5.8. Our newest release includes new modules, better integrations, and additional metrics to collect across your organization.
Read on to find out more about some of these new features.
Native Salesforce module We’ve built a new native module (im_salesforce) for ingesting logs from Salesforce. With this, you no longer have to run an external Python-based Add-On script.
January 20, 2023
Announcing NXLog Enterprise Edition 5.7
New year, new NXLog Enterprise Edition.
Our developers have been hard at work throughout the holiday season to release the latest version of our flagship log collection solution. We are proud to announce NXLog Enterprise Edition 5.7, which includes bug fixes, security updates, and, of course, many new features.
Read on to find out more about some of these new features.
Native support for Google Cloud Logging, Amazon S3, and Microsoft 365 Google Cloud Logging, Amazon S3, and Microsoft 365 integrations were already available as Add-Ons to NXLog Enterprise Edition.
October 27, 2021
Three important features you can have with the Enterprise Edition over the Community Edition
Features of NXLog Enterprise Edition you must have So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.
Tag: nxlog-manager
September 19, 2024
Announcing the end-of-sale for NXLog Enterprise Edition and NXLog Manager
We are officially announcing that NXLog will no longer be selling NXLog Enterprise Edition and NXLog Manager. This decision reflects our commitment to evolving our product offerings and delivering more powerful, future-proof solutions.
While the sale of these products is ending, please be assured that we will continue to provide full technical support, maintenance, and bug fixes for both NXLog Enterprise Edition and NXLog Manager until the end of your contractual period.
November 3, 2023
Announcing NXLog Manager 5.7
We are pleased to announce the latest release of NXLog Manager, version 5.7. This release addresses several CVE issues, adds support for NXLog’s Microsoft Azure modules, and provides an updated Docker image.
Read on to find out more about these new features.
A more secure NXLog Manager This version addresses multiple known Common Vulnerabilities and Exposures (CVE), reducing the attack surface in our customers' systems. See the release notes for a complete list of corrected CVEs.
Tag: nxlog-platform
June 9, 2026
Announcing NXLog Platform 1.13
We are happy to announce the latest release of NXLog Platform, version 1.13. This update adds NXLog Platform operating system support for Debian 13 and NXLog Agent support for legacy 32-bit Windows. Plus, you can now use NXLog Agent with the native macOS Keychain for secure certificate storage on Apple systems.
Read on for more details about these updates.
Deploy NXLog Platform on Debian 13 NXLog Platform 1.13 adds support for installation on Debian 13, the latest stable release of the Debian operating system.
May 14, 2026
Network performance monitoring: metrics vs syslog logs vs traps
Every application depends on the network, yet networks are often the hardest part of the stack to diagnose when something goes wrong. Devices are up, utilization looks normal, and yet users report slowness or disconnections with no obvious cause in sight.
The instinct is to rely on metrics alone: poll devices at regular intervals, watch the dashboards, set thresholds. That approach catches obvious outages, but it struggles with the harder questions: Why did latency spike when nothing looked congested?
April 21, 2026
Announcing NXLog Platform 1.12
We are happy to announce the latest release of NXLog Platform, version 1.12.
This release introduces full version history for agent configurations, giving you a clear audit trail and the ability to instantly restore any previous version. It also brings a redesigned Customer Portal with a streamlined onboarding experience and improved navigation.
Want a quick overview? Watch a short demo showcasing configuration version history, one of the key new features in this release:
April 16, 2026
Deploying NXLog Platform on Kubernetes with Helm
NXLog Platform can now be installed using the official Helm chart, following the same Kubernetes deployment standard as any other enterprise Kubernetes application. Red Hat OpenShift is also fully supported using native OpenShift Routes.
According to the CNCF 2025 Annual Cloud Native Survey, 82% of container users run Kubernetes in production, and 81% prefer Helm as their package manager of choice. Kubernetes adoption spans every major cloud provider and distribution, including GKE (32%), AKS (17%), OpenShift (13%), and Amazon EKS, and continues to grow as the default substrate for enterprise infrastructure.
March 9, 2026
Beyond basic ingestion: Advanced OpenTelemetry data processing with NXLog
Most discussions about OpenTelemetry pipelines focus on getting data from point A to point B. Collect telemetry, maybe convert the format, forward it to a backend. That’s the minimum viable pipeline, and it’s where most tooling stops.
But a pipeline that only moves data is a pipe, not a processing layer. The telemetry arriving at your observability platform or SIEM is only as useful as the context it carries. A raw log entry saying "connection from 198.
March 5, 2026
How NXLog simplifies your OpenTelemetry journey
OpenTelemetry has become the de facto standard for telemetry data. Nearly 50% of surveyed cloud-native end-user companies have adopted it, and the project ranks as the second-highest-velocity initiative in the CNCF, behind only Kubernetes. The direction is clear: if your infrastructure doesn’t speak OpenTelemetry, it will increasingly be left out of the observability conversation.
But adopting OpenTelemetry across an entire infrastructure is a different problem than adopting it in a greenfield application.
February 23, 2026
Announcing NXLog Platform 1.11
We are happy to announce the latest release of NXLog Platform, version 1.11. This version focuses on operational visibility and compliance, smoother troubleshooting, and improved security and access controls.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Monitor data volume in the NXLog Platform UI You can now monitor the volume of inbound and outbound data flowing through your agents directly in the NXLog Platform UI, either from the agent statistics view or via the data flow visualization.
December 11, 2025
Announcing NXLog Platform 1.10
We are happy to announce the latest release of NXLog Platform, version 1.10. This update introduces streamlined TLS certificate management, broader operating system support, and simplified agent configuration. It will now be even faster and easier to deploy and operate your telemetry pipeline.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Centrally managed certificates for data destinations NXLog Platform 1.
October 22, 2025
Announcing NXLog Platform 1.9
We are happy to announce the latest release of NXLog Platform, version 1.9. This version transforms how you manage observability by combining metrics and logs in one platform, optimizing agent management workflows, and enabling enterprise-grade deployments for modern infrastructures.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Metrics made simple NXLog Platform provides built-in support for all types of telemetry data, including metrics.
September 12, 2025
Announcing NXLog Platform 1.8
We are happy to announce the latest release of NXLog Platform, version 1.8. This release is packed with improvements to give you deeper insights into your telemetry pipeline and infrastructure, expand compatibility, and enhance the user experience.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Agent metrics for telemetry pipeline observability The new Internal Metrics module supports collecting agent metrics, simplifying data flow and agent health monitoring.
June 25, 2025
Announcing NXLog Platform 1.7
We are happy to announce the latest release of NXLog Platform, version 1.7. This release introduces key enhancements focused on the usability and performance of the log discovery UI, as well as the SMTP integration with Microsoft 365. Read on for more details about these updates.
Improved log discovery NXLog Platform 1.7 introduces the beta release of a new log discovery UI with significant improvements in usability and performance:
June 24, 2025
Current challenges in log and telemetry data management
Today, most enterprises use a security log analytics solution or SIEM (Security Information & Event Management), but analytics are only as good as the data fed into your solution. If you’re missing data sources or are failing to extract full value from the data, you won’t see the big picture.
This is an issue new customers commonly mention to NXLog. That’s why one of our key goals is to provide a solid data collection layer that ensures all relevant data is collected and properly fed into the SIEM.
May 13, 2025
From NXLog Community Edition to NXLog Platform
NXLog Community Edition was launched many years ago and, being cross-platform and highly versatile, quickly became a leading log collection tool. With millions of downloads, it is widely used across on-premises, cloud, and hybrid deployments. While over 70% of users have upgraded to the more feature-rich and robust NXLog Enterprise Edition, many still rely on NXLog Community Edition due to its flexibility and fit for many use cases.
However, as technology advances and business and security demands grow, we are excited to introduce NXLog Platform—a modern, comprehensive solution that offers enhanced functionality and performance.
April 22, 2025
Announcing NXLog Platform 1.6
We are happy to announce the latest release of NXLog Platform, version 1.6. This release brings several key improvements, changes, and fixes to aid usability, security, and performance. Our team has introduced changes to improve integration with third-party technologies, made packaging adjustments, and enhanced the configuration workflow. Below, we highlight the most significant changes.
Enhanced configuration editor The configuration editor in NXLog Platform has been improved with better syntax highlighting, more accurate error detection, and smarter input suggestions when operating in text mode.
February 27, 2025
Announcing NXLog Platform 1.5
We are happy to announce the latest release of NXLog Platform, version 1.5. This release brings several key improvements, changes, and fixes to aid usability, security, and performance. Our team is introducing a major change to log storage, adjustments in log retention settings, and expanded authentication options. Below, we highlight the most significant changes.
Enhanced data storage with ClickHouse NXLog Platform 1.5 introduces a major upgrade to its data storage using ClickHouse, enhancing scalability and resilience while optimizing log storage and retrieval efficiency.
February 10, 2025
Install and enroll NXLog Agent automatically with Ansible and the Agent Management API
In my early days as a Junior Sysadmin, I learned the value of automation when tasked with configuring hundreds of Windows XP machines. Yes, there was a version of Windows called XP. Automating large and repetitive tasks saves time and ensures scalability and consistency in IT environments. Scalability has become very important in IT, and in the golden age of automation tools and APIs, what could be a better way to execute the mass deployment and configuration of your log collection tool than using these very mature and available technologies?
December 20, 2024
Announcing NXLog Platform 1.4
We are happy to announce the latest release of NXLog Platform, version 1.4. This release adds new features and bug fixes, including the ones highlighted below.
Improved agent onboarding This release includes a new enhanced agent onboarding wizard. The process is much simpler yet achieves much more than the previous version. The new method incorporates everything you need to install, configure, and enroll your agents in five simple, easy-to-follow steps.
November 27, 2024
Centralized Windows log collection - NXLog Platform vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
October 25, 2024
Announcing NXLog Platform 1.3
We proudly announce the latest release of NXLog Platform, version 1.3. This release adds new features and bug fixes, including the ones highlighted below.
Improved installation and configuration The installation processes for NXLog Platform and NXLog Agent received the following configuration improvements:
You can now configure the NXLog Platform hostname and specify a label when running the NXLog Agent installer to ease automatic enrollment and agent configuration. This configuration is available on Windows, Debian/Ubuntu, Red Hat Enterprise Linux, and macOS.
September 24, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
NXLog Platform is a new centralized log management solution from the vendor with over 12 years of experience and 600 clients worldwide, including Fortune 500 companies.
The new solution stands out for the following unique features:
Agentless or agent-based log collection using the most versatile log processor and forwarder.
Cloud-ready self-hosted centralized agent and log management system for ultimate scalability.
High-volume, fast, schemaless long-term log retention database with high compression ratios.
August 28, 2024
Welcome to the future of log management with NXLog Platform
Centralized log management at the core of security monitoring Enhance data visibility, streamline security operations, and reduce SIEM costs.
We are excited to announce the upcoming launch of our new centralized log management solution, NXLog Platform.
Over the past year, our team has been working hard to bring you an innovative log collection and management solution. In our 12+ years of experience in the industry, we have learned that one of the biggest challenges in log management is the number of dispersed systems you need to manage.
Tag: nxlog-product-features
July 12, 2023
Understanding memory usage in NXLog Agent
Understanding how NXLog Agent allocates memory is essential to optimize your configuration for performance and utilize system resources efficiently.
NXLog Agent is designed for high-performance log collection and processing and is optimized to use system resources efficiently. However, various external factors affect how NXLog Agent uses system resources, including memory, which can impact NXLog Agent’s and its host’s performance. Misconfiguration is the leading factor we see when troubleshooting excessive memory consumption.
January 31, 2023
Our customers asked - Input stream EPS tracking with NXLog
This post is the first in a series of answers to questions that our customers asked.
Clarifying EPS EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.
May 11, 2022
NXLog provides native support for Google Chronicle
We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform.
About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.
February 22, 2022
NXLog Community Edition support for Raijin Database
Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
October 27, 2021
Three important features you can have with the Enterprise Edition over the Community Edition
Features of NXLog Enterprise Edition you must have So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.
Tag: observability
June 2, 2026
Watching the agent watch you: Telemetry for OpenClaw with NXLog
Agentic AI is now embedded across the enterprise: summarizing customer records, pulling from data warehouses, drafting on top of internal documents, calling production APIs on behalf of staff. The pitch is compelling. The reality is that you have deployed a non-deterministic process with read access to PII, trade secrets, and the business intelligence your competitors would pay for. It is a black box that reasons differently on each run, and a single misrouted tool call can move sensitive data into a context where it does not belong.
March 11, 2026
What is telemetry data? A practical guide for modern systems
Telemetry data is the stream of measurements that instrumented devices, applications, and services continuously emit to a central system so engineers can monitor behavior, diagnose problems, and make informed decisions in real time and over the long term.
In this article, we’ll look at what telemetry data means in practice for modern software, networks, and cloud platforms: how it’s produced, what kinds of signals it carries (logs, metrics, traces, and more), and why it has become essential for observability, performance, and security at scale.
January 5, 2026
Telemetry is evolving; is your business ready?
Some still think telemetry is a futuristic concept, but it isn’t. It’s already integral to the smooth running of everything from websites, e-commerce platforms and mobile apps to manufacturing, traffic control and much, much more. And it all begins with the humble data log.
From the earliest days of computing, programmers have recorded useful information — often in a file — to help track and react to potential threats and understand what’s going on "under the hood" of their IT infrastructures.
October 30, 2025
The shadow IT haunting your network: A Halloween horror story
It’s Halloween season, and while everyone else is worried about ghosts and goblins, you—the sysadmin holding the fort—know the real terror: that dusty print server in the corner that’s been running firmware from 2014. Or the Raspberry Pi someone set up to monitor the server room temperature "temporarily" three years ago. Or the CEO’s personal tablet that absolutely must connect to the internal network because "it’s just easier this way.
October 29, 2025
Watching the watchers: The need for telemetry system observability
Organizations invest heavily in sophisticated monitoring platforms, deploy countless agents across their infrastructure, and build elaborate dashboards to track every metric imaginable. Yet amid this pursuit of comprehensive visibility, a dangerous blind spot often emerges: the observability system itself becomes unobservable.
This meta-problem represents one of the most insidious risks in modern infrastructure management. When telemetry collection fails silently—whether due to misconfiguration, infrastructure changes, or system failures—operations teams continue making critical decisions based on incomplete or stale data, unaware that their digital nervous system has developed gaps in coverage.
October 28, 2025
Beyond the silicon: Why monitoring the infrastructure powering AI is critical to ROI
The AI gold rush has arrived, and organizations worldwide are making unprecedented investments in cutting-edge accelerator hardware. GPU clusters worth millions of dollars are being deployed at breakneck speed, with companies betting their competitive futures on these silicon powerhouses. Yet beneath the excitement of acquiring the latest H100s or MI300s lies a sobering reality: the most expensive part of your AI investment isn’t the initial purchase—it’s ensuring that hardware delivers value every single moment it’s operational.
August 9, 2023
The Sarbanes-Oxley (SOX) Act and security observability
SOX - an overview Serious financial fraud was never considered a real risk while investing in U.S.-listed stocks until 2001, when energy giant Enron Corporation, which held $63.4 billion in assets, collapsed. It was revealed that the company had been misleading investors for years and the company’s stock price quickly plummeted from $90 to less than $1 per share. It was the largest bankruptcy in US history, followed by a $40 billion lawsuit and imprisonment for the corporation’s executives.
Tag: opentelemetry
June 2, 2026
Watching the agent watch you: Telemetry for OpenClaw with NXLog
Agentic AI is now embedded across the enterprise: summarizing customer records, pulling from data warehouses, drafting on top of internal documents, calling production APIs on behalf of staff. The pitch is compelling. The reality is that you have deployed a non-deterministic process with read access to PII, trade secrets, and the business intelligence your competitors would pay for. It is a black box that reasons differently on each run, and a single misrouted tool call can move sensitive data into a context where it does not belong.
June 1, 2026
Fluent Bit vs Logstash: which pipeline fits your stack?
Fluent Bit wins on footprint. Logstash wins on parsing depth. The choice isn’t which tool is "better" — it’s where in your pipeline each one earns its keep, and what your detection tier silently misses when you put one in the wrong tier.
Pick wrong and the cost shows up in three places: detection latency when batches stall, audit evidence when collectors stop shipping, and MTTR when responders can’t tell whether a quiet endpoint is an attack indicator or a broken agent.
March 9, 2026
Beyond basic ingestion: Advanced OpenTelemetry data processing with NXLog
Most discussions about OpenTelemetry pipelines focus on getting data from point A to point B. Collect telemetry, maybe convert the format, forward it to a backend. That’s the minimum viable pipeline, and it’s where most tooling stops.
But a pipeline that only moves data is a pipe, not a processing layer. The telemetry arriving at your observability platform or SIEM is only as useful as the context it carries. A raw log entry saying "connection from 198.
March 5, 2026
How NXLog simplifies your OpenTelemetry journey
OpenTelemetry has become the de facto standard for telemetry data. Nearly 50% of surveyed cloud-native end-user companies have adopted it, and the project ranks as the second-highest-velocity initiative in the CNCF, behind only Kubernetes. The direction is clear: if your infrastructure doesn’t speak OpenTelemetry, it will increasingly be left out of the observability conversation.
But adopting OpenTelemetry across an entire infrastructure is a different problem than adopting it in a greenfield application.
March 2, 2026
Data format chaos costs you weeks of visibility
Why the federal agency breach shows that standardized telemetry formats aren’t optional anymore
When CISA analyzed the federal agency breach that went undetected for three weeks, they identified a familiar pattern: EDR alerts existed but weren’t continuously reviewed. Security teams had visibility tools, but critical signals got lost in the noise.
What the advisory doesn’t detail—but every security practitioner knows—is the infrastructure nightmare hiding behind that simple statement. Those unreviewed alerts likely came from dozens of sources, each speaking its own dialect of security telemetry.
February 26, 2026
Security dashboards go dark: why visibility isn't optional, even when your defenses keep running
The SentinelOne outage showed why visibility isn’t optional—even when your defenses keep running.
On May 29, 2025, organizations running SentinelOne experienced something unsettling: their security controls kept working, but they couldn’t see what was happening.
A software flaw in SentinelOne’s infrastructure control system caused a global service disruption that lasted several hours. According to reports, the incident significantly impacted customers' ability to manage their security operations and access important data.
Tag: pci-dss
April 20, 2026
NIS2, HIPAA, PCI DSS: What compliance means when you can't upgrade your OS
Compliance frameworks don’t have a checkbox for "we know it’s a problem, but we can’t afford to fix it right now." Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
August 2, 2023
PCI DSS 4.0 compliance: Logging requirements and best practices
With PCI DSS 4.0, logging plays an even more critical role in safeguarding cardholder data. In this post, we’ll break down the key PCI DSS logging requirements, explore best practices for log retention and monitoring, and highlight key areas where NXLog Platform can help you stay secure and compliant.
What is PCI DSS? PCI DSS, or Payment Card Industry Data Security Standard, is a collection of security requirements developed by major credit card companies to safeguard merchants who accept credit card payments by ensuring they provide a secure environment.
Tag: perl
August 3, 2022
Send email alerts from NXLog using Python, Perl, or Ruby
NXLog is a versatile log collector that easily integrates with other software, platforms, and programming languages. Out-of-the-box it supports integration with many third-party solutions through its input, output, and extension modules. Moreover, extending NXLog with custom functionality is as easy as writing an application or script in your favorite programming language and loading it from the configuration.
Email notifications of events indicating potential security breaches or severe application errors are a standard procedure for IT admins and DevOps engineers.
Tag: press-release
May 20, 2026
NXLog Expands Distribution in Turkey and Emerging Markets Through Partnership with CyberDistro
Dubai, UAE, May 20, 2026 - NXLog, a leading provider of log and telemetry pipeline management solutions, today announced a distribution agreement with CyberDistro, a fast-growing global cybersecurity distributor headquartered in Istanbul and active across more than 15 countries.
Through this partnership, CyberDistro will distribute and support NXLog’s vendor-agnostic telemetry pipeline platform, enabling organizations to take control of log and event data before it reaches SIEM, analytics, and other observability and security operations tools.
March 12, 2026
NXLog and Logpoint partner to advance European digital sovereignty
[Update on 12 March 2026: Logpoint is now guardsix]
Dubai, UAE, Feb 27, 2026 - NXLog today announced a technology alliance partnership with Logpoint. Together, the companies offer a vendor-agnostic approach anchored in Logpoint’s European roots, providing organizations with a clear alternative to US-centric security platforms and renewed control over rapidly expanding telemetry flows.
As European organizations face growing pressure from regulations such as NIS2, the ability to decide where security data is processed, how it is handled, and which systems it flows into has become a critical requirement.
February 16, 2026
NXLog announces distribution agreement with Softprom
Dubai, UAE, Feb 16, 2026 — NXLog, a global provider of high-performance log and telemetry pipeline management solutions, today announced a distribution agreement with Softprom, a leading value-added IT distributor in Central and Eastern Europe, the Caucasus, and Central Asia,
Through this partnership, Softprom will distribute and support NXLog’s vendor-agnostic telemetry management platform, enabling organizations to gain control over log and event data before it reaches SIEM, APM, and analytics platforms.
September 30, 2025
Elcore signs a distribution agreement with NXLog
Dubai, UAE, Sept 30, 2025 — NXLog, a global leader in telemetry pipeline management, and Elcore, a specialized distributor of IT solutions, have announced a new distribution partnership.
Through this collaboration, Elcore will bring NXLog’s cutting-edge solutions to a wider market, empowering enterprises to collect, process, and route logs, metrics, and traces from any source to any destination. NXLog’s vendor-agnostic technology delivers structured, real-time insights that enhance visibility, strengthen security, and improve operational efficiency across IT, OT, and cloud environments.
Tag: prometheus
October 20, 2025
From web server logs to metrics: Visualizing NGINX logs with Prometheus and Grafana
When users start reporting slow responses or intermittent errors from your web applications, your first go-to is your web server logs. But did you know those same logs can provide more than just troubleshooting clues? When analyzed with the right tools, they give system administrators and DevOps teams real-time visibility into your web environment, enabling them to monitor web servers proactively, rather than reactively.
In this post, we’re going to show you how you can uncover web server performance issues and potential attacks early on by collecting NGINX access logs with NXLog Agent, transforming them into Prometheus metrics, and visualizing them with Grafana.
September 30, 2025
Gaining valuable host performance metrics with NXLog Platform
What are performance metrics and why are they important? IT and security systems don’t just generate logs; they also produce extremely valuable performance data that helps ensure the health and stability of your business infrastructure. Host-level performance metrics provide visibility into key resources, such as:
CPU usage — Helps identify over-utilization, process bottlenecks, or underused resources.
Memory usage — Indicates whether applications are consuming excessive RAM or leaking memory over time.
Tag: raijin
May 31, 2024
Raijin announces release of version 2.1
Raijin has announced the release of version 2.1 of its powerful, schemaless SQL-like database engine. This focuses on performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Performance improvements As mentioned, this release focused on optimizing the performance of partitioned database tables. Partitioned tables store data in separate locations with their own set of metadata based on the values present in the data.
March 14, 2024
Raijin announces release of version 2.0
Raijin has announced the release of version 2.0 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Enhanced table partitioning Table partitioning is a key factor in database management, improving query performance by only searching through relevant information and optimizing storage by efficiently pruning irrelevant content.
January 26, 2024
Raijin announces release of version 1.5
Raijin has announced the release of version 1.5 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Centralized storage for simpler management Until now, Raijin stored various stateful files in different locations across the system, requiring additional effort to keep track of that content. Raijin has now been refactored to use /data as the base directory.
December 12, 2023
Raijin announces release of version 1.4
Raijin has announced the release of version 1.4 of its powerful, schemaless SQL-like database engine. This version introduces new functionality for managing users and views, among several fixes and performance improvements.
Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements.
Improved user management This release builds on the previous one to provide better user management and auditing. With the SHOW USERS command, you can now retrieve a list of your Raijin users and their authentication type.
October 6, 2023
Raijin announces release of version 1.3
Raijin has announced the release of version 1.3 of its powerful, schemaless SQL-like database engine. This version implements user authentication and permissions and focuses on enhancing performance and robustness.
New user authentication and permissions This release introduces certificate and password-based user authentication and granular user permissions. You can grant permissions at the database or table level with support for the following privileges:
ALL PRIVILEGE (superuser)
CREATE
SELECT
INSERT
DROP
August 11, 2023
Raijin announces release of version 1.2
Raijin has announced the release of version 1.2 of its powerful, schemaless SQL-like database engine. This version introduces significant performance improvements and usability enhancements.
Faster data ingestion and query performance This release optimizes data ingestion by introducing partial parallelization. Raijin Database now parses and inserts batches of data simultaneously, resulting in up to 15% faster ingestion.
The team also addressed bottlenecks in the SELECT and COPY statements and implemented several optimizations to improve overall query performance.
May 30, 2023
Raijin announces release of version 1.1
Raijin has announced the release of version 1.1 of its powerful, schemaless SQL-like database engine. Many new features have been added to version 1.1.
Let’s take a look at the highlights.
Prometheus exporter improvements Introduced disk usage statistics - Disk usage statistics about free space availability and file system size were introduced.
Introduced query statistics - Event and query statistics were introduced in the Prometheus exporter. The following statistics can be queried:
March 9, 2023
Raijin announces release of version 1.0
Raijin has announced the release of version 1.0 of its powerful schemaless SQL database engine, furthering its goal of "solving schema rigidity" in modern databases. Many new features have been added to this version 1.0 milestone release.
Let’s take a look at some of the headline features.
The power of SQL without the drawbacks SQL has been the titan of database query languages for decades, and it is still ubiquitous the world over.
August 9, 2022
Raijin vs Elasticsearch
Log collection is most closely linked to enterprise security practices—for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention.
Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.
February 22, 2022
NXLog Community Edition support for Raijin Database
Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
Tag: red-hat
January 13, 2021
NXLog Containers were certified by Red Hat
Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them.
Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.
Tag: releases
June 9, 2026
Announcing NXLog Platform 1.13
We are happy to announce the latest release of NXLog Platform, version 1.13. This update adds NXLog Platform operating system support for Debian 13 and NXLog Agent support for legacy 32-bit Windows. Plus, you can now use NXLog Agent with the native macOS Keychain for secure certificate storage on Apple systems.
Read on for more details about these updates.
Deploy NXLog Platform on Debian 13 NXLog Platform 1.13 adds support for installation on Debian 13, the latest stable release of the Debian operating system.
April 21, 2026
Announcing NXLog Platform 1.12
We are happy to announce the latest release of NXLog Platform, version 1.12.
This release introduces full version history for agent configurations, giving you a clear audit trail and the ability to instantly restore any previous version. It also brings a redesigned Customer Portal with a streamlined onboarding experience and improved navigation.
Want a quick overview? Watch a short demo showcasing configuration version history, one of the key new features in this release:
February 23, 2026
Announcing NXLog Platform 1.11
We are happy to announce the latest release of NXLog Platform, version 1.11. This version focuses on operational visibility and compliance, smoother troubleshooting, and improved security and access controls.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Monitor data volume in the NXLog Platform UI You can now monitor the volume of inbound and outbound data flowing through your agents directly in the NXLog Platform UI, either from the agent statistics view or via the data flow visualization.
December 11, 2025
Announcing NXLog Platform 1.10
We are happy to announce the latest release of NXLog Platform, version 1.10. This update introduces streamlined TLS certificate management, broader operating system support, and simplified agent configuration. It will now be even faster and easier to deploy and operate your telemetry pipeline.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Centrally managed certificates for data destinations NXLog Platform 1.
October 22, 2025
Announcing NXLog Platform 1.9
We are happy to announce the latest release of NXLog Platform, version 1.9. This version transforms how you manage observability by combining metrics and logs in one platform, optimizing agent management workflows, and enabling enterprise-grade deployments for modern infrastructures.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Metrics made simple NXLog Platform provides built-in support for all types of telemetry data, including metrics.
September 12, 2025
Announcing NXLog Platform 1.8
We are happy to announce the latest release of NXLog Platform, version 1.8. This release is packed with improvements to give you deeper insights into your telemetry pipeline and infrastructure, expand compatibility, and enhance the user experience.
Want a quick overview? Watch a short demo showcasing the new features in this release:
Read on for more details about these updates.
Agent metrics for telemetry pipeline observability The new Internal Metrics module supports collecting agent metrics, simplifying data flow and agent health monitoring.
June 25, 2025
Announcing NXLog Platform 1.7
We are happy to announce the latest release of NXLog Platform, version 1.7. This release introduces key enhancements focused on the usability and performance of the log discovery UI, as well as the SMTP integration with Microsoft 365. Read on for more details about these updates.
Improved log discovery NXLog Platform 1.7 introduces the beta release of a new log discovery UI with significant improvements in usability and performance:
April 22, 2025
Announcing NXLog Platform 1.6
We are happy to announce the latest release of NXLog Platform, version 1.6. This release brings several key improvements, changes, and fixes to aid usability, security, and performance. Our team has introduced changes to improve integration with third-party technologies, made packaging adjustments, and enhanced the configuration workflow. Below, we highlight the most significant changes.
Enhanced configuration editor The configuration editor in NXLog Platform has been improved with better syntax highlighting, more accurate error detection, and smarter input suggestions when operating in text mode.
February 27, 2025
Announcing NXLog Platform 1.5
We are happy to announce the latest release of NXLog Platform, version 1.5. This release brings several key improvements, changes, and fixes to aid usability, security, and performance. Our team is introducing a major change to log storage, adjustments in log retention settings, and expanded authentication options. Below, we highlight the most significant changes.
Enhanced data storage with ClickHouse NXLog Platform 1.5 introduces a major upgrade to its data storage using ClickHouse, enhancing scalability and resilience while optimizing log storage and retrieval efficiency.
December 20, 2024
Announcing NXLog Platform 1.4
We are happy to announce the latest release of NXLog Platform, version 1.4. This release adds new features and bug fixes, including the ones highlighted below.
Improved agent onboarding This release includes a new enhanced agent onboarding wizard. The process is much simpler yet achieves much more than the previous version. The new method incorporates everything you need to install, configure, and enroll your agents in five simple, easy-to-follow steps.
October 25, 2024
Announcing NXLog Platform 1.3
We proudly announce the latest release of NXLog Platform, version 1.3. This release adds new features and bug fixes, including the ones highlighted below.
Improved installation and configuration The installation processes for NXLog Platform and NXLog Agent received the following configuration improvements:
You can now configure the NXLog Platform hostname and specify a label when running the NXLog Agent installer to ease automatic enrollment and agent configuration. This configuration is available on Windows, Debian/Ubuntu, Red Hat Enterprise Linux, and macOS.
April 20, 2023
Announcing NXLog Community Edition 3.2
We’re glad to announce the latest release of NXLog Community Edition. This release mainly fixes an issue where the file_name() function returns an unknown error.
We’ve also stopped officially supporting the Android mobile operating system.
Get in touch with our team if you have any questions, or request a free trial of our flagship log collection solution, NXLog Enterprise Edition, below.
NXLog Platform is an on-premises solution for centralized log management with versatile processing forming the backbone of security monitoring.
Tag: review
December 18, 2025
2025 and NXLog - a recap
As the new year looms large, we at NXLog are ready for one of the season’s most cherished traditions: reflecting on the year that ends. Coming off a 2024 that was centered on the NXLog Platform release, our 2025 was built on our analysis of the current state of the telemetry landscape.
The main conclusion is that while telemetry data is essential for operations and security, 35% of organizations still struggle to collect it at scale.
December 19, 2024
2024 and NXLog - a review
As another year draws to a close, we at NXLog are ready for one of the season’s traditions: reflecting on the year that was. For NXLog, 2024 marked two significant milestones: celebrating 12 years of the Company’s journey and unveiling its most ambitious product to date: NXLog Platform.
NXLog Platform launch We couldn’t start a 2024 review in any other way. The launch of NXLog Platform was the culmination of a long process of envisioning, planning, and developing what we believe is a quantum leap in our log collection management solution.
December 22, 2023
2023 and NXLog - a review
It’s finally the holiday season, and we’re down to a skeleton staff here at NXLog. It’s nearly time for us to shut down our laptops, pick up a cup of hot chocolate (or mulled wine if we’re lucky), and get ready for a week or so of reading, relaxing, opening presents, perhaps coping with distant relatives, and all-around merry-making over the holiday period.
So we hope you’ll forgive us if we keep this recap of 2023 succinct.
February 2, 2023
NXLog in the world - January 2023
A round-up of some of our favorite social media chatter about NXLog this month. Tecmint: Most notable open source log collection tools - NXLog features on the list of top centralized log collection tools
Blumira: Windows Firewall with GPOs - NXLog is recommended to be used in managing the Windows Firewall with GPOs
StationX: CompTIA Security+ Cheat Sheet - NXLog is part of the CompTIA Security+ exam
Reddit: Filter logon/logoff events from AD - How to filter logon/logoff logs from Active Directory with NXLog agent, and shipping to a syslog-ng server
December 22, 2022
NXLog - 2022 in review
We’ve come to the end of 2022, and what a year it’s been. It was a year marked by war, economic toil, and addressing the aftermath of the Covid-19 pandemic.
Europe was immediately thrust into crisis in February when the Russia-Ukraine War began. Unfortunately, as an Eastern European-based company, many of our colleagues were directly affected by it.
Then, more recently and in the United States especially, many tech companies began restructuring their organizations to deal with the looming economic problems that are forecast.
Tag: scada
April 22, 2026
The case for not ripping and replacing: Securing Win32 infrastructure in place
The default advice for any system running an unsupported operating system is simple: replace it. Upgrade to a supported platform. Move to modern hardware. Problem solved.
It’s good advice in theory. As with many other things in life however, in practice it ignores everything that makes legacy infrastructure hard to deal with in the first place.
For organizations running Windows XP, Server 2003, or other legacy 32-bit Windows systems, "just upgrade" is often the most expensive, disruptive, and operationally risky option on the table.
February 26, 2024
Digital substations and log collection
European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Its automation becomes ultimately digitalized, so requires proper monitoring both for operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.
June 8, 2023
Industrial cybersecurity - The facts
In Feb 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential terroristic act did not come to fruition.
Two years later, we still have no details on the malicious actor.
Tag: snare
April 9, 2025
NXLog Agent vs. Snare Agent - A practical comparison of log collection capabilities
Are you looking to replace Snare? Here’s how NXLog Agent compares in real-world environments.
This article will help if you consider a new log collection solution or evaluate alternatives to your existing deployment. It answers key questions from organizations that have migrated from Snare to NXLog solutions.
Feature comparison - Snare Agent vs. NXLog Agent Multiple log collection agents are available on the market. While both Snare Agent and NXLog Agent serve similar use cases, NXLog Agent provides broader platform support, more advanced log processing, and greater flexibility in integration.
Tag: splunk
January 16, 2023
NXLog Agent vs Splunk Universal Forwarder
NXLog Agent supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis.
If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the information you need to take the next step toward a better log collection strategy.
NXLog Agent and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.
March 3, 2020
Sending ETW Logs to Splunk with NXLog
NXLog supports direct collection of Event Tracing for Windows (ETW) data. DNS Analytical logs, for example, can be forwarded to Splunk or another SIEM for monitoring and analysis.
Collecting ETW Logs Event Tracing for Windows (ETW) is a kernel-level tracing facility that provides high-performance logging of kernel and application events. ETW events can be written to a log file or collected directly from the system in realtime via the Consumers API.
Tag: syslog
May 28, 2026
Syslog forwarding over TLS: getting the operational layer right
Plaintext syslog crossing a network boundary in 2026 is a finding waiting to happen. The IETF defined encrypted syslog years ago in RFC 5425: TCP/6514, mutual TLS where the trust model needs it. What still trips teams up is rarely the protocol itself — it’s certificate lifecycle, framing mismatches, and forwarders that fall over when the collector blinks. Here’s the short version: which standards matter, where teams break the framing, and the four operational habits that decide whether the pipeline holds up.
December 12, 2025
rsyslog vs syslog-ng: Which is the right log shipper?
Well, no doubt logging is the nervous system of any IT infrastructure. From troubleshooting outages to satisfying compliance audits and threat management, having the right log management pipeline can make the difference between smooth operations and chaotic firefighting. For decades, syslog-ng and rsyslog have been two of the most widely used log management tools for Unix and Linux environments. Both provide implementations of the original 1980s syslog protocol and are designed to collect, process, and forward log messages across networks.
November 23, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task.
How do syslog-ng and NXLog differ? syslog-ng and NXLog are alike in many ways.
Tag: telemetry-analysis
July 27, 2023
Detect threats using NXLog and Sigma
The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation.
However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.
February 22, 2022
NXLog Community Edition support for Raijin Database
Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution.
What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.
July 29, 2021
Using Raijin Database Engine to aggregate and analyze Windows security events
In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools.
A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.
Tag: telemetry-auditing
April 28, 2026
From 4688 to 1102: The Windows event IDs that matter for threat detection
Most Windows detection programs are anchored on a small set of well-known event IDs: 4624, 4625, maybe 4688 if process creation auditing is turned on. The events that actually describe an intrusion (the new service, the scheduled task, the explicit credential, the share enumeration) live elsewhere on the same host, often on channels that are not enabled by default. We have written before about why a 4625-only mindset leaves most of the attack chain in the dark; this post is the catalog that picks up where that argument ended.
April 20, 2026
NIS2, HIPAA, PCI DSS: What compliance means when you can't upgrade your OS
Compliance frameworks don’t have a checkbox for "we know it’s a problem, but we can’t afford to fix it right now." Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
December 10, 2025
Identity and Access Management (IAM): Guide for 2026
Imagine a typical company: employees join, they move between offices and departments, then they leave. Each of these changes requires a systems access update for email, databases, internal tools, and more. Manually managing these transitions can be burdensome and error-prone. And where you have errors, you have inefficiencies and exposure to security breaches — neither of which is good for your business.
This is where Identity and Access Management (IAM) comes in.
September 30, 2025
Gaining valuable host performance metrics with NXLog Platform
What are performance metrics and why are they important? IT and security systems don’t just generate logs; they also produce extremely valuable performance data that helps ensure the health and stability of your business infrastructure. Host-level performance metrics provide visibility into key resources, such as:
CPU usage — Helps identify over-utilization, process bottlenecks, or underused resources.
Memory usage — Indicates whether applications are consuming excessive RAM or leaking memory over time.
July 22, 2025
Security Event Logs: Importance, best practices, and management
Understanding security event logs for stronger cybersecurity.
Whether a multinational corporation or a small business, organizations face ever-increasing risks of data theft, insider threats, and system intrusions. In 2025, the security landscape is further complicated by the growing influence of artificial intelligence, as cybercriminals are leveraging AI to enhance the sophistication and scale of attacks. One of the most powerful tools for detecting and responding to attacks is the humble security event logs.
April 30, 2025
Monitoring NXLog Agent with Zabbix using the Agent Management API
NXLog Agent plays a vital role in aggregating, processing, and forwarding logs to centralized platforms for analysis. Whether it’s system logs, application logs, or security audit trails, these agents are often the first line of visibility into what’s happening in your environment.
In many setups, especially large-scale infrastructures, NXLog Agent relays act as crucial intermediaries, collecting logs from edge systems and forwarding them to a SIEM or log analytics platform.
January 23, 2024
GLBA Compliance in 2024 - Reporting directly to the FTC
The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved.
January 11, 2024
The story of the $1,900,000 penalty for insufficient log management
It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier.
Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.
October 17, 2023
Log management for maritime cybersecurity compliance regulations
Historically, seaports have played a crucial role in a state’s development, and interruption in their services has a significant impact on economics. So, it’s no surprise commercial ports are regarded as a critical transport infrastructure.
One of the most significant challenges ports face today is ongoing digital transformation. The majority of tasks carried out across a port utilize autonomous and partially automated systems, including those for managing port access, vessel berthing (bridges, locks, gates, etc.
August 9, 2023
The Sarbanes-Oxley (SOX) Act and security observability
SOX - an overview Serious financial fraud was never considered a real risk while investing in U.S.-listed stocks until 2001, when energy giant Enron Corporation, which held $63.4 billion in assets, collapsed. It was revealed that the company had been misleading investors for years and the company’s stock price quickly plummeted from $90 to less than $1 per share. It was the largest bankruptcy in US history, followed by a $40 billion lawsuit and imprisonment for the corporation’s executives.
May 26, 2023
How to monitor file access in Windows
File access auditing is the process of tracking who reads, modifies, or deletes files on a system, providing a record of user activity for security and compliance purposes. On Windows systems, this is especially important for monitoring sensitive or business-critical files, such as financial records, HR data, or confidential customer information, where unauthorized access could result in a data breach or regulatory violation.
In this post, I’ll show you how to enable file access auditing on Windows and use NXLog Agent to collect and forward file access events to help you protect sensitive data and meet compliance requirements.
May 9, 2023
BROP attacks - What is it and how to defend yourself?
Have you ever locked yourself out of your car? After calling for roadside service, your tow truck driver forces the internal locking mechanism open with a slim-jim. Car thieves quickly discovered this technique and began using it to steal cars. Digital thieves have devised a similar attack called a Blind Return-Oriented Programming (Blind ROP, or just BROP) attack. It’s as quiet as a jackhammer on cement, but an attacker can open a remote shell and gain remote code execution on your server if the conditions are right.
June 1, 2022
How NXLog can help meet compliance mandates
Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process.
So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.
January 25, 2022
Understanding and auditing WMI
If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity, however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog.
A standardization effort The first thing to clarify about WMI is that it’s not a Windows-only technology.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
February 3, 2020
Insufficient logging and monitoring, TOP 10 security risk
"The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."
In this article these top security risks discussed in the context of log collection.
OWASP API security top 10 most critical API security risks APIs are a critical part of modern technologies - from SaaS and web consumer applications to enterprise deployments.
Tag: telemetry-collection
June 12, 2026
Multiline log parsing with regex: Keeping multiline events intact for your SIEM
Most telemetry pipelines treat every newline as the end of an event. That assumption holds for a tidy syslog stream but breaks the moment a Java stack trace, a Python traceback, or a pretty-printed JSON payload lands in the file. One event becomes forty lines, and your SIEM ingests forty fragments instead of one record.
For a SecOps team, the cost is operational. Detection rules match on fragments or miss the event entirely, correlation loses the context that made the event worth alerting on, and the event count balloons against a volume-based license.
June 8, 2026
From blind spot to monitored: Log collection for 32-bit Windows
At NXLog, we’ve been in the log collection space long enough to know that the toughest challenges aren’t technical but political. There’s always that Windows XP machine running the ATM firmware that no one can touch. Or the Windows Server 2003 box that keeps the conveyor belt running 24/7. Then there’s the industrial SCADA system installed before smartphones existed, quietly humming along in a corner of the plant floor.
June 2, 2026
Watching the agent watch you: Telemetry for OpenClaw with NXLog
Agentic AI is now embedded across the enterprise: summarizing customer records, pulling from data warehouses, drafting on top of internal documents, calling production APIs on behalf of staff. The pitch is compelling. The reality is that you have deployed a non-deterministic process with read access to PII, trade secrets, and the business intelligence your competitors would pay for. It is a black box that reasons differently on each run, and a single misrouted tool call can move sensitive data into a context where it does not belong.
June 1, 2026
Fluent Bit vs Logstash: which pipeline fits your stack?
Fluent Bit wins on footprint. Logstash wins on parsing depth. The choice isn’t which tool is "better" — it’s where in your pipeline each one earns its keep, and what your detection tier silently misses when you put one in the wrong tier.
Pick wrong and the cost shows up in three places: detection latency when batches stall, audit evidence when collectors stop shipping, and MTTR when responders can’t tell whether a quiet endpoint is an attack indicator or a broken agent.
May 14, 2026
Network performance monitoring: metrics vs syslog logs vs traps
Every application depends on the network, yet networks are often the hardest part of the stack to diagnose when something goes wrong. Devices are up, utilization looks normal, and yet users report slowness or disconnections with no obvious cause in sight.
The instinct is to rely on metrics alone: poll devices at regular intervals, watch the dashboards, set thresholds. That approach catches obvious outages, but it struggles with the harder questions: Why did latency spike when nothing looked congested?
April 28, 2026
From 4688 to 1102: The Windows event IDs that matter for threat detection
Most Windows detection programs are anchored on a small set of well-known event IDs: 4624, 4625, maybe 4688 if process creation auditing is turned on. The events that actually describe an intrusion (the new service, the scheduled task, the explicit credential, the share enumeration) live elsewhere on the same host, often on channels that are not enabled by default. We have written before about why a 4625-only mindset leaves most of the attack chain in the dark; this post is the catalog that picks up where that argument ended.
April 23, 2026
Filebeat vs Logstash: when the shipper is enough and when you need a pipeline
The choice here is not between two interchangeable log tools. It is a choice about where you want parsing, routing, and failure handling to live. Filebeat runs close to the source and keeps collection small. Logstash sits in the middle of the flow and takes on filtering, enrichment, and fan-out.
That architectural difference matters more than a feature checklist. Pick the narrower tool when your logs have one destination and your parsing rules are modest.
April 22, 2026
The case for not ripping and replacing: Securing Win32 infrastructure in place
The default advice for any system running an unsupported operating system is simple: replace it. Upgrade to a supported platform. Move to modern hardware. Problem solved.
It’s good advice in theory. As with many other things in life however, in practice it ignores everything that makes legacy infrastructure hard to deal with in the first place.
For organizations running Windows XP, Server 2003, or other legacy 32-bit Windows systems, "just upgrade" is often the most expensive, disruptive, and operationally risky option on the table.
April 20, 2026
NIS2, HIPAA, PCI DSS: What compliance means when you can't upgrade your OS
Compliance frameworks don’t have a checkbox for "we know it’s a problem, but we can’t afford to fix it right now." Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
February 24, 2026
Centralized log management: What it is, how centralized logging works, and how to choose the right system
Centralized log management is the practice of collecting logs from across an environment, including applications, servers, containers, networks, and cloud services, and storing them in a single location where they can be searched and analyzed.
For operations and security teams, centralized logging is now a core requirement. Without it, logs are scattered across hosts, ephemeral containers, cloud consoles, and disconnected tools. This fragmentation slows troubleshooting, complicates incident response, and limits visibility during security investigations.
September 18, 2025
From network event logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana
At NXLog, we help customers solve real-world telemetry data challenges and bring value to the table with NXLog Platform. One of the recurring problems we see is that while network event logs contain a wealth of information, turning them into actionable insights isn’t straightforward. Security operations teams often struggle to make sense of these logs in a way that directly supports threat detection, response, and investigation.
A perfect example of this challenge is VPN logs.
July 22, 2025
Security Event Logs: Importance, best practices, and management
Understanding security event logs for stronger cybersecurity.
Whether a multinational corporation or a small business, organizations face ever-increasing risks of data theft, insider threats, and system intrusions. In 2025, the security landscape is further complicated by the growing influence of artificial intelligence, as cybercriminals are leveraging AI to enhance the sophistication and scale of attacks. One of the most powerful tools for detecting and responding to attacks is the humble security event logs.
June 16, 2025
Leveraging Okta logs for improved security monitoring
Most corporate environments require a login, and Identity and Access Management (IAM) is a solution that helps manage that process in different ways. IAM ensures that only the necessary people can access the relevant IT resources.
Each user, device or service is assigned a unique digital identity. So, when an employee logs into a company system, IAM confirms that person’s identity. This might involve a login/password check, multi-factor authentication, or both.
May 21, 2024
Ingesting log data from Debian UFW to Loki and Grafana
An excellent way to get started in a new technology area or refresh our knowledge is to devise a solution based on a small idea or need. This blog post covers such a situation, with a small personal project demonstrating how to use NXLog’s powerful features.
I embarked on a small pet project centered around a cloud machine running Debian 10. It connects telemetry from my home, country house, and notebook.
March 11, 2024
NXLog Agent on Submarines
I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Agent is employed?
February 6, 2024
The evolution of event logging: from clay tablets to Taylor Swift
Event logs are our breakfast, lunch, and dinner at NXLog. Before NXLog, I worked on an API that collected software usage logs. And before that, on a centralized log management application. Today, after a career of dealing with logs, I wondered, "How did our world come to rely so much on event logging?"
I mean, in the vast landscape of technological progress, the history of event logging is only a minor subplot.
January 23, 2024
GLBA Compliance in 2024 - Reporting directly to the FTC
The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved.
October 17, 2023
Log management for maritime cybersecurity compliance regulations
Historically, seaports have played a crucial role in a state’s development, and interruption in their services has a significant impact on economics. So, it’s no surprise commercial ports are regarded as a critical transport infrastructure.
One of the most significant challenges ports face today is ongoing digital transformation. The majority of tasks carried out across a port utilize autonomous and partially automated systems, including those for managing port access, vessel berthing (bridges, locks, gates, etc.
July 27, 2023
Detect threats using NXLog and Sigma
The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation.
However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.
November 8, 2022
Looking beyond Cybersecurity Awareness Month
Cybersecurity Awareness Month has come and gone again. October marks that festive time of year when companies circulate their mandatory think pieces, remind their employees of the dangers of clicking questionable links, and pat themselves on the back and call it a day. Here’s your friendly November reminder to keep your wits about you year-round.
A (brief) history of Cybersecurity Awareness Month The Cybersecurity Awareness Month story began as a partnership between an American governmental agency—the Cybersecurity and Infrastructure Agency (CISA)--and the National Cyber Security Alliance non-profit.
September 30, 2022
Assertive compliance - using frameworks to extend your coverage
So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
June 28, 2022
Security logging on Windows - beyond 4625
As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.
June 1, 2022
How NXLog can help meet compliance mandates
Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process.
So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.
February 3, 2022
How to prevent and detect Log4j vulnerabilities
The Apache Log4j vulnerability has attracted a lot of media attention as a result of recent security incidents that were reported by some organizations using versions 2.0-beta9 through 2.14.1. This security flaw has the potential to affect thousands of applications since some of the world’s largest databases rely on Log4j.
Because so many organizations are affected, cybercriminals are actively exploiting this well-known vulnerability.
Why is this so dangerous? In addition to the threat of malware and ransomware, hackers can also perform remote code execution due to the Log4j vulnerability.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
September 6, 2021
Collecting Kubernetes logs with NXLog
Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
August 25, 2021
File-based logs? Yes, they're still being used!
File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches.
In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.
July 15, 2021
Top 5 Windows Security logs everyone should collect
It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.
June 14, 2021
Windows Event Log collection in a nutshell
Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
May 31, 2020
DNS Log Collection and Parsing
DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:
Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
May 14, 2020
DNS Log Collection on Linux
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
January 24, 2020
What is File Integrity Monitoring (FIM)? Why do you need it?
About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.
October 22, 2019
Agent-based versus agentless log collection - which option is best?
One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes.
Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?
Tag: telemetry-pipeline-management
June 12, 2026
Multiline log parsing with regex: Keeping multiline events intact for your SIEM
Most telemetry pipelines treat every newline as the end of an event. That assumption holds for a tidy syslog stream but breaks the moment a Java stack trace, a Python traceback, or a pretty-printed JSON payload lands in the file. One event becomes forty lines, and your SIEM ingests forty fragments instead of one record.
For a SecOps team, the cost is operational. Detection rules match on fragments or miss the event entirely, correlation loses the context that made the event worth alerting on, and the event count balloons against a volume-based license.
April 23, 2026
Filebeat vs Logstash: when the shipper is enough and when you need a pipeline
The choice here is not between two interchangeable log tools. It is a choice about where you want parsing, routing, and failure handling to live. Filebeat runs close to the source and keeps collection small. Logstash sits in the middle of the flow and takes on filtering, enrichment, and fan-out.
That architectural difference matters more than a feature checklist. Pick the narrower tool when your logs have one destination and your parsing rules are modest.
April 6, 2026
Filebeat vs Vector: Routing, transforms, and the better fit for your pipeline
Filebeat and Vector both move logs, but they solve different design problems. Filebeat is a shipper that fits neatly into Elastic-centric pipelines. Vector is a data pipeline runtime that can collect, reshape, split, and forward the same stream to several destinations before storage.
The cost of choosing badly does not show up on day one. It shows up later as duplicate agents, extra relay tiers, backend-specific parsing rules, or migration work when a second destination appears.
March 23, 2026
How to visualize telemetry data flow and volume with NXLog Platform
As organizations collect more telemetry data, their pipelines grow in complexity and scale. Telemetry pipelines are dynamic, continually adjusted to improve data quality, reduce costs, and meet evolving observability requirements. At this scale, even small configuration changes can significantly affect how much data moves through your pipeline.
Without clear visibility, you rely on assumptions. Did the new filtering rule actually reduce the amount of data you’re sending to the SIEM?
March 16, 2026
Fluent Bit vs Filebeat: Architecture, trade-offs, and the better default
If you are choosing between Fluent Bit and Filebeat, the real question is where you want routing, parsing, and failure handling to live. Pick the wrong default, and you create config sprawl, brittle pipelines, and extra work every time your backend or deployment model changes.
Choose Fluent Bit when the agent itself needs to behave like a small pipeline, and choose Filebeat when your log path ends inside Elastic and you want the shipper to match Elastic’s operating model.
March 11, 2026
What is telemetry data? A practical guide for modern systems
Telemetry data is the stream of measurements that instrumented devices, applications, and services continuously emit to a central system so engineers can monitor behavior, diagnose problems, and make informed decisions in real time and over the long term.
In this article, we’ll look at what telemetry data means in practice for modern software, networks, and cloud platforms: how it’s produced, what kinds of signals it carries (logs, metrics, traces, and more), and why it has become essential for observability, performance, and security at scale.
March 9, 2026
Beyond basic ingestion: Advanced OpenTelemetry data processing with NXLog
Most discussions about OpenTelemetry pipelines focus on getting data from point A to point B. Collect telemetry, maybe convert the format, forward it to a backend. That’s the minimum viable pipeline, and it’s where most tooling stops.
But a pipeline that only moves data is a pipe, not a processing layer. The telemetry arriving at your observability platform or SIEM is only as useful as the context it carries. A raw log entry saying "connection from 198.
March 5, 2026
How NXLog simplifies your OpenTelemetry journey
OpenTelemetry has become the de facto standard for telemetry data. Nearly 50% of surveyed cloud-native end-user companies have adopted it, and the project ranks as the second-highest-velocity initiative in the CNCF, behind only Kubernetes. The direction is clear: if your infrastructure doesn’t speak OpenTelemetry, it will increasingly be left out of the observability conversation.
But adopting OpenTelemetry across an entire infrastructure is a different problem than adopting it in a greenfield application.
March 3, 2026
Fluent Bit vs Fluentd: How to choose the right tool for your log pipeline
Choosing between Fluent Bit and Fluentd is an architecture decision, not a product shootout. Both projects live under the CNCF Fluent umbrella and share a common lineage at Treasure Data, but they target different roles in a logging pipeline. Fluent Bit is a C-based telemetry agent designed for low-overhead collection at the edge. Fluentd is a Ruby-and-C data collector built for aggregation, transformation, and multi-destination routing.
The practical question is not which one is better — it’s where each one belongs in your stack, and whether you need both.
March 2, 2026
Data format chaos costs you weeks of visibility
Why the federal agency breach shows that standardized telemetry formats aren’t optional anymore
When CISA analyzed the federal agency breach that went undetected for three weeks, they identified a familiar pattern: EDR alerts existed but weren’t continuously reviewed. Security teams had visibility tools, but critical signals got lost in the noise.
What the advisory doesn’t detail—but every security practitioner knows—is the infrastructure nightmare hiding behind that simple statement. Those unreviewed alerts likely came from dozens of sources, each speaking its own dialect of security telemetry.
February 25, 2026
Building a practical OpenTelemetry pipeline with NXLog Platform
Collecting, processing, and forwarding logs and metrics at scale.
OpenTelemetry provides a common instrumentation model that makes it easier to collect telemetry data across distributed systems, and many modern applications are adopting it as a standard for generating logs and metrics. However, in practice, you still need to collect, process, and shape the data before it becomes useful. You cannot simply forward raw telemetry data downstream without risking that your observability platform becomes expensive storage instead of a means of maintaining visibility into your environment.
February 10, 2026
Adopting OpenTelemetry without changing your applications
A practical approach to converting existing logs into modern observability.
OpenTelemetry promises a vendor-neutral standard for observability, consistent telemetry, and the flexibility to change backends without rewriting everything. In practice, however, OpenTelemetry adoption often runs into a familiar obstacle: reality.
Here’s a common scenario. You’re eager to improve observability, but your environment includes a mix of legacy applications, network devices, and third-party systems. Many of these were never designed for modern instrumentation, and changing them is risky, expensive, or simply not an option.
January 29, 2026
The GeoServer breach that could have been stopped in hours, not weeks
How a federal agency’s monitoring gaps turned a containable incident into a three-week nightmare
In September 2025, CISA responded to a federal agency breach that security teams could have stopped in hours. Instead, threat actors roamed the network undetected for three weeks.
The damage? Multiple compromised servers, web shells planted across the infrastructure, and a persistent foothold that took significant resources to remediate.
The root cause wasn’t a zero-day exploit or sophisticated malware.
January 5, 2026
Telemetry is evolving; is your business ready?
Some still think telemetry is a futuristic concept, but it isn’t. It’s already integral to the smooth running of everything from websites, e-commerce platforms and mobile apps to manufacturing, traffic control and much, much more. And it all begins with the humble data log.
From the earliest days of computing, programmers have recorded useful information — often in a file — to help track and react to potential threats and understand what’s going on "under the hood" of their IT infrastructures.
October 30, 2025
The shadow IT haunting your network: A Halloween horror story
It’s Halloween season, and while everyone else is worried about ghosts and goblins, you—the sysadmin holding the fort—know the real terror: that dusty print server in the corner that’s been running firmware from 2014. Or the Raspberry Pi someone set up to monitor the server room temperature "temporarily" three years ago. Or the CEO’s personal tablet that absolutely must connect to the internal network because "it’s just easier this way.
October 29, 2025
Watching the watchers: The need for telemetry system observability
Organizations invest heavily in sophisticated monitoring platforms, deploy countless agents across their infrastructure, and build elaborate dashboards to track every metric imaginable. Yet amid this pursuit of comprehensive visibility, a dangerous blind spot often emerges: the observability system itself becomes unobservable.
This meta-problem represents one of the most insidious risks in modern infrastructure management. When telemetry collection fails silently—whether due to misconfiguration, infrastructure changes, or system failures—operations teams continue making critical decisions based on incomplete or stale data, unaware that their digital nervous system has developed gaps in coverage.
October 28, 2025
Beyond the silicon: Why monitoring the infrastructure powering AI is critical to ROI
The AI gold rush has arrived, and organizations worldwide are making unprecedented investments in cutting-edge accelerator hardware. GPU clusters worth millions of dollars are being deployed at breakneck speed, with companies betting their competitive futures on these silicon powerhouses. Yet beneath the excitement of acquiring the latest H100s or MI300s lies a sobering reality: the most expensive part of your AI investment isn’t the initial purchase—it’s ensuring that hardware delivers value every single moment it’s operational.
August 27, 2025
How to reduce log noise and fight SOC alert fatigue
Do you ever feel like you’re drowning in data? From endpoint logs and firewall events to database auditing and cloud metrics, the sheer amount of data is overwhelming. While telemetry data is crucial for threat detection, incident response, and compliance, it also brings a major challenge: log noise.
Log noise obscures meaningful security signals. If left unchecked, you risk increased false positives, overloading security tools, higher SIEM licensing costs, and, most importantly, SOC alert fatigue.
June 24, 2025
Current challenges in log and telemetry data management
Today, most enterprises use a security log analytics solution or SIEM (Security Information & Event Management), but analytics are only as good as the data fed into your solution. If you’re missing data sources or are failing to extract full value from the data, you won’t see the big picture.
This is an issue new customers commonly mention to NXLog. That’s why one of our key goals is to provide a solid data collection layer that ensures all relevant data is collected and properly fed into the SIEM.
April 30, 2025
Monitoring NXLog Agent with Zabbix using the Agent Management API
NXLog Agent plays a vital role in aggregating, processing, and forwarding logs to centralized platforms for analysis. Whether it’s system logs, application logs, or security audit trails, these agents are often the first line of visibility into what’s happening in your environment.
In many setups, especially large-scale infrastructures, NXLog Agent relays act as crucial intermediaries, collecting logs from edge systems and forwarding them to a SIEM or log analytics platform.
March 12, 2025
Log management best practices
People think about logs as one of the biggest chores in the IT industry. Well, that does not necessarily need to be true. If you adhere to some fundamental log management best practices, the value you could get out of them quickly outweighs the effort put into managing them. Logs can easily become the best friend of IT teams looking to keep their systems secure, meet compliance requirements, and maintain a smoothly running network.
January 6, 2025
How to choose a log management solution
Logs play a critical role in IT infrastructure, and choosing the right log management solution is key to effective operations. This guide explores the core principles for selecting a solution that aligns with your log collection and management needs. Given the wide range of options available, we categorize them into three main groups for clarity.
End-to-end Log Management Solutions
Security Information & Event Management (SIEM)
Application Performance Monitoring and Observability (APM)
December 19, 2024
NXLog redefines log management for the digital age
New CEO appointed as the company’s founder, former CEO & CTO, transitions to a dedicated CTO role, focusing on innovation in observability and telemetry pipeline management market.
(LONDON, UK) – 19th December 2024 - NXLog, a leading technology provider of log management solutions, announced the appointment of Harald Reisinger as its new Chief Executive Officer. Co-founder and former CEO Botond Botyánszki will transition to the Chief Technology Officer (CTO) role.
December 16, 2024
World of OpenTelemetry
With an ever-expanding choice of technologies on the market, navigating the range of open-source observability tools can be a challenge. Which is why, when it comes to managing complex multicloud environments and their services, standardization is crucial. Here’s where OpenTelemetry (OTel) can play a key role. Developed through the merger of OpenCensus and OpenTracing, OpenTelemetry has become the new standard for open-source telemetry.
Discover what OTel is, the types of telemetry data it encompasses, its potential benefits, and how NXLog can support your OpenTelemetry ecosystem.
November 12, 2024
Optimize log management and cut costs
Data logging and event monitoring have become essential to provide security and performance monitoring of business operations. However, the vast volume of logs generated can lead to significant challenges, including high costs and inefficiencies.
Many companies collect an excessive number of logs, often missing out on the most critical security-related events. The majority of these logs, known as log noise, offer little to no value to security analysts and can obstruct timely access to high-priority security events.
September 26, 2024
What is a telemetry pipeline? Understanding and building effective telemetry data pipelines
Back in the day, Gordon Moore made relatively accurate observations and projections about the exponential growth of transistors on semiconductors. It still amazes me, yet very few predicted the incredible growth of system interconnectedness and the vast amount of data it generates. It is estimated that 90% of all data was created in the last two years. Given that everything is connected, the need for telemetry is growing at an unprecedented rate, and so is the need to efficiently channel and manage telemetry data.
February 13, 2023
Avoid vendor lock-in and declare SIEM independence
The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion dollars within five years.
It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it.
As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.
September 23, 2022
GDPR compliance and log management best practices
The European Union’s General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Many of us remember the influx of marketing emails around this time, with companies updating their privacy policies and asking for the consent of around 450 million Europeans to continue using their personal data.
An often misunderstood participant of this compliance quest is log data—a source potentially rich in protected personal data. So, how does the GDPR apply to an organization’s log data?
Tag: windows
June 8, 2026
From blind spot to monitored: Log collection for 32-bit Windows
At NXLog, we’ve been in the log collection space long enough to know that the toughest challenges aren’t technical but political. There’s always that Windows XP machine running the ATM firmware that no one can touch. Or the Windows Server 2003 box that keeps the conveyor belt running 24/7. Then there’s the industrial SCADA system installed before smartphones existed, quietly humming along in a corner of the plant floor.
April 28, 2026
From 4688 to 1102: The Windows event IDs that matter for threat detection
Most Windows detection programs are anchored on a small set of well-known event IDs: 4624, 4625, maybe 4688 if process creation auditing is turned on. The events that actually describe an intrusion (the new service, the scheduled task, the explicit credential, the share enumeration) live elsewhere on the same host, often on channels that are not enabled by default. We have written before about why a 4625-only mindset leaves most of the attack chain in the dark; this post is the catalog that picks up where that argument ended.
April 22, 2026
The case for not ripping and replacing: Securing Win32 infrastructure in place
The default advice for any system running an unsupported operating system is simple: replace it. Upgrade to a supported platform. Move to modern hardware. Problem solved.
It’s good advice in theory. As with many other things in life however, in practice it ignores everything that makes legacy infrastructure hard to deal with in the first place.
For organizations running Windows XP, Server 2003, or other legacy 32-bit Windows systems, "just upgrade" is often the most expensive, disruptive, and operationally risky option on the table.
April 20, 2026
NIS2, HIPAA, PCI DSS: What compliance means when you can't upgrade your OS
Compliance frameworks don’t have a checkbox for "we know it’s a problem, but we can’t afford to fix it right now." Yet that’s the position thousands of organizations find themselves in — bound by regulation to meet security standards that their operating systems are physically incapable of supporting.
If you run Windows XP, Server 2003, or any other unsupported OS in a regulated environment, the compliance obligation doesn’t go away just because the upgrade path is blocked.
April 9, 2026
Legacy Windows systems: Enterprise security's biggest blind spot
Somewhere in a hospital basement, an MRI machine hums along on Windows XP. Down the road, a CNC controller on a factory floor runs Windows Server 2003. Across town, a municipal utility manages water treatment with software that hasn’t seen an update since the second Bush administration.
These aren’t edge cases. They’re everywhere — and they represent one of the most underestimated risks in enterprise security today.
Still here, still running It would be reasonable to assume that operating systems from the early 2000s have no place in a modern network.
December 18, 2025
Security advisory for CVE-2025-67900 affecting NXLog Agent 6.10 and older on Windows
We are committed to the security of our customers, and wish to inform you of CVE-2025-67900, a recently published vulnerability affecting the Windows version of NXLog Agent 6.10 and older.
Technical description The Windows version of NXLog Agent 6.10.10368 and older includes a Privilege Escalation vulnerability because it attempts to load an OpenSSL configuration file from the hardcoded and unintended directory C:\nxlog4\x64\ on startup.
This is a legacy installation directory that may not exist in clean NXLog Agent installations.
November 27, 2025
End-to-end Windows file monitoring with FIM and Windows Security Auditing
In the past, we’ve written about monitoring file access in Windows. However, monitoring file access events alone doesn’t capture the full lifecycle of changes that matter for security and compliance.
To gain true end-to-end visibility, you need to track not only when a file is accessed, but also when it’s modified, renamed, or deleted. In this guide, we’ll show how combining File Integrity Monitoring (FIM) with Windows Security Auditing delivers a complete file monitoring solution and how NXLog Agent ties these log sources together.
September 22, 2025
Windows security monitoring: Collecting and visualizing events in Elasticsearch and Kibana
In our previous blog post, From network logs to insights: Visualizing OpenVPN logs with Elasticsearch and Kibana, we explored how you can gain visibility into VPN activity by collecting and analyzing network logs. Windows security monitoring is another common use case we encounter at NXLog.
Windows workstations and servers generate security event logs ranging from authentication attempts and privilege escalations to policy changes and process executions. Such events can reveal external intrusions and insider threats, and for security analysts, they are the first line of evidence in investigating suspicious activity.
June 10, 2025
Enhancing security with Microsoft's Expanded Cloud Logs
Nation-state-sponsored hacking stories are everyone’s favorite Hollywood movies — until our personal or corporate sensitive data shows up on the dark web for sale, being compromised. In real life, cyber espionage groups’s activities trigger security enforcement. First in the government sector, then the government standards slowly shift industry norms starting by gently forcing vendors who are also selling into government contracts.
In the case of the recently announced playbook on MICROSOFT EXPANDED CLOUD LOGS IMPLEMENTATION PLAYBOOK, issued by the US Cybersecurity and Infrastructure Security Agency (CISA), it all started in July 2023, when the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorized access to email accounts belonging to U.
May 15, 2025
Remote Desktop logs – A comprehensive guide to RDP logging and monitoring
Monitoring and centralizing Remote Desktop logs is critical for IT security, compliance, and operational efficiency, and NXLog Platform makes it simple and scalable.
Remote Desktop Protocol (RDP) is a powerful Windows feature that allows users to access a computer remotely over the network. While convenient and widely used, it’s also a potential entry point for attackers. Understanding how to check and analyze RDP connection logs can help detect unauthorized access, troubleshoot issues, and maintain system integrity.
November 27, 2024
Centralized Windows log collection - NXLog Platform vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
June 26, 2024
Onboarding Microsoft NPS logs
For those of us who manage network authentication and authorization, RADIUS is a familiar term. This protocol was introduced in the last century, and many of us from those days still remember the old-school diagrams, which surprisingly remain on the Cisco Systems website today.
Figure 1. Interaction between dial-in user requests, the RADIUS client and server © Cisco RADIUS, which stands for Remote Authentication Dial-In User Service, was developed to address a specific challenge.
November 8, 2023
Three easy ways to optimize your Windows logs - Reduce cost, network load, and time
If you are capturing Windows Event Logs on a large scale, you know that the more logs you collect, the more resources you need. Thus, the more expensive your SIEM becomes. The main issue is a large amount of the log data you are sending to your SIEM contains no valuable information. This means you waste a sizable portion of your cost on what the industry calls “log noise”.
May 26, 2023
How to monitor file access in Windows
File access auditing is the process of tracking who reads, modifies, or deletes files on a system, providing a record of user activity for security and compliance purposes. On Windows systems, this is especially important for monitoring sensitive or business-critical files, such as financial records, HR data, or confidential customer information, where unauthorized access could result in a data breach or regulatory violation.
In this post, I’ll show you how to enable file access auditing on Windows and use NXLog Agent to collect and forward file access events to help you protect sensitive data and meet compliance requirements.
April 21, 2023
Our customers asked - Execution of PowerShell scripts inside NXLog Exec modules
PowerShell scripts can be used with NXLog for generating, processing, and forwarding logs, as well as for generating configuration content. In this article, we will take a look at how to execute PowerShell directly from NXLog.
You can run a PowerShell script in multiple NXLog instances without using any PowerShell script file, and is achievable through having the script code directly in NXLog’s exec modules. This is ideal because if you need to make any change to the script, it’s easier to modify just the NXLog module rather than change the script on every computer used.
February 20, 2023
Our customers asked - Collecting Windows DNS resolved address with NXLog Agent
Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging.
The Windows DNS Server section in the NXLog Integrations Guides offers a comprehensive guide on collecting log records from a Windows DNS Server.
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
June 28, 2022
Security logging on Windows - beyond 4625
As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.
January 25, 2022
Understanding and auditing WMI
If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity, however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog.
A standardization effort The first thing to clarify about WMI is that it’s not a Windows-only technology.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
July 15, 2021
Top 5 Windows Security logs everyone should collect
It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.
June 14, 2021
Windows Event Log collection in a nutshell
Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
May 28, 2020
DNS Log Collection on Windows
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.
While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
December 17, 2018
Making the most of Windows Event Forwarding for centralized log collection
Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.
Tag: windows-event-collector
November 27, 2024
Centralized Windows log collection - NXLog Platform vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
December 17, 2018
Making the most of Windows Event Forwarding for centralized log collection
Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.
Tag: windows-event-forwarding
November 27, 2024
Centralized Windows log collection - NXLog Platform vs. WEF
One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems.
WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
December 17, 2018
Making the most of Windows Event Forwarding for centralized log collection
Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.
Follow us
© Copyright NXLog Ltd.