Centralized logging  |  Windows  |  Windows Event Collector  |  Windows Event Forwarding

Making the most of Windows Event Forwarding for centralized log collection in 2026

Windows Event Forwarding (WEF) gives you centralized log collection with tools that ship in every supported version of Windows. There are no agents to deploy and no licenses to buy: a collector server, a Group Policy Object (GPO), and a subscription are enough to start moving events. That makes WEF one of the most accessible routes to getting Windows logs into one place. It also has hard limits in platform coverage, in resource cost, and in the kinds of data it can carry.

Telemetry pipeline management  |  NXLog Platform

Cribl competitors: 6 alternatives for SecOps teams

If you run security operations, you’re probably evaluating Cribl for one reason. The volume of telemetry hitting your SIEM is outpacing your budget, and you want to filter and reshape it before you pay to index it. Cribl is good at that. It defined the category when it launched in 2018, and for many teams, it’s still the default. Cribl works. The decision turns on three narrower questions: whether your data problem matches the one Cribl solves, what deployment model you need, and what you’ll pay per gigabyte to get there.

Telemetry collection  |  NXLog Agent

Structured logging and JSON conversion: Getting logs SIEM-ready at the source

Your detections, correlation rules, and search results are only as good as the underlying data structure. A raw log line is a string. A structured JSON event is a set of named fields you can filter, pivot, and alert on. Convert your logs to JSON at the collection layer before they reach your SIEM. Doing it early cuts ingest cost, keeps your schema consistent across sources, and makes your detections less fragile.

Log analysis  |  Telemetry collection  |  Telemetry pipeline management

Log analysis tools for SecOps: How to evaluate the whole stack in 2026

Teams usually choose a log analysis tool by comparing vendors. The more costly decision sits one level up: the category of tool. The wrong choice there surfaces months later as a source you can’t collect, data you can’t normalize, or a per-gigabyte bill for logs you never needed. Log analysis tools collect, parse, store, search, and visualize log data so teams can detect threats, investigate incidents, and troubleshoot systems. The term spans four distinct categories — collection agents, processing pipelines, storage and search engines, and analysis platforms — that each handle a different job in the same workflow.

Telemetry collection  |  Fault tolerance

How to handle log rotation without losing events

Log rotation is supposed to be routine maintenance. But if your collector reads a file while another process renames, truncates, or compresses it, events can slip through the gap — and you often won’t notice until you go looking for a log that isn’t there. For a security team, that gap is a blind spot: a detection that never fired, an audit trail with a hole in it, a control you can’t prove was working.

Telemetry collection  |  Telemetry pipeline management  |  Log aggregation

Fluentd vs Logstash: which log pipeline tool fits your stack?

Pick the wrong log collector and you pay for it on every node you deploy. A heavier agent multiplied across a thousand hosts is real memory and CPU you can’t get back, and a pipeline wired tightly to one vendor’s backend is hard to unwind later. So the Fluentd vs Logstash decision usually comes down to two questions: how much processing do you need at the collection point, and how committed are you to the Elastic Stack?

More

Multiline log parsing with regex: Keeping multiline events intact for your SIEM

Announcing NXLog Platform 1.13

From blind spot to monitored: Log collection for 32-bit Windows

Watching the agent watch you: Telemetry for OpenClaw with NXLog

All Posts