Announcing NXLog Enterprise Edition v3.0

We are proud to announce the general availability of NXLog Enterprise Edition v3.0, a major step forward in the features and reliability of our flagship product. Below is a list of highlights in the new major release.

Multi-platform support for Windows Event Forwarding

A new input module, im_wseventing, collects forwarded events from Windows hosts. The Windows clients are configured through Group Policy to send their EventLog over Windows Event Forwarding. Earlier NXLog versions could already collect Windows EventLog remotely over WMI and MSRPC, but this new capability is a major step for secure, agentless data collection from Windows machines, supporting both Kerberos authentication and HTTPS transport. Moreover, im_wseventing is platform independent and runs on GNU/Linux as well, so a single NXLog server on GNU/Linux can collect all of an enterprise's event data, Syslog and Windows EventLog included.

More support for SIEM products

NXLog has become popular for its support of many data formats and protocols, which lets it forward data to a wide range of SIEM and log management products. Two new extension modules in v3.0 parse and generate CEF and LEEF formatted data. CEF (Common Event Format) was introduced by HP ArcSight, and LEEF (Log Event Extended Format) is used by IBM Security QRadar.

HDFS output

A new output module, om_webhdfs, writes to HDFS in support of the Hadoop ecosystem.

Handling structured data formats better

The xm_xml extension has been enhanced and can now parse nested XML as well as data stored in XML attributes. Parsing of nested JSON has also been implemented in xm_json, and UTF-8 validation can be enforced so that invalid UTF-8 is caught before it is forwarded and causes parser failures in other tools.

More flexible data processing with xm_rewrite and xm_filelist

Two new extension modules were introduced to help simplify configuration. The xm_rewrite module allows fields to be renamed, kept (whitelisted) or deleted (blacklisted), and it also supports the Exec directive, so log processing logic can be kept in one place instead of being duplicated across modules. The xm_filelist extension module provides two functions, contains() and matches(), that check whether a string, such as a username or an IP address, is present in a text file. The files are cached in memory, and any changes to them are picked up automatically without reloading NXLog. This is particularly useful when the list of values to check changes often. Together, these two modules should help keep configuration files cleaner.
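The following configuration is an added example, not code from this announcement or from the NXLog documentation, showing the two modules used together: a blocklist file consulted with contains() to drop events from unwanted senders, and an xm_rewrite instance that holds the keep/rename rules once so every input can call them. The instance names, file paths, field names and destination host are placeholders; the example also assumes that im_udp sets $MessageSourceAddress to the sender's address on each event.

```nxlog
# Added example, not from the announcement or the NXLog documentation.
# Assumptions: the instance names (blocked_ips, normalize, udp_in, siem_out),
# the file paths, the field names and the destination host are placeholders;
# $MessageSourceAddress is the sender address that im_udp sets on each event.

# Source addresses to drop, one per line. xm_filelist caches the file and
# re-reads it when it changes, so editing the list needs no NXLog reload.
<Extension blocked_ips>
    Module  xm_filelist
    File    /etc/nxlog/blocked_ips.txt
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

# Field rules in one place: keep only the whitelisted fields, then rename
# them to the schema the SIEM expects. Every other field is discarded.
<Extension normalize>
    Module  xm_rewrite
    Keep    EventTime, Hostname, Severity, Message, MessageSourceAddress
    Rename  EventTime, timestamp
    Rename  Hostname, host
    Rename  Severity, level
    Rename  Message, msg
    Rename  MessageSourceAddress, src_ip
</Extension>

<Input udp_in>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    # Discard events from blocked senders before any further processing
    Exec    if blocked_ips->contains($MessageSourceAddress) drop();
    Exec    parse_syslog();
    # Apply the shared keep/rename rules defined above
    Exec    normalize->process();
</Input>

<Output siem_out>
    Module  om_tcp
    Host    siem.example.internal
    Port    1514
    Exec    to_json();
</Output>

<Route main>
    Path    udp_in => siem_out
</Route>
```

The same normalize->process() call can be added to any other input without repeating the Keep and Rename lines, which is the duplication the module is meant to remove. matches() is used the same way as contains() when the list file holds patterns rather than literal values.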

File integrity and registry monitoring

Several compliance standards mandate file integrity monitoring. With the new im_fim module, NXLog Enterprise Edition v3.0 can detect modifications to files and directories. The module is cross-platform and works on Windows as well as GNU/Linux. Similar functionality for the Windows Registry is provided by im_regmon.

Support for Perl to write custom input and output modules

Perl has a vast number of libraries that make it easy to integrate with various APIs, formats and protocols. With the introduction of the im_perl and om_perl modules, Perl code can now be used to collect and output data without running it as an external script.

Windows Performance counters

A new input module, im_winperfcount, collects metrics from Windows Performance Counters such as CPU, disk and memory statistics.

Native W3C parser

The W3C format is widely used in various Microsoft products; IIS is perhaps its best-known producer. Parsing W3C logs was already possible with xm_csv, but that required defining the fields up front in the configuration, and the definition had to be adjusted whenever the IIS logging configuration changed. The new xm_w3c module parses the logs automatically using the field information stored in the log headers. It also parses the format produced by Bro, which is very similar to W3C.
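To make the difference concrete, here is an added example (not from this announcement or from the NXLog documentation) that puts the xm_csv approach beside the xm_w3c one for an IIS log. Instance names and the log path are placeholders, the field list in the xm_csv block is an illustrative subset of the IIS defaults, and the example assumes the parser registered by xm_w3c is selected with InputType using the extension instance's name.

```nxlog
# Added example, not from the announcement or the NXLog documentation.
# Assumptions: instance names and the log path are placeholders; the xm_csv
# field list is an illustrative subset of the IIS defaults; the xm_w3c parser
# is selected with InputType using the extension instance's name.

<Extension json>
    Module  xm_json
</Extension>

# Before v3.0: xm_csv needs the field list spelled out, and it must be kept
# in step with the fields IIS is configured to log. The '#' header lines
# have to be dropped by hand as well.
<Extension iis_csv>
    Module     xm_csv
    Fields     $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $c_ip, $sc_status
    Delimiter  ' '
</Extension>

<Input iis_old>
    Module  im_file
    File    'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    Exec    if $raw_event =~ /^#/ drop();
    Exec    iis_csv->parse_csv();
</Input>

# With xm_w3c: field names are taken from the '#Fields:' header of each log
# file, so changing the logged fields in IIS needs no configuration change.
<Extension w3c>
    Module  xm_w3c
</Extension>

<Input iis_new>
    Module     im_file
    File       'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    InputType  w3c
</Input>

<Output out>
    Module  om_file
    File    'C:\Program Files\nxlog\data\iis.json'
    Exec    to_json();
</Output>

# Both inputs are routed here only so the two styles can be compared;
# a real deployment would use one or the other.
<Route iis>
    Path    iis_old, iis_new => out
</Route>
```

The practical consequence is that a field added to the IIS logging configuration silently shifts every column in the xm_csv version until the Fields directive is updated, whereas the xm_w3c version picks the new layout up from the next file's header.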

ZeroMQ support

ZeroMQ has become a popular high-performance messaging library. An input module and a corresponding output module are available that use the ZeroMQ protocol.

Netflow data ingestion

A new xm_netflow extension module has been added that parses NetFlow packets received over UDP. It supports NetFlow v1, v5, v7 and v9 as well as IPFIX.

In addition to the features above, this major release brings many other improvements and bug fixes, including the following.

  • SNI support in modules using TLS.
  • Performance enhancements to om_file with dynamic filenames.
  • Environment variables can now be used in the configuration.
  • Enhanced MSI installer that also supports custom installation paths.
  • Better handling of datetime formats through enhancements to parsedate() and strftime() and the new DateFormat configuration directive.
  • Named capturing in regular expressions.
  • Microsoft Azure Blob and Table storage input support.
  • UUID generation.
  • Native parser for Microsoft IAS (Internet Authentication Service, since renamed NPS) formatted data.
  • Configurable line terminator in om_ssl and om_tcp.
  • DEB/RPM installers are now split into multiple packages so that unneeded modules do not pull in their dependencies.

We hope the new release makes NXLog an even more powerful tool in your IT security arsenal and log collection less painful for you and your organization.

Happy logging!