NXLog Enterprise Edition v4.0 released

As a result of several months' hard work we have released the NXLog Enterprise Edition v4.0 yesterday. Below is a summary of what the new release brings.

Improved user guide

The previous major version of the NXLog Enterprise Edition only had a reference manual. Now with the NXLog EE v4.0 there is a much improved User Guide which is intended to help users understand and configure NXLog by providing a more practical approach. This new guide is currently over 800 pages and we hope it will become a valuable resource for our users. See our previous post for more details.

Support for native collection of Event Tracing for Windows (ETW) logs.

The Windows Firewall, Windows DNS Service and several other software components in Microsoft Windows operating systems provide data that can be crucial for security related logging through the Windows Event Tracing subsystem only. Unfortunately ETW data is handled differently from the Windows Eventlog. As a consequence it is not possible to collect ETW data through the standard means (i.e. using im_msvistalog) or to ship it via Windows Event Forwarding. Most solutions on the market today that are capable of collecting ETW data use logman or similar methods to dump ETW data into a trace file and then parse it back. The new im_etw module in the NXLog Enterprise Edition is capable of natively collecting ETW data and it does not dump data into intermediary trace files for maximum efficiency.

Support for new operating systems

The new major version supports more operating systems with officially supported binary packages for the following additional platforms: * IBM AIX * Oracle Solaris * Apple macOS * FreeBSD * OpenBSD

Improved installer packages

Besides adding support for the above mentioned new platforms the NXLog Enterprise Edition v4.0 has improved installer packages for the various GNU/Linux flavors by adding systemd support and other fixes. For Microsoft Windows there is now a 64 bit version of the msi installer available.

Native audit log collection

There are several new input modules available in this new release that can be used to collect OS level audit data: * im_linuxaudit for GNU/Linux * im_aixaudit for IBM AIX * im_bsm and xm_bsm for macOS, Solaris and FreeBSD. Again, these modules collect audit log data natively by interfacing with the host operating system instead of collecting the data from intermediary files written by the audit daemon or third-party tools to provide a superior solution: * No performance penalty by avoiding intermediary files. * No need to allocate disk space and rotate log files. * Better security - ship data immediately when it is logged. * Preserve structured data - no need to parse files.

Python and Ruby language support

The built-in configuration language of NXLog is already quite powerful, although it was never intended to be a full-featured programming language. The perl support (xm_perl, im_perl, om_perl) added in the previous major version has helped a lot in case more complex integrations had to be implemented. The NXLog Enterprise Edition v4.0 now adds support to execute Python and Ruby code by using the embedded interpreter. See the documentation for more details: * im_python, om_python, xm_python * im_ruby, om_ruby, xm_ruby With these modules it's become much easier to integrate with third-party products and services. We have completed integrations for Cisco IPS (SDEE), Cisco eStreamer, remote FTP/SFTP, Azure OMS, Mongodb and various other REST API based cloud services.

Kafka integration

Apache Kafka has become a popular distributed message queuing solution that provides stream processing capabilities. Now with im_kafka and om_kafka the NXLog EE can be used to natively feed a Kafka broker or pull data from. The new kafka modules are supported on both GNU/Linux and Microsoft Windows platforms. These are implemented in native code and do not depend on the Java JVM or any other extra dependency to remain memory-efficient.

Several new modules

The new release brings several new modules besides those mentioned above: * xm_grok - Utilize GROK patterns. * xm_asl - Parser form Apple System Log files on macOS. * xm_admin - A reimplementation of xm_soapadmin that also adds a JSON API in addition to the SOAP API. It is compatible with xm_soapadmin and should be a drop-in replacement. * xm_pattern - pm_pattern in the form of an extension module. * xm_msdns - Provides a parser for the Windows DNS debug log which is a lot more efficient than regexp based solutions. * im_acct - Collect process accounting logs on Unix and GNU/Linux systems. Some other major enhancements: * xm_snmp now supports the SNMP v3 protocol. * im_file supports exclusion, multiple File directives can be specified and wildcards can be used in directory names. * xm_charconv has better support for multibyte character sets.

The list goes on

Besides the above mentioned enhancements there are about 120 notable enhancements and fixes that come with this new major version. For more information regarding the list of changes please consult the ChangeLog.txt file bundled with the installer and available under the downloads area. We hope this new release will make it possible to push the capabilities of your log collection environment to the next level. Happy logging!