NXLog Enterprise Edition v4.0 released
As a result of several months' hard work we have released the NXLog Enterprise Edition v4.0 yesterday. Below is a summary of what the new release brings.
Improved user guide
The previous major version of the NXLog Enterprise Edition only had a reference manual. Now with the NXLog EE v4.0 there is a much improved User Guide which is intended to help users understand and configure NXLog by providing a more practical approach. This new guide is currently over 800 pages and we hope it will become a valuable resource for our users. See our previous post for more details.
Support for native collection of Event Tracing for Windows (ETW) logs.
The Windows Firewall, Windows DNS Service and several other software components
in Microsoft Windows operating systems provide data that can be crucial for
security related logging through the Windows Event Tracing subsystem only.
Unfortunately ETW data is handled differently from the Windows Eventlog.
As a consequence it is not possible to collect ETW data through the standard means
(i.e. using im_msvistalog
) or to ship it via Windows Event Forwarding.
Most solutions on the market today that are capable of collecting ETW data
use logman
or similar methods to dump ETW data into a trace file and then
parse it back.
The new im_etw module
in the NXLog Enterprise Edition is capable of natively collecting ETW data
and it does not dump data into intermediary trace files for maximum efficiency.
Support for new operating systems
The new major version supports more operating systems with officially supported binary packages for the following additional platforms: * IBM AIX * Oracle Solaris * Apple macOS * FreeBSD * OpenBSD
Improved installer packages
Besides adding support for the above mentioned new platforms the NXLog Enterprise Edition v4.0 has improved installer packages for the various GNU/Linux flavors by adding systemd support and other fixes. For Microsoft Windows there is now a 64 bit version of the msi installer available.
Native audit log collection
There are several new input modules available in this new release that can be used to collect OS level audit data: * im_linuxaudit for GNU/Linux * im_aixaudit for IBM AIX * im_bsm and xm_bsm for macOS, Solaris and FreeBSD. Again, these modules collect audit log data natively by interfacing with the host operating system instead of collecting the data from intermediary files written by the audit daemon or third-party tools to provide a superior solution: * No performance penalty by avoiding intermediary files. * No need to allocate disk space and rotate log files. * Better security - ship data immediately when it is logged. * Preserve structured data - no need to parse files.
Python and Ruby language support
The built-in configuration language of NXLog is already quite powerful, although it was never intended to be a full-featured programming language. The perl support (xm_perl, im_perl, om_perl) added in the previous major version has helped a lot in case more complex integrations had to be implemented. The NXLog Enterprise Edition v4.0 now adds support to execute Python and Ruby code by using the embedded interpreter. See the documentation for more details: * im_python, om_python, xm_python * im_ruby, om_ruby, xm_ruby With these modules it's become much easier to integrate with third-party products and services. We have completed integrations for Cisco IPS (SDEE), Cisco eStreamer, remote FTP/SFTP, Azure OMS, Mongodb and various other REST API based cloud services.
Kafka integration
Apache Kafka has become a popular distributed message queuing solution that provides stream processing capabilities. Now with im_kafka and om_kafka the NXLog EE can be used to natively feed a Kafka broker or pull data from. The new kafka modules are supported on both GNU/Linux and Microsoft Windows platforms. These are implemented in native code and do not depend on the Java JVM or any other extra dependency to remain memory-efficient.
Several new modules
The new release brings several new modules besides those mentioned above:
* xm_grok - Utilize GROK patterns.
* xm_asl -
Parser form Apple System Log files on macOS.
* xm_admin - A reimplementation
of xm_soapadmin that also adds a JSON API in addition to the SOAP API.
It is compatible with xm_soapadmin
and should be a drop-in replacement.
* xm_pattern - pm_pattern
in the form of an extension module.
* xm_msdns - Provides a parser
for the Windows DNS debug log which is a lot more efficient than regexp
based solutions.
* im_acct - Collect process
accounting logs on Unix and GNU/Linux systems.
Some other major enhancements:
* xm_snmp now supports the SNMP v3
protocol.
* im_file supports exclusion,
multiple File
directives can be specified and wildcards can be used in
directory names.
* xm_charconv has better support
for multibyte character sets.
The list goes on
Besides the above mentioned enhancements there are about 120 notable
enhancements and fixes that come with this new major version.
For more information regarding the list of changes please consult the
ChangeLog.txt
file bundled with the installer and available under the
downloads area.
We hope this new release will make it possible to push the capabilities of
your log collection environment to the next level.
Happy logging!