NXLog Manager 5.6 Hot-fix 5.6.5633

This hot-fix corrects two bugs and replaces Log4j with Logback to address security concerns and compliance requirements.
The Logback implementation also performs better than the existing Log4j 1.2 and adds features comparable to Log4j2.


Configuration changes

log4j.xml

  • left in place on upgrade to 5.6.5621

Existing Log4j configuration example:

    <appender name="internalAppender" class="org.apache.log4j.DailyRollingFileAppender">
        <param name="File" value="${logs.root}.log"/>
        <param name="Threshold" value="INFO"/>
        <param name="DatePattern" value="'.'yyyy-MM"/>
        <layout class="com.nxsec.log4ensics.common.logging.ContextPatternLayout">
            <param name="ConversionPattern" value="%d %p $host $user [%c] - %m %n"/>
        </layout>
    </appender>

logback.xml

  • Adds compression by giving the fileNamePattern a .gz suffix
  • Adds maxHistory
  • Adds totalSizeCap
  • Collapses the Java package components in log entries (%c{15}) to save space

Example of a new event line:

2022-03-27 17:50:49,342 INFO  mgr1 unknown [c.n.l.s.a.c.CommAgent] - getServerInfo from agent agent-1825 succeeded.

New Logback format:

    <appender name="internalAppender" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>${logs.root}.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <fileNamePattern>${logs.root}.log.%d{yyyy-MM-dd}.gz</fileNamePattern>
            <maxHistory>30</maxHistory>
            <totalSizeCap>3GB</totalSizeCap>
        </rollingPolicy>
        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
            <level>INFO</level>
        </filter>
        <encoder class="com.nxsec.log4ensics.common.logging.encoder.ContextPatternLayoutEncoder">
            <pattern>%d %-5p %host %user [%c{15}] - %m %n</pattern>
            <!-- %highlight and %cyan distinguish the log fields (level and logger class) in terminal output if this pattern is enabled instead -->
            <!-- <pattern>%d %highlight(%-5p) %host %user [%cyan(%c{15})] - %m %n</pattern> -->
        </encoder>
    </appender>

Filtering:

Example filter to remove getServerInfo queries from the log files:

        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
            <evaluator>
                <matcher>
                    <Name>serverinfo</Name>
                    <!-- match getServerInfo messages for agent IDs of one to four digits -->
                    <regex>getServerInfo from agent agent-[\d]{1,4}</regex>
                </matcher>
                <expression>serverinfo.matches(formattedMessage)</expression>
            </evaluator>
            <OnMismatch>NEUTRAL</OnMismatch>
            <OnMatch>DENY</OnMatch>
        </filter>
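Added example (not part of the hot-fix or NXLog's own code): a Python parser for the new event line format shown above, with the EvaluatorFilter decision applied to each parsed message. It assumes Logback's Matcher.matches() searches for the regex anywhere in the message (the page's own example line, which continues after the agent ID, is only filtered under that assumption); the second and third sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the new Logback pattern "%d %-5p %host %user [%c{15}] - %m %n":
# %d is ISO 8601 with a comma before the milliseconds, %-5p pads INFO/WARN.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+(?P<host>\S+) (?P<user>\S+) "
    r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*?)\s*$"
)
# The regex from the page's EvaluatorFilter. Assumption: Logback's
# Matcher.matches() has find() semantics, so re.search mirrors it.
SERVERINFO_RE = re.compile(r"getServerInfo from agent agent-[\d]{1,4}")

@dataclass
class Event:
    ts: str
    level: str
    host: str
    user: str
    logger: str
    msg: str

def parse_line(line: str) -> Optional[Event]:
    """Parse one line in the new format; None if it does not fit."""
    m = LINE_RE.match(line)
    return Event(**m.groupdict()) if m else None

def filter_decision(event: Event) -> str:
    """Mirror the page's filter: DENY when the regex is found, else NEUTRAL."""
    return "DENY" if SERVERINFO_RE.search(event.msg) else "NEUTRAL"

# Constructed sample input: the first line is the event line shown on the
# page, the other two are made up for this example.
SAMPLE_LINES = [
    "2022-03-27 17:50:49,342 INFO  mgr1 unknown [c.n.l.s.a.c.CommAgent] - getServerInfo from agent agent-1825 succeeded.",
    "2022-03-27 17:51:02,007 WARN  mgr1 admin [c.n.l.s.a.c.CommAgent] - getServerInfo from agent agent-12345 failed",
    "2022-03-27 17:51:10,118 ERROR mgr1 admin [c.n.l.s.w.LoginController] - authentication failed for user admin",
]

def kept_events(lines: List[str]) -> List[Event]:
    """Return the events that survive the filter, i.e. what reaches the appender."""
    kept = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and filter_decision(ev) == "NEUTRAL":
            kept.append(ev)
    return kept
```

Because the match is a substring search, the `{1,4}` quantifier does not limit the filter to four-digit agent IDs: the constructed agent-12345 line is denied as well.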

Please see the release notes for important information.

If you have feedback or would like to see additional improvements, reach out to us.

Download a fully functional trial version of NXLog Manager 5.6 here.

Changelog

# **NXLog Manager 5.6.5633**

04-02-2022

## **Changed**

  - [3834] Removed Log4j and replaced it with Logback

## **Fixed**

  - [3783] Fixed an issue causing Manager to show routes incorrectly
  - [3837] Fixed an issue where Global configuration changes were not sent to the Agent
