NXLog vs Snare

How do NXLog CE and EE compare to the Snare Enterprise Agent?

If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog.

Feature Comparison

There are multiple log collection agents available on the market; some are free, and some have paid versions that come with official support. Like the Snare Enterprise edition, the NXLog Enterprise Edition is actively maintained by NXLog and frequently enhanced with features the market demands.

In stark contrast to the legacy, open source Snare Lite agent (which, according to the Snare Lite page on SourceForge, is no longer secure or compliant), the NXLog Community Edition offers superior features: it is a secure log collection agent that supports the latest major operating systems and provides both agent-based and agentless logging.

The NXLog Community and Enterprise Editions include, and in many cases supersede, the majority of the features of their Snare counterparts.

Note
As the Snare Lite agent is no longer supported by Snare, it is not included in the comparison table below. It would be unfair to compare any of our products to an insecure non-compliant product, as none of its features would be useful in any real-life scenario.
Table 1. Snare Enterprise vs NXLog Manager/CE and EE

Columns compared: Snare Enterprise Agent, NXLog Community Edition, NXLog Enterprise Edition. The per-cell support marks were icons in the original table and are not available in this text version; the features compared are listed below by category.

  • Operating System Support: Microsoft Windows; MSI for Windows Platforms; Linux; Ubuntu; Debian; RHEL; CentOS; AWS - Amazon Linux; Docker; Apple macOS; Solaris; SLES; Windows Nano Server; IBM AIX; FreeBSD and OpenBSD; Android

  • Certifications and Partnerships: Technology Alliance partner with Splunk; Partner Product with RSA NetWitness; Part of the McAfee Security Innovation Alliance Partner Directory; Certified with the SUSE Linux Enterprise Ready Mark; Technology Certified with Red Hat Enterprise Linux; Certified on Windows Server 2016 and Windows Server 2019

  • Output Format Support: Snare Output Support; Syslog Formatting (RFC5424); Syslog Formatting (RFC3164); JSON Output Support; GELF Output Support; XML Output Support

  • Log Processing Features: Log Caching; Custom Windows Event Log Sources; UTC Logging; Truncation of Verbose Event Text; Filter for Events of Interest; Debug Mode; Message re-write; Correlation/Alerting; Event Tracing for Windows (ETW); Browser-based UI Configuration*

  • Auditing Features: USB Monitoring; File Integrity Monitoring; Linux Auditing; Collect from Windows Auditing Events; Windows Registry Monitoring; Group Policy Support; Linux or BSD kernel Auditing; AIX Auditing; Audit logs from Sun's Basic Security Module auditing

  • Agent Networking and Output Features: Failover; TCP/UDP Message Delivery; Delivery Over SSL/TLS; SSL/TLS Encryption; Log Message Simulcasting; Centralized Configuration Management; Enhanced Event Throttling; Agent Heartbeat; Windows Event Collector Support

*Using NXLog Manager (the asterisk applied to the NXLog Enterprise Edition column)

Support Writing in Multiple Formats

The format of a log is one of its most important aspects: it is crucial to achieving readable log files, and above all it is best if logs are in a structured format rather than unstructured text. The format affects information availability, readability, manageability, and size. In contrast to the limited output formats supported by Snare, NXLog supports multiple industry-standard formats such as:

  • CEF - Common Event Format (ArcSight)

  • LEEF - Log Event Extended Format (IBM QRadar)

  • GELF - Graylog Extended Log Format (Graylog)

  • Syslog RFC3164 - BSD Syslog protocol

  • Syslog RFC5424 - Syslog Protocol

  • JSON - JavaScript Object Notation

  • Snare or "Snare over Syslog" - Snare format with or without a Syslog header

NXLog's wider format support also gives the end user greater flexibility and makes integration with third-party products easier.

NXLog's core design embraces structured logging, whereas Snare was primarily designed around its proprietary Snare syslog format. NXLog provides structured data support for JSON and KVP, as well as CSV and XML. Using structured logging can dramatically reduce the operating cost of a SIEM.

Integration with Third Party Products

In the world of Information Technology, infrastructure is dynamic. It is constantly being enhanced, upgraded, or even completely redesigned.

NXLog's forte is its support for practically any operating system found in enterprise computing environments and its seamless integration with third-party solutions such as IBM QRadar, Rapid7, Splunk Enterprise, FireEye, Helix, and Securonix, to name a few. For a comprehensive list, visit our integrations page.

NXLog also provides extensive documentation to help with the integrations. See the Integration section in the NXLog User Guide.

Footprint and Configuration

NXLog agents are lightweight, use minimal resources, and can run as a service practically unnoticed in the background. With NXLog you can get started right away with the text-based configuration, rather than going through the Snare setup wizard, which ends up with a generic configuration that is unlikely to be tailored to your specific needs. Once a custom configuration file has been created, any further NXLog installations only require that same file to be deployed, potentially to thousands of agents in an enterprise environment, which saves considerable time and money.
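The following NXLog configuration is an added example, not taken from the original article or from NXLog's own documentation; it shows the text-based configuration described above doing the format work described in the previous section: selected Windows Security events are collected once and simulcast both in Snare format to an existing Snare collector (so a migration can run both paths in parallel) and as a JSON record inside an RFC 5424 syslog frame over mutually authenticated TLS to a SIEM. The install path, certificate file names, hosts, ports and the event ID filter are assumptions, and the stock global directives (ModuleDir, CacheDir, LogFile) from the default nxlog.conf are omitted for brevity.

```nxlog
# Assumed install path and certificate directory
define ROOT    C:\Program Files\nxlog
define CERTDIR %ROOT%\cert

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

# Filter for events of interest at the source: only the listed Security events
# (assumed IDs: 4624 logon, 4625 failed logon, 4720 user account created)
<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Legacy path: Snare-format records to the existing Snare collector (assumed host and port)
<Output snare_legacy>
    Module      om_udp
    Host        192.0.2.10
    Port        6161
    Exec        to_syslog_snare();
</Output>

# New path: the structured JSON record becomes the MSG of an RFC 5424 syslog frame,
# sent over TLS with client certificate and server verification (assumed SIEM host and files)
<Output siem_tls>
    Module      om_ssl
    Host        siem.example.com
    Port        6514
    CAFile      %CERTDIR%\ca.pem
    CertFile    %CERTDIR%\agent-cert.pem
    CertKeyFile %CERTDIR%\agent-key.pem
    AllowUntrusted FALSE
    Exec        $Message = to_json(); to_syslog_ietf();
</Output>

# Simulcast: one input feeding both outputs for the duration of the migration
<Route migration>
    Path        eventlog => snare_legacy, siem_tls
</Route>
```

Once the SIEM path is confirmed to receive and parse the JSON records, the snare_legacy output can be dropped from the route and the same file redeployed to every agent.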

Documentation and Product Support

Our constantly updated, ever-growing documentation, already well above 1,000 pages, is a stand-alone product in itself. It comes with configuration samples, real-world examples, and integration guides, offering much more than a generic manual. Alongside this self-help resource, there is the Community Forum for Community Edition users, as well as a dedicated support team for our Enterprise customers, available 24/7 with a world-class 4-hour SLA.

Conclusion

In light of the information presented, it is readily apparent that NXLog is a viable alternative to Snare for logging in an enterprise environment.

For further information or questions, please contact us.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.
