In addition to the feature set that our NXLog Community Edition users love such as the flexibility, low memory footprint and high performance, the NXLog Enterprise Edition provides several features and enhancements which can be useful in enterprise deployments. The NXLog Enterprise Edition receives regular hot fixes and updates. If log collection is critical to you or your organization, please consider upgrading.
Together with NXLog Manager and an NXLog Enterprise Support subscription you will be able to tackle log management challenges at scale. Below is a summary of its additional features over the NXLog Community Edition.
ElasticSearch integration
A native om_elasticsearch module is available in the NXLog Enterprise Edition that allows bulk loading data into an ElasticSearch server. The ELK stack has become quite popular lately. By using the om_elasticsearch module with NXLog, Logstash is no longer a requirement to load data into ElasticSearch.
Signed installer packages
Installer packages are certificate signed to ensure that the binaries are not corrupted or compromised.
Name resolution
Cached DNS lookup functions are available to translate between IP addresses and host names. User and group names can be mapped to/from user and group ids.
On-the-wire compression
Two dedicated modules are available to help with bandwidth issues if that's a concern in your environment.
UDP source IP address spoofing
Some SIEM and log collection systems depend on the IP address of the UDP syslog packet sent by the client. When used as a server or relay, the NXLog Enterprise Edition can be configured to retain the original IP address of the sender.
SNMP input
Allows receiving SNMP traps, which can then be converted to syslog, stored, forwarded, alerted on, etc.
ODBC input and output
The ODBC output and input modules (om_odbc and im_odbc) are similar to the dbi modules available in the Community Edition. They allow reading data from and inserting data into any ODBC compliant database. The primary purpose of the im_odbc module is native Windows MSSQL support, enabling log collection from Windows applications which write their logs to MSSQL. The om_odbc output module can be used to insert data into an ODBC database. The modules are available on Windows as well as Linux.
Remote collection of Windows EventLog
The im_wmi module allows remote collection of Windows EventLog over the WMI protocol from Linux hosts without the need to install an agent on the Windows target. This feature is only available in the Linux version.
The im_msvistalog module in the NXLog Enterprise Edition can query and collect Windows EventLog remotely over MSRPC on Windows Vista and later versions while the im_msvistalog module in the NXLog Community Edition can only collect EventLog locally.
Read Windows EventLog files directly
The im_msvistalog module can read .evt, .evtx and .etl eventlog files directly, which can be particularly useful for forensic purposes.
More data from the Windows EventLog
The im_msvistalog module in the NXLog Enterprise Edition can collect more data from the Windows EventLog: it also retrieves the EventData and UserData parts, which can contain important data in some specific log sources. In addition, SID values in the eventlog Message can be resolved to account names to produce the same output that Event Viewer gives.
Better control over SSL and TLS
The recent vulnerabilities discovered in the SSL protocols urged the security conscious to disable the unsafe protocols (e.g. SSLv3). The various SSL/TLS networking modules in the NXLog Enterprise Edition can explicitly require the use of a specific protocol via the SSLProtocol directive and forbid the rest.
The Windows version of the NXLog Enterprise Edition can utilize TLSv1.2, while the NXLog Community Edition on Windows supports TLSv1.0 only.
Checkpoint LEA input
Enables the remote collection of Checkpoint firewall logs over the OPSEC/LEA protocol. This feature is only available in the Linux version.
Support for external Timestamp Authority Servers
RFC 3161 compliant trusted timestamping support.
Message integrity protection
Provides chained HMAC-based message integrity protection for tamper-evident logs: each record's HMAC covers the previous record's HMAC, so modifying, inserting or removing an earlier record breaks every tag that follows it.
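As an added illustration of the chained-HMAC idea (example code written for this page, not NXLog's implementation, whose exact construction the page does not describe), the following Python builds a chain over constructed syslog-style records and shows what a verifier can and cannot detect. The key, seed value and record format are assumptions.

```python
import hashlib
import hmac

# Assumed initial chaining value for the first record (not NXLog's actual scheme).
SEED = b"\x00" * 32

# Constructed sample data: a demo key and three syslog-style lines.
KEY = b"constructed-demo-key-not-for-production"
RECORDS = [
    "<34>Jan 10 12:00:01 host1 sshd[101]: Accepted publickey for alice",
    "<34>Jan 10 12:00:05 host1 sudo: alice : COMMAND=/bin/systemctl restart nxlog",
    "<34>Jan 10 12:00:09 host1 sshd[101]: Disconnected from user alice",
]


def chain_logs(records, key, seed=SEED):
    """Append tag_i = HMAC-SHA256(key, tag_{i-1} || record_i) to every record."""
    prev = seed
    chained = []
    for msg in records:
        tag = hmac.new(key, prev + msg.encode(), hashlib.sha256).digest()
        chained.append({"msg": msg, "hmac": tag.hex()})
        prev = tag  # the next tag depends on this one, which is what links the chain
    return chained


def verify_chain(entries, key, seed=SEED):
    """Recompute the chain; return the index of the first bad entry, or None if intact."""
    prev = seed
    for idx, entry in enumerate(entries):
        expected = hmac.new(key, prev + entry["msg"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["hmac"]):
            return idx
        prev = expected  # continue from the recomputed tag, not the stored one
    return None


def last_tag(entries, seed=SEED):
    """The chain head; a verifier must keep this out-of-band to detect truncation."""
    return entries[-1]["hmac"] if entries else seed.hex()


if __name__ == "__main__":
    good = chain_logs(RECORDS, KEY)
    tampered = [dict(e) for e in good]
    tampered[1]["msg"] = tampered[1]["msg"].replace("restart", "stop")
    print("intact:", verify_chain(good, KEY))          # None
    print("edited record:", verify_chain(tampered, KEY))  # 1
    print("deleted record:", verify_chain(good[:1] + good[2:], KEY))  # 1
    # Dropping the newest records still verifies; only the saved head reveals it.
    print("truncated:", verify_chain(good[:2], KEY), last_tag(good[:2]) != last_tag(good))
```

The truncation case is the practical caveat: a chain alone proves nothing about records removed from the end, so the latest tag has to be anchored somewhere the log writer cannot rewrite, which is what the external timestamp authority support below provides a basis for.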
Event correlation
A dedicated event correlation module can efficiently solve complex tasks and has similar capabilities as the open-source SEC tool.
HTTP(s) protocol support
RESTful services are becoming increasingly popular even for logging. The Enterprise Edition comes with two modules, im_http and om_http, which make it possible to send or receive log message data over HTTP or HTTPS.
Redis Support
Redis is often used for caching and as an intermediate queue to store log data. Two native modules are available to push data to and pull data from Redis servers.
Parse IIS and other W3C logs easily
An additional xm_w3c parser module is bundled that can be used to parse IIS and other W3C formatted logs easily without the need to specify all fields that the log contains.
Remote management
A dedicated module allows the NXLog agents to be managed remotely over a secure SOAP/SSL connection and makes it possible to update the configuration, correlation rules, patterns and certificates remotely from the NXLog Manager web interface or from scripts. In addition, the NXLog agent and the individual modules can be stopped/started and log collection statistics can be queried for real-time statistics.
Extra reliability
The Enterprise Edition can save the position marker periodically or after each operation to reduce the chance of duplicating or skipping log messages in the event of an unclean shutdown. It also supports disk-based persistent queues, which prevent the message loss that in-memory queues suffer on a crash.