Additional features in the NXLog Enterprise Edition

In addition to the feature set that our NXLog Community Edition users love such as the flexibility, low memory footprint and high performance, the NXLog Enterprise Edition provides several features and enhancements which can be useful in enterprise deployments. The NXLog Enterprise Edition receives regular hot fixes and updates. If log collection is critical to you or your organization, please consider upgrading.

Together with NXLog Manager and an NXLog Enterprise Support subscription you will be able to tackle log management challenges at scale. Below is a summary of its additional features over the NXLog Community Edition.

ElasticSearch integration

A native om_elasticsearch module is available in the NXLog Enterprise Edition that allows bulk loading data into an ElasticSearch server. The ELK stack has become quite popular lately. By using the om_elasticsearch module with NXLog, Logstash is no longer a requirement to load data into ElasticSearch.

Signed installer packages

Installer packages are certificate signed to ensure that the binaries are not corrupted or compromised.

Name resolution

Cached DNS lookup functions are available to translate between IP addresses and host names. User and group names can be mapped to/from user and group ids.

On-the-wire compression

Two dedicated modules are available to help with bandwidth issues if that's a concern in your environment.

UDP source IP address spoofing

Some SIEM and log collection systems depend on the IP address of the UDP syslog packet sent by the client. When used as a server or relay, the NXLog Enterprise Edition can be configured to retain the original IP address of the sender.

SNMP input

Allows to receive SNMP traps which can then be converted to syslog, stored, forwarded, alerted on, etc.

ODBC input and output

The ODBC output and input modules (om_odbc and im_odbc) are similar to the dbi modules available in the Community Edition. These allow to read/insert data from/into any ODBC compliant database. The primary purpose of the im_odbc module is native Windows MSSQL support to enable log collection from windows applications which write logs to MSSQL. The odbc output module can be used to insert data into an ODBC database. The modules are available on Windows as well as Linux.

Remote collection of Windows EventLog

The im_wmi module allows remote collection of Windows EventLog over the WMI protocol on Linux hosts without the need to install an agent on the windows target. This feature is only available in the Linux version. The im_msvistalog module in the NXLog Enterprise Edition can query and collect Windows EventLog remotely over MSRPC on Windows Vista and later versions while the im_msvistalog module in the NXLog Community Edition can only collect EventLog locally.

Read Windows EventLog files directly

The im_msvistalog module can read .evt, .evtx and .etl eventlog files directly, this can be particularly useful for forensics purposes.

More data from the Windows EventLog

The im_msvistalog module in the NXLog Enterprise Edition can collect more data from the Windows EventLog and it also retrieves the EventData and UserData parts which can contain important data in some specific log sources. In addition, SID values in the eventlog Message can be resolved to account names to produce the same output that EventViewer gives.

Better control over SSL and TLS

The recent vulnerabilities discovered in the SSL protocols urged the security concious to disable the unsafe protocols (e.g. SSLv3). The various SSL/TLS networking modules in the NXLog Enterprise Edition can explicitly require the use of a specific protocol via the SSLProtocol directive and forbid the rest. The Windows version of the NXLog Enterprise Edition can utilize TLSv1.2 while the the NXLog Community Edition on Windows supports TLSv1.0 only.

Checkpoint LEA input

Enables the remote collection of Checkpoint firewall logs over the OPSEC/LEA protocol. This feature is only available in the Linux version.

Support for external Timestamp Authority Servers

RFC 3161 compliant trusted timestamping support.

Message integrity protection

Provides a chained HMAC based Message integrity protection for tamper-proof logs.

Event correlation

A dedicated event correlation module can efficiently solve complex tasks and has similar capabilities as the open-source SEC tool.

HTTP(s) protocol support

Restful services are becoming increasingly popular even for logging. The Enterprise Editon comes with two modules im_http and om_http which make it possible to send or recieve log message data over HTTP or HTTPS.

Redis Support

Redis is often used for caching an intermediate queue to store log data. Two native modules are available to push and pull data from Redis servers.

Parse IIS and other W3C logs easily

An additional xm_w3c parser module is bundled that can be used to parse IIS and other W3C formatted logs easily without the need to specify all fields that the log contains.

Remote management

A dedicated module allows the NXLog agents to be managed remotely over a secure SOAP/SSL connection and makes it possible to update the configuration, correlation rules, patterns and certificates remotely from the NXLog Manager web interface or from scripts. In addition, the NXLog agent and the individual modules can be stopped/started and log collection statistics can be queried for real-time statistics.

Extra reliability

The Enterprise Edition can save the position marker periodically or after each operation to reduce the chance of duplication or skipping of log messages in the event of an unclean shutdown. It supports disk-based persistent queues to prevent message loss with in-memory queues.

List of recent bug fixes and enhancements

Some large eventlog entries caused a crash or hang with im_msvistalog.
Updated openssl libraries on windows to 1.0.2a to support TLSv1.2.
The om_tcp and om_ssl modules now provide a reconnect() procedure.
Added a File directive to im_msvistalog to allow reading .evt, .evtx and .etl log files directly.
Fixed a regression in im_file which was causing excessive memory usage with a large number of files.
Do not swallow empty lines in LineBased reader.
All SSL networking modules allow TLS by default.
A BufferSize directive can be used with input and output modules to help in situations where the 65K default is insufficient.
Fixed an issue with oversized binary messages generating "ASSERTION FAILED: "logqueue->needpop == TRUE".
All tcp based network modules are now using TCP_KEEPALIVE to detect dead peers.
Null-dereference and error handling fixes for im_file to handle error conditions better (e.g. errors from network shares).
Added an output module for ElasticSearch: om_elasticsearch.
The xm_gelf extension now supports GELF_TCP and a ShortMessageLength directive has been added.
Enhanced im_msvistalog to save in $EventData if it contains unnamed values.
The parser did not handle "\/" properly inside regular expressions.
The persistent logqueue is now more robust with respect to corrupted queue files.
Fixed the assertion failure "logqueue.c/nx_logqueue_push(): "logdata->link.prev == NULL" in pm_buffer.
Reloading on windows caused pm_buffer to emit "ERROR couldn't open disk buffer file - Access is denied".
Oversized UDP packets are dropped by om_udpspoof instead of retrying endlessly.
Removed the libdrizzle dependency needed by om_eventdb.
A new extension module xm_resolver to translate between IP address and hostname, and user/group name and id.
New SSLProtocol configuration directive to explicitly set the allowed protocols for modules using SSL/TLS.
The Syslog_TLS input reader has been fixed to correctly parse data instead of reporting "invalid header received by Syslog_TLS input reader".
Fixed an off-by-one error in the CSV parser which resulted in a crash on invalid input in some cases.
Added missing error checking to the config parser when Schedule block did not contain When or Every.
Fixed a race condition issue with multiple im_wmi instances.
Two new modules to help with on-the-wire compression: im_batchcompress and om_batchcompress.
The im_wmi module could get stuck when the eventlog did not start from recordnumber 1.
The MSI package is now certificate signed in addition to nxlog.exe.
Added file information (version, icon etc) to the windows nxlog.exe.
New output module for UDP IP addess spoofing (om_udpspoof).
There was a possible infinite loop when sending zero length data (i.e. empty udp packet).
Fixed a crash in im_msvistalog when "Failed to retrieve eventlog user data" was encountered.
The year was uninitialized when parsing an rfc3164 date with microsecond precision in nx_date_parse_cisco.
Hexadecimal ASCII character codes in the character specification are now accepted by xm_csv.
The csv parser does not swallow the escape character in an invalid escape sequence.
Fixed a crash when the File directive for om_file contained an invalid string expression.
The om_http module could leak the SSL context when the remote socket was forcibly closed.