NXLog

NXLog
Developer(s)	Botond Botyanszki
Initial release	October 2011;; 13 years ago
Stable release	v3.1.1930
Repository	gitlab.com/nxlog-public/nxlog-ce ;
Written in	C
Operating system	Linux (CentOS, RHEL, Ubuntu (operating system), Debian), macOS, Windows, Android (operating system)
Type	Logging Tool
License	Proprietary under NXLOG PUBLIC LICENSE v1.0
Website	nxlog.co

Last updated November 30, 2024

NXLog^[1] is a multi-platform log collection and centralization tool that offers log processing features, including log enrichment (parsing, filtering, and conversion) and log forwarding.^[2] In concept NXLog is similar to syslog-ng or Rsyslog but it is not limited to UNIX and syslog only. It supports all major operating systems such as Windows,^[3] macOS,^[4] IBM AIX,^[5] etc., being compatible with virtually any SIEM, log analytics suites and many other platforms. NXLog can handle different log sources and formats,^[6] so it can be used to implement a secured, centralized,^[7] scalable logging system. NXLog Community Edition is proprietary and can be downloaded free of charge with no license costs or limitations.^[8]

Overview

NXLog can be installed on many operating systems and it is enabled to operate in a heterogeneous environment, collecting event logs from thousands of different sources in many formats. NXLog can accept event logs from TCP, UDP,^[9] file, database and various other sources in different formats such as syslog, windows event log, etc.^[10] It supports SSL/TLS encryption to make sure data security in transit.

It can perform log rewrite, correlation, alerting, and pattern matching, it can execute scheduled jobs, and can perform log rotation. It was designed to be able to fully utilize modern multi-core CPU systems. Its multi-threaded architecture enables input, log processing and output tasks to be executed in parallel. Using an I/O layer it is capable of handling thousands of simultaneous client connections and process log volumes above the 100,000 EPS range.

NXLog does not drop any log messages unless instructed to. It can process input sources in a prioritized order, meaning that a higher priority source will be always processed before others. This can further help avoiding UDP message loss for example. In case of network congestion or other log transmission problems, NXLog can buffer messages on the disk or in memory. Using loadable modules it supports different input sources and log formats, not only limited to syslog but windows event log, audit logs, and custom binary application logs.

With NXLog it is possible to use custom loadable modules similarly to the Apache Web server. In addition to the online log processing mode, it can be used to process logs in batch mode in an offline fashion. NXLog's configuration language, with an Apache style configuration file syntax, enables it to rewrite logs, send alerts or execute any external script based on the specified criteria.

History

Back in 2009 the developer of NXlog was using a modified version of msyslog to suit his needs, but when he found a requirement to implement a high performance, scalable, centralized log management solution, there was no such modern logging solution available. There were some alternatives to msyslog with some nice features (e.g. Rsyslog, syslog-ng, etc.), but none of them qualified. Most of these were still single threaded, syslog oriented, without native support for MS Windows, and came with an ambiguous configuration syntax, ugly source-code and so on.

He decided to design and write NXLog from scratch, instead of hacking something else. Thus, NXLog was born in 2009 and was a closed source product in the beginning, heavily used in several production deployments. The source code of NXLOG Community Edition was released in November 2011, and has been freely available since.

Design

Most log processing solutions are built around the same concept. The input is read from a source, then the log messages are processed. Finally output is written or sent to a sink in other terminology.

When an event occurs in an application or a device, depending on its configuration, a log message is emitted. This is usually referred to as an "event log" or "log message". These log messages can have different formats and can be transmitted over different protocols depending on the actual implementation.

There is one thing common in all event log messages. All contain important data such as user names, IP addresses, application names, etc. This way an event can be represented as a list of key-value pairs which we call a "field". The name of the field is the key and the field data is the value. In another terminology this meta-data is sometimes referred to as event property or message tag.

The following example illustrates a syslog message:

<30>Nov 21 11:40:27 log4ensics sshd[26459]: Accepted publickey for log4ensics from 192.168.1.1 port 41193 ssh2

The fields extracted from this message are as follows:

AuthMethod publickey SourceIPAddress 192.168.1.1 AccountName log4ensics SyslogFacility DAEMON SyslogSeverity INFO Severity INFO EventTime 2009-11-21 11:40:27.0 Hostname log4ensics ProcessID 26459 SourceName sshd Message Accepted publickey for log4ensics from 192.168.1.1 port 41193 ssh2

NXLog will try to use the Common Event Expression standard for the field names once the standard is stable.

NXLog has a special field$, raw_event. This field is handled by the transport (UDP, TCP, File, etc.) modules to read input into and write output from it. This field is also used later to parse the log message into further fields by various functions, procedures and modules.

Architecture

By utilizing loadable modules, the plugin architecture of NXLog allows it to read data from any kind of input, parse and convert the format of the messages, and then send it to any kind of output. Different input, processor and output modules can be used at the same time to cover all the requirements of the logging environment. The following figure illustrates the flow of log messages using this architecture.

The core of NXLog is responsible for parsing the configuration file, monitoring files and sockets, and managing internal events. It has an event based architecture, all modules can dispatch events to the core. The NXLog core will take care of the event and will optionally pass it to a module for processing. NXLog is a multi-threaded application, the main thread is responsible for monitoring files and sockets. These are added to the core by the different input and output modules. There is a dedicated thread handling internal events. It sleeps until the next event is to be processed then wakes up and dispatches the event to a worker thread. NXLog implements a worker thread-pool model. Worker threads receive an event which must be processed immediately. This way the NXLog core can centrally control all events and the order of their execution making prioritized processing possible. Modules which handle sockets or files are written to use non-blocking I/O in order to ensure that the worker threads never block. The files and sockets monitored by the main thread also dispatch events which are then delegated to the workers. Each event belonging to the same module is executed in sequential order, not concurrently. This ensures that message order is kept and prevents concurrency issues in modules. Yet the modules (worker threads) run concurrently, thus the global log processing flow is greatly parallelized.

When an input module receives data, it creates an internal representation of the log message which is basically a structure containing the raw event data and any optional fields. This log message is then pushed to the queue of the next module in the route and an internal event is generated to signal the availability of the data. The next module after the input module in a route, can be either a processor module or an output module. Actually an input or output module can also process data through built-in code or using the NXLog language execution framework. The only difference is that processor modules are run in another worker thread, thus parallelizing log processing even more. Considering that processor modules can also be chained, this can efficiently distribute work among multiple CPUs or CPU cores in the system.

Distributions

NXLog Community Edition is a proprietary log management tool available at no cost. It is available for various platforms including Windows and Linux. The NXLog Community Edition can be used both as a log collector agent and as a log server.^[11] Summary of features:
- Multi-platform - support for Linux, IBM AIX, Solaris, HP-UX, BSD, Android and Microsoft Windows (from XP through 2012)
- Modular architecture through dynamically loadable plugins
- Scalable, high-performance I/O - collect messages at blazing speeds (can achieve above 500k EPS)
- Message buffering and prioritization - no lost or dropped messages
- Simple configuration format with a powerful language similar to Perl
- Scheduled tasks and built-in log rotation
- Support for different formats such as Syslog, CSV, GELF, JSON, XML, Windows EventLog and even custom formats
- Offline processing mode for post processing, conversion or transfer
- Event classification and pattern matching
- Log message rewrite, conversion between different formats
- Event correlation
- Secure network transport over SSL
- Internationalization for supporting different character sets and on the fly auto-detection of encoding
NXLog Enterprise Edition: In addition to the features of NXLog Community Edition such as the flexibility, low memory footprint and high performance, the NXLog Enterprise Edition contains several enhancements which can be useful in enterprise deployments. These features are enhanced reliability, support for additional log sources such as CheckPoint LEA and SNMP events, agent management and monitoring capabilities, remote Windows EventLog collection, ODBC input and output modules to read/write data into databases (e.g. Microsoft SQL Server) and many more. Summary of features:
- Multi-platform - support for Unix/Linux, MS Windows
- Modular architecture through dynamically loadable plugins
- Scalable, high-performance I/O - collect messages above 100k events per second from thousands of sources
- Message buffering and prioritization - no lost or dropped messages
- Simple configuration format with a powerful language similar to Perl
- Scheduled tasks and built-in log rotation
- Support for different formats such as syslog, CSV, Windows EventLog, CheckPoint LEA or even custom formats
- Remote administration and statistics with a WebService API for easier integration to external monitoring tools
- Offline processing mode for post processing, conversion or transfer
- Real-time event correlation and classification
- Log message rewrite, conversion between different formats
- Secure SSL transport, message integrity and timestamping support
- Internationalization for supporting different character sets and on the fly auto-detection of encoding.
NXLog Manager: Managing and monitoring a large number of log collector agents can be tough, especially if you have a lot of servers in different roles with multiple teams in charge. NXLog Manager can remotely manage and monitor NXLog Enterprise Edition instances using a centralized web based management console.

Features

Feature	NXLog Community Edition	NXLog Enterprise Edition
Scalable, multi-threaded and high-performance architecture
Multi platform
Modular architecture
Support for different message formats
Client-server mode
Log message sources and destinations
Secure operation, secured messages
Lightweight
Message buffering and prioritization
No message loss
Simple configuration
Built-in config language
Scheduled tasks and built-in log rotation
Event classification and pattern matching
Offline processing mode for post processing, conversion or transfer
Internationalization support
Real-time event correlation and classification
Remote administration and statistics

Releases

License

NXLog Community Edition is licensed under the NXLOG PUBLIC LICENSE v1.0.^[12]

Related Research Articles

<span class="mw-page-title-main">CUPS</span> Computer printing system

CUPS is a modular printing system for Unix-like computer operating systems which allows a computer to act as a print server. A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer.

Btrieve is a transactional database software product. It is based on Indexed Sequential Access Method (ISAM), which is a way of storing data for fast retrieval. There have been several versions of the product for DOS, Linux, older versions of Microsoft Windows, 32-bit IBM OS/2 and for Novell NetWare.

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level.

Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.

A Java logging framework is a computer data logging package for the Java platform. This article covers general purpose logging frameworks.

An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems (DCSs) with many thousands of field connections. Control systems receive data from remote sensors measuring process variables (PVs), compare the collected data with desired setpoints (SPs), and derive command functions that are used to control a process through the final control elements (FCEs), such as control valves.

logparser is a flexible command line utility that was initially written by Gabriele Giuseppini, a Microsoft employee, to automate tests for IIS logging. It was intended for use with the Windows operating system, and was included with the IIS 6.0 Resource Kit Tools. The default behavior of logparser works like a "data processing pipeline", by taking an SQL expression on the command line, and outputting the lines containing matches for the SQL expression.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. A log data is composed of entries (records), and each entry contains information related to a specific event that occur within an organization's computing assets, including physical and virtual platforms, networks, services, and cloud environments.

syslog-ng is a free and open-source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features to syslog, like using TCP for transport. Syslog-ng is developed in the Budapest office of One Identity LLC. It has three editions with a common codebase. The first is called syslog-ng, also referred as syslog-ng Open Source Edition (OSE) with the license LGPL + GPLv2. The second is called syslog-ng Premium Edition (PE) and has additional plugins (modules) under a proprietary license. The third is called syslog-ng Storebox (SSB), which comes as an appliance with a Web-based UI as well as additional features including ultra-fast-text search, unified search, content-based alerting and a premier tier support.

PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on August 18, 2016, with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET.

Toybox is a free and open-source software implementation of over 200 Unix command line utilities such as ls, cp, and mv. The Toybox project was started in 2006, and became a 0BSD licensed BusyBox alternative. Toybox is used for most of Android's command-line tools in all currently supported Android versions, and is also used to build Android on Linux and macOS. All of the tools are tested on Linux, and many of them also work on BSD and macOS.

Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, queued operations to handle offline outputs, support for different module outputs, flexible configuration options and adds features such as using TCP for transport.

The Log Management Knowledge Base is a free database of detailed descriptions on over 20,000 event logs generated by Windows systems, syslog devices and applications. Provided as a free service to the IT community by Prism Microsystems, the aim of the Knowledge Base is to help IT personnel make sense of the large amounts of cryptic and arcane log data generated by network systems and IT infrastructures.

Shinken is an open source computer system and network monitoring software application compatible with Nagios. It watches hosts and services, gathers performance data and alerts users when error conditions occur and again when the conditions clear.

The Linux console is a system console internal to the Linux kernel. A system console is the device which receives all kernel messages and warnings and which allows logins in single user mode. The Linux console provides a way for the kernel and other processes to send text output to the user, and to receive text input from the user. The user typically enters text with a computer keyboard and reads the output text on a computer monitor. The Linux kernel supports virtual consoles – consoles that are logically separate, but which access the same physical keyboard and display. The Linux console are implemented by the VT subsystem of the Linux kernel, and do not rely on any user space software. This is in contrast to a terminal emulator, which is a user space process that emulates a terminal, and is typically used in a graphical display environment.

Canigó is the name chosen for the Java EE framework of the Generalitat de Catalunya.

Checkmk is a software system developed in Python and C++ for IT Infrastructure monitoring. It is used for the monitoring of servers, applications, networks, cloud infrastructures, containers, storage, databases and environment sensors.

RTP-MIDI is a protocol to transport MIDI messages within Real-time Transport Protocol (RTP) packets over Ethernet and WiFi networks. It is completely open and free, and is compatible both with LAN and WAN application fields. Compared to MIDI 1.0, RTP-MIDI includes new features like session management, device synchronization and detection of lost packets, with automatic regeneration of lost data. RTP-MIDI is compatible with real-time applications, and supports sample-accurate synchronization for each MIDI message.

Enduro/X is an open-source middleware platform for distributed transaction processing. It is built on proven APIs such as X/Open group's XATMI and XA. The platform is designed for building real-time microservices based applications with a clusterization option. Enduro/X functions as an extended drop-in replacement for Oracle Tuxedo. The platform uses in-memory POSIX message queues which insures high inter-process communication throughput.

<span class="mw-page-title-main">Octopussy (software)</span> Log analysis software

Octopussy, also known as 8Pussy, is a free and open-source computer-software which monitors systems, by constantly analyzing the syslog data they generate and transmit to such a central Octopussy server. Therefore, software like Octopussy plays an important role in maintaining an information security management system within ISO/IEC 27001-compliant environments.

References

↑ "nxlog - A multi-platform universal log collector and forwarder". Windows Remix. Retrieved 30 April 2021.
↑ "Complex log processing with PostSharp and NXLog | PostSharp Blog". 10 December 2020.
↑ "Using NXLog to Collect Windows Event Logs".
↑ "Apple's Mac security warning shows that closed beats open". 21 May 2021.
↑ "NXLog Enterprise Edition 5.0".
↑ Messier, Ric (2017). Network forensics. Indianapolis, IN: Wiley. p. 256. ISBN 9781119328285 . Retrieved 30 April 2021.
↑ "Centralizing Windows Logs".
↑ "NXLog Community Version". Symtrex Inc. Retrieved 30 April 2021.
↑ Messier, Ric (2017). Network forensics. Indianapolis, IN: WILEY. p. 219. ISBN 9781119328285 . Retrieved 30 April 2021.
↑ "Using NXLog to enhance Azure Sentinel's ingestion capabilities". 2 February 2021.
↑ "NXLog Community Version".
↑ https://nxlog.co/nxlog-public-license NXLOG PUBLIC LICENSE v1.0

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "nxlog - A multi-platform universal log collector and forwarder". Windows Remix. Retrieved 30 April 2021.

[2] "Complex log processing with PostSharp and NXLog | PostSharp Blog". 10 December 2020.

[3] "Using NXLog to Collect Windows Event Logs".

[4] "Apple's Mac security warning shows that closed beats open". 21 May 2021.

[5] "NXLog Enterprise Edition 5.0".

[6] Messier, Ric (2017). Network forensics. Indianapolis, IN: Wiley. p. 256. ISBN 9781119328285 . Retrieved 30 April 2021.

[7] "Centralizing Windows Logs".

[8] "NXLog Community Version". Symtrex Inc. Retrieved 30 April 2021.

[9] Messier, Ric (2017). Network forensics. Indianapolis, IN: WILEY. p. 219. ISBN 9781119328285 . Retrieved 30 April 2021.

[10] "Using NXLog to enhance Azure Sentinel's ingestion capabilities". 2 February 2021.

[11] "NXLog Community Version".

[12] ttps://nxlog.co/nxlog-public-license NXLOG PUBLIC LICENSE v1.0

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]