NXLog Agent modules by type
This page lists all NXLog Agent modules organized by type. You can also view lists of NXLog Agent modules by operating system and installation package.
You may see the following tags on this page:
- deprecated: Modules that have been replaced or are being phased out. Switch to the alternative named in the module's description; these modules will become obsolete.
- obsolete: Modules that are no longer supported and should not be used.
- experimental: Modules or packages that are available on request.
Input modules
Input modules start with the im_* prefix. Use these modules to collect events from your log sources.
Module | Description |
---|---|
im_acct — BSD/Linux Process Accounting | Collects process accounting logs from a Linux or BSD kernel. |
im_aixaudit — AIX Auditing | Collects AIX audit events directly from the kernel. |
im_amazons3 — Amazon S3 | Connects to Amazon S3 and collects logs stored in objects. |
im_azure — Azure | Collects logs from Microsoft Azure applications. |
im_batchcompress — Batched Compression over TCP or SSL | Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module. |
im_bsm — Basic Security Module Auditing | Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API. |
im_checkpoint — Check Point OPSEC | Collects logs remotely from Check Point devices over the OPSEC LEA protocol. |
im_dbi — DBI | Collects log data by reading from an SQL database using the libdbi library. |
im_etw — Event Tracing for Windows (ETW) | Implements ETW controller and consumer functionality to collect events from the ETW system. |
im_exec — Program | Collects log data by executing a custom external program. The standard output of the command forms the log data. |
im_file — File | Collects log data from a file on the local file system. |
im_fim — File Integrity Monitoring | Scans files and directories and reports detected changes. |
im_go — Go or Golang | Collects log data with methods written in the Go language. |
im_googlelogging — Google Cloud Logging | Collects logs from the Google Cloud Logging REST API. |
im_googlepubsub — Google Cloud Pub/Sub | Collects logs from the Google Cloud Pub/Sub service. |
im_http — HTTP/HTTPS | Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests. |
im_internal — Internal | Collects the internal log messages that NXLog Agent generates about its own operation. |
im_java — Java | Collects log data with methods written in the Java language. |
im_kafka — Apache Kafka | Implements a consumer for collecting messages from a Kafka cluster. |
im_kernel — Kernel (Enterprise Edition only for some platforms) | Collects log data from the kernel log buffer. |
im_linuxaudit — Linux Audit System | Configures and collects events from the Linux Audit System. |
im_maces — macOS Endpoint Security | Collects logs from Apple Endpoint Security on macOS 10.15 and later. |
im_maculs — macOS ULS | Collects logs from Apple’s unified logging system (ULS) on macOS. |
im_mark — Mark | Emits a 'boilerplate' log record periodically to indicate that the agent is still running. |
im_ms365 — Microsoft 365 | Collects logs from Microsoft 365 services. |
im_mseventlog — Event logging for Windows XP/2000/2003 | Collects logs from the Windows Event Log on Windows XP, 2000 and 2003. |
im_msvistalog — Event logging for Windows 2008/Vista and later | Collects logs from the Windows Event Log on Windows Vista, Server 2008 and later. |
im_null — Null | Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes. |
im_odbc — ODBC | Uses the ODBC API to read log messages from database tables. |
im_pcap — Packet Capture | Passively monitors network traffic and generates logs for various protocols. |
im_perl — Perl | Captures event data directly into NXLog Agent using Perl code. |
im_pipe — Named Pipes | Reads log messages from named pipes on UNIX-like operating systems. |
im_python — Python | Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported. |
im_redis — Redis | Retrieves data stored in a Redis server. |
im_regmon — Windows Registry Monitoring | Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected. |
im_ruby — Ruby | Captures event data directly into NXLog Agent using Ruby code. |
im_salesforce — Salesforce | Collects event monitoring log data from a Salesforce org. |
im_ssl — SSL/TLS | Collects log data over a TCP connection secured with Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). |
im_systemd — Systemd | Accepts messages from the Linux systemd journal. |
im_tcp — TCP | Collects log data over a plain (unencrypted) TCP network connection. |
im_testgen — Test Generator | Generates log data for testing purposes. |
im_udp — UDP | Collects log data over a plain (unencrypted) UDP network connection. |
im_uds — Unix Domain Socket | Collects log data over a Unix domain socket (typically /dev/log). |
im_winperfcount — Windows Performance Counters | Periodically retrieves the values of the specified Windows Performance Counters to create an event record. |
im_wseventing — Windows Event Forwarding | Collects Windows Event Log records from Windows clients that have Windows Event Forwarding configured. |
im_zmq — ZeroMQ | Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library. |
Output modules
Output modules start with the om_* prefix. Use these modules to forward logs to their destination.
Module | Description |
---|---|
om_amazons3 — Amazon S3 | Forwards logs to Amazon S3 and compatible services. |
om_azure — Microsoft Azure Sentinel | Sends logs to Microsoft Azure Sentinel. |
om_azuremonitor — Microsoft Azure Log Ingestion | Sends logs to the Azure Monitor Logs Ingestion API. |
om_batchcompress — Batched Compression over TCP or SSL | Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module. |
om_blocker — Blocker | Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route. |
om_chronicle — Google Chronicle | Sends logs to Google Chronicle via the Ingestion API. |
om_dbi — DBI | Stores log data in an SQL database using the libdbi library. |
om_elasticsearch — Elasticsearch | Stores logs in an Elasticsearch server. |
om_exec — Program | Writes log data to the standard input of a custom external program. |
om_file — File | Writes log data to a file on the file system. |
om_go — Go or Golang | Forwards log data with methods written in the Go language. |
om_googlelogging — Google Cloud Logging | Sends logs to the Google Cloud Logging API. |
om_googlepubsub — Google Cloud Pub/Sub | Sends logs to the Google Cloud Pub/Sub service. |
om_http — HTTP/HTTPS | Sends events over HTTP or HTTPS using POST requests. |
om_java — Java | Forwards log data with methods written in the Java language. |
om_kafka — Apache Kafka | Implements a producer for publishing to a Kafka cluster. |
om_null — Null | Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes. |
om_odbc — ODBC | Uses the ODBC API to write log messages to database tables. |
om_perl — Perl | Uses Perl code to handle output log messages from NXLog Agent. |
om_pipe — Named Pipes | Sends logs to named pipes on UNIX-like operating systems. |
om_python — Python | Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported. |
om_raijin — Raijin | Stores log messages in a Raijin server. |
om_redis — Redis | Stores log messages in a Redis server. |
om_ruby — Ruby | Uses Ruby code to handle output log messages from NXLog Agent. |
om_ssl — SSL/TLS | Sends log data over a TCP connection secured with Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). |
om_tcp — TCP | Sends log data over a plain (unencrypted) TCP connection to a remote host. |
om_udp — UDP | Sends log data over a plain (unencrypted) UDP connection to a remote host. |
om_udpspoof — UDP with IP Spoofing | Sends log data over a UDP connection and spoofs the source IP address so packets appear to come from another host, for example to preserve the original sender's address when relaying. Sending packets with a forged source address requires raw-socket privileges on the agent host, and routers or hosts with anti-spoofing filters may drop them. |
om_uds — UDS | Sends log data to a Unix domain socket. |
om_webhdfs — WebHDFS | Stores log data in Hadoop HDFS using the WebHDFS protocol. |
om_zmq — ZeroMQ | Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library. |
Processor modules
Processor modules start with the pm_* prefix. Use these modules for additional log processing between input and output modules.
Module | Description |
---|---|
pm_blocker — Blocker | Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate a blocked route. |
pm_buffer — Buffer | Caches messages in an in-memory or disk-based buffer before forwarding, so that events are not lost while the output is slow or unreachable. This module is useful in combination with UDP data inputs. |
pm_evcorr — Event Correlator | Performs log actions based on relationships between events. |
pm_null — Null | Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes. |
deprecated pm_hmac — HMAC Message Integrity | Protects messages with an HMAC cryptographic checksum. |
deprecated pm_hmac_check — HMAC Message Integrity Checker | Checks HMAC cryptographic checksums on messages. |
deprecated pm_norepeat — Message De-Duplicator | Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables. |
deprecated pm_pattern — Pattern Matcher | Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module. |
Extension modules
Extension modules start with the xm_* prefix. Use these modules to implement specialized log processing.
Module | Description |
---|---|
xm_admin — Remote Management | Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS. |
xm_aixaudit — AIX Auditing | Parses AIX audit events that have been written to file. |
xm_asl — Apple System Logs | Parses events in the Apple System Log (ASL) format. |
xm_bsm — Basic Security Module Auditing | Parses events written to file in Sun’s Basic Security Module (BSM) Auditing binary format. |
xm_cef — CEF | Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products. |
xm_charconv — Character Set Conversion | Provides functions and procedures to help you convert strings between different character sets (code pages). |
xm_crypto — Encryption | Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm. |
xm_csv — CSV | Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields. |
xm_exec — External Program Execution | Passes log data through a custom external program for processing, either synchronously or asynchronously. |
xm_filelist — File Lists | Implements file-based blacklisting or whitelisting. |
xm_fileop — File Operations | Provides functions and procedures to manipulate files. |
xm_gelf — GELF | Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools. |
xm_go — Go or Golang | Processes log data with methods written in the Go language. |
xm_grok — Grok Patterns | Parses events with Grok patterns. |
xm_java — Java | Processes log data with methods written in the Java language. |
xm_json — JSON | Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data. |
xm_kvp — Key-Value Pairs | Provides functions and procedures to parse and generate data that is formatted as key-value pairs. |
xm_leef — LEEF | Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products. |
xm_msdns — DNS Server Debug Log Parsing | Parses Microsoft Windows DNS Server debug logs. |
xm_multiline — Multi-Line Message Parser | Parses log entries that span multiple lines. |
xm_netflow — NetFlow | Provides a parser for NetFlow payload collected over UDP. |
xm_nps — NPS | Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft RADIUS services. |
xm_pattern — Pattern Matcher | Applies advanced pattern-matching logic with better performance than regular-expression matching. Replaces pm_pattern. |
xm_perl — Perl | Processes log data using Perl. |
xm_python — Python | Processes log data using Python. Only Python version 3.x is supported. |
xm_resolver — Resolver | Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names. |
xm_rewrite — Rewrite | Transforms event records by modifying or discarding specific fields. |
xm_ruby — Ruby | Processes log data using Ruby. |
xm_sap — SAP | Registers an InputType for parsing SAP audit data. |
xm_snmp — SNMP Traps | Parses SNMPv1 and SNMPv2c trap messages. |
xm_syslog — Syslog | Provides helpers that let you parse and output Syslog messages in the BSD format defined by RFC 3164 and the IETF format defined by RFC 5424. |
xm_w3c — W3C | Parses data in the W3C Extended Log File Format, the Bro (now Zeek) format, and Microsoft Exchange Message Tracking logs. |
xm_wtmp — WTMP | Provides a parser function to process binary WTMP files. |
xm_xml — XML | Provides functions and procedures to process XML data. |
xm_zlib — Compression | Compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950. |