NXLog Agent modules by type

This page lists all NXLog Agent modules organized by type. You can also view lists of NXLog Agent modules by operating system and installation package.

You may see the following tags on this page:

deprecated

Modules that have been replaced and/or are being phased out. We encourage you to switch to an alternative as they will become obsolete.

obsolete

Modules that are no longer supported and should not be used.

experimental

Modules or packages that are available on request.

Input modules

Input modules start with the im_* prefix. Use these modules to collect events from your log sources.

Module Description

im_acct — BSD/Linux Process Accounting

Collects process accounting logs from a Linux or BSD kernel.

im_aixaudit — AIX Auditing

Collects AIX audit events directly from the kernel.

im_amazons3 — Amazon S3

Connects to Amazon S3 and collects logs stored in objects.

im_azure — Azure

Collects logs from Microsoft Azure applications.

im_batchcompress — Batched Compression over TCP or SSL

Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module.

im_bsm — Basic Security Module Auditing

Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API.

im_checkpoint — Check Point OPSEC

Provides support for collecting logs remotely from Check Point devices over the OPSEC LEA protocol.

im_dbi — DBI

Collects log data by reading data from an SQL database using the libdbi library.

im_etw — Event Tracing for Windows (ETW)

Implements ETW controller and consumer functionality to collect events from the ETW system.

im_exec — Program

Collects log data by executing a custom external program. The standard output of the command forms the log data.

im_file — File

Collects log data from a file on the local file system.

im_fim — File Integrity Monitoring

Scans files and directories and reports detected changes.

im_go — Go or Golang

Provides support for collecting log data with methods written in the Go language.

im_googlelogging — Google Cloud Logging

Collects logs from the Google Cloud Logging REST API.

im_googlepubsub — Google Cloud Pub/Sub

Collects logs from the Google Cloud Pub/Sub service.

im_http — HTTP/HTTPS

Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests.

im_internal — Internal

Collect log messages from NXLog Agent.

im_java — Java

Provides support for processing log data with methods written in the Java language.

im_kafka — Apache Kafka

Implements a consumer for collecting from a Kafka cluster.

im_kernel — Kernel (Enterprise Edition only for some platforms)

Collects log data from the kernel log buffer.

im_linuxaudit — Linux Audit System

Configures and collects events from the Linux Audit System

im_maces — macOS Endpoint Security

Collects logs from Apple Endpoint Security on macOS 10.15 and later.

im_maculs — macOS ULS

Collects logs from Apple’s unified logging system (ULS) on macOS.

im_mark — Mark

Outputs 'boilerplate' log data periodically to indicate that the logger is still running.

im_ms365 — Microsoft 365

Collects logs from Microsoft 365 services.

im_mseventlog — Event logging for Windows XP/2000/2003

Collects logs from Windows Event Logs.

im_msvistalog — Event logging for Windows 2008/Vista and later

Collects logs from Windows Event Logs.

im_null — Null

Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes.

im_odbc — ODBC

Uses the ODBC API to read log messages from database tables.

im_pcap — Packet Capture

Provides support to passively monitor network traffic by generating logs for various protocols.

im_perl — Perl

Captures event data directly into NXLog using Perl code.

im_pipe — Named Pipes

This module can be used to read log messages from named pipes on UNIX-like operating systems.

im_python — Python

Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported.

im_redis — Redis

Retrieves data stored in a Redis server.

im_regmon — Windows Registry Monitoring

Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.

im_ruby — Ruby

Captures event data directly into NXLog Agent using Ruby code.

im_salesforce — Salesforce

Collects event monitoring log data from a Salesforce org.

im_ssl — SSL/TLS

Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

im_systemd — Systemd

This module accepts messages from the Linux systemd journal.

im_tcp — TCP

Collects log data over a TCP network connection.

im_testgen — Test Generator

Generates log data for testing purposes.

im_udp — UDP

Collects log data over a UDP network connection.

im_uds — Unix Domain Socket

Collects log data over a Unix domain socket (typically /dev/log).

im_winperfcount — Windows Performance Counters

Periodically retrieves the values of the specified Windows Performance Counters to create an event record.

im_wseventing — Windows Event Forwarding

Collects Windows Event Log from Windows clients that have Windows Event Forwarding configured.

im_zmq — ZeroMQ

Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library.

Output modules

Output modules start with the om_* prefix. Use these modules to forward logs to their destination.

Module Description

om_amazons3 — Amazon S3

Forwards logs to Amazon S3 and compatible services.

om_azure — Microsoft Azure Sentinel

Sends data to a Microsoft Azure Sentinel server.

om_azuremonitor — Microsoft Azure Log Ingestion

Sends logs to the Azure Monitor Logs Ingestion API.

om_batchcompress — Batched Compression over TCP or SSL

Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module.

om_blocker — Blocker

Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route.

om_chronicle — Google Chronicle

Sends logs to Google Chronicle via the Ingestion API.

om_dbi — DBI

Stores log data in an SQL database using the libdbi library.

om_elasticsearch — Elasticsearch

Stores logs in an Elasticsearch server.

om_exec — Program

Writes log data to the standard input of a custom external program.

om_file — File

Writes log data to a file on the file system.

om_go — Go or Golang

Provides support for forwarding log data with methods written in the Go language.

om_googlelogging — Google Cloud Logging

Sends logs to the Google Cloud Logging API.

om_googlepubsub — Google Cloud Pub/Sub

Sends logs to the Google Cloud Pub/Sub service.

om_http — HTTP/HTTPS

Send events over HTTP or HTTPS using POST requests.

om_java — Java

Provides support for processing log data with methods written in the Java language.

om_kafka — Apache Kafka

Implements a producer for publishing to a Kafka cluster.

om_null — Null

Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes.

om_odbc — ODBC

Uses the ODBC API to write log messages to database tables.

om_perl — Perl

Uses Perl code to handle output log messages from NXLog Agent.

om_pipe — Named Pipes

This module sends logs to named pipes on UNIX-like operating systems.

om_python — Python

Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported.

om_raijin — Raijin

Stores log messages in a Raijin server.

om_redis — Redis

Stores log messages in a Redis server.

om_ruby — Ruby

Uses Ruby code to handle output log messages from NXLog Agent.

om_ssl — SSL/TLS

Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

om_tcp — TCP

Sends log data over a TCP connection to a remote host.

om_udp — UDP

Sends log data over a UDP connection to a remote host.

om_udpspoof — UDP with IP Spoofing

Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host.

om_uds — UDS

Sends log data to a Unix domain socket.

om_webhdfs — WebHDFS

Stores log data in Hadoop HDFS using the WebHDFS protocol.

om_zmq — ZeroMQ

Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library.

Processor modules

Processor modules start with the pm_* prefix. Use these modules for additional log processing between input and output modules.

Module Description

pm_blocker — Blocker

Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate when a route is blocked.

pm_buffer — Buffer

Caches messages in an in-memory or disk-based buffer before forwarding. This module is useful in combination with UDP data inputs.

pm_evcorr — Event Correlator

Perform log actions based on relationships between events.

pm_null — Null

Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes.

deprecated  pm_hmac — HMAC Message Integrity

Protects messages with an HMAC cryptographic checksum.

deprecated  pm_hmac_check — HMAC Message Integrity Checker

Checks HMAC cryptographic checksums on messages.

deprecated  pm_norepeat — Message De-Duplicator

Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables.

deprecated  pm_pattern — Pattern Matcher

Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module.

Extension modules

Extension modules start with the xm_* prefix. Use these modules to implement specialized log processing.

Module Description

xm_admin — Remote Management

Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS.

xm_aixaudit — AIX Auditing

Parses AIX audit events that have been written to file.

xm_asl — Apple System Logs

Parses events in the Apple System Log (ASL) format.

xm_bsm — Basic Security Module Auditing

Supports parsing of events written to file in Sun’s Basic Security Module (BSM) Auditing binary format.

xm_cef — CEF

Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products.

xm_charconv — Character Set Conversion

Provides functions and procedures to help you convert strings between different character sets (code pages).

xm_crypto — Encryption

Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm.

xm_csv — CSV

Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields.

xm_exec — External Program Execution

Passes log data through a custom external program for processing, either synchronously or asynchronously.

xm_filelist — File Lists

Implements file-based blacklisting or whitelisting.

xm_fileop — File Operations

Provides functions and procedures to manipulate files.

xm_gelf — GELF

Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools.

xm_go — Go or Golang

Provides support for processing log data with methods written in the Go language.

xm_grok — Grok Patterns

Provides support for parsing events with Grok patterns.

xm_java — Java

Provides support for processing log data with methods written in the Java language.

xm_json — JSON

Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data.

xm_kvp — Key-Value Pairs

Provides functions and procedures to parse and generate data that is formatted as key-value pairs.

xm_leef — LEEF

Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products.

xm_msdns — DNS Server Debug Log Parsing

Parses Microsoft Windows DNS Server debug logs

xm_multiline — Multi-Line Message Parser

Parses log entries that span multiple lines.

xm_netflow — NetFlow

Provides a parser for NetFlow payload collected over UDP.

xm_nps — NPS

Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft Radius services.

xm_pattern — Pattern Matcher

Applies advanced pattern-matching logic with better performance over regular expression-matching. Replaces pm_pattern.

xm_perl — Perl

Processes log data using Perl.

xm_python — Python

Processes log data using Python. Only versions 3.x of Python are supported.

xm_resolver — Resolver

Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names.

xm_rewrite — Rewrite

Transforms event records by modifying or discarding specific fields.

xm_ruby — Ruby

Processes log data using Ruby.

xm_sap — SAP

Registers an InputType for parsing SAP audit data.

xm_snmp — SNMP Traps

Parses SNMPv1 and SNMPv2c trap messages.

xm_syslog — Syslog

Provides helpers that let you parse and output the BSD Syslog protocol as defined by RFC 3164.

xm_w3c — W3C

Parses data in the W3C Extended Log File Format, the BRO format, and Microsoft Exchange Message Tracking logs.

xm_wtmp — WTMP

Provides a parser function to process binary WTMP files.

xm_xml — XML

Provides functions and procedures to process XML data.

xm_zlib — Compression

This module compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950.