NXLog Agent modules by type

This page lists all NXLog Agent modules organized by type. You can also view lists of NXLog Agent modules by operating system and installation package.

You may see the following tags on this page:

deprecated: Modules that have been replaced and/or are being phased out. We encourage you to switch to an alternative as they will become obsolete.
obsolete: Modules that are no longer supported and should not be used.
experimental: Modules or packages that are available on request.

Input modules

Input modules start with the im_* prefix. Use these modules to collect events from your log sources.

Module	Description
im_acct — BSD/Linux Process Accounting	Collects process accounting logs from a Linux or BSD kernel.
im_aixaudit — AIX Auditing	Collects AIX audit events directly from the kernel.
im_amazons3 — Amazon S3	Connects to Amazon S3 and collects logs stored in objects.
im_azure — Azure	Collects logs from Microsoft Azure applications.
im_batchcompress — Batched Compression over TCP or SSL	Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module.
im_bsm — Basic Security Module Auditing	Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API.
im_checkpoint — Check Point OPSEC	Provides support for collecting logs remotely from Check Point devices over the OPSEC LEA protocol.
im_dbi — DBI	Collects log data by reading data from an SQL database using the libdbi library.
im_etw — Event Tracing for Windows (ETW)	Implements ETW controller and consumer functionality to collect events from the ETW system.
im_exec — Program	Collects log data by executing a custom external program. The standard output of the command forms the log data.
im_file — File	Collects log data from a file on the local file system.
im_fim — File Integrity Monitoring	Scans files and directories and reports detected changes.
im_go — Go or Golang	Provides support for collecting log data with methods written in the Go language.
im_googlelogging — Google Cloud Logging	Collects logs from the Google Cloud Logging REST API.
im_googlepubsub — Google Cloud Pub/Sub	Collects logs from the Google Cloud Pub/Sub service.
im_http — HTTP/HTTPS	Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests.
im_internal — Internal	Collect log messages from NXLog Agent.
im_java — Java	Provides support for processing log data with methods written in the Java language.
im_kafka — Apache Kafka	Implements a consumer for collecting from a Kafka cluster.
im_kernel — Kernel (Enterprise Edition only for some platforms)	Collects log data from the kernel log buffer.
im_linuxaudit — Linux Audit System	Configures and collects events from the Linux Audit System
im_maces — macOS Endpoint Security	Collects logs from Apple Endpoint Security on macOS 10.15 and later.
im_maculs — macOS ULS	Collects logs from Apple’s unified logging system (ULS) on macOS.
im_mark — Mark	Outputs 'boilerplate' log data periodically to indicate that the logger is still running.
im_ms365 — Microsoft 365	Collects logs from Microsoft 365 services.
im_mseventlog — Event logging for Windows XP/2000/2003	Collects logs from Windows Event Logs.
im_msvistalog — Event logging for Windows 2008/Vista and later	Collects logs from Windows Event Logs.
im_null — Null	Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes.
im_odbc — ODBC	Uses the ODBC API to read log messages from database tables.
im_pcap — Packet Capture	Provides support to passively monitor network traffic by generating logs for various protocols.
im_perl — Perl	Captures event data directly into NXLog using Perl code.
im_pipe — Named Pipes	This module can be used to read log messages from named pipes on UNIX-like operating systems.
im_python — Python	Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported.
im_redis — Redis	Retrieves data stored in a Redis server.
im_regmon — Windows Registry Monitoring	Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.
im_ruby — Ruby	Captures event data directly into NXLog Agent using Ruby code.
im_salesforce — Salesforce	Collects event monitoring log data from a Salesforce org.
im_ssl — SSL/TLS	Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
im_systemd — Systemd	This module accepts messages from the Linux systemd journal.
im_tcp — TCP	Collects log data over a TCP network connection.
im_testgen — Test Generator	Generates log data for testing purposes.
im_udp — UDP	Collects log data over a UDP network connection.
im_uds — Unix Domain Socket	Collects log data over a Unix domain socket (typically /dev/log).
im_winperfcount — Windows Performance Counters	Periodically retrieves the values of the specified Windows Performance Counters to create an event record.
im_wseventing — Windows Event Forwarding	Collects Windows Event Log from Windows clients that have Windows Event Forwarding configured.
im_zmq — ZeroMQ	Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library.

Module

Description

im_acct — BSD/Linux Process Accounting

Collects process accounting logs from a Linux or BSD kernel.

im_aixaudit — AIX Auditing

Collects AIX audit events directly from the kernel.

im_amazons3 — Amazon S3

Connects to Amazon S3 and collects logs stored in objects.

im_azure — Azure

Collects logs from Microsoft Azure applications.

im_batchcompress — Batched Compression over TCP or SSL

Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module.

im_bsm — Basic Security Module Auditing

Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API.

im_checkpoint — Check Point OPSEC

Provides support for collecting logs remotely from Check Point devices over the OPSEC LEA protocol.

im_dbi — DBI

Collects log data by reading data from an SQL database using the libdbi library.

im_etw — Event Tracing for Windows (ETW)

Implements ETW controller and consumer functionality to collect events from the ETW system.

im_exec — Program

Collects log data by executing a custom external program. The standard output of the command forms the log data.

im_file — File

Collects log data from a file on the local file system.

im_fim — File Integrity Monitoring

Scans files and directories and reports detected changes.

im_go — Go or Golang

Provides support for collecting log data with methods written in the Go language.

im_googlelogging — Google Cloud Logging

Collects logs from the Google Cloud Logging REST API.

im_googlepubsub — Google Cloud Pub/Sub

Collects logs from the Google Cloud Pub/Sub service.

im_http — HTTP/HTTPS

Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests.

im_internal — Internal

Collect log messages from NXLog Agent.

im_java — Java

Provides support for processing log data with methods written in the Java language.

im_kafka — Apache Kafka

Implements a consumer for collecting from a Kafka cluster.

im_kernel — Kernel (Enterprise Edition only for some platforms)

Collects log data from the kernel log buffer.

im_linuxaudit — Linux Audit System

Configures and collects events from the Linux Audit System

im_maces — macOS Endpoint Security

Collects logs from Apple Endpoint Security on macOS 10.15 and later.

im_maculs — macOS ULS

Collects logs from Apple’s unified logging system (ULS) on macOS.

im_mark — Mark

Outputs 'boilerplate' log data periodically to indicate that the logger is still running.

im_ms365 — Microsoft 365

Collects logs from Microsoft 365 services.

im_mseventlog — Event logging for Windows XP/2000/2003

Collects logs from Windows Event Logs.

im_msvistalog — Event logging for Windows 2008/Vista and later

Collects logs from Windows Event Logs.

im_null — Null

Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes.

im_odbc — ODBC

Uses the ODBC API to read log messages from database tables.

im_pcap — Packet Capture

Provides support to passively monitor network traffic by generating logs for various protocols.

im_perl — Perl

Captures event data directly into NXLog using Perl code.

im_pipe — Named Pipes

This module can be used to read log messages from named pipes on UNIX-like operating systems.

im_python — Python

Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported.

im_redis — Redis

Retrieves data stored in a Redis server.

im_regmon — Windows Registry Monitoring

Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.

im_ruby — Ruby

Captures event data directly into NXLog Agent using Ruby code.

im_salesforce — Salesforce

Collects event monitoring log data from a Salesforce org.

im_ssl — SSL/TLS

Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

im_systemd — Systemd

This module accepts messages from the Linux systemd journal.

im_tcp — TCP

Collects log data over a TCP network connection.

im_testgen — Test Generator

Generates log data for testing purposes.

im_udp — UDP

Collects log data over a UDP network connection.

im_uds — Unix Domain Socket

Collects log data over a Unix domain socket (typically /dev/log).

im_winperfcount — Windows Performance Counters

Periodically retrieves the values of the specified Windows Performance Counters to create an event record.

im_wseventing — Windows Event Forwarding

Collects Windows Event Log from Windows clients that have Windows Event Forwarding configured.

im_zmq — ZeroMQ

Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library.

Output modules

Output modules start with the om_* prefix. Use these modules to forward logs to their destination.

Module	Description
om_amazons3 — Amazon S3	Forwards logs to Amazon S3 and compatible services.
om_azure — Microsoft Azure Sentinel	Sends data to a Microsoft Azure Sentinel server.
om_azuremonitor — Microsoft Azure Log Ingestion	Sends logs to the Azure Monitor Logs Ingestion API.
om_batchcompress — Batched Compression over TCP or SSL	Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module.
om_blocker — Blocker	Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route.
om_chronicle — Google Chronicle	Sends logs to Google Chronicle via the Ingestion API.
om_dbi — DBI	Stores log data in an SQL database using the libdbi library.
om_elasticsearch — Elasticsearch	Stores logs in an Elasticsearch server.
om_exec — Program	Writes log data to the standard input of a custom external program.
om_file — File	Writes log data to a file on the file system.
om_go — Go or Golang	Provides support for forwarding log data with methods written in the Go language.
om_googlelogging — Google Cloud Logging	Sends logs to the Google Cloud Logging API.
om_googlepubsub — Google Cloud Pub/Sub	Sends logs to the Google Cloud Pub/Sub service.
om_http — HTTP/HTTPS	Send events over HTTP or HTTPS using POST requests.
om_java — Java	Provides support for processing log data with methods written in the Java language.
om_kafka — Apache Kafka	Implements a producer for publishing to a Kafka cluster.
om_null — Null	Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes.
om_odbc — ODBC	Uses the ODBC API to write log messages to database tables.
om_perl — Perl	Uses Perl code to handle output log messages from NXLog Agent.
om_pipe — Named Pipes	This module sends logs to named pipes on UNIX-like operating systems.
om_python — Python	Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported.
om_raijin — Raijin	Stores log messages in a Raijin server.
om_redis — Redis	Stores log messages in a Redis server.
om_ruby — Ruby	Uses Ruby code to handle output log messages from NXLog Agent.
om_ssl — SSL/TLS	Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
om_tcp — TCP	Sends log data over a TCP connection to a remote host.
om_udp — UDP	Sends log data over a UDP connection to a remote host.
om_udpspoof — UDP with IP Spoofing	Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host.
om_uds — UDS	Sends log data to a Unix domain socket.
om_webhdfs — WebHDFS	Stores log data in Hadoop HDFS using the WebHDFS protocol.
om_zmq — ZeroMQ	Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library.

Module

Description

om_amazons3 — Amazon S3

Forwards logs to Amazon S3 and compatible services.

om_azure — Microsoft Azure Sentinel

Sends data to a Microsoft Azure Sentinel server.

om_azuremonitor — Microsoft Azure Log Ingestion

Sends logs to the Azure Monitor Logs Ingestion API.

om_batchcompress — Batched Compression over TCP or SSL

Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module.

om_blocker — Blocker

Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route.

om_chronicle — Google Chronicle

Sends logs to Google Chronicle via the Ingestion API.

om_dbi — DBI

Stores log data in an SQL database using the libdbi library.

om_elasticsearch — Elasticsearch

Stores logs in an Elasticsearch server.

om_exec — Program

Writes log data to the standard input of a custom external program.

om_file — File

Writes log data to a file on the file system.

om_go — Go or Golang

Provides support for forwarding log data with methods written in the Go language.

om_googlelogging — Google Cloud Logging

Sends logs to the Google Cloud Logging API.

om_googlepubsub — Google Cloud Pub/Sub

Sends logs to the Google Cloud Pub/Sub service.

om_http — HTTP/HTTPS

Send events over HTTP or HTTPS using POST requests.

om_java — Java

Provides support for processing log data with methods written in the Java language.

om_kafka — Apache Kafka

Implements a producer for publishing to a Kafka cluster.

om_null — Null

Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes.

om_odbc — ODBC

Uses the ODBC API to write log messages to database tables.

om_perl — Perl

Uses Perl code to handle output log messages from NXLog Agent.

om_pipe — Named Pipes

This module sends logs to named pipes on UNIX-like operating systems.

om_python — Python

Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported.

om_raijin — Raijin

Stores log messages in a Raijin server.

om_redis — Redis

Stores log messages in a Redis server.

om_ruby — Ruby

Uses Ruby code to handle output log messages from NXLog Agent.

om_ssl — SSL/TLS

Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

om_tcp — TCP

Sends log data over a TCP connection to a remote host.

om_udp — UDP

Sends log data over a UDP connection to a remote host.

om_udpspoof — UDP with IP Spoofing

Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host.

om_uds — UDS

Sends log data to a Unix domain socket.

om_webhdfs — WebHDFS

Stores log data in Hadoop HDFS using the WebHDFS protocol.

om_zmq — ZeroMQ

Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library.

Processor modules

Processor modules start with the pm_* prefix. Use these modules for additional log processing between input and output modules.

Module	Description
pm_blocker — Blocker	Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate when a route is blocked.
pm_buffer — Buffer	Caches messages in an in-memory or disk-based buffer before forwarding. This module is useful in combination with UDP data inputs.
pm_evcorr — Event Correlator	Perform log actions based on relationships between events.
pm_null — Null	Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes.
deprecated pm_hmac — HMAC Message Integrity	Protects messages with an HMAC cryptographic checksum.
deprecated pm_hmac_check — HMAC Message Integrity Checker	Checks HMAC cryptographic checksums on messages.
deprecated pm_norepeat — Message De-Duplicator	Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables.
deprecated pm_pattern — Pattern Matcher	Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module.

Module

Description

pm_blocker — Blocker

Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate when a route is blocked.

pm_buffer — Buffer

Caches messages in an in-memory or disk-based buffer before forwarding. This module is useful in combination with UDP data inputs.

pm_evcorr — Event Correlator

Perform log actions based on relationships between events.

pm_null — Null

Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes.

deprecated pm_hmac — HMAC Message Integrity

Protects messages with an HMAC cryptographic checksum.

deprecated pm_hmac_check — HMAC Message Integrity Checker

Checks HMAC cryptographic checksums on messages.

deprecated pm_norepeat — Message De-Duplicator

Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables.

deprecated pm_pattern — Pattern Matcher

Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module.

Extension modules

Extension modules start with the xm_* prefix. Use these modules to implement specialized log processing.

Module	Description
xm_admin — Remote Management	Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS.
xm_aixaudit — AIX Auditing	Parses AIX audit events that have been written to file.
xm_asl — Apple System Logs	Parses events in the Apple System Log (ASL) format.
xm_bsm — Basic Security Module Auditing	Supports parsing of events written to file in Sun’s Basic Security Module (BSM) Auditing binary format.
xm_cef — CEF	Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products.
xm_charconv — Character Set Conversion	Provides functions and procedures to help you convert strings between different character sets (code pages).
xm_crypto — Encryption	Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm.
xm_csv — CSV	Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields.
xm_exec — External Program Execution	Passes log data through a custom external program for processing, either synchronously or asynchronously.
xm_filelist — File Lists	Implements file-based blacklisting or whitelisting.
xm_fileop — File Operations	Provides functions and procedures to manipulate files.
xm_gelf — GELF	Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools.
xm_go — Go or Golang	Provides support for processing log data with methods written in the Go language.
xm_grok — Grok Patterns	Provides support for parsing events with Grok patterns.
xm_java — Java	Provides support for processing log data with methods written in the Java language.
xm_json — JSON	Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data.
xm_kvp — Key-Value Pairs	Provides functions and procedures to parse and generate data that is formatted as key-value pairs.
xm_leef — LEEF	Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products.
xm_msdns — DNS Server Debug Log Parsing	Parses Microsoft Windows DNS Server debug logs
xm_multiline — Multi-Line Message Parser	Parses log entries that span multiple lines.
xm_netflow — NetFlow	Provides a parser for NetFlow payload collected over UDP.
xm_nps — NPS	Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft Radius services.
xm_pattern — Pattern Matcher	Applies advanced pattern-matching logic with better performance over regular expression-matching. Replaces pm_pattern.
xm_perl — Perl	Processes log data using Perl.
xm_python — Python	Processes log data using Python. Only versions 3.x of Python are supported.
xm_resolver — Resolver	Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names.
xm_rewrite — Rewrite	Transforms event records by modifying or discarding specific fields.
xm_ruby — Ruby	Processes log data using Ruby.
xm_sap — SAP	Registers an InputType for parsing SAP audit data.
xm_snmp — SNMP Traps	Parses SNMPv1 and SNMPv2c trap messages.
xm_syslog — Syslog	Provides helpers that let you parse and output the BSD Syslog protocol as defined by RFC 3164.
xm_w3c — W3C	Parses data in the W3C Extended Log File Format, the BRO format, and Microsoft Exchange Message Tracking logs.
xm_wtmp — WTMP	Provides a parser function to process binary WTMP files.
xm_xml — XML	Provides functions and procedures to process XML data.
xm_zlib — Compression	This module compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950.

Module

Description

xm_admin — Remote Management

Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS.

xm_aixaudit — AIX Auditing

Parses AIX audit events that have been written to file.

xm_asl — Apple System Logs

Parses events in the Apple System Log (ASL) format.

xm_bsm — Basic Security Module Auditing

Supports parsing of events written to file in Sun’s Basic Security Module (BSM) Auditing binary format.

xm_cef — CEF

Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products.

xm_charconv — Character Set Conversion

Provides functions and procedures to help you convert strings between different character sets (code pages).

xm_crypto — Encryption

Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm.

xm_csv — CSV

Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields.

xm_exec — External Program Execution

Passes log data through a custom external program for processing, either synchronously or asynchronously.

xm_filelist — File Lists

Implements file-based blacklisting or whitelisting.

xm_fileop — File Operations

Provides functions and procedures to manipulate files.

xm_gelf — GELF

Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools.

xm_go — Go or Golang

Provides support for processing log data with methods written in the Go language.

xm_grok — Grok Patterns

Provides support for parsing events with Grok patterns.

xm_java — Java

Provides support for processing log data with methods written in the Java language.

xm_json — JSON

Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data.

xm_kvp — Key-Value Pairs

Provides functions and procedures to parse and generate data that is formatted as key-value pairs.

xm_leef — LEEF

Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products.

xm_msdns — DNS Server Debug Log Parsing

Parses Microsoft Windows DNS Server debug logs

xm_multiline — Multi-Line Message Parser

Parses log entries that span multiple lines.

xm_netflow — NetFlow

Provides a parser for NetFlow payload collected over UDP.

xm_nps — NPS

Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft Radius services.

xm_pattern — Pattern Matcher

Applies advanced pattern-matching logic with better performance over regular expression-matching. Replaces pm_pattern.

xm_perl — Perl

Processes log data using Perl.

xm_python — Python

Processes log data using Python. Only versions 3.x of Python are supported.

xm_resolver — Resolver

Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names.

xm_rewrite — Rewrite

Transforms event records by modifying or discarding specific fields.

xm_ruby — Ruby

Processes log data using Ruby.

xm_sap — SAP

Registers an InputType for parsing SAP audit data.

xm_snmp — SNMP Traps

Parses SNMPv1 and SNMPv2c trap messages.

xm_syslog — Syslog

Provides helpers that let you parse and output the BSD Syslog protocol as defined by RFC 3164.

xm_w3c — W3C

Parses data in the W3C Extended Log File Format, the BRO format, and Microsoft Exchange Message Tracking logs.

xm_wtmp — WTMP

Provides a parser function to process binary WTMP files.

xm_xml — XML

Provides functions and procedures to process XML data.

xm_zlib — Compression

This module compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950.