Release notes

NXLog Agent 6.5

Release date

18 December 2024

New
  • Added wildcard support to the im_winperfcount module, enabling users to specify multiple Windows performance counters with a single directive. This feature includes the ability to retrieve counters in either an aggregate or individual way, and to exclude specific counters. Please note that subscribing to an excessively large number of counters may increase the CPU usage of NXLog Agent.

  • Added the new im_azuremonitor module, which provides better support for the Azure log monitoring stack than the existing im_azure module. For example, it supports proxies, internal pagination of long responses, and more precise request handling.

  • Added the new om_otel module for forwarding OpenTelemetry logs and traces over both HTTP(S) and gRPC connections. This module is used in new Solution Packs that support the quick implementation of OS-level security event collection and forwarding to compatible logging and analysis systems.

  • Added the following directives to the im_msvistalog module to allow users to fine-tune the module behavior to their needs:

    • ParseEventXML selects between the slower but more accurate Windows-native event rendering and the faster but less accurate NXLog Agent method.

    • CaptureMessageFast selects between the slower but more accurate Windows-native creation of the $Message field and the faster but less accurate NXLog Agent method.

    • ResolvedIDOutput specifies whether SID and GUID values are resolved only in data fields or in the $Message field as well.

  • Added the following directives to TCP-based modules to better support batch data transfer or connection interruptions:

    • ConnectionIdleTimeout applies to both input and output modules, and closes inactive connections after the specified duration.

    • ReconnectOnData applies to output modules only, and prevents reconnecting unless there is new data to be sent.

    The new directives allow freeing kernel-level resources during transmission breaks, but require additional time to reconnect before sending new data.

  • Added support for macOS 15, including the new events from the corresponding Endpoint Security API update.

  • Added support for FreeBSD 14.

  • Added support for Oracle Linux 8 and 9.

Known issues
  • NXLog Agent is not yet tested on operating systems or environments that are shipped with OpenSSL 3.2.x (such as RHEL 9.5), and might have compatibility issues due to major changes introduced in OpenSSL 3.2.2. As a workaround, downgrade OpenSSL to version 3.0.*.

  • The newly introduced im_otel module does not yet support gRPC+TLS when configured with an IP address. Only domain names are allowed for now. This limitation will be fixed in a future release.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error that causes the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue starting from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

  • The following modules are not supported on Debian 8 Jessie and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • There is a small possibility that the im_ms365 module generates multiple events for the same email, caused by a duplicate Reporting Web Service API response.

  • NXLog Agent relies on an external systemd service, which is usually part of the operating system. Several operating systems, such as CentOS 8, CentOS 9, RHEL 9, Debian 12, Ubuntu 22, Ubuntu 24, Amazon Linux 2023, and possibly others, include a known bug that causes a failure during log rotation. From the agent's perspective, this issue results in an NXLog Agent crash (version 6.2 and earlier) or manifests as a log entry containing "BAD MESSAGE" (versions 6.3 and 6.3HF1). This situation cannot be fully resolved by NXLog Agent alone. We have developed a recovery procedure to restore log acquisition, but during the failure event, NXLog Agent cannot guarantee the acquisition of all events without losses. We are ready to provide full technical support to our customers regarding this issue. Please note that some operating systems are not affected by this problem.

NXLog Agent 6.4

Release date

30 September 2024

New
  • Added two new directives, AllowIP and BlockIP, to the im_udp module:

    • Allow rejecting packets from unwanted senders.

    • Help keep the inbound UDP buffer clean, which can prevent potential loss of messages.

  • Added a new ExitTimeout directive to the om_exec and im_exec modules:

    • Controls the time allowed for the child process to finish its operation properly.

    • Prevents the timeout control from shutting down a spawned process.

  • Introduced a new MaxConnections directive to all TCP-based modules, which prevents memory usage overload on the OS and informs external nodes that the agent is not ready to receive additional connections.

  • To make installing the agent’s packages for NXLog Platform easier, two environment variables, NXP_ADDRESS and NXP_AGENT_LABEL, have been added:

    • NXP_ADDRESS sets the correct hostname in managed.conf, allowing the agent to connect to the parent host automatically after installation.

    • NXP_AGENT_LABEL assigns a host label in the xm_admin section. This method is recommended when using the auto-enroll feature to assign a specific template to the agent during connection.

  • Introduced a new ShowExtendedInfo directive for the im_etw module, which exposes service fields for consistency.

  • Introduced initial support for the OpenTelemetry protocol with the new im_otel module. This module allows for the collection of logs and traces over both HTTPS and gRPC transport. Future updates will expand this functionality, including adding an om_otel module for sending data and subsequent support for metrics collection.

  • Added support for declarative event structure rewriting in the new xm_transform module:

    • A new Schema directive allows setting a static schema for the event structure.

    • A new SchemaMap directive, together with a selector function, enables dynamic schema selection using a <SchemaMap> table and the process(selector) function.

    • For complex cases, schemas can be selected directly from an external file with set_schema_file(filename).

Known issues
  • The newly introduced im_otel module does not yet support gRPC+TLS when configured with an IP address. Only domain names are allowed for now. This limitation will be fixed in a future release.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error that causes the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue starting from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

  • The following modules are not supported on Debian 8 Jessie and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • There is a small possibility that the im_ms365 module generates multiple events for the same email, caused by a duplicate Reporting Web Service API response.

  • NXLog Agent relies on an external systemd service, which is usually part of the operating system. Several operating systems, such as CentOS 8, CentOS 9, RHEL 9, Debian 12, Ubuntu 22, Ubuntu 24, Amazon Linux 2023, and possibly others, include a known bug that causes a failure during log rotation. From the agent's perspective, this issue results in an NXLog Agent crash (version 6.2 and earlier) or manifests as a log entry containing "BAD MESSAGE" (versions 6.3 and 6.3HF1). This situation cannot be fully resolved by NXLog Agent alone. We have developed a recovery procedure to restore log acquisition, but during the failure event, NXLog Agent cannot guarantee the acquisition of all events without losses. We are ready to provide full technical support to our customers regarding this issue. Please note that some operating systems are not affected by this problem.

NXLog Agent 6.3

Release date

13 May 2024

New
  • Added new functionality to the xm_nps module:

    • Parsing of DTS (XML-style) log format

    • Automatic detection of the log format

  • Enhanced the event coverage of the im_maces module up to macOS API v13

  • Added new functionality to the xm_pattern module and configuration language:

    • Exact string matching can now be performed using contains, startswith, and endswith

    • Case sensitivity can be turned off

  • Modules that support TLS/SSL on the Windows platform now accept patterns to match the host and CA certificates, in addition to the exact thumbprint

  • Enhanced internal log messages:

    • The message "Host not resolved" now includes the hostname

    • It’s now possible to enable logging the exact cipher and protocol version of SSL connections for audit purposes

  • Added support for Debian 12

Known issues
  • Microsoft Windows Server 2022 and Windows 11 exhibit an error that causes the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue starting from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

  • The following modules are not supported on Debian 8 Jessie and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • There is a small possibility that the im_ms365 module generates multiple events for the same email, caused by a duplicate Reporting Web Service API response.

  • NXLog Agent relies on the external systemd library, which is usually part of the operating system. Some container-related software may truncate the systemd journal and trigger an operating system-level SIGBUS error, which in turn may cause NXLog Agent to crash. This bug is already fixed on some operating systems, but the following were still affected on 1 May 2024: Amazon Linux 2023, Debian 11.

NXLog Agent 6.2

Release date

4 December 2023

New
  • Added new functionality to im_file and im_fim modules:

    • Implemented new FollowSymlinks directive to uniformly support file and folder symlinks

    • Improved Recursive directive to support traversing nested folders

  • Added new functionality to the om_azuremonitor module:

    • Added an alias StreamName to the TableName directive to match the log stream name configured in the data collection rule (DCR) in Azure Monitor

    • Implemented autofill feature for the mandatory TimeGenerated outgoing message field if the field is empty or has incompatible data

  • Improved the om_kafka module to handle incompatible Compression options

  • Improved the im_wseventing module to stop ignoring authentication

  • Modified the SetUid function of the xm_admin module to remove forceful reboot of NXLog Agent

Known issues
  • The change from using event batches to bytes in the LogqueueSize directive is not backward-compatible. If updating from NXLog Agent version 5 or older, you must modify your configuration accordingly.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error that causes the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue starting from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

  • The following modules are not supported on Debian 8 Jessie and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • There is a small possibility that the im_ms365 module generates multiple events for the same email, caused by a duplicate Reporting Web Service API response.