NXLog Agent modules by type
This page lists all NXLog Agent modules organized by type.
You may see the following tags on this page:
|
Input modules
Input modules start with the im_*
prefix.
Use these modules to collect events from your log sources.
Module | Description |
---|---|
im_acct — BSD/Linux Process Accounting |
Collects process accounting logs from a Linux or BSD kernel. |
im_aixaudit — AIX Auditing |
Collects AIX audit events directly from the kernel. |
im_amazons3 — Amazon S3 |
Connects to Amazon S3 and collects logs stored in objects. |
im_azure — Azure |
Collects logs from Microsoft Azure applications. |
im_batchcompress — Batched Compression over TCP or SSL |
Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module. |
im_bsm — Basic Security Module Auditing |
Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API. |
im_checkpoint — Check Point OPSEC |
Provides support for collecting logs remotely from Check Point devices over the OPSEC LEA protocol. |
im_dbi — DBI |
Collects log data by reading data from an SQL database using the libdbi library. |
im_etw — Event Tracing for Windows (ETW) |
Implements ETW controller and consumer functionality to collect events from the ETW system. |
im_exec — Program |
Collects log data by executing a custom external program. The standard output of the command forms the log data. |
im_file — File |
Collects log data from a file on the local file system. |
im_fim — File Integrity Monitoring |
Scans files and directories and reports detected changes. |
im_go — Go or Golang |
Provides support for collecting log data with methods written in the Go language. |
im_googlelogging — Google Cloud Logging |
Collects logs from the Google Cloud Logging REST API. |
im_googlepubsub — Google Cloud Pub/Sub |
Collects logs from the Google Cloud Pub/Sub service. |
im_http — HTTP/HTTPS |
Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests. |
im_internal — Internal |
Collect log messages from NXLog Agent. |
im_java — Java |
Provides support for processing log data with methods written in the Java language. |
im_kafka — Apache Kafka |
Implements a consumer for collecting from a Kafka cluster. |
im_kernel — Kernel (Enterprise Edition only for some platforms) |
Collects log data from the kernel log buffer. |
im_linuxaudit — Linux Audit System |
Configures and collects events from the Linux Audit System |
im_maces — macOS Endpoint Security |
Collects logs from Apple Endpoint Security on macOS 10.15 and later. |
im_maculs — macOS ULS |
Collects logs from Apple’s unified logging system (ULS) on macOS. |
im_mark — Mark |
Outputs 'boilerplate' log data periodically to indicate that the logger is still running. |
im_ms365 — Microsoft 365 |
Collects logs from Microsoft 365 services. |
im_mseventlog — Event logging for Windows XP/2000/2003 |
Collects logs from Windows Event Logs. |
im_msvistalog — Event logging for Windows 2008/Vista and later |
Collects logs from Windows Event Logs. |
im_null — Null |
Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes. |
im_odbc — ODBC |
Uses the ODBC API to read log messages from database tables. |
im_pcap — Packet Capture |
Provides support to passively monitor network traffic by generating logs for various protocols. |
im_perl — Perl |
Captures event data directly into NXLog using Perl code. |
im_pipe — Named Pipes |
This module can be used to read log messages from named pipes on UNIX-like operating systems. |
im_python — Python |
Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported. |
im_redis — Redis |
Retrieves data stored in a Redis server. |
im_regmon — Windows Registry Monitoring |
Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected. |
im_ruby — Ruby |
Captures event data directly into NXLog Agent using Ruby code. |
im_salesforce — Salesforce |
Collects event monitoring log data from a Salesforce org. |
im_ssl — SSL/TLS |
Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). |
im_systemd — Systemd |
This module accepts messages from the Linux systemd journal. |
im_tcp — TCP |
Collects log data over a TCP network connection. |
im_testgen — Test Generator |
Generates log data for testing purposes. |
im_udp — UDP |
Collects log data over a UDP network connection. |
im_uds — Unix Domain Socket |
Collects log data over a Unix domain socket (typically /dev/log). |
im_winperfcount — Windows Performance Counters |
Periodically retrieves the values of the specified Windows Performance Counters to create an event record. |
im_wseventing — Windows Event Forwarding |
Collects Windows Event Log from Windows clients that have Windows Event Forwarding configured. |
im_zmq — ZeroMQ |
Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library. |
Output modules
Output modules start with the om_*
prefix.
Use these modules to forward logs to their destination.
Module | Description |
---|---|
om_amazons3 — Amazon S3 |
Forwards logs to Amazon S3 and compatible services. |
om_azure — Microsoft Azure Sentinel |
Sends data to a Microsoft Azure Sentinel server. |
om_azuremonitor — Microsoft Azure Log Ingestion |
Sends logs to the Azure Monitor Logs Ingestion API. |
om_batchcompress — Batched Compression over TCP or SSL |
Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module. |
om_blocker — Blocker |
Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route. |
om_chronicle — Google Chronicle |
Sends logs to Google Chronicle via the Ingestion API. |
om_dbi — DBI |
Stores log data in an SQL database using the libdbi library. |
om_elasticsearch — Elasticsearch |
Stores logs in an Elasticsearch server. |
om_exec — Program |
Writes log data to the standard input of a custom external program. |
om_file — File |
Writes log data to a file on the file system. |
om_go — Go or Golang |
Provides support for forwarding log data with methods written in the Go language. |
om_googlelogging — Google Cloud Logging |
Sends logs to the Google Cloud Logging API. |
om_googlepubsub — Google Cloud Pub/Sub |
Sends logs to the Google Cloud Pub/Sub service. |
om_http — HTTP/HTTPS |
Send events over HTTP or HTTPS using POST requests. |
om_java — Java |
Provides support for processing log data with methods written in the Java language. |
om_kafka — Apache Kafka |
Implements a producer for publishing to a Kafka cluster. |
om_null — Null |
Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes. |
om_odbc — ODBC |
Uses the ODBC API to write log messages to database tables. |
om_perl — Perl |
Uses Perl code to handle output log messages from NXLog Agent. |
om_pipe — Named Pipes |
This module sends logs to named pipes on UNIX-like operating systems. |
om_python — Python |
Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported. |
om_raijin — Raijin |
Stores log messages in a Raijin server. |
om_redis — Redis |
Stores log messages in a Redis server. |
om_ruby — Ruby |
Uses Ruby code to handle output log messages from NXLog Agent. |
om_ssl — SSL/TLS |
Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). |
om_tcp — TCP |
Sends log data over a TCP connection to a remote host. |
om_udp — UDP |
Sends log data over a UDP connection to a remote host. |
om_udpspoof — UDP with IP Spoofing |
Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host. |
om_uds — UDS |
Sends log data to a Unix domain socket. |
om_webhdfs — WebHDFS |
Stores log data in Hadoop HDFS using the WebHDFS protocol. |
om_zmq — ZeroMQ |
Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library. |
Processor modules
Processor modules start with the pm_*
prefix.
Use these modules for additional log processing between input and output modules.
Module | Description |
---|---|
pm_blocker — Blocker |
Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate when a route is blocked. |
pm_buffer — Buffer |
Caches messages in an in-memory or disk-based buffer before forwarding. This module is useful in combination with UDP data inputs. |
pm_evcorr — Event Correlator |
Perform log actions based on relationships between events. |
pm_null — Null |
Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes. |
deprecated pm_hmac — HMAC Message Integrity |
Protects messages with an HMAC cryptographic checksum. |
deprecated pm_hmac_check — HMAC Message Integrity Checker |
Checks HMAC cryptographic checksums on messages. |
deprecated pm_norepeat — Message De-Duplicator |
Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables. |
deprecated pm_pattern — Pattern Matcher |
Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module. |
Extension modules
Extension modules start with the xm_*
prefix.
Use these modules to implement specialized log processing.
Module | Description |
---|---|
xm_admin — Remote Management |
Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS. |
xm_aixaudit — AIX Auditing |
Parses AIX audit events that have been written to file. |
xm_asl — Apple System Logs |
Parses events in the Apple System Log (ASL) format. |
xm_bsm — Basic Security Module Auditing |
Supports parsing of events written to file in Sun’s Basic Security Module (BSM) Auditing binary format. |
xm_cef — CEF |
Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products. |
xm_charconv — Character Set Conversion |
Provides functions and procedures to help you convert strings between different character sets (code pages). |
xm_crypto — Encryption |
Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm. |
xm_csv — CSV |
Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields. |
xm_exec — External Program Execution |
Passes log data through a custom external program for processing, either synchronously or asynchronously. |
xm_filelist — File Lists |
Implements file-based blacklisting or whitelisting. |
xm_fileop — File Operations |
Provides functions and procedures to manipulate files. |
xm_gelf — GELF |
Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools. |
xm_go — Go or Golang |
Provides support for processing log data with methods written in the Go language. |
xm_grok — Grok Patterns |
Provides support for parsing events with Grok patterns. |
xm_java — Java |
Provides support for processing log data with methods written in the Java language. |
xm_json — JSON |
Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data. |
xm_kvp — Key-Value Pairs |
Provides functions and procedures to parse and generate data that is formatted as key-value pairs. |
xm_leef — LEEF |
Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products. |
xm_msdns — DNS Server Debug Log Parsing |
Parses Microsoft Windows DNS Server debug logs |
xm_multiline — Multi-Line Message Parser |
Parses log entries that span multiple lines. |
xm_netflow — NetFlow |
Provides a parser for NetFlow payload collected over UDP. |
xm_nps — NPS |
Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft Radius services. |
xm_pattern — Pattern Matcher |
Applies advanced pattern-matching logic with better performance over regular expression-matching. Replaces pm_pattern. |
xm_perl — Perl |
Processes log data using Perl. |
xm_python — Python |
Processes log data using Python. Only versions 3.x of Python are supported. |
xm_resolver — Resolver |
Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names. |
xm_rewrite — Rewrite |
Transforms event records by modifying or discarding specific fields. |
xm_ruby — Ruby |
Processes log data using Ruby. |
xm_sap — SAP |
Registers an InputType for parsing SAP audit data. |
xm_snmp — SNMP Traps |
Parses SNMPv1 and SNMPv2c trap messages. |
xm_syslog — Syslog |
Provides helpers that let you parse and output the BSD Syslog protocol as defined by RFC 3164. |
xm_w3c — W3C |
Parses data in the W3C Extended Log File Format, the BRO format, and Microsoft Exchange Message Tracking logs. |
xm_wtmp — WTMP |
Provides a parser function to process binary WTMP files. |
xm_xml — XML |
Provides functions and procedures to process XML data. |
xm_zlib — Compression |
This module compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950. |