NXLog Agent modules by type

This page lists all NXLog Agent modules organized by type.

You may see the following tags on this page:

deprecated: Modules that have been replaced and/or are being phased out. We encourage you to switch to an alternative as they will become obsolete.
obsolete: Modules that are no longer supported and should not be used.
experimental: Modules or packages that are available on request.

Input modules

Input modules start with the im_* prefix. Use these modules to collect events from your log sources.

Module	Description
im_acct — BSD/Linux Process Accounting	Collects process accounting logs from a Linux or BSD kernel.
im_aixaudit — AIX Auditing	Collects AIX audit events directly from the kernel.
im_amazons3 — Amazon S3	Connects to Amazon S3 and collects logs stored in objects.
im_azure — Azure	Collects logs from Microsoft Azure applications.
im_batchcompress — Batched Compression over TCP or SSL	Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module.
im_bsm — Basic Security Module Auditing	Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API.
im_checkpoint — Check Point OPSEC	Provides support for collecting logs remotely from Check Point devices over the OPSEC LEA protocol.
im_dbi — DBI	Collects log data by reading data from an SQL database using the libdbi library.
im_etw — Event Tracing for Windows (ETW)	Implements ETW controller and consumer functionality to collect events from the ETW system.
im_exec — Program	Collects log data by executing a custom external program. The standard output of the command forms the log data.
im_file — File	Collects log data from a file on the local file system.
im_fim — File Integrity Monitoring	Scans files and directories and reports detected changes.
im_go — Go or Golang	Provides support for collecting log data with methods written in the Go language.
im_googlelogging — Google Cloud Logging	Collects logs from the Google Cloud Logging REST API.
im_googlepubsub — Google Cloud Pub/Sub	Collects logs from the Google Cloud Pub/Sub service.
im_http — HTTP/HTTPS	Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests.
im_internal — Internal	Collect log messages from NXLog Agent.
im_java — Java	Provides support for processing log data with methods written in the Java language.
im_kafka — Apache Kafka	Implements a consumer for collecting from a Kafka cluster.
im_kernel — Kernel (Enterprise Edition only for some platforms)	Collects log data from the kernel log buffer.
im_linuxaudit — Linux Audit System	Configures and collects events from the Linux Audit System
im_maces — macOS Endpoint Security	Collects logs from Apple Endpoint Security on macOS 10.15 and later.
im_maculs — macOS ULS	Collects logs from Apple’s unified logging system (ULS) on macOS.
im_mark — Mark	Outputs 'boilerplate' log data periodically to indicate that the logger is still running.
im_ms365 — Microsoft 365	Collects logs from Microsoft 365 services.
im_mseventlog — Event logging for Windows XP/2000/2003	Collects logs from Windows Event Logs.
im_msvistalog — Event logging for Windows 2008/Vista and later	Collects logs from Windows Event Logs.
im_null — Null	Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes.
im_odbc — ODBC	Uses the ODBC API to read log messages from database tables.
im_pcap — Packet Capture	Provides support to passively monitor network traffic by generating logs for various protocols.
im_perl — Perl	Captures event data directly into NXLog using Perl code.
im_pipe — Named Pipes	This module can be used to read log messages from named pipes on UNIX-like operating systems.
im_python — Python	Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported.
im_redis — Redis	Retrieves data stored in a Redis server.
im_regmon — Windows Registry Monitoring	Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.
im_ruby — Ruby	Captures event data directly into NXLog Agent using Ruby code.
im_salesforce — Salesforce	Collects event monitoring log data from a Salesforce org.
im_ssl — SSL/TLS	Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
im_systemd — Systemd	This module accepts messages from the Linux systemd journal.
im_tcp — TCP	Collects log data over a TCP network connection.
im_testgen — Test Generator	Generates log data for testing purposes.
im_udp — UDP	Collects log data over a UDP network connection.
im_uds — Unix Domain Socket	Collects log data over a Unix domain socket (typically /dev/log).
im_winperfcount — Windows Performance Counters	Periodically retrieves the values of the specified Windows Performance Counters to create an event record.
im_wseventing — Windows Event Forwarding	Collects Windows Event Log from Windows clients that have Windows Event Forwarding configured.
im_zmq — ZeroMQ	Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library.

Module

Description

im_acct — BSD/Linux Process Accounting

Collects process accounting logs from a Linux or BSD kernel.

im_aixaudit — AIX Auditing

Collects AIX audit events directly from the kernel.

im_amazons3 — Amazon S3

Connects to Amazon S3 and collects logs stored in objects.

im_azure — Azure

Collects logs from Microsoft Azure applications.

im_batchcompress — Batched Compression over TCP or SSL

Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module.

im_bsm — Basic Security Module Auditing

Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API.

im_checkpoint — Check Point OPSEC

Provides support for collecting logs remotely from Check Point devices over the OPSEC LEA protocol.

im_dbi — DBI

Collects log data by reading data from an SQL database using the libdbi library.

im_etw — Event Tracing for Windows (ETW)

Implements ETW controller and consumer functionality to collect events from the ETW system.

im_exec — Program

Collects log data by executing a custom external program. The standard output of the command forms the log data.

im_file — File

Collects log data from a file on the local file system.

im_fim — File Integrity Monitoring

Scans files and directories and reports detected changes.

im_go — Go or Golang

Provides support for collecting log data with methods written in the Go language.

im_googlelogging — Google Cloud Logging

Collects logs from the Google Cloud Logging REST API.

im_googlepubsub — Google Cloud Pub/Sub

Collects logs from the Google Cloud Pub/Sub service.

im_http — HTTP/HTTPS

Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests.

im_internal — Internal

Collect log messages from NXLog Agent.

im_java — Java

Provides support for processing log data with methods written in the Java language.

im_kafka — Apache Kafka

Implements a consumer for collecting from a Kafka cluster.

im_kernel — Kernel (Enterprise Edition only for some platforms)

Collects log data from the kernel log buffer.

im_linuxaudit — Linux Audit System

Configures and collects events from the Linux Audit System

im_maces — macOS Endpoint Security

Collects logs from Apple Endpoint Security on macOS 10.15 and later.

im_maculs — macOS ULS

Collects logs from Apple’s unified logging system (ULS) on macOS.

im_mark — Mark

Outputs 'boilerplate' log data periodically to indicate that the logger is still running.

im_ms365 — Microsoft 365

Collects logs from Microsoft 365 services.

im_mseventlog — Event logging for Windows XP/2000/2003

Collects logs from Windows Event Logs.

im_msvistalog — Event logging for Windows 2008/Vista and later

Collects logs from Windows Event Logs.

im_null — Null

Acts as a dummy input module. It does not generate any data. You can use this module for testing purposes.

im_odbc — ODBC

Uses the ODBC API to read log messages from database tables.

im_pcap — Packet Capture

Provides support to passively monitor network traffic by generating logs for various protocols.

im_perl — Perl

Captures event data directly into NXLog using Perl code.

im_pipe — Named Pipes

This module can be used to read log messages from named pipes on UNIX-like operating systems.

im_python — Python

Captures event data directly into NXLog Agent using Python code. Only Python version 3.x is supported.

im_redis — Redis

Retrieves data stored in a Redis server.

im_regmon — Windows Registry Monitoring

Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.

im_ruby — Ruby

Captures event data directly into NXLog Agent using Ruby code.

im_salesforce — Salesforce

Collects event monitoring log data from a Salesforce org.

im_ssl — SSL/TLS

Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

im_systemd — Systemd

This module accepts messages from the Linux systemd journal.

im_tcp — TCP

Collects log data over a TCP network connection.

im_testgen — Test Generator

Generates log data for testing purposes.

im_udp — UDP

Collects log data over a UDP network connection.

im_uds — Unix Domain Socket

Collects log data over a Unix domain socket (typically /dev/log).

im_winperfcount — Windows Performance Counters

Periodically retrieves the values of the specified Windows Performance Counters to create an event record.

im_wseventing — Windows Event Forwarding

Collects Windows Event Log from Windows clients that have Windows Event Forwarding configured.

im_zmq — ZeroMQ

Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library.

Output modules

Output modules start with the om_* prefix. Use these modules to forward logs to their destination.

Module	Description
om_amazons3 — Amazon S3	Forwards logs to Amazon S3 and compatible services.
om_azure — Microsoft Azure Sentinel	Sends data to a Microsoft Azure Sentinel server.
om_azuremonitor — Microsoft Azure Log Ingestion	Sends logs to the Azure Monitor Logs Ingestion API.
om_batchcompress — Batched Compression over TCP or SSL	Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module.
om_blocker — Blocker	Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route.
om_chronicle — Google Chronicle	Sends logs to Google Chronicle via the Ingestion API.
om_dbi — DBI	Stores log data in an SQL database using the libdbi library.
om_elasticsearch — Elasticsearch	Stores logs in an Elasticsearch server.
om_exec — Program	Writes log data to the standard input of a custom external program.
om_file — File	Writes log data to a file on the file system.
om_go — Go or Golang	Provides support for forwarding log data with methods written in the Go language.
om_googlelogging — Google Cloud Logging	Sends logs to the Google Cloud Logging API.
om_googlepubsub — Google Cloud Pub/Sub	Sends logs to the Google Cloud Pub/Sub service.
om_http — HTTP/HTTPS	Send events over HTTP or HTTPS using POST requests.
om_java — Java	Provides support for processing log data with methods written in the Java language.
om_kafka — Apache Kafka	Implements a producer for publishing to a Kafka cluster.
om_null — Null	Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes.
om_odbc — ODBC	Uses the ODBC API to write log messages to database tables.
om_perl — Perl	Uses Perl code to handle output log messages from NXLog Agent.
om_pipe — Named Pipes	This module sends logs to named pipes on UNIX-like operating systems.
om_python — Python	Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported.
om_raijin — Raijin	Stores log messages in a Raijin server.
om_redis — Redis	Stores log messages in a Redis server.
om_ruby — Ruby	Uses Ruby code to handle output log messages from NXLog Agent.
om_ssl — SSL/TLS	Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
om_tcp — TCP	Sends log data over a TCP connection to a remote host.
om_udp — UDP	Sends log data over a UDP connection to a remote host.
om_udpspoof — UDP with IP Spoofing	Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host.
om_uds — UDS	Sends log data to a Unix domain socket.
om_webhdfs — WebHDFS	Stores log data in Hadoop HDFS using the WebHDFS protocol.
om_zmq — ZeroMQ	Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library.

Module

Description

om_amazons3 — Amazon S3

Forwards logs to Amazon S3 and compatible services.

om_azure — Microsoft Azure Sentinel

Sends data to a Microsoft Azure Sentinel server.

om_azuremonitor — Microsoft Azure Log Ingestion

Sends logs to the Azure Monitor Logs Ingestion API.

om_batchcompress — Batched Compression over TCP or SSL

Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module.

om_blocker — Blocker

Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route.

om_chronicle — Google Chronicle

Sends logs to Google Chronicle via the Ingestion API.

om_dbi — DBI

Stores log data in an SQL database using the libdbi library.

om_elasticsearch — Elasticsearch

Stores logs in an Elasticsearch server.

om_exec — Program

Writes log data to the standard input of a custom external program.

om_file — File

Writes log data to a file on the file system.

om_go — Go or Golang

Provides support for forwarding log data with methods written in the Go language.

om_googlelogging — Google Cloud Logging

Sends logs to the Google Cloud Logging API.

om_googlepubsub — Google Cloud Pub/Sub

Sends logs to the Google Cloud Pub/Sub service.

om_http — HTTP/HTTPS

Send events over HTTP or HTTPS using POST requests.

om_java — Java

Provides support for processing log data with methods written in the Java language.

om_kafka — Apache Kafka

Implements a producer for publishing to a Kafka cluster.

om_null — Null

Acts as a dummy output module. It does not write or forward the output. You can use this module for testing purposes.

om_odbc — ODBC

Uses the ODBC API to write log messages to database tables.

om_perl — Perl

Uses Perl code to handle output log messages from NXLog Agent.

om_pipe — Named Pipes

This module sends logs to named pipes on UNIX-like operating systems.

om_python — Python

Uses Python code to handle output log messages from NXLog Agent. Only Python version 3.x is supported.

om_raijin — Raijin

Stores log messages in a Raijin server.

om_redis — Redis

Stores log messages in a Redis server.

om_ruby — Ruby

Uses Ruby code to handle output log messages from NXLog Agent.

om_ssl — SSL/TLS

Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

om_tcp — TCP

Sends log data over a TCP connection to a remote host.

om_udp — UDP

Sends log data over a UDP connection to a remote host.

om_udpspoof — UDP with IP Spoofing

Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host.

om_uds — UDS

Sends log data to a Unix domain socket.

om_webhdfs — WebHDFS

Stores log data in Hadoop HDFS using the WebHDFS protocol.

om_zmq — ZeroMQ

Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library.

Processor modules

Processor modules start with the pm_* prefix. Use these modules for additional log processing between input and output modules.

Module	Description
pm_blocker — Blocker	Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate when a route is blocked.
pm_buffer — Buffer	Caches messages in an in-memory or disk-based buffer before forwarding. This module is useful in combination with UDP data inputs.
pm_evcorr — Event Correlator	Perform log actions based on relationships between events.
pm_null — Null	Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes.
deprecated pm_hmac — HMAC Message Integrity	Protects messages with an HMAC cryptographic checksum.
deprecated pm_hmac_check — HMAC Message Integrity Checker	Checks HMAC cryptographic checksums on messages.
deprecated pm_norepeat — Message De-Duplicator	Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables.
deprecated pm_pattern — Pattern Matcher	Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module.

Module

Description

pm_blocker — Blocker

Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate when a route is blocked.

pm_buffer — Buffer

Caches messages in an in-memory or disk-based buffer before forwarding. This module is useful in combination with UDP data inputs.

pm_evcorr — Event Correlator

Perform log actions based on relationships between events.

pm_null — Null

Acts as a dummy processor module. It does not transform the log data in any way. You can use this module for testing purposes.

deprecated pm_hmac — HMAC Message Integrity

Protects messages with an HMAC cryptographic checksum.

deprecated pm_hmac_check — HMAC Message Integrity Checker

Checks HMAC cryptographic checksums on messages.

deprecated pm_norepeat — Message De-Duplicator

Drops duplicate logs based on user-specified fields. The same functionality can be implemented with module variables.

deprecated pm_pattern — Pattern Matcher

Applies advanced pattern-matching logic to log data. This functionality has been migrated to the xm_pattern module.

Extension modules

Extension modules start with the xm_* prefix. Use these modules to implement specialized log processing.

Module	Description
xm_admin — Remote Management	Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS.
xm_aixaudit — AIX Auditing	Parses AIX audit events that have been written to file.
xm_asl — Apple System Logs	Parses events in the Apple System Log (ASL) format.
xm_bsm — Basic Security Module Auditing	Supports parsing of events written to file in Sun’s Basic Security Module (BSM) Auditing binary format.
xm_cef — CEF	Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products.
xm_charconv — Character Set Conversion	Provides functions and procedures to help you convert strings between different character sets (code pages).
xm_crypto — Encryption	Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm.
xm_csv — CSV	Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields.
xm_exec — External Program Execution	Passes log data through a custom external program for processing, either synchronously or asynchronously.
xm_filelist — File Lists	Implements file-based blacklisting or whitelisting.
xm_fileop — File Operations	Provides functions and procedures to manipulate files.
xm_gelf — GELF	Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools.
xm_go — Go or Golang	Provides support for processing log data with methods written in the Go language.
xm_grok — Grok Patterns	Provides support for parsing events with Grok patterns.
xm_hc — Health check	Provides health status checking.
xm_java — Java	Provides support for processing log data with methods written in the Java language.
xm_json — JSON	Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data.
xm_kvp — Key-Value Pairs	Provides functions and procedures to parse and generate data that is formatted as key-value pairs.
xm_leef — LEEF	Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products.
xm_msdns — DNS Server Debug Log Parsing	Parses Microsoft Windows DNS Server debug logs
xm_multiline — Multi-Line Message Parser	Parses log entries that span multiple lines.
xm_netflow — NetFlow	Provides a parser for NetFlow payload collected over UDP.
xm_nps — NPS	Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft Radius services.
xm_pattern — Pattern Matcher	Applies advanced pattern-matching logic with better performance over regular expression-matching. Replaces pm_pattern.
xm_perl — Perl	Processes log data using Perl.
xm_python — Python	Processes log data using Python. Only versions 3.x of Python are supported.
xm_resolver — Resolver	Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names.
xm_rewrite — Rewrite	Transforms event records by modifying or discarding specific fields.
xm_ruby — Ruby	Processes log data using Ruby.
xm_sap — SAP	Registers an InputType for parsing SAP audit data.
xm_snmp — SNMP Traps	Parses SNMPv1 and SNMPv2c trap messages.
xm_syslog — Syslog	Provides helpers that let you parse and output the BSD Syslog protocol as defined by RFC 3164.
xm_w3c — W3C	Parses data in the W3C Extended Log File Format, the BRO format, and Microsoft Exchange Message Tracking logs.
xm_wtmp — WTMP	Provides a parser function to process binary WTMP files.
xm_xml — XML	Provides functions and procedures to process XML data.
xm_zlib — Compression	This module compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950.

Module

Description

xm_admin — Remote Management

Adds secure remote administration capabilities to NXLog Agent using SOAP or JSON over HTTP/HTTPS.

xm_aixaudit — AIX Auditing

Parses AIX audit events that have been written to file.

xm_asl — Apple System Logs

Parses events in the Apple System Log (ASL) format.

xm_bsm — Basic Security Module Auditing

Supports parsing of events written to file in Sun’s Basic Security Module (BSM) Auditing binary format.

xm_cef — CEF

Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products.

xm_charconv — Character Set Conversion

Provides functions and procedures to help you convert strings between different character sets (code pages).

xm_crypto — Encryption

Provides encryption and decryption of logs by using data converters which implement the AES symmetric-key algorithm.

xm_csv — CSV

Provides functions and procedures to help you process data formatted as comma-separated values (CSV), and to convert CSV data into fields.

xm_exec — External Program Execution

Passes log data through a custom external program for processing, either synchronously or asynchronously.

xm_filelist — File Lists

Implements file-based blacklisting or whitelisting.

xm_fileop — File Operations

Provides functions and procedures to manipulate files.

xm_gelf — GELF

Provides an output writer function to generate output in Graylog Extended Log Format (GELF) for Graylog2 or GELF-compliant tools.

xm_go — Go or Golang

Provides support for processing log data with methods written in the Go language.

xm_grok — Grok Patterns

Provides support for parsing events with Grok patterns.

xm_hc — Health check

Provides health status checking.

xm_java — Java

Provides support for processing log data with methods written in the Java language.

xm_json — JSON

Provides functions and procedures to generate data in JSON (JavaScript Object Notation) format or to parse JSON data.

xm_kvp — Key-Value Pairs

Provides functions and procedures to parse and generate data that is formatted as key-value pairs.

xm_leef — LEEF

Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products.

xm_msdns — DNS Server Debug Log Parsing

Parses Microsoft Windows DNS Server debug logs

xm_multiline — Multi-Line Message Parser

Parses log entries that span multiple lines.

xm_netflow — NetFlow

Provides a parser for NetFlow payload collected over UDP.

xm_nps — NPS

Provides functions and procedures for processing data in NPS Database Format stored in files by Microsoft Radius services.

xm_pattern — Pattern Matcher

Applies advanced pattern-matching logic with better performance over regular expression-matching. Replaces pm_pattern.

xm_perl — Perl

Processes log data using Perl.

xm_python — Python

Processes log data using Python. Only versions 3.x of Python are supported.

xm_resolver — Resolver

Resolves key identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names, and group/user IDs to friendly names.

xm_rewrite — Rewrite

Transforms event records by modifying or discarding specific fields.

xm_ruby — Ruby

Processes log data using Ruby.

xm_sap — SAP

Registers an InputType for parsing SAP audit data.

xm_snmp — SNMP Traps

Parses SNMPv1 and SNMPv2c trap messages.

xm_syslog — Syslog

Provides helpers that let you parse and output the BSD Syslog protocol as defined by RFC 3164.

xm_w3c — W3C

Parses data in the W3C Extended Log File Format, the BRO format, and Microsoft Exchange Message Tracking logs.

xm_wtmp — WTMP

Provides a parser function to process binary WTMP files.

xm_xml — XML

Provides functions and procedures to process XML data.

xm_zlib — Compression

This module compresses and decompresses logs using the gzip data format defined in RFC 1952 and the zlib format defined in RFC 1950.