NXLog Documentation

Release notes

NXLog Enterprise Edition 5.7

Release date

20 January 2023

New
  • Added input and output modules for Google Cloud Pub/Sub instances.

  • Added support for SASL_OAUTH2 in om_kafka.

  • Added input and output modules for Google Logging API.

  • Added im_ms365 module for Microsoft 365 services.

  • Added input and output modules for Amazon S3 services.

  • Added MIT Kerberos support to the im_wseventing module on Windows.

Known issues
  • When processing large files (over 1GB) from Amazon S3 buckets with the im_amazons3 module, the NXLog agent may consume a large amount of memory.

  • The amazons3, googlepubsub, googlelogging and ms365 modules do not check for unrecognised directives in the configuration; any such directives are ignored without an error being logged.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error that causes the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft has fixed the issue starting with the following versions: Windows Server 2022 version 10.0.20348.740 and Windows 11 version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

NXLog Enterprise Edition 5.6

Release date

15 September 2022

New
  • Support for basic authentication in HTTP modules

  • Compatibility with Elasticsearch 8

  • Added support for Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022

  • Added DataTimeout directive in xm_admin to help detect stale connections to the agent manager

  • Symmetric encryption in xm_crypto

  • Updated the Kafka modules and librdkafka

  • Fixed a bug in the AVG statistical counter

  • Numerous stability improvements

Known issues
  • The extract_json() function cannot currently extract key names containing a dot (.). This issue will be addressed in the next release.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error that causes the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

NXLog Enterprise Edition 5.5

Release date

29 April 2022

New
  • om_chronicle output module for sending logs to Google Chronicle

  • The Python modules are now available for Windows.

  • Improvements to the xm_sap module

  • om_kafka now supports the CAThumbprint directive to load certificates on Windows

  • Added functions to extract parts of JSON and XML data

  • NXLog Enterprise Edition can now write events to a file in a JSON array

  • New documentation format

Known issues
  • The Python modules on Windows require manual configuration. See Python prerequisites for Windows in the reference manual.

  • Bugs in the Apache Portable Runtime that may cause high NXLog CPU usage have been fixed in the upstream project. These fixes may or may not have made their way into your Linux distribution. Our generic packages ship a fixed version of APR.

  • Go integration modules are currently not available on Windows.

  • Our documentation builds moved from Asciidoctor to Antora. Consequently, we cannot ship single-page HTML or PDF documentation with the installation package. A multi-page HTML version is bundled instead.

  • The new Google Chronicle output module can currently process a maximum of ~1200 EPS. The performance will be improved in later releases. The Google Chronicle module is unavailable in the ARMv7 packages because of compiler limitations.

  • The om_elasticsearch module is currently incompatible with Elasticsearch 8.x. This issue will be addressed in the next release. Please get in touch with NXLog support if you require assistance.

NXLog Enterprise Edition 5.4

Release date

2 September 2021

New
  • im_maces input module for collecting logs from the macOS Endpoint Security auditing system

  • Added support for Windows 2022 Server and Debian 11

  • Added support for Red Hat Enterprise 8 and Ubuntu 20 ARM64

  • Added to_snare() procedure for creating Snare formatted log messages

  • Added support for pulling data from Azure Monitor Log Analytics workspaces (technology preview) with the im_azure module

Known issues
  • The Amazon Linux 2 AMD64 package does not include the im_checkpoint module due to missing build dependencies.

  • The macOS Endpoint Security (im_maces) proc_check, pty_grant, and pty_close events are currently unsupported.

  • Issues in the im_azure module:

    • The module does not save the last read position, resulting in it retrieving all of the accessible data at every start.

    • Analytics mode fails to validate server certificates. The HTTPSAllowUntrusted directive must be set to TRUE to establish a connection to the service.

    • Blob mode cannot retrieve data beyond the first Blob in the container.

NXLog Enterprise Edition 5.3

Release date

15 April 2021

New
  • om_azure output module for sending logs to Log Analytics workspaces in Azure Monitor

  • Added support for Apple Silicon M1 and macOS Big Sur

  • The im_pcap module now supports parsing the IEC-61860 protocol

  • Added functionality to the im_http and om_http modules:

    • Support for data compression with the HTTPSSSLCompression directive

    • Transmission of structured logs with NXLog’s binary format

  • Improved the im_maculs module for macOS

  • Various observability improvements in xm_admin

NXLog Enterprise Edition 5.2

Release date

18 December 2020

New
  • im_maculs input module for collecting logs from Apple’s Unified Logging System

  • Improvements to the im_pcap module focusing on Industrial Control System protocols:

    • Added support for parsing the S7 and IEC104 protocols

    • Added LLDP parsing for the PROFINET protocol

    • Additional parsing for PROFINET RTC-PDU, PROFINET RTA-PDU and UDP-RTA-PDU

NXLog Enterprise Edition 5.1

Release date

17 September 2020

New
  • xm_python extension module for integrating Python scripts

  • NXLog Manager integration is now enabled by default

  • Individually signed packages for Debian

  • Improvements to the im_pcap module:

    • Added support for parsing the BACNET and PROFINET protocols

    • Improved handling of complex data in Modbus packets

    • The module is now available for Windows

Known issues
  • The xm_python module is currently disabled for Amazon Linux (ARM64).

NXLog Enterprise Edition 5.0

Release date

23 June 2020

New
  • Updates to the core event processing enabled us to increase event throughput by up to 40%

  • Support for collecting logs directly from the systemd journal

  • Support for reading and writing logs to named pipes

  • Support for passive network monitoring

  • Support for resolving SID and GUID values on Windows

  • Support for resolving numeric IDs in Linux audit logs

  • Improved and simplified flow control implementation

  • Improved IP version 6 support

  • Numerous bug fixes and improvements

Upgrading from version 4.x

NXLog Enterprise Edition 5.0 contains substantial configuration file changes. Please make sure to use the new nxlog.conf file provided by the version 5.0 package.

The configuration file managed by NXLog Enterprise Edition, previously located in /opt/nxlog/var/lib/nxlog/log4ensics.conf, has been moved to /opt/nxlog/etc/conf.d/managed.conf in version 5.0.

If you are using NXLog Manager, you must migrate the content of log4ensics.conf to managed.conf and update any NXLog Manager-related configuration in the main nxlog.conf file. Version 5.0 ships with a default nxlog.conf file with NXLog Manager integration disabled.

Linux packages automatically migrate log4ensics.conf to managed.conf.

On Solaris, you can back up your current configuration to /opt/nxlog/bin/backup. After removing version 4.x and installing version 5.0, you need to manually migrate your configuration to the new NXLog directory and file structure:

  • /opt/nxlog-backup{date}/lib/nxlog/log4ensics.conf to /opt/nxlog/etc/nxlog.d/managed.conf

  • /opt/nxlog-backup{date}/nxlog/cert/* to /opt/nxlog/var/lib/nxlog/cert/
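The two Solaris migration steps above, written out as a POSIX shell function. This is an added example, not NXLog's own tooling and not part of the release notes: the backup directory and the target root are passed as arguments so the function can be tried against a scratch tree first, the relative paths inside the backup follow the two list items above, and the refuse-to-overwrite check and the use of cp -p to preserve the permissions of certificate and key files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not NXLog's own tooling): copy a version 4.x Solaris backup
# into the version 5.0 directory layout described in the release notes.
# The backup directory name and the target root are arguments so the
# function can be exercised against a scratch tree before touching /opt.
#
# usage: migrate_nxlog_config /opt/nxlog-backup<date> /opt/nxlog

migrate_nxlog_config() {
    backup="$1"
    root="$2"
    src_conf="$backup/lib/nxlog/log4ensics.conf"
    dst_conf="$root/etc/nxlog.d/managed.conf"
    src_cert="$backup/nxlog/cert"
    dst_cert="$root/var/lib/nxlog/cert"

    # Refuse to run on a backup that lacks the managed configuration.
    [ -f "$src_conf" ] || { echo "missing $src_conf" >&2; return 1; }

    # Never clobber a managed.conf that version 5.0 may already have written
    # (for example after NXLog Manager has pushed a configuration).
    if [ -e "$dst_conf" ]; then
        echo "refusing to overwrite $dst_conf" >&2
        return 1
    fi

    mkdir -p "$(dirname "$dst_conf")" "$dst_cert" || return 1

    # -p keeps ownership and mode, so the file is not left with the
    # caller's umask defaults.
    cp -p "$src_conf" "$dst_conf" || return 1

    # Copy certificate material only if the backup has any; preserving the
    # mode matters here, since private keys must not become world-readable.
    if [ -d "$src_cert" ]; then
        for f in "$src_cert"/*; do
            [ -e "$f" ] || continue
            cp -p "$f" "$dst_cert"/ || return 1
        done
    fi
    return 0
}

# Run the migration when invoked with both paths; define only, otherwise.
if [ "$#" -eq 2 ]; then
    migrate_nxlog_config "$1" "$2"
fi
```

Running it twice is safe: the second run stops at the overwrite check instead of silently replacing a managed.conf that the new installation may already own.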

We streamlined the configuration syntax across a number of network modules to use the ListenAddr and Host directives. The old syntax will be supported in version 5.x but will be retired in version 6.0. Although the old syntax will work in version 5.x, it will result in a deprecation warning in the logs. Please refer to the respective module documentation for configuration details.

Discontinued modules
  • The functionality of om_pattern is now provided by xm_pattern. Migration of the configuration needs to be done manually.

  • The functionality of pm_filter is now included in the base NXLog language with the drop() procedure. See Filtering logs in the NXLog User Guide.

  • The xm_soapadmin module has been replaced by xm_admin, which is a drop-in replacement.

  • The im_oci and om_oci modules are no longer supported.

Known issues
  • The Solaris package currently leaves the NXLog process running after reinstalling. Execute pkill nxlog to remedy the problem. This issue will be addressed in a later release.

  • om_kafka is currently suffering from low throughput. In our benchmarks, it was performing at 5k EPS, whereas kafka-console-producer.sh was able to push 100k EPS in the same test. We aim to improve this in the next release.

  • librdkafka is not currently supported on AIX, forcing us to stop building om_kafka on that platform.

  • The Python modules are currently not available on OpenBSD and FreeBSD.

  • The im_systemd module is not available on generic Linux and non-systemd-based Linux versions.

  • xm_crypto and xm_zlib limitations:

    • Converters provided by these modules output logs in binary files. Currently, appending to binary files is not possible once the file is closed. Therefore, these modules must rotate the output file on startup.

    • Due to the internal rotation by these modules, they should not be used in conjunction with the file_cycle() procedure of xm_fileop.

    • If NXLog crashes, the content of its output buffers is lost, which could result in data loss. We will be implementing additional safeguards in a future release.

  • When the ListenAddr directive is not specified for network modules, they will default to localhost, leading NXLog to bind to and listen on [::1] on some operating systems.

  • The im_pipe and om_pipe modules create new pipes owned by the user running NXLog. If you need to read or write the pipe as a different user, you can create the pipe beforehand and set the permissions accordingly using Unix tools (mkfifo, chown, chmod). Existing pipes will not be modified by these modules.
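The pre-creation step described in the item above, as an added example (not part of the release notes and not NXLog's own tooling): a POSIX shell function that creates the named pipe with an explicit mode, optionally assigns an owner, and refuses to proceed if something other than a FIFO already sits at the path. The pipe path, the 0620 mode and the nxlog:app owner in the usage line are illustrative assumptions; the point is that since im_pipe/om_pipe leave an existing pipe untouched, whatever mode and owner are set here are what the module ends up using.

```shell
#!/bin/sh
# Added example (not NXLog's own tooling): pre-create a named pipe for
# im_pipe/om_pipe so that a user other than the one running NXLog can read
# or write it. Because the modules do not modify an existing pipe, the mode
# and owner chosen here are final.
#
# usage: create_log_pipe /var/run/nxlog/app.pipe 0620 nxlog:app

create_log_pipe() {
    pipe="$1"
    mode="${2:-0600}"   # default: only the owner may read or write
    owner="$3"          # optional user[:group]; applying it needs privilege

    if [ -e "$pipe" ]; then
        # Accept an existing path only if it really is a FIFO; a regular
        # file or symlink here would silently swallow or redirect the logs.
        [ -p "$pipe" ] || { echo "$pipe exists and is not a FIFO" >&2; return 1; }
    else
        mkdir -p "$(dirname "$pipe")" || return 1
        # -m sets the mode at creation, avoiding a window in which the pipe
        # carries the umask's default permissions.
        mkfifo -m "$mode" "$pipe" || return 1
    fi

    # Bring a pre-existing pipe to the requested mode as well.
    chmod "$mode" "$pipe" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$pipe" || return 1
    fi
    return 0
}

# Report the pipe's permission bits in octal so the result can be verified.
pipe_mode() {
    # GNU stat uses -c; BSD/macOS stat uses -f.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Create the pipe when invoked with arguments; define only, otherwise.
if [ "$#" -ge 1 ]; then
    create_log_pipe "$@"
    echo "mode: $(pipe_mode "$1")"
fi
```

A mode such as 0620 with the group set to the producing application lets that application write while keeping the pipe unreadable to everyone else, which is the least-privilege arrangement the note above is getting at.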

  • The xm_asl extension module causes NXLog to exit with a segmentation fault on macOS.

  • The im_pcap module is not available on OpenBSD due to insufficient demand for this OS. Get in touch with our support if your use case requires it.