Added two new directives, AllowIP and BlockIP, to the im_udp module:

Added a new ExitTimeout directive to the om_exec and im_exec modules:

Introduced a new MaxConnections directive to all TCP-based modules, which prevents the OS from memory usage overload and informs external nodes that the agent is not ready to receive additional connections.

Introduced a new ShowExtendedInfo directive for the im_etw module, which will expose service fields for reasons of consistency.

Introduced initial support for the OpenTelemetry protocol with the new im_otel module. This module allows for the collection of logs and traces over both HTTPS and gRPC transport. Future updates will expand this functionality, including adding an om_otel module for sending data and subsequent support for metrics collection.

Added support for declarative event structure rewriting in the new xm_transform module:

The newly introduced im_otel module is yet to support gRPC+TLS while using it with an IP address. Only domain names are allowed for now. This limitation will be fixed in a future release.

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

There is a small possibility that the im_ms365 module generates multiple events or the same email caused by a duplicate Reporting Web Service API response.

NXLog Enterprise Edition relies on an external systemd service, which is usually a part of the operating system. There are several operating systems, such as CentOS 8, CentOS 9, RHEL9, Debian 12, Ubuntu 22, Ubuntu 24, Amazon Linux 2023, and possibly others, that include a known bug causing failure during log rotation. From the agent’s perspective, this issue results in an NXLog Enterprise Edition crash (EE6.2 and earlier) or manifests as a log entry containing "BAD MESSAGE" (EE6.3 and EE6.3HF1). This situation cannot be fully resolved by NXLog Enterprise Edition alone. We have developed a recovery procedure to restore log acquisition, but during the failure event, NXLog Enterprise Edition cannot guarantee the acquisition of all events without losses. We are ready to provide full technical support to our customers regarding this issue. Please note that some operating systems are not affected by this problem.

Added new functionality to the xm_nps module:

Enhanced the event coverage of the im_maces module up to macOS API v13

Added new functionality to the xm_pattern module and configuration language:

Modules that support TLS/SSL on the Windows platform now accept patterns to match the host and CA certificates, in addition to the exact thumbprint

Enhanced internal log messages:

Added support for Debian 12

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

There is a small possibility that the im_ms365 module generates multiple events or the same email caused by a duplicate Reporting Web Service API response.

NXLog Enterprise Edition relies on an external systemd service, which is usually a part of the operating system. There are several operating systems, such as CentOS 8, CentOS 9, RHEL9, Debian 12, Ubuntu 22, Ubuntu 24, Amazon Linux 2023, and possibly others, that include a known bug causing failure during log rotation. From the agent’s perspective, this issue results in an NXLog Enterprise Edition crash (EE6.2 and earlier) or manifests as a log entry containing "BAD MESSAGE" (EE6.3 and EE6.3HF1). This situation cannot be fully resolved by NXLog Enterprise Edition alone. We have developed a recovery procedure to restore log acquisition, but during the failure event, NXLog Enterprise Edition cannot guarantee the acquisition of all events without losses. We are ready to provide full technical support to our customers regarding this issue. Please note that some operating systems are not affected by this problem.

Added new functionality to im_file and im_fim modules:

Added new functionality to the om_azuremonitor module:

Improved the om_kafka module to handle incompatible Compression options.

Improved the im_wseventing module to stop ignoring authentication

Modified the SetUid function of the xm_admin module to remove forceful reboot of NXLog

The error in NXLog Enterprise Edition versions 6.0.8997 and 6.1.9138 of being unable to set up a connection to NXLog Manager 5.6.5633 was fixed with NXLog Manager 5.7.5801, which is available for download on our website.

The change from using event batches to bytes in the LogqueueSize directive is not backward-compatible. If updating from NXLog agent version 5 or older, you must modify your configuration accordingly.

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

There is a small possibility that the im_ms365 module generates multiple events or the same email caused by a duplicate Reporting Web Service API response.

Added new functionality to the om_chronicle module:

Implemented a new OutputRequestSize directive to supersede the module-specific batch size directives ChronicleBatchSize, S3BatchSize, GoogleLoggingBatchSize, and GooglePubSubBatchSize

Added a new procedure to the om_kafka module that lets you set the Kafka topic dynamically

Added new procedures to retrieve the HTTP request headers in the im_http module

Added the ability to use non-exportable encryption keys generated with TPM for the Windows version of NXLog Enterprise Edition.

NXLog Enterprise Edition version 6.0 and later are not compatible with NXLog Manager version 5.6.5633 and older. If you add a version 6 agent in NXLog Manager, you will see a java.lang.NullPointerException error when you access the agents' page. The next release of NXLog Manager will address this problem.

The change from using event batches to bytes in the LogqueueSize directive is not backward-compatible. If updating from NXLog agent version 5 or older, you must modify your configuration accordingly.

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

There is a small possibility that the im_ms365 module generates multiple events for the same email caused by a duplicate Reporting Web Service API response.

The LogqueSize is now calculated in bytes

Added support for Amazon Linux 2023 and macOS Ventura

The om_elasticsearch module now supports data streams with the new DataStream directive

Implemented built-in support for maps and arrays

Added a new Health check (xm_hc) module

Added compression support to the Google Logging, Google Chronicle, and Salesforce modules

Added a new BlockIP directive to the im_tcp and im_ssl modules

Added a new AllowHostnameValidation directive to the om_ssl module to check the certificate FQDN against the server hostname

Restructured and added new fields to the xm_admin ServerInfo and ModuleInfo response

Added support for .etl files to the im_etw module

Support for MultiLine Data Converter in the xm_charconv module

The im_etw module now supports Windows software trace preprocessor (WPP) providers with the new EnableWppSupport directive

NXLog Enterprise Edition version 6.0 and later are not compatible with NXLog Manager version 5.6.5633 and older. If you add a version 6 agent in NXLog Manager, you will see a java.lang.NullPointerException error when you access the agents' page. The next release of NXLog Manager will address this problem.

The change from using event batches to bytes in the LogqueueSize directive is not backward-compatible. If updating from an older NXLog agent version, you must modify your configuration accordingly.

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

There is a small possibility that the im_ms365 module generates multiple events for the same email caused by a duplicate Reporting Web Service API response.

Added support for parsing the new events included in the macOS 13 Endpoint Security API using im_maces

Added the ShowExtendedInfo directive in im_etw to enable the module to output additional Event Tracing for Windows (ETW) fields

Numerous bug fixes and improvements

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

BatchFlushInterval directive is not supported in om_googlelogging and om_googlepubsub modules.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3 and om_azuremonitor.

HTTPSCAFile and HTTPSCADir directives have no effect for the amazons3, chronicle, azuremonitor, ms365 salesforce, googlelogging, googlepubsub modules.

Added the stream support to om_elasticsearch

Added dynamic topic support at om_kafka

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

BatchFlushInterval directive is not supported in om_googlelogging and om_googlepubsub modules.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3 and om_azuremonitor.

HTTPSCAFile and HTTPSCADir directives have no effect for the amazons3, chronicle, azuremonitor, ms365 salesforce, googlelogging, googlepubsub modules.

Added ARM64 architecture support for Debian 10 and Debian 11

Added the option to disable the ReversionTimeout

Added a new ReuseAddress directive for the im_tcp and im_udp modules on Windows platforms

Added IBM POWER PC architecture support for Suse Linux Enterprise Server 15

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

BatchFlushInterval directive is not supported in om_googlelogging and om_googlepubsub modules.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3 and om_azuremonitor.

HTTPSCAFile and HTTPSCADir directives have no effect for the amazons3, chronicle, azuremonitor, ms365 salesforce, googlelogging, googlepubsub modules

Added a new im_salesforce module for Salesforce REST API

Added the OnError directive to om_elasticsearch to support custom handling of errors returned by the Elastic server

Added support for the new Azure Monitor Logs Ingestion API version with the om_azuremonitor module

NXLog now uses the KeyChain Access Application as the default system CA certificate store on macOS

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

BatchFlushInterval directive is not supported in om_googlelogging and om_googlepubsub modules.

The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

On SLES 12 and macOS operating systems, NXLog Enterprise Edition may crash when an HTTP(s) (im_http) module accepts a gzip HTTP compression header. As a workaround, you can use the deflate HTTP compression header.

Added input and output modules for Google Cloud Pub/Sub instances

Support SASL_OAUTH2 in om_kafka

Added input and output modules for Google Logging API

Added im_ms365 module for Microsoft 365 services

Added input and output modules for Amazon S3 services

Added MIT kerberos support to im_wseventing module on Windows

When processing large files (over 1GB) from Amazon S3 buckets with the im_amazons3 module, the NXLog agent may consume a large amount of memory.

The amazons3, googlepubsub, googlelogging, and ms365 modules do not check for the presence of invalid directives in the configuration, and any such directives will be ignored without an error being logged.

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

Support for basic authentication in HTTP modules​

Compatibility with Elasticsearch 8

Added support for Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022

Added DataTimeout directive in xm_admin​ to help detect stale connections to the agent manager

Symmetric encryption in xm_crypto​

Updated the Kafka modules and librdkafka​

Fixed a bug in the AVG statistical counter​

Numerous stability improvements

The extract_json() function cannot currently extract key names containing a dot (.). This issue will be addressed in the next release.

Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem.

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

om_chronicle output module for sending logs to Google Chronicle

The Python modules are now available for Windows.

Improvements to the xm_sap module

om_kafka now supports the CAThumbprint directive to load certificates on Windows

Added functions to extract parts of JSON and XML data

NXLog Enterprise Edition can now write events to a file in a JSON array

New documentation format

The Python modules on Windows require manual configuration. See Python prerequisites for Windows in the reference manual.

Bugs in the Apache Portable Runtime that may cause high NXLog CPU usage have been fixed in the upstream project:

Go integration modules are currently not available on Windows.

Our documentation builds moved from Asciidoctor to Antora. Consequently, we cannot ship single-page HTML or PDF documentation with the installation package. A multi-page HTML version is bundled instead.

The new Google Chronicle output module currently can process a maximum of ~1200 EPS. The performance will be improved in later releases. The Google Chronicle module is unavailable in the ARMv7 packages because of compiler limitations.

The om_elasticsearch module is currently incompatible with Elasticsearch 8.x. This issue will be addressed in the next release. Please get in touch with NXLog support if you require assistance.

im_maces input module for collecting logs from the macOS Endpoint Security auditing system

Added support for Windows 2022 Server and Debian 11

Added support for Red Hat Enterprise 8 and Ubuntu 20 ARM64

Added to_snare() procedure for creating Snare formatted log messages

Added support for pulling data from Azure Monitor Log Analytics workspaces (technology preview) with the im_azure module

The Amazon Linux 2 AMD64 package does not include the im_checkpoint module due to missing build dependencies.

The macOS Endpoint Security (im_maces) proc_check, pty_grant, and pty_close events are currently unsupported.

Issues in the im_azure module:

om_azure output module for sending logs to Log Analytics workspaces in Azure Monitor

Added support for Apple Silicon M1 and macOS BigSur

The im_pcap module now supports parsing the IEC-61860 protocol

Added functionality to the im_http and om_http modules:

Improved the im_maculs module for macOS

Various observability improvements in xm_admin

im_maculs input module for collecting logs from Apple’s Unified Logging System

Improvements to the im_pcap module focusing on Industrial Control System protocols:

xm_python extension module for integrating Python scripts

NXLog Manager integration is now enabled by default

Individually signed packages for Debian

Improvements to the im_pcap module:

The xm_python module is currently disabled for Amazon Linux (ARM64).

Updates to the core event processing enabled us to increase event throughput by up to 40%

Support for collecting logs directly from the systemd journal

Support for reading and writing logs to named pipes

Support for passive network monitoring

Support for resolving SID and GUID values on Windows

Support for resolving numeric IDs in Linux audit logs

Improved and simplified flow control implementation

Improved IP version 6 support

Numerous bug fixes and improvements

The functionality of om_pattern is now provided by xm_pattern. Migration of the configuration needs to be done manually.

The functionality of pm_filter is now included in the base NXLog language with the drop() procedure. See Filtering logs in the NXLog User Guide.

The xm_soapadmin module has been replaced by xm_admin and is a drop-in replacement.

The im_oci and om_oci modules are no longer supported.

The Solaris package currently leaves the NXLog process running after reinstalling. Execute pkill nxlog to remedy the problem. This issue will be addressed in a later release.

om_kafka is currently suffering from low throughput. In our benchmarks, it was performing at 5k EPS, whereas kafka-console-producer.sh was able to push 100k EPS in the same test. We aim to improve this in the next release.

libdrkafka is not currently supported on AIX forcing us to stop building om_kafka on that platform.

The Python modules are currently not available on OpenBSD and FreeBSD.

The im_systemd module is not available on generic Linux and non-systemd based Linux versions.

xm_crypto and xm_zlib limitations:

When the ListenAddr directive is not specified for network modules, they will default to localhost, leading NXLog to bind to and listen on [::1] on some operating systems.

The im_pipe and om_pipe modules create new pipes owned by the user running NXLog. If you need to read or write to the pipe with a different user, you can create the pipe beforehand and set the permissions accordingly using Unix tools (mkfifo, chown, chmod). Existing pipes will not be modified by these modules.

The xm_asl extension module causes NXLog to exit with a segmentation fault on macOS.

The im_pcap module is not available on OpenBSD due to insufficient demand for this OS. Get in touch with our support if your use-case requires it.