Input Modules
Input modules are responsible for collecting event log data from various sources.
Each module provides a set of fields for each log message, these are documented in the corresponding sections below. The NXLog core creates a set of core fields which are available to each module.
Each NXLog module on Windows can create multiple TCP connections on |
-
Process Accounting (im_acct) — Collects process accounting logs from a Linux or BSD kernel
-
AIX Auditing (im_aixaudit) — Reads AIX Audit events directly from the kernel
-
Azure (im_azure) — Connects to Azure and collects logs stored in a blob or table
-
Batched compression (im_batchcompress) — Accepts compressed log batches from another NXLog agent
-
Basic Security Module Auditing (im_bsm) — Reads BSM Auditing logs directly from the kernel
-
Check Point OPSEC LEA (im_checkpoint) — Collects logs remotely from Check Point devices
-
DBI (im_dbi) — Collects log data from an external database with the libdbi library
-
Event Tracing for Windows (im_etw) — Collects logs from ETW on Windows systems
-
External programs (im_exec) — Executes a program or script and reads log data from standard output
-
File (im_file) — Reads log messages from files
-
File Integrity Monitoring (im_fim) — Scans files and directories and generates events for detected changes
-
Go (im_go) — Provides a Go API for generating log data
-
HTTP(s) (im_http) — Accepts log messages via HTTP or HTTPS connections
-
Internal (im_internal) — Provides NXLog’s internal logs as an input source
-
Java (im_java) — Provides a Java API for processing log data
-
Kafka (im_kafka) — Collects event records from an Apache Kafka topic
-
Kernel (im_kernel) — Reads messages from the kernel log buffer on Linux, BSD, or macOS
-
Linux Audit System (im_linuxaudit) — Configures Linux Auditing and collects logs without requiring auditd
-
macOS Endpoint Security (im_maces) — Collects logs from Apple Endpoint Security on macOS 10.15 and later
-
macOS ULS (im_maculs) — Collects logs from ULS on macOS 10.12 and later
-
Mark (im_mark) — Generates mark messages periodically
-
Event Log for Windows XP/2000/2003 (im_mseventlog) — Collects EventLog messages from Windows 2003 and earlier
-
Event Log for Windows 2008/Vista/later (im_msvistalog) — Collects Windows Event Log messages from recent versions of Windows
-
Null (im_null) — Provides a dummy input for testing or scheduled execution
-
ODBC (im_odbc) — Uses the ODBC abstraction layer to read log data from a database
-
Packet capture (im_pcap) — Collects logs using PCAP
-
Perl (im_perl) — Provides a Perl API for generating log data
-
Named Pipes (im_pipe) — Reads log messages from a named pipe
-
Python (im_python) — Provides a Python API for generating log data
-
Redis (im_redis) — Retrieves log data from a Redis server
-
Windows Registry Monitoring (im_regmon) — Scans the Registry and generates events for detected changes
-
Ruby (im_ruby) — Provides a Ruby API for generating log data
-
TLS/SSL (im_ssl) — Accepts log data over SSL/TLS-secured connections
-
Systemd (im_systemd) — Accepts logs from the systemd journal
-
TCP (im_tcp) — Accepts log data over TCP connections
-
Test Generator (im_testgen) — Generates log data for testing purposes
-
UDP (im_udp) — Accepts log data via UDP datagrams
-
Unix Domain Sockets (im_uds) — Receives log messages over a local Unix domain socket
-
Windows Performance Counters (im_winperfcount) — Generates event records containing Performance Counter values
-
Windows Event Collector (im_wseventing) — Uses WEF to collect Event Log events from remote Windows systems
-
ZeroMQ (im_zmq) — Provides a log data input via ZeroMQ message transport