NXLog Legacy Documentation

Release notes

NXLog Enterprise Edition 6.1

Release date

20 October 2023

New
  • Added new functionality to the om_chronicle module:

    • Added OAuth support for authenticating with Chronicle Ingestion API v2

    • Added a new procedure that lets you set the Chronicle schema dynamically

    • Updated the default UDM schema

  • Implemented a new OutputRequestSize directive to supersede the module-specific batch size directives ChronicleBatchSize, S3BatchSize, GoogleLoggingBatchSize, and GooglePubSubBatchSize

  • Added a new procedure to the om_kafka module that lets you set the Kafka topic dynamically

  • Added new procedures to retrieve the HTTP request headers in the im_http module

  • Added the ability to use non-exportable encryption keys generated with TPM for the Windows version of NXLog Enterprise Edition.

Known issues
  • NXLog Enterprise Edition version 6.0 and later are not compatible with NXLog Manager version 5.6.5633 and older. If you add a version 6 agent in NXLog Manager, you will see a java.lang.NullPointerException error when you access the agents' page. The next release of NXLog Manager will address this problem.

  • The change from using event batches to bytes in the LogqueueSize directive is not backward-compatible. If updating from NXLog agent version 5 or older, you must modify your configuration accordingly.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

  • The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • There is a small possibility that the im_ms365 module generates multiple events for the same email caused by a duplicate Reporting Web Service API response.

NXLog Enterprise Edition 6.0

Release date

11 September 2023

New
  • The LogqueSize is now calculated in bytes

  • Added support for Amazon Linux 2023 and macOS Ventura

  • The om_elasticsearch module now supports data streams with the new DataStream directive

  • Implemented built-in support for maps and arrays

  • Added a new Health check (xm_hc) module

  • Added compression support to the Google Logging, Google Chronicle, and Salesforce modules

  • Added a new BlockIP directive to the im_tcp and im_ssl modules

  • Added a new AllowHostnameValidation directive to the om_ssl module to check the certificate FQDN against the server hostname

  • Restructured and added new fields to the xm_admin ServerInfo and ModuleInfo response

  • Added support for .etl files to the im_etw module

  • Support for MultiLine Data Converter in the xm_charconv module

  • The im_etw module now supports Windows software trace preprocessor (WPP) providers with the new EnableWppSupport directive

Known issues
  • NXLog Enterprise Edition version 6.0 and later are not compatible with NXLog Manager version 5.6.5633 and older. If you add a version 6 agent in NXLog Manager, you will see a java.lang.NullPointerException error when you access the agents' page. The next release of NXLog Manager will address this problem.

  • The change from using event batches to bytes in the LogqueueSize directive is not backward-compatible. If updating from an older NXLog agent version, you must modify your configuration accordingly.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. Microsoft fixed this issue from the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • The om_googlelogging and om_googlepubsub modules do not support the BatchFlushInterval directive.

  • The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • There is a small possibility that the im_ms365 module generates multiple events for the same email caused by a duplicate Reporting Web Service API response.

NXLog Enterprise Edition 5.9

Release date

20 June 2023

New
  • Added ARM64 architecture support for Debian 10 and Debian 11

  • Added the option to disable the ReversionTimeout

  • Added a new ReuseAddress directive for the im_tcp and im_udp modules on Windows platforms

  • Added IBM POWER PC architecture support for Suse Linux Enterprise Server 15

Known issues
  • Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • BatchFlushInterval directive is not supported in om_googlelogging and om_googlepubsub modules.

  • The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3 and om_azuremonitor.

  • HTTPSCAFile and HTTPSCADir directives have no effect for the amazons3, chronicle, azuremonitor, ms365 salesforce, googlelogging, googlepubsub modules

NXLog Enterprise Edition 5.8

Release date

24 April 2023

New
  • Added a new im_salesforce module for Salesforce REST API

  • Added the OnError directive to om_elasticsearch to support custom handling of errors returned by the Elastic server

  • Added support for the new Azure Monitor Logs Ingestion API version with the om_azuremonitor module

  • NXLog now uses the KeyChain Access Application as the default system CA certificate store on macOS

Known issues
  • Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

  • BatchFlushInterval directive is not supported in om_googlelogging and om_googlepubsub modules.

  • The following modules are not supported on Debian 8 Jesse and Debian 9 Stretch: om_chronicle, im_ms365, im_salesforce, im_googlelogging, om_googlelogging, im_googlepubsub, om_googlepubsub, im_amazons3, om_amazons3, and om_azuremonitor.

  • On SLES 12 and macOS operating systems, NXLog Enterprise Edition may crash when an HTTP(s) (im_http) module accepts a gzip HTTP compression header. As a workaround, you can use the deflate HTTP compression header.

NXLog Enterprise Edition 5.7

Release date

20 January 2023

New
  • Added input and output modules for Google Cloud Pub/Sub instances

  • Support SASL_OAUTH2 in om_kafka

  • Added input and output modules for Google Logging API

  • Added im_ms365 module for Microsoft 365 services

  • Added input and output modules for Amazon S3 services

  • Added MIT kerberos support to im_wseventing module on Windows

Known issues
  • When processing large files (over 1GB) from Amazon S3 buckets with the im_amazons3 module, the NXLog agent may consume a large amount of memory.

  • The amazons3, googlepubsub, googlelogging, and ms365 modules do not check for the presence of invalid directives in the configuration, and any such directives will be ignored without an error being logged.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem. A fix has been implemented by Microsoft starting with the following versions: Windows Server 2022 - Version 10.0.20348.740, Windows 11 - Version 10.0.22000.739

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

NXLog Enterprise Edition 5.6

Release date

15 September 2022

New
  • Support for basic authentication in HTTP modules​

  • Compatibility with Elasticsearch 8

  • Added support for Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022

  • Added DataTimeout directive in xm_admin​ to help detect stale connections to the agent manager

  • Symmetric encryption in xm_crypto​

  • Updated the Kafka modules and librdkafka​

  • Fixed a bug in the AVG statistical counter​

  • Numerous stability improvements

Known issues
  • The extract_json() function cannot currently extract key names containing a dot (.). This issue will be addressed in the next release.

  • Microsoft Windows Server 2022 and Windows 11 exhibit an error, causing the Event Log API to return fewer fields than expected. A workaround has been implemented for the problem.

  • Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the im_checkpoint module.

NXLog Enterprise Edition 5.5

Release date

29 April 2022

New
  • om_chronicle output module for sending logs to Google Chronicle

  • The Python modules are now available for Windows.

  • Improvements to the xm_sap module

  • om_kafka now supports the CAThumbprint directive to load certificates on Windows

  • Added functions to extract parts of JSON and XML data

  • NXLog Enterprise Edition can now write events to a file in a JSON array

  • New documentation format

Known issues
  • The Python modules on Windows require manual configuration. See Python prerequisites for Windows in the reference manual.

  • Bugs in the Apache Portable Runtime that may cause high NXLog CPU usage have been fixed in the upstream project:

    These fixes may or may not have made their way into your Linux distribution. Our generic packages ship a fixed version of APR.

  • Go integration modules are currently not available on Windows.

  • Our documentation builds moved from Asciidoctor to Antora. Consequently, we cannot ship single-page HTML or PDF documentation with the installation package. A multi-page HTML version is bundled instead.

  • The new Google Chronicle output module currently can process a maximum of ~1200 EPS. The performance will be improved in later releases. The Google Chronicle module is unavailable in the ARMv7 packages because of compiler limitations.

  • The om_elasticsearch module is currently incompatible with Elasticsearch 8.x. This issue will be addressed in the next release. Please get in touch with NXLog support if you require assistance.

NXLog Enterprise Edition 5.4

Release date

2 September 2021

New
  • im_maces input module for collecting logs from the macOS Endpoint Security auditing system

  • Added support for Windows 2022 Server and Debian 11

  • Added support for Red Hat Enterprise 8 and Ubuntu 20 ARM64

  • Added to_snare() procedure for creating Snare formatted log messages

  • Added support for pulling data from Azure Monitor Log Analytics workspaces (technology preview) with the im_azure module

Known issues
  • The Amazon Linux 2 AMD64 package does not include the im_checkpoint module due to missing build dependencies.

  • The macOS Endpoint Security (im_maces) proc_check, pty_grant, and pty_close events are currently unsupported.

  • Issues in the im_azure module:

    • The module does not save the last read position, resulting in it retrieving all of the accessible data at every start.

    • Analytics mode fails to validate server certificates. The HTTPSAllowUntrusted directive must be set to TRUE to establish a connection to the service.

    • Blob mode cannot retrieve data beyond the first Blob in the container.

NXLog Enterprise Edition 5.3

Release date

15 April 2021

New
  • om_azure output module for sending logs to Log Analytics workspaces in Azure Monitor

  • Added support for Apple Silicon M1 and macOS BigSur

  • The im_pcap module now supports parsing the IEC-61860 protocol

  • Added functionality to the im_http and om_http modules:

    • Support for data compression with the HTTPSSSLCompression directive

    • Transmission of structured logs with NXLog’s binary format

  • Improved the im_maculs module for macOS

  • Various observability improvements in xm_admin

NXLog Enterprise Edition 5.2

Release date

18 December 2020

New
  • im_maculs input module for collecting logs from Apple’s Unified Logging System

  • Improvements to the im_pcap module focusing on Industrial Control System protocols:

    • Added support for parsing the S7 and IEC104 protocols

    • Added LLDP parsing for the PROFINET protocol

    • Additional parsing for PROFINET RTC-PDU, PROFINET RTA-PDU and UDP-RTA-PDU

NXLog Enterprise Edition 5.1

Release date

17 September 2020

New
  • xm_python extension module for integrating Python scripts

  • NXLog Manager integration is now enabled by default

  • Individually signed packages for Debian

  • Improvements to the im_pcap module:

    • Added support for parsing the BACNET and PROFINET protocols

    • Improved handling of complex data in Modbus packets

    • The module is now available for Windows

Known issues
  • The xm_python module is currently disabled for Amazon Linux (ARM64).

NXLog Enterprise Edition 5.0

Release date

23 June 2020

New
  • Updates to the core event processing enabled us to increase event throughput by up to 40%

  • Support for collecting logs directly from the systemd journal

  • Support for reading and writing logs to named pipes

  • Support for passive network monitoring

  • Support for resolving SID and GUID values on Windows

  • Support for resolving numeric IDs in Linux audit logs

  • Improved and simplified flow control implementation

  • Improved IP version 6 support

  • Numerous bug fixes and improvements

Upgrading from version 4.x

NXLog Enterprise Edition 5.0 contains substantial configuration file changes. Please make sure to use the new nxlog.conf file provided by the version 5.0 package.

The configuration file managed by NXLog Enterprise Edition, previously located in /opt/nxlog/var/lib/nxlog/log4ensics.conf, has been moved to /opt/nxlog/etc/conf.d/managed.conf in version 5.0.

If you are using NXLog Manager, you must migrate the content of log4ensics.conf to managed.conf and update any NXLog Manager-related configuration in the main nxlog.conf file. Version 5.0 ships with a default nlog.conf file with disabled NXLog Manager integration.

Linux packages automatically migrate log4ensics.conf to managed.conf.

On Solaris, you can back up your current configuration to /opt/nxlog/bin/backup. After removing version 4.x and installing version 5.0, you need to manually migrate your configuration to the new NXLog directory and file structure:

  • /opt/nxlog-backup{date}/lib/nxlog/log4ensics.conf to /opt/nxlog/etc/nxlog.d/managed.conf

  • /opt/nxlog-backup{date}/nxlog/cert/* to /opt/nxlog/var/lib/nxlog/cert/

We streamlined the configuration syntax across a number of network modules to use the ListenAddr and Host directives. The old syntax will be supported in version 5.x but will be retired in version 6.0. Although the old syntax will work in version 5.x, it will result in a deprecation warning in the logs. Please refer to the respective module documentation for configuration details.

Discontinued modules
  • The functionality of om_pattern is now provided by xm_pattern. Migration of the configuration needs to be done manually.

  • The functionality of pm_filter is now included in the base NXLog language with the drop() procedure. See Filtering logs in the NXLog User Guide.

  • The xm_soapadmin module has been replaced by xm_admin and is a drop-in replacement.

  • The im_oci and om_oci modules are no longer supported.

Known issues
  • The Solaris package currently leaves the NXLog process running after reinstalling. Execute pkill nxlog to remedy the problem. This issue will be addressed in a later release.

  • om_kafka is currently suffering from low throughput. In our benchmarks, it was performing at 5k EPS, whereas kafka-console-producer.sh was able to push 100k EPS in the same test. We aim to improve this in the next release.

  • libdrkafka is not currently supported on AIX forcing us to stop building om_kafka on that platform.

  • The Python modules are currently not available on OpenBSD and FreeBSD.

  • The im_systemd module is not available on generic Linux and non-systemd based Linux versions.

  • xm_crypto and xm_zlib limitations:

    • Converters provided by these modules output logs in binary files. Currently, appending to binary files is not possible once the file is closed. Therefore, these modules must rotate the output file on startup.

    • Due to the internal rotation by these modules, they should not be used in conjunction with the file_cycle() procedure of xm_fileop.

    • If NXLog crashes, the content of its output buffers is lost, which could result in data loss. We will be implementing additional safeguards in a future release.

  • When the ListenAddr directive is not specified for network modules, they will default to localhost, leading NXLog to bind to and listen on [::1] on some operating systems.

  • The im_pipe and om_pipe modules create new pipes owned by the user running NXLog. If you need to read or write to the pipe with a different user, you can create the pipe beforehand and set the permissions accordingly using Unix tools (mkfifo, chown, chmod). Existing pipes will not be modified by these modules.

  • The xm_asl extension module causes NXLog to exit with a segmentation fault on macOS.

  • The im_pcap module is not available on OpenBSD due to insufficient demand for this OS. Get in touch with our support if your use-case requires it.