GNU/Linux

NXLog can collect various types of Linux logs on GNU/Linux platforms. For deployment details, see the supported Linux platforms and the corresponding installation page for RHEL/CentOS, Debian/Ubuntu, or SLES. Notes are also available about hardening and monitoring on Linux.

Custom programs and scripts

The im_exec module allows log data to be collected from custom external programs. The im_go module provides support for collecting log data with methods written in the Go language (Golang). The im_perl, im_python and im_ruby modules can also be used to implement integration with custom data sources or sources that are not supported out-of-the-box.

The perlfcount add-on can be used to collect system information and statistics on Linux platforms.

DNS Monitoring

DNS logs can be collected from BIND 9 on Linux.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File integrity monitoring on Linux.

Kernel

The im_kernel module reads logs directly from the kernel log buffer. These logs can be parsed with xm_syslog. See the Linux system logs section.

Linux Audit System

The im_linuxaudit module can be used to collect Audit System logs directly from the kernel without using auditd or temporary log files. Audit logs can also be collected from file with im_file, or over the network by using im_tcp in conjunction with audisp-remote (a plugin for the audit event dispatcher daemon, audispd, that performs remote logging). See Linux Audit System for more details.

Local syslog

Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog format can be collected with im_file. In each case, the xm_syslog module can be used to parse the events. See the Linux system logs and Collecting and Parsing Syslog sections for more information.

Log databases

Events can be read from databases with the im_dbi and im_odbc modules.

Log files

The im_file module can be used to collect events from log files.

Process Accounting

The im_acct module can be used to gather details about which owner (user and group) runs what processes. This overlaps with Audit System logging.