The im_exec module allows log data to be collected from custom external programs. The im_go module provides support for collecting log data with methods written in the Go language (Golang). The im_perl, im_python and im_ruby modules can also be used to implement integration with custom data sources or sources that are not supported out-of-the-box.

DNS logs can be collected from BIND 9 on Linux.

File and directory changes can be detected and logged for auditing with the im_fim module. See File integrity monitoring on Linux.

The im_kernel module reads logs directly from the kernel log buffer. These logs can be parsed with xm_syslog. See the Linux system logs section.

The im_linuxaudit module can be used to collect Audit System logs directly from the kernel without using auditd or temporary log files. Audit logs can also be collected from file with im_file, or over the network by using im_tcp in conjunction with audisp-remote (a plugin for the audit event dispatcher daemon, audispd, that performs remote logging). See Linux Audit System for more details.

Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog format can be collected with im_file. In each case, the xm_syslog module can be used to parse the events. See the Linux system logs and Collecting and Parsing Syslog sections for more information.

Events can be read from databases with the im_dbi and im_odbc modules.

The im_file module can be used to collect events from log files.

The im_acct module can be used to gather details about which owner (user and group) runs what processes. This overlaps with Audit System logging.