NXLog can collect various types of Linux logs on GNU/Linux platforms. For deployment details, see the supported Linux platforms and the corresponding installation page for RHEL/CentOS, Debian/Ubuntu, or SLES. Notes are also available about hardening and monitoring on Linux.
- Custom programs and scripts
The im_exec module allows log data to be collected from custom external programs. The im_go module provides support for collecting log data with methods written in the Go language (Golang). The im_perl, im_python and im_ruby modules can also be used to implement integration with custom data sources or sources that are not supported out-of-the-box.
The perlfcount add-on can be used to collect system information and statistics on Linux platforms.
- DNS Monitoring
DNS logs can be collected from BIND 9 on Linux.
- File Integrity Monitoring
File and directory changes can be detected and logged for auditing with the im_fim module. See File integrity monitoring on Linux.
The im_kernel module reads logs directly from the kernel log buffer. These logs can be parsed with xm_syslog. See the Linux system logs section.
- Linux Audit System
The im_linuxaudit module can be used to collect Audit System logs directly from the kernel without using
auditdor temporary log files. Audit logs can also be collected from file with im_file, or over the network by using im_tcp in conjunction with
audisp-remote(a plugin for the audit event dispatcher daemon,
audispd, that performs remote logging). See Linux Audit System for more details.
- Local syslog
Messages written to
/dev/logcan be collected with the im_uds module. Events written to file in Syslog format can be collected with im_file. In each case, the xm_syslog module can be used to parse the events. See the Linux system logs and Collecting and Parsing Syslog sections for more information.
- Log databases
Events can be read from databases with the im_dbi and im_odbc modules.
- Log files
The im_file module can be used to collect events from log files.
- Process Accounting
The im_acct module can be used to gather details about which owner (user and group) runs what processes. This overlaps with Audit System logging.