4. Available Modules
The following modules are provided with NXLog. Modules which are only available in NXLog Enterprise Edition are noted.
4.1. Extension Modules
The following extension (xm_*) modules are available.
| Module | Description |
|---|---|
| xm_admin — Remote Management (Enterprise Edition only) | Adds secure remote administration capabilities to NXLog using SOAP or JSON over HTTP/HTTPS. |
| xm_aixaudit — AIX Auditing (Enterprise Edition only) | Parses AIX audit events that have been written to file. |
| xm_asl — Apple System Logs (Enterprise Edition only) | Parses events in the Apple System Log (ASL) format. |
| xm_bsm — Basic Security Module Auditing (Enterprise Edition only) | Parses events written to file in Sun’s Basic Security Module (BSM) Auditing binary format. |
| xm_cef — CEF (Enterprise Edition only) | Provides functions for generating and parsing data in the Common Event Format (CEF) used by HP ArcSight™ products. |
| xm_charconv — Character Set Conversion | Provides functions and procedures for converting strings between different character sets (code pages). |
| xm_csv — CSV | Provides functions and procedures for processing data formatted as comma-separated values (CSV), and for converting CSV data into fields. |
| xm_exec — External Program Execution | Passes log data through a custom external program for processing, either synchronously or asynchronously. |
| xm_filelist — File Lists (Enterprise Edition only) | Implements file-based blacklisting or whitelisting. |
| xm_fileop — File Operations | Provides functions and procedures to manipulate files. |
| xm_gelf — GELF | Provides an output writer function for generating output in Graylog Extended Log Format (GELF) for Graylog2 or other GELF-compliant tools. |
| xm_grok — Grok Patterns (Enterprise Edition only) | Provides support for parsing events with Grok patterns. |
| xm_json — JSON | Provides functions and procedures to process data that is formatted as JSON (JavaScript Object Notation). |
| xm_kvp — Key-Value Pairs | Provides functions and procedures to parse and generate data that is formatted as key-value pairs. |
| xm_leef — LEEF (Enterprise Edition only) | Provides functions for parsing and generating data in the Log Event Extended Format (LEEF), which is used by IBM Security QRadar products. |
| xm_msdns — DNS Server Debug Log Parsing (Enterprise Edition only) | Parses Microsoft Windows DNS Server debug logs. |
| xm_multiline — Multi-Line Message Parser | Parses log entries that span multiple lines. |
| xm_netflow — NetFlow (Enterprise Edition only) | Provides a parser for NetFlow payloads collected over UDP. |
| xm_nps — NPS (Enterprise Edition only) | Provides functions and procedures for processing data in the NPS Database Format that Microsoft RADIUS services store in files. |
| xm_pattern — Pattern Matcher (Enterprise Edition only) | Applies advanced pattern matching logic to log data, which can give greater performance than normal regular expression statements. Replaces pm_pattern. |
| xm_perl — Perl | Processes log data using Perl. |
| xm_python — Python (Enterprise Edition only) | Processes log data using Python. |
| xm_resolver — Resolver (Enterprise Edition only) | Resolves identifiers that appear in log messages into more meaningful equivalents, including IP addresses to host names and group/user IDs to friendly names. |
| xm_rewrite — Rewrite (Enterprise Edition only) | Transforms event records by modifying or discarding specific fields. |
| xm_ruby — Ruby (Enterprise Edition only) | Processes log data using Ruby. |
| xm_snmp — SNMP Traps (Enterprise Edition only) | Parses SNMPv1 and SNMPv2c trap messages. |
| xm_soapadmin — Remote Management (Enterprise Edition only) | Adds secure remote administration capabilities to NXLog using SOAP (web services) over HTTP/HTTPS. |
| xm_stdinpw — Passwords on Standard Input (Enterprise Edition only) | Reads passwords from standard input, so that they need not be stored in the configuration file. |
| xm_syslog — Syslog | Provides helpers to parse and generate the BSD Syslog format defined by RFC 3164 and the IETF Syslog format defined by RFC 5424. |
| xm_w3c — W3C (Enterprise Edition only) | Parses data in the W3C Extended Log File Format, the Bro format, and Microsoft Exchange Message Tracking logs. |
| xm_wtmp — WTMP | Provides a parser function to process binary wtmp files. |
| xm_xml — XML | Provides functions and procedures to process data that is formatted as XML. |
4.2. Input Modules
The following input (im_*) modules are available.
| Module | Description |
|---|---|
| im_acct — BSD/Linux Process Accounting (Enterprise Edition only) | Collects process accounting logs from a Linux or BSD kernel. |
| im_aixaudit — AIX Auditing (Enterprise Edition only) | Collects AIX audit events directly from the kernel. |
| im_azure — Azure (Enterprise Edition only) | Collects logs from Microsoft Azure applications. |
| im_batchcompress — Batched Compression over TCP or SSL (Enterprise Edition only) | Provides a compressed network transport for incoming messages with optional SSL/TLS encryption. Pairs with the om_batchcompress output module. |
| im_bsm — Basic Security Module Auditing (Enterprise Edition only) | Collects audit events directly from the kernel using Sun’s Basic Security Module (BSM) Auditing API. |
| im_checkpoint — Check Point OPSEC (Enterprise Edition only) | Collects logs remotely from Check Point devices over the OPSEC LEA protocol. |
| im_dbi — DBI | Collects log data by reading from an SQL database using the libdbi library. |
| im_etw — Event Tracing for Windows (ETW) (Enterprise Edition only) | Implements ETW controller and consumer functionality in order to collect events from the ETW system. |
| im_exec — Program | Collects log data by executing a custom external program. The standard output of the program forms the log data. |
| im_file — File | Collects log data from a file on the local file system. |
| im_fim — File Integrity Monitoring (Enterprise Edition only) | Scans files and directories and reports detected changes. |
| im_http — HTTP/HTTPS (Enterprise Edition only) | Accepts incoming HTTP or HTTPS connections and collects log events from client POST requests. |
| im_internal — Internal | Collects NXLog’s own internal log messages. |
| im_kafka — Apache Kafka (Enterprise Edition only) | Implements a consumer for collecting from a Kafka cluster. |
| im_kernel — Kernel (Enterprise Edition only for some platforms) | Collects log data from the kernel log buffer. |
| im_linuxaudit — Linux Audit System (Enterprise Edition only) | Configures and collects events from the Linux Audit System. |
| im_mark — Mark | Outputs 'boilerplate' log data periodically to indicate that the logger is still running. |
| im_mseventlog — Windows EventLog for Windows XP/2000/2003 | Collects EventLog messages on the Windows platform. |
| im_msvistalog — Windows EventLog for Windows 2008/Vista and later | Collects EventLog messages on the Windows platform. |
| im_null — Null | Acts as a dummy log input module, which generates no log data. You can use this for testing purposes. |
| im_oci — OCI (Enterprise Edition only) | Reads log messages from an Oracle database. |
| im_odbc — ODBC (Enterprise Edition only) | Uses the ODBC API to read log messages from database tables. |
| im_perl — Perl (Enterprise Edition only) | Captures event data directly into NXLog using Perl code. |
| im_python — Python (Enterprise Edition only) | Captures event data directly into NXLog using Python code. |
| im_redis — Redis (Enterprise Edition only) | Retrieves data stored in a Redis server. |
| im_regmon — Windows Registry Monitoring (Enterprise Edition only) | Periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected. |
| im_ruby — Ruby (Enterprise Edition only) | Captures event data directly into NXLog using Ruby code. |
| im_ssl — SSL/TLS | Collects log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). |
| im_tcp — TCP | Collects log data over a TCP network connection. |
| im_testgen — Test Generator | Generates log data for testing purposes. |
| im_udp — UDP | Collects log data over a UDP network connection. |
| im_uds — Unix Domain Socket | Collects log data over a Unix domain socket (typically /dev/log). |
| im_winperfcount — Windows Performance Counters (Enterprise Edition only) | Periodically retrieves the values of the specified Windows Performance Counters to create an event record. |
| im_wmi — Windows Management Instrumentation (Enterprise Edition only) | Collects EventLog messages from Windows platforms supporting WMI mode. |
| im_wseventing — Windows Event Forwarding (Enterprise Edition only) | Collects EventLog messages from Windows clients that have Windows Event Forwarding configured. |
| im_zmq — ZeroMQ (Enterprise Edition only) | Provides incoming message transport over ZeroMQ, a scalable high-throughput messaging library. |
4.3. Processor Modules
The following processor (pm_*) modules are available.
| Module | Description |
|---|---|
| pm_blocker — Blocker | Blocks log data from progressing through a route. You can use this module for testing purposes, to simulate a blocked route. |
| pm_buffer — Buffer | Caches messages in an in-memory or disk-based buffer before forwarding them. This module is useful in combination with UDP data inputs. |
| pm_evcorr — Event Correlator | Performs log actions based on relationships between events. |
| pm_filter — Filter | Forwards the log data only if the condition specified in the Filter module configuration evaluates to true. This module has been deprecated. Use the NXLog language drop() procedure instead. |
| pm_hmac — HMAC Message Integrity (Enterprise Edition only) | Protects messages with HMAC cryptographic checksums. This module has been deprecated. |
| pm_hmac_check — HMAC Message Integrity Checker (Enterprise Edition only) | Checks HMAC cryptographic checksums on messages. This module has been deprecated. |
| pm_norepeat — Message De-Duplicator | Drops messages that are identical to previously-received messages. This module has been deprecated. This functionality can be implemented with module variables. |
| pm_null — Null | Acts as a dummy log processing module, which does not transform the log data in any way. You can use this module for testing purposes. |
| pm_pattern — Pattern Matcher | Applies advanced pattern matching logic to log data, which can give greater performance than normal regular expression statements in |
| pm_transformer — Message Format Converter | Provides parsers for various log formats, and converts between them. This module has been deprecated. Use the xm_syslog, xm_csv, xm_json, and xm_xml modules instead. |
| pm_ts — Timestamping (Enterprise Edition only) | Adds cryptographic Time-Stamp signatures to messages. This module has been deprecated. |
4.4. Output Modules
The following output (om_*) modules are available.
| Module | Description |
|---|---|
| om_batchcompress — Batched Compression over TCP or SSL (Enterprise Edition only) | Provides a compressed network transport for outgoing messages with optional SSL/TLS encryption. Pairs with the im_batchcompress input module. |
| om_blocker — Blocker | Blocks log data from being written. You can use this module for testing purposes, to simulate a blocked route. |
| om_dbi — DBI | Stores log data in an SQL database using the libdbi library. |
| om_elasticsearch — Elasticsearch (Enterprise Edition only) | Stores logs in an Elasticsearch server. |
| om_eventdb — EventDB (Enterprise Edition only) | Uses libdrizzle to insert log message data into a MySQL database with a special schema. |
| om_exec — Program | Writes log data to the standard input of a custom external program. |
| om_file — File | Writes log data to a file on the file system. |
| om_http — HTTP/HTTPS | Sends events over HTTP or HTTPS using POST requests. |
| om_kafka — Apache Kafka (Enterprise Edition only) | Implements a producer for publishing to a Kafka cluster. |
| om_null — Null | Acts as a dummy log output module. The output is not written or sent anywhere. You can use this module for testing purposes. |
| om_oci — OCI (Enterprise Edition only) | Writes log messages to an Oracle database. |
| om_odbc — ODBC (Enterprise Edition only) | Uses the ODBC API to write log messages to database tables. |
| om_perl — Perl (Enterprise Edition only) | Uses Perl code to handle output log messages from NXLog. |
| om_python — Python (Enterprise Edition only) | Uses Python code to handle output log messages from NXLog. |
| om_raijin — Raijin (Enterprise Edition only) | Stores log messages in a Raijin server. |
| om_redis — Redis (Enterprise Edition only) | Stores log messages in a Redis server. |
| om_ruby — Ruby (Enterprise Edition only) | Uses Ruby code to handle output log messages from NXLog. |
| om_ssl — SSL/TLS | Sends log data over a TCP connection that is secured with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). |
| om_tcp — TCP | Sends log data over a TCP connection to a remote host. |
| om_udp — UDP | Sends log data over a UDP connection to a remote host. |
| om_udpspoof — UDP with IP Spoofing (Enterprise Edition only) | Sends log data over a UDP connection, and spoofs the source IP address to make packets appear as if they were sent from another host. |
| om_uds — UDS | Sends log data to a Unix domain socket. |
| om_webhdfs — WebHDFS (Enterprise Edition only) | Stores log data in Hadoop HDFS using the WebHDFS protocol. |
| om_zmq — ZeroMQ (Enterprise Edition only) | Provides outgoing message transport over ZeroMQ, a scalable high-throughput messaging library. |
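The tables above list the modules one by one. The configuration below is an added example written for this page (it is not a file shipped with NXLog) that wires one module from each category into a single route: xm_syslog parses the events and re-serialises them, im_file reads them from a log file, pm_buffer absorbs bursts when the collector is slow, and om_ssl delivers them over TLS with the collector's certificate verified. It also shows the Exec-based replacements for the two deprecated processors noted in section 4.3: drop() in place of pm_filter, and module variables in place of pm_norepeat. The log file path, the regular expression, the collector host name and port, and the three certificate paths are assumptions.

```nxlog
# Added example for this page, not a configuration shipped with NXLog.
# Assumed: /var/log/auth.log exists, logs.example.internal:6514 is a
# TLS syslog collector, and the three PEM files below are present.

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input auth>
    Module  im_file
    File    "/var/log/auth.log"
    SavePos TRUE
    # Split each BSD syslog line into $SyslogFacility, $SyslogSeverity,
    # $Hostname, $SourceName, $Message and the other standard fields.
    Exec    parse_syslog();
    # Replacement for the deprecated pm_filter: discard noise with drop()
    # in the input module's own Exec rather than in a separate processor.
    Exec    if $Message =~ /^pam_unix\(cron:session\)/ drop();
    # Replacement for the deprecated pm_norepeat: keep the last message in
    # a module variable and drop an event identical to the one before it.
    Exec    if defined get_var('last') and get_var('last') == $Message { drop(); } else { set_var('last', $Message); }
</Input>

<Processor buffer>
    Module    pm_buffer
    # Disk-backed buffer (sizes in KB) so a slow or unreachable collector
    # does not block the input.
    Type      Disk
    MaxSize   65536
    WarnLimit 32768
</Processor>

<Output collector>
    Module         om_ssl
    Host           logs.example.internal
    Port           6514
    CAFile         /etc/nxlog/ca.pem
    CertFile       /etc/nxlog/agent-cert.pem
    CertKeyFile    /etc/nxlog/agent-key.pem
    # FALSE (the default) makes om_ssl verify the collector's certificate
    # against CAFile. TRUE would accept any certificate, which removes the
    # reason for choosing om_ssl over om_tcp.
    AllowUntrusted FALSE
    # Re-serialise as RFC 5424 so the collector receives the parsed fields.
    Exec           to_syslog_ietf();
</Output>

<Route auth_to_collector>
    Path auth => buffer => collector
</Route>
```

Two caveats on the replacements for the deprecated processors. The module-variable de-duplication only suppresses an event that is identical to the one immediately before it, and its state lives in the memory of that one module, so it is lost on restart and is not shared between inputs. And because Exec statements run in order, the drop() filter must come after parse_syslog(), otherwise $Message is not yet set and the pattern never matches.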