34. GNU/Linux

NXLog can collect various types of system logs on GNU/Linux platforms. For deployment details, see the supported Linux platforms and the corresponding installation page for RHEL/CentOS, Debian/Ubuntu, or SLES. Notes are also available about hardening and monitoring NXLog on Linux.

Custom Programs and Scripts

The im_exec module allows log data to be collected from custom external programs. The im_perl, im_python, and im_ruby modules can also be used to integrate custom data sources, or sources that are not supported out of the box.

The Perlfcount add-on can be used to collect system information and statistics on Linux platforms.

DNS Monitoring

Logs can be collected from BIND 9 on Linux.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See Monitoring on Linux.

Kernel

The im_kernel module reads logs directly from the kernel log buffer. These logs can be parsed with xm_syslog. See the Linux System Logs section.

Linux Audit System

The im_linuxaudit module can be used to collect Audit System logs directly from the kernel without using auditd or temporary log files. Audit logs can also be collected from files with im_file, or over the network with the Audit Dispatcher, the audisp-remote plugin, and im_tcp. See Linux Audit System for more details.

Local Syslog

Messages written to /dev/log can be collected with the im_uds module. Events written to files in Syslog format can be collected with im_file. In each case, the xm_syslog module can be used to parse the events. See the Linux System Logs and Collecting and Parsing Syslog sections for more information.
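The Kernel and Local Syslog sections above describe the same pattern: an input module delivers raw lines, and xm_syslog turns them into structured fields. The following configuration is an added example (not taken from the NXLog documentation) that applies it to both sources at once; the instance names and the output path are assumptions.

```nxlog
# Added example: collect local syslog and kernel messages on Linux.
# Instance names and the output path are assumptions, not NXLog defaults.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

# Messages that local processes write to /dev/log (BSD syslog format)
<Input local_syslog>
    Module      im_uds
    UDS         /dev/log
    Exec        parse_syslog_bsd();
</Input>

# Messages read directly from the kernel log buffer
<Input kernel>
    Module      im_kernel
    Exec        parse_syslog_bsd();
</Input>

# Both streams end up as one JSON record per event, keeping the parsed
# fields ($SyslogFacilityValue, $SyslogSeverityValue, $Message, ...)
<Output linux_json>
    Module      om_file
    File        "/var/log/nxlog/linux-system.json"
    Exec        to_json();
</Output>

<Route linux>
    Path        local_syslog, kernel => linux_json
</Route>
```

Only one process can own the /dev/log socket, so the existing syslog daemon must be stopped or reconfigured before im_uds can bind it.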

Log Databases

Events can be read from databases with the im_dbi, im_oci, and im_odbc modules.

Log Files

The im_file module can be used to collect events from log files.

Process Accounting

The im_acct module can be used to gather details about who runs what processes. This overlaps with Audit System logging.