NXLog User Guide

The im_exec module allows log data to be collected from custom external programs.

DHCP logging can be set up for Windows DHCP Server, using the im_file module if reading DHCP audit logs directly from CSV files. Alternatively, the im_msvistalog module can be used to collect DHCP Server or Client event logs from the built in channels in Windows Event Log.

DNS logging can be set up for Windows DNS Server, using either ETW tracing or debug logging.

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity Monitoring on Windows.

Events can be read from databases with the im_odbc module. Some products write logs into SQL Server databases; see the Microsoft System Center Operations Manager section for example.

The im_file module can be used to collect events from log files.

Troubleshoot Active Directory domain controllers by integrating DCs as log sources.

Logs generated by Microsoft Exchange can be used as a source for log collection with many log types supported.

IIS can be configured to write logs in W3C format, which can be read with im_file and parsed with xm_w3c or xm_csv. Other formats can be parsed with other methods; see Microsoft IIS.

Capture logs directly from Microsoft .NET applications using third-party utilities.

Collect the many different types of logs generated by Microsoft SharePoint, parse the ULS into another format and send.

Log messages can be collected from the Microsoft SQL Server error log files with the im_file module. See Microsoft SQL Server.

Logs recorded in Microsoft System Center Operations Manager databases can be collected with the im_odbc module.

The Windows Registry can be monitored for changes; see the im_regmon module. For an example ruleset, see the regmon-rules add-on.

Windows EventLog data can be converted to Snare format if necessary for a third-party integration.

Many additional audit events can be generated with the Sysmon utility, including process creation, system driver loading, network connections, and modification of file creation timestamps. These events are written to the EventLog. See the Sysmon section for more information.

Collecting event logs from Windows AppLocker is supported by using the im_msvistalog or the other Windows Event Log modules.

Events logged through ETW can be collected with the im_etw module. This includes events logged to the Analytical and Debug logs.

See the Windows Event Log section, which covers both local and remote event collection with the im_msvistalog, im_wseventing, im_mseventlog, and im_wmi modules.

Windows Firewall logs can be collected with the im_file module from the Advanced Security log. In addition, the im_msvistalog module can be used to collect Windows Firewall events from Windows Event Log.

WMI event logs can be read directly from Windows Event Log by using the im_msvistalog module. In addition, WMI events can also be collected via ETW directly using the im_etw module. Reading WMI log files utilizing the im_file module is also supported.

The im_winperfcount module can be used for collecting data such as CPU and memory usage.

PowerShell scripts can be integrated for log processing tasks and configuration generation (for example, Azure SQL Database); see Using PowerShell Scripts. It is also possible to collect Powershell activity logs.