circle-info
Welcome to the new Logpoint documentation portal! Can’t find what you’re looking for?
Visit the old documentation portal.arrow-up-right
search

Access Linux logs

Query AgentX logs from Linux endpoints in Logpoint.

hashtag
Prerequisites

  • AgentX collecting logs from Linux endpoints

  • Logs normalized using AgentXUnixCompiledNormalizer

  • Access to Logpoint search interface

hashtag
Unix generic logs

To access generic Unix logs (system logs, application logs, etc.):

"col_type"="LPAgentX" "agentx_agent_os"="linux" "norm_id"="Unix"

hashtag
Unix Sysmon logs

To access Unix Sysmon logs:

"col_type"="LPAgentX" "agentx_agent_os"="linux" "event_source"="Unix-Sysmon"

To filter by Sysmon event type:

"col_type"="LPAgentX" "event_source"="Unix-Sysmon" "system_eventID"=1

Common Unix Sysmon Event IDs:

  • 1 - Process creation

  • 3 - Network connection

  • 5 - Process termination

  • 11 - File creation

hashtag
Unix audit logs

To access Unix audit logs (auditd):

To filter by specific audit event type:

Common audit types: SYSCALL, EXECVE, USER_LOGIN, USER_AUTH

hashtag
Unix Security Configuration Assessment logs

To access Security Configuration Assessment logs:

To filter by assessment result:

hashtag
Unix OSQuery logs

To access OSQuery logs:

hashtag
Unix Active Response logs

To access Active Response logs (automated remediation actions):

hashtag
Unix File Integrity Management logs

To access File Integrity Management logs:

To filter by action type:

Actions: added, modified, deleted

hashtag
Unix NginX logs

To access NginX web server logs:

hashtag
Filter by specific endpoint

To view logs from a specific Linux endpoint:

Replace <hostname> with the endpoint hostname.

hashtag
Filter by time range

To view logs from a specific time period:

This shows logs from the last 24 hours. Adjust the time value as needed (e.g., -1h, -7d, -30d).

hashtag
Next steps

Last updated

Was this helpful?