Access Linux logs

Query AgentX logs from Linux endpoints in Logpoint.

Prerequisites

  • AgentX collecting logs from Linux endpoints

  • Logs normalized using AgentXUnixCompiledNormalizer

  • Access to Logpoint search interface

Unix generic logs

To access generic Unix logs (system logs, application logs, etc.):

"col_type"="LPAgentX" "agentx_agent_os"="linux" "norm_id"="Unix"

Unix Sysmon logs

To access Unix Sysmon logs:

"col_type"="LPAgentX" "agentx_agent_os"="linux" "event_source"="Unix-Sysmon"

To filter by Sysmon event type:

"col_type"="LPAgentX" "event_source"="Unix-Sysmon" "system_eventID"=1

Common Unix Sysmon Event IDs:

  • 1 - Process creation

  • 3 - Network connection

  • 5 - Process termination

  • 11 - File creation
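The following helper is an added example and not part of the Logpoint documentation: it assembles the AgentX Linux queries listed above from Python so that the quoting rules are applied consistently (string values double-quoted, numeric values such as system_eventID left bare). It keeps the "agentx_agent_os"="linux" filter on every query, including the per-event-ID one, and refuses values containing a double quote because the page documents no escape syntax.

```python
# Added example (not Logpoint's own code): build the AgentX Linux search
# queries shown on this page with consistent field/value quoting.
from typing import Mapping, Optional, Union

# Sysmon for Linux event IDs listed on the page (constructed lookup table).
SYSMON_EVENTS = {
    1: "Process creation",
    3: "Network connection",
    5: "Process termination",
    11: "File creation",
}

# Every AgentX Linux query on the page starts with these two filters.
BASE_FILTERS = {"col_type": "LPAgentX", "agentx_agent_os": "linux"}


def _term(field: str, value: Union[str, int]) -> str:
    """Render one "field"=value term in Logpoint search syntax."""
    if isinstance(value, bool) or not isinstance(value, (str, int)):
        raise TypeError(f"unsupported value type for {field}: {type(value).__name__}")
    if isinstance(value, int):
        # Numeric values are unquoted, as in "system_eventID"=1 on the page.
        return f'"{field}"={value}'
    if '"' in value or "\n" in value:
        # No escape syntax is documented here, so refuse rather than guess.
        raise ValueError(f"value for {field} contains a quote or newline: {value!r}")
    return f'"{field}"="{value}"'


def build_query(extra: Mapping[str, Union[str, int]]) -> str:
    """Join the base AgentX/Linux filters with caller-supplied terms.

    Adjacent terms are ANDed, matching the space-separated queries above.
    """
    terms = {**BASE_FILTERS, **extra}
    return " ".join(_term(f, v) for f, v in terms.items())


def unix_generic_query() -> str:
    """Generic Unix logs (system, application) normalized as norm_id=Unix."""
    return build_query({"norm_id": "Unix"})


def sysmon_query(event_id: Optional[int] = None) -> str:
    """Unix Sysmon logs, optionally narrowed to one system_eventID."""
    extra = {"event_source": "Unix-Sysmon"}
    if event_id is not None:
        if event_id < 0:
            raise ValueError(f"invalid Sysmon event ID {event_id}")
        extra["system_eventID"] = event_id
    return build_query(extra)
```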

Unix audit logs

To access Unix audit logs (auditd):

To filter by specific audit event type:

Common audit types: SYSCALL, EXECVE, USER_LOGIN, USER_AUTH

Unix Security Configuration Assessment logs

To access Security Configuration Assessment logs:

To filter by assessment result:

Unix OSQuery logs

To access OSQuery logs:

Unix Active Response logs

To access Active Response logs (automated remediation actions):

Unix File Integrity Management logs

To access File Integrity Management logs:

To filter by action type:

Actions: added, modified, deleted

Unix NginX logs

To access NginX web server logs:

Filter by specific endpoint

To view logs from a specific Linux endpoint:

Replace <hostname> with the endpoint hostname.

Filter by time range

To view logs from a specific time period:

This shows logs from the last 24 hours. Adjust the time value as needed (e.g., -1h, -7d, -30d).
