Access Windows logs

Query AgentX logs from Windows endpoints in Logpoint.

Prerequisites

AgentX collecting logs from Windows endpoints
Logs normalized using AgentXWindowsCompiledNormalizer
Access to Logpoint search interface

Windows logs

To access all collected Windows logs:

"col_type"="LPAgentX" "agentx_agent_os"="windows"

Windows generic logs

To access generic Windows logs (third-party applications, web servers, DNS, DHCP, etc.):

"col_type"="LPAgentX" "norm_id"="WinServer"

Windows Event Channel logs

To access Windows Event Channel logs (system, security, application, etc.):

"col_type"="LPAgentX" "location"="EventChannel"

To filter by specific channel:

"col_type"="LPAgentX" "location"="EventChannel" "system_channel"="Security"

Common channels: Security, System, Application, PowerShell

Windows Sysmon logs

To access Windows Sysmon logs:

"col_type"="LPAgentX" "event_source"="Microsoft-Windows-Sysmon"

To filter by Sysmon event type:

"col_type"="LPAgentX" "event_source"="Microsoft-Windows-Sysmon" "system_eventID"=1

Common Sysmon Event IDs:

1 - Process creation
3 - Network connection
7 - Image loaded (DLL)
8 - CreateRemoteThread
11 - File created

Windows Security Auditing logs

To access Windows Security Auditing logs:

"col_type"="LPAgentX" "event_source"="Microsoft-Windows-Security-Auditing"

To filter by specific Event ID:

"col_type"="LPAgentX" "event_source"="Microsoft-Windows-Security-Auditing" "system_eventID"=4624

Common Security Event IDs:

4624 - Successful logon
4625 - Failed logon
4688 - Process creation
4720 - User account created
4732 - User added to security group

Windows Security Configuration Assessment logs

To access Security Configuration Assessment logs:

"col_type"="LPAgentX" "agentx_agent_os"="windows" "event_source"="Security-Configuration-Assessment"

To filter by assessment result:

"col_type"="LPAgentX" "event_source"="Security-Configuration-Assessment" "check_result"="failed"

Windows OSQuery logs

To access OSQuery logs:

"col_type"="LPAgentX" "agentx_agent_os"="windows" "event_source"="OSQuery"

Windows Active Response logs

To access Active Response logs (automated remediation actions):

"col_type"="LPAgentX" "agentx_agent_os"="windows" "event_source"="Active-Response"

Windows File Integrity Management logs

To access File Integrity Management logs:

"col_type"="LPAgentX" "agentx_agent_os"="windows" "event_source"="File-Integrity-Management"

To filter by action type:

"col_type"="LPAgentX" "event_source"="File-Integrity-Management" "syscheck_event"="modified"

Actions: added, modified, deleted

Windows DNS Server logs

To access Windows DNS Server logs:

"col_type"="LPAgentX" "norm_id"="WindowsDNS"

Windows IIS logs

To access Windows IIS logs:

"col_type"="LPAgentX" "norm_id"="WindowsIIS"

Windows DHCP logs

To access Windows DHCP logs:

"col_type"="LPAgentX" "norm_id"="WindowsDHCP"

Windows MSSQL logs

To access Microsoft SQL Server logs:

"col_type"="LPAgentX" "norm_id"="WindowsMSSQL"

Filter by specific endpoint

To view logs from a specific Windows endpoint:

"col_type"="LPAgentX" "agentx_agent_os"="windows" "agentx_agent"="<hostname>"

Replace <hostname> with the endpoint hostname.

Next steps

Last updated 19 days ago

Was this helpful?

Good morning

hashtagPrerequisites

hashtagWindows logs

hashtagWindows generic logs

hashtagWindows Event Channel logs

hashtagWindows Sysmon logs

hashtagWindows Security Auditing logs

hashtagWindows Security Configuration Assessment logs

hashtagWindows OSQuery logs

hashtagWindows Active Response logs

hashtagWindows File Integrity Management logs

hashtagWindows DNS Server logs

hashtagWindows IIS logs

hashtagWindows DHCP logs

hashtagWindows MSSQL logs

hashtagFilter by specific endpoint

hashtagNext steps