Add a normalization policy
Create a normalization policy to parse and standardize AgentX logs using compiled normalizers from AgentX KB.
Prerequisites
AgentX KB installed in Logpoint
CNDP installed in Logpoint (for date format selection)
Administrator access to Logpoint
Understanding of which compiled normalizer applies to your log sources (Windows or Unix)
Procedure
Go to Settings > Configuration and select Normalization Policies.
Select Add.
Enter a Policy Name.
In the normalizer dropdown, select either:
AgentXWindowsCompiledNormalizer - For Windows log sources
AgentXUnixCompiledNormalizer - For Unix/Linux log sources
Select Submit.
Expected outcome
The new normalization policy appears in the Normalization Policies list and can be selected when configuring processing policies for AgentX devices.
Verification
Go to Settings > Configuration and select Normalization Policies.
Verify that your new policy appears in the list.
Select the policy name to review the configuration.
Configuration guidelines
Create separate policies for Windows and Unix
Always create separate normalization policies for Windows and Unix log sources. The compiled normalizers are optimized for different log formats and cannot be used interchangeably.
Use descriptive policy names
Name policies based on the log source type they process (e.g., AgentX_Windows_Normalization, AgentX_Linux_Normalization).
Compiled normalizers support multiple sources
Each compiled normalizer handles multiple log source types:
AgentXWindowsCompiledNormalizer processes:
Windows Security Auditing
MSSQL
Windows Sysmon
Generic Windows logs
Active Response
File Integrity Management
Security Configuration Assessment
OSQuery
DNS Server
DHCP
PowerShell
IIS
Exchange Message Tracking
AgentXUnixCompiledNormalizer processes:
Unix Sysmon
Unix Audit Logs
Unix Generic logs
Security Configuration Assessment
Active Response
File Integrity Management
OSQuery
NginX