Templates

Templates define what data AgentX collects from Windows and Linux endpoints. AgentX only collects logs and telemetry specified in the template assigned to each endpoint.

How templates work

When you configure AgentX for a device in Logpoint, you select a template that determines the collection behavior. The template specifies:

  • Which event logs or log files to collect

  • Which files and directories to monitor for integrity changes

  • Which registry keys to monitor (Windows only)

  • How frequently to run security configuration assessments

  • Whether to enable osquery, active response, and security configuration assessment

AgentX Client on the endpoint receives the template configuration from AgentX Server and begins collecting data according to those settings. If you change the template in Logpoint, AgentX Client automatically syncs the new configuration.

Default templates

AgentX includes pre-configured templates for common collection scenarios:

vendor_template_linux Collects logs from file collection and the file integrity scanner on Debian Linux endpoints.

vendor_template_default_windows Collects Windows event logs together with file collection, file integrity scanner, and registry scanner logs from Windows endpoints. This template provides the most comprehensive visibility across Windows systems.

vendor_template_minimal_windows Collects event logs and file collection logs from Windows endpoints. Use this template for lightweight monitoring when registry scanning and file integrity monitoring are not required.

vendor_template_baseline_windows_workstation Collects logs from the Security, Application, System, PowerShell, Sysmon, and Microsoft Defender channels on Windows endpoints. Use this template to detect threats such as malicious PowerShell execution and suspicious process creation. Note that the Sysmon channel exists only where Sysmon is installed, and PowerShell script block logging must be enabled by policy for the PowerShell channel to contain script block events; the template selects these channels but does not create or populate them.

Default templates collect only newline-separated logs. For multiline logs, enable the multiline option in the template configuration.
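The practical difference between newline-separated and multiline collection is easiest to see on a log that contains a stack trace. The following is an added illustration, not AgentX code: the sample log and the timestamp pattern used to recognise the start of an event are constructed here. Without multiline handling every physical line becomes its own event, so the four lines of the traceback arrive as four orphan events with no timestamp and no link to the ERROR line that caused them.

```python
import re

# Constructed sample: an application log in which one ERROR entry continues
# across a multi-line traceback whose lines carry no timestamp.
SAMPLE_LOG = """\
2024-05-01T10:15:01Z INFO service started
2024-05-01T10:15:07Z ERROR request failed
Traceback (most recent call last):
  File "app.py", line 42, in handle
    raise ValueError("bad token")
ValueError: bad token
2024-05-01T10:15:09Z INFO request ok
"""

# Assumed start-of-event marker: an ISO 8601 UTC timestamp at the beginning
# of the line. This must match the application's real timestamp format.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")


def split_events(text, multiline=False):
    """Split raw log text into events.

    multiline=False mirrors newline-separated collection: one event per line.
    multiline=True appends any line that does not look like a new event to
    the previous event, so a traceback stays attached to its ERROR line.
    """
    if not multiline:
        return [line for line in text.splitlines() if line]

    events = []
    for line in text.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


if __name__ == "__main__":
    print(len(split_events(SAMPLE_LOG)), "events when newline-separated")
    for event in split_events(SAMPLE_LOG, multiline=True):
        print("---")
        print(event)
```

The start-of-event pattern is the part that needs care: if it does not match the application's timestamp format, multiline mode glues every line onto the first event, which is worse than the orphan lines it was meant to fix. Check the pattern against a real sample of the log before enabling the option.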

Custom templates

Create custom templates when:

  • Default templates collect too much or too little data

  • You need different collection settings for different endpoint groups

  • You need to collect logs from specific applications or services

  • You need custom registry monitoring paths or file integrity monitoring configurations

Custom templates use the same configuration options as default templates but allow you to specify exactly which data sources, paths, and schedules to use.

Template components

Templates contain one or more of the following collection configurations:

Windows Eventlog Collection (Windows only) Specifies which Windows Event Channels, severity levels, and Event IDs to collect.

File Collection (Windows and Linux) Specifies paths to log files that AgentX should read and forward to Logpoint. Supports both single-line and multi-line logs.

File Integrity Scanner (Windows and Linux) Specifies files and directories to monitor for changes. AgentX detects modifications to content, permissions, ownership, and attributes.

Windows Registry Scanner (Windows only) Specifies registry keys to monitor for changes. AgentX detects modifications to registry values, permissions, and ownership.

Agent Service Configuration (Windows and Linux) Enables osquery for system state queries, active response for automated actions, and security configuration assessment (SCA) for compliance scanning.
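The File Integrity Scanner described above reports four distinct kinds of change: content, permissions, ownership, and attributes. The following added example, which is not AgentX code, shows the baseline-and-compare approach behind that classification so you can reason about what a template's monitored paths will and will not surface. The directory layout and the tampering steps in demo() are constructed for the illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record a content hash, permission bits, ownership and timestamps for every regular file under root."""
    records = {}
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        records[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
        }
    return records


def diff_snapshots(before, after):
    """Return (path, kind) pairs with kind in: added, deleted, content, permissions, ownership, attributes."""
    changes = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes.append((rel, "added"))
        elif rel not in after:
            changes.append((rel, "deleted"))
        else:
            b, a = before[rel], after[rel]
            if b["sha256"] != a["sha256"]:
                changes.append((rel, "content"))
            elif (b["mtime_ns"], b["size"]) != (a["mtime_ns"], a["size"]):
                # Timestamp moved but the hash did not: a touch or a rewrite of identical bytes
                changes.append((rel, "attributes"))
            if b["mode"] != a["mode"]:
                changes.append((rel, "permissions"))
            if (b["uid"], b["gid"]) != (a["uid"], a["gid"]):
                changes.append((rel, "ownership"))
    return changes


def demo():
    """Constructed scenario: baseline a temporary directory, tamper with it, return the detected changes."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "etc" / "app.conf"
        conf.parent.mkdir()
        conf.write_text("debug=false\n")
        os.chmod(conf, 0o644)
        before = snapshot(tmp)

        conf.write_text("debug=true\n")                      # content change
        os.chmod(conf, 0o600)                                 # permission change
        (Path(tmp) / "etc" / "drop.sh").write_text("id\n")   # new file appears
        after = snapshot(tmp)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:12} {path}")
```

Two points carry over to template design. A content change also moves the modification time, so the scanner reports it once as "content" rather than as both content and attributes. Ownership changes require a stat comparison, not a hash, which is why a scanner that only hashes files would miss a chown on a monitored binary.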

Use cases

Baseline Windows workstation monitoring Use vendor_template_baseline_windows_workstation to collect security-relevant events from Windows workstations without the overhead of file integrity monitoring or registry scanning.

Comprehensive Windows server monitoring Use vendor_template_default_windows or create a custom template that includes all collection types to gain full visibility into server activity, file changes, and registry modifications.

Lightweight Linux endpoint monitoring Use vendor_template_linux to collect file integrity events without enabling resource-intensive osquery or SCA scans.

Compliance-focused monitoring Create a custom template that enables SCA and specifies the critical file paths and registry keys relevant to your compliance requirements (for example PCI DSS or NIST SP 800-53).
