Default templates reference

This reference describes the pre-configured templates included with AgentX.

Context

Default templates provide ready-to-use configurations for common monitoring scenarios. Use these templates as-is for standard deployments or as starting points for custom templates.

Linux templates

vendor_template_linux

Operating system: Debian Linux (Ubuntu 22.04, 20.04, 18.04)

Collection sources:

  • File Collection - Collects logs from flat files

  • File Integrity Scanner - Monitors files and directories for changes

Agent services:

  • OSQuery: Not enabled by default

  • Active Response: Not enabled by default

  • SCA: Not enabled by default

Use case: Lightweight Linux endpoint monitoring without resource-intensive osquery or compliance scans. Suitable for Linux servers where file integrity monitoring is the primary concern.

Log format: Newline-separated only (for multiline logs, enable multiline option)

Typical EPS: 100-300 EPS per endpoint

Windows templates

vendor_template_default_windows

Operating system: Windows Server 2016/2019/2022, Windows 10/11

Collection sources:

  • Windows Eventlog Collection - Collects Windows Event Channels

  • File Collection - Collects logs from flat files

  • File Integrity Scanner - Monitors files and directories

  • Windows Registry Scanner - Monitors registry keys

Agent services:

  • OSQuery: Not enabled by default

  • Active Response: Not enabled by default

  • SCA: Not enabled by default

Use case: Comprehensive Windows monitoring with full visibility into events, file changes, and registry modifications. Suitable for Windows servers requiring deep security monitoring.

Log format: Newline-separated only (for multiline logs, enable multiline option)

Typical EPS: 500-1,500 EPS per endpoint

vendor_template_minimal_windows

Operating system: Windows Server 2016/2019/2022, Windows 10/11

Collection sources:

  • Windows Eventlog Collection - Collects Windows Event Channels

  • File Collection - Collects logs from flat files

Agent services:

  • OSQuery: Not enabled by default

  • Active Response: Not enabled by default

  • SCA: Not enabled by default

Use case: Lightweight Windows monitoring focused on event logs and application logs. Suitable for workstations or servers where registry and file integrity monitoring are not required.

Log format: Newline-separated only (for multiline logs, enable multiline option)

Typical EPS: 200-500 EPS per endpoint

vendor_template_baseline_windows_workstation

Operating system: Windows 10, Windows 10 Pro, Windows 11, Windows 11 Pro

Collection sources:

  • Windows Eventlog Collection - Configured for Security, Application, System, PowerShell, Sysmon, and Microsoft Defender channels

Agent services:

  • OSQuery: Not enabled by default

  • Active Response: Not enabled by default

  • SCA: Not enabled by default

Use case: Threat detection on Windows workstations. Collects security-relevant events for detecting malicious PowerShell execution, suspicious process creation, malware activity, and security violations.

Monitored channels:

  • Security - Authentication and authorization events

  • Application - Application-specific events

  • System - System component and service events

  • PowerShell - PowerShell execution and script block logging

  • Microsoft-Windows-Sysmon/Operational - Sysmon events (requires Sysmon installation)

  • Microsoft-Windows-Windows Defender/Operational - Windows Defender events

Log format: Newline-separated only (for multiline logs, enable multiline option)

Typical EPS: 300-800 EPS per endpoint

Enabling multiline log collection

Default templates collect only newline-separated logs. To collect multiline logs:

  1. Select the template in Settings > Configuration > AgentX > Templates

  2. In File Collection sources, select Is Multiline?

  3. Enter a Multiline Regex pattern matching the start of log entries

  4. Select Save
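The Multiline Regex option works by marking which lines begin a new log entry; every line that does not match is treated as a continuation of the entry before it. The following Python script is an added illustration of that grouping rule, not AgentX's own collector code; the sample log, the timestamp pattern and the function names are constructed for the example.

```python
import re

# Constructed sample: three entries, the second one spanning four lines
# (an application error followed by a Java stack trace).
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO  Service started
2024-05-01 12:00:05 ERROR Request failed
java.lang.NullPointerException: payload was null
    at com.example.Handler.process(Handler.java:42)
    at com.example.Server.run(Server.java:17)
2024-05-01 12:00:09 WARN  Retrying request
"""

# Start-of-entry pattern (assumed): a date/time stamp at column 0.
# This is the kind of expression you would enter as the Multiline Regex.
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def split_entries(text: str, start: re.Pattern = ENTRY_START) -> list[str]:
    """Group raw lines into log entries using a start-of-entry regex.

    A line matching `start` opens a new entry; any other line is appended
    to the current entry. Lines seen before the first match (for example a
    truncated entry at the head of a rotated file) are kept together as a
    leading entry rather than silently dropped.
    """
    entries: list[str] = []
    current: list[str] = []
    for line in text.splitlines():
        if start.search(line) and current:
            entries.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        entries.append("\n".join(current))
    return entries


def event_count(text: str, multiline: bool) -> int:
    """Events a collector would emit from `text`: one per physical line with
    multiline handling off, one per regex-delimited entry with it on."""
    if not multiline:
        return len(text.splitlines())
    return len(split_entries(text))


if __name__ == "__main__":
    # With multiline off the stack trace becomes three orphan events that
    # have no timestamp or severity; with it on, it stays attached to the ERROR.
    print("newline-separated:", event_count(SAMPLE_LOG, multiline=False))
    print("multiline:", event_count(SAMPLE_LOG, multiline=True))
```

If the stack-trace lines arrive as separate events, the regex is matching too little or too much; test it against a captured sample before saving the template.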

Customizing default templates

To customize a default template:

  1. Clone the template by creating a new template with a custom name

  2. Select the same operating system as the default template

  3. Modify collection sources, paths, schedules, or agent services as needed

  4. Save the custom template

Do not modify default templates directly. Cloning preserves the original for future reference.
