AgentX overview
What is AgentX?
AgentX is an endpoint monitoring and response solution that enables security teams to detect threats, investigate suspicious activity, and respond to incidents across Windows and Linux environments in real time.
How it works
AgentX collects logs and telemetry from endpoints, enriches them with security context, and forwards them to Logpoint SIEM for analysis. The system operates in a client-server architecture where AgentX Clients on endpoints communicate with AgentX Server in Logpoint.
When you install AgentX Client on an endpoint, it begins collecting data according to configured templates. The client bundles OSSEC for security event collection and osquery for system state queries. Data flows through AgentX Server to AgentX Manager, where compiled normalizers process and standardize the logs before storage in Logpoint.
Key components
AgentX Server: Manages communication with AgentX Clients and coordinates data collection across all registered endpoints.
AgentX Manager: Collects and analyzes logs from Windows or Debian Linux endpoints, applying processing policies and normalization rules.
AgentX Client: Runs on Windows or Linux endpoints to collect logs, monitor file integrity, and execute security configuration assessments. Includes OSSEC and osquery.
AgentX KB: Contains compiled normalizers for log processing, pre-built dashboards for visualization, and search templates for common security investigations.
OSSEC: Collects security events, alerts, and anomalies from monitored systems. Integrated with AgentX Client.
osquery: Exposes endpoint data as SQL-queryable tables, enabling real-time system state queries and investigation.
Capabilities
Log and telemetry collection
AgentX collects Windows Event Logs, Linux system logs, and application logs from services like IIS, DHCP, and DNS. You can collect logs stored as flat files or from event channels.
File and registry monitoring
File Integrity Monitoring (FIM) detects changes to file content, permissions, ownership, and attributes. On Windows, AgentX also monitors registry modifications. Both capabilities identify which users or applications made changes.
Security configuration assessment
AgentX scans endpoints against CIS Critical Security Controls v8 and provides assessment reports with remediation steps for policy violations and configuration issues.
Compliance enrichment
Logs are enriched with compliance mappings for GDPR, NIST 800-53, and PCI-DSS. You can also define custom compliance rules.
MITRE ATT&CK enrichment
AgentX automatically enriches incoming logs with MITRE ATT&CK framework data, including attack categories, IDs, and tactics, techniques, and procedures (TTPs).
Use cases
Detecting unauthorized file changes: Monitor critical system files and directories to detect tampering or malicious modifications. Use FIM to identify which user or process modified files and receive immediate alerts.
Investigating process execution: Query endpoint process trees, loaded DLLs, and network connections to investigate suspicious process behavior or malware execution.
Ensuring compliance posture: Run security configuration assessments against CIS Critical Security Controls v8 to identify configuration drift and policy violations across your endpoint fleet.
Responding to threats: Use SOAR playbooks to automatically isolate compromised hosts, terminate malicious processes, or remove malicious files when threats are detected.
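The process-execution investigation described above runs on the osquery tables that AgentX Client bundles. The queries below are an added example written for this page, not Logpoint's own content: they assume the standard osquery `processes` and `process_open_sockets` tables, use an illustrative Windows scenario (script hosts spawned by Office applications), and use the placeholder pid 4711 where you would substitute a pid returned by the first query. Loaded DLLs are not covered here.

```sql
-- Added example (not from the Logpoint documentation): investigating process
-- execution with the osquery tables bundled in AgentX Client.
-- Assumes the standard osquery 'processes' and 'process_open_sockets' tables.
-- The Office parent names are an illustrative Windows scenario; pid 4711 is
-- a placeholder for a pid found by query 1.

-- 1. Script hosts and shells spawned by Office applications: a common
--    initial-access pattern (macro or document exploit).
SELECT
  child.pid,
  child.name,
  child.path,
  child.cmdline,
  parent.name    AS parent_name,
  parent.cmdline AS parent_cmdline,
  child.uid,
  datetime(child.start_time, 'unixepoch') AS started_at
FROM processes AS child
JOIN processes AS parent ON child.parent = parent.pid
WHERE LOWER(parent.name) IN ('winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe')
  AND LOWER(child.name) IN ('cmd.exe', 'powershell.exe', 'wscript.exe',
                            'cscript.exe', 'mshta.exe', 'rundll32.exe');

-- 2. Full ancestry of one suspicious process. osquery's SQLite engine
--    supports WITH RECURSIVE, so the tree is walked upward in one query.
--    The depth guard stops runaway recursion on bogus or cyclic parent ids.
WITH RECURSIVE ancestry(pid, parent, name, cmdline, depth) AS (
  SELECT pid, parent, name, cmdline, 0
  FROM processes
  WHERE pid = 4711
  UNION ALL
  SELECT p.pid, p.parent, p.name, p.cmdline, a.depth + 1
  FROM processes AS p
  JOIN ancestry AS a ON p.pid = a.parent
  WHERE a.depth < 20
)
SELECT depth, pid, parent, name, cmdline
FROM ancestry
ORDER BY depth;

-- 3. Remote network connections held by the suspicious process and all of
--    its descendants: what did the spawned interpreter talk to?
--    protocol is numeric in osquery (6 = TCP, 17 = UDP).
WITH RECURSIVE descendants(pid, depth) AS (
  SELECT pid, 0
  FROM processes
  WHERE pid = 4711
  UNION ALL
  SELECT p.pid, d.depth + 1
  FROM processes AS p
  JOIN descendants AS d ON p.parent = d.pid
  WHERE d.depth < 20
)
SELECT
  s.pid,
  p.name,
  p.cmdline,
  s.protocol,
  s.local_address,
  s.local_port,
  s.remote_address,
  s.remote_port,
  s.state
FROM process_open_sockets AS s
JOIN descendants AS d ON s.pid = d.pid
JOIN processes   AS p ON p.pid = s.pid
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
ORDER BY s.pid, s.remote_address;
```

Run query 1 fleet-wide to find candidates, then queries 2 and 3 against the single endpoint that returned a hit; the ancestry and socket results are what you would attach to the incident before deciding whether a SOAR playbook should isolate the host.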
How AgentX differs from other Logpoint agents
Logpoint provides multiple agents, each designed for a distinct operational role. AgentX serves a different purpose than the Logpoint Agents used for log collection and should not be treated as a replacement for them.
AgentX is not a general-purpose log collection agent. Logpoint Agent (Standalone) and Logpoint Agent (Centralized) are built to collect and forward logs at scale. They support high event throughput, load balancing, reliable log delivery, and central management across complex and distributed environments. AgentX does not provide these capabilities and is not intended for high-volume log ingestion.
Use AgentX when endpoint detection and response capabilities are required. Use Logpoint Agent (Standalone) or Logpoint Agent (Centralized) when the primary requirement is scalable, reliable log collection, or central management.
For guidance on selecting the appropriate agent for your environment, see Choosing the right agent.