AgentX architecture
Component interaction
AgentX Client runs on Windows or Linux endpoints and collects data according to configured templates. The client includes OSSEC for security event collection and osquery for system state queries. AgentX Client communicates with AgentX Server over TLS-encrypted connections on ports 1514 (log data) and 1515 (agent registration).
AgentX Server manages all client connections and coordinates data collection. The server authenticates clients using SSL certificates, receives incoming logs and telemetry, and forwards data to AgentX Manager for processing. AgentX Server maintains the registry of all connected clients and their configurations.
AgentX Manager receives logs from AgentX Server and applies processing policies. The manager uses compiled normalizers to parse and standardize logs into the Logpoint data model. Normalized logs are then enriched with compliance mappings (GDPR, NIST 800-53, PCI-DSS) and MITRE ATT&CK framework data before storage.
AgentX KB provides the intelligence layer for log processing. The knowledge base contains compiled normalizers for parsing logs from various sources, pre-built dashboards for visualizing security data, and search templates for common investigation workflows. AgentX KB normalizers are compatible with CNDP (Cloud Native Data Platform).
Data flow
AgentX Client collects logs from event channels, log files, file integrity monitors, and registry scanners
AgentX Client connects to AgentX Server on port 1514 using TLS encryption
AgentX Server authenticates the client using SSL certificates
AgentX Client sends logs to AgentX Server
AgentX Server forwards logs to AgentX Manager
AgentX Manager applies processing policies and normalization rules from AgentX KB
Normalized logs are enriched with compliance and threat intelligence data
Enriched logs are stored in Logpoint repositories for search and analysis
Template synchronization
When you create or modify a template in Logpoint, AgentX Server automatically synchronizes the configuration to all clients using that template. Clients check for configuration updates every few minutes and apply changes without requiring manual intervention or restarts.
Certificate-based authentication
AgentX uses SSL certificates to authenticate clients and encrypt communications:
rootCA.pem - Root Certificate Authority certificate stored on AgentX Server to validate client authenticity
sslagent.cert - Client authentication certificate stored on each AgentX Client
sslagent.key - Private key corresponding to the client certificate
All communication between clients and server uses TLS encryption to protect log data in transit.
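The two checks below are an added example, not Logpoint tooling, for the certificate files named above. It assumes the openssl command-line tool is installed, builds a throwaway root CA and client identity under the documented file names (rootCA.pem, sslagent.cert, sslagent.key), and then runs the checks a defender would reach for when a client fails certificate authentication: does sslagent.cert chain to the server's rootCA.pem, and does sslagent.key really belong to sslagent.cert. A second, unrelated CA is constructed only to show what a rejected client looks like; the verification here is the standard openssl chain check, offered as an approximation of what AgentX Server does, not its actual code.

```shell
#!/bin/sh
# Added example (not Logpoint's own tooling). Assumes openssl is on PATH.
# Every file below is constructed in a temporary directory for this demo.

WORK="$(mktemp -d)"
cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed demo PKI: a root CA (the role rootCA.pem plays on AgentX Server)
# and a client certificate it signed (sslagent.cert / sslagent.key on a client).
# A second CA, "otherCA", issues a look-alike cert the server should reject.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout rootCA.key -out rootCA.pem \
        -subj "/CN=AgentX Demo Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout sslagent.key -out sslagent.csr \
        -subj "/CN=agentx-client-01" >/dev/null 2>&1
    openssl x509 -req -days 365 -in sslagent.csr \
        -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
        -out sslagent.cert >/dev/null 2>&1

    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout otherCA.key -out otherCA.pem \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout other.key -out other.csr \
        -subj "/CN=agentx-client-01" >/dev/null 2>&1
    openssl x509 -req -days 365 -in other.csr \
        -CA otherCA.pem -CAkey otherCA.key -CAcreateserial \
        -out other.cert >/dev/null 2>&1
}

# Check 1: does the client certificate chain to the server's root CA?
# Usage: verify_client_cert <rootCA.pem> <client cert>
# Exit status 0 when the chain verifies, non-zero otherwise.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key belong to the certificate?
# Usage: key_matches_cert <client cert> <client key>
# Compares the public key embedded in the certificate with the public key
# derived from the private key; both are emitted as PEM SubjectPublicKeyInfo.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_demo_pki

# Expected result for a correctly enrolled client: both checks pass.
if verify_client_cert rootCA.pem sslagent.cert; then
    echo "sslagent.cert chains to rootCA.pem: OK"
else
    echo "sslagent.cert does NOT chain to rootCA.pem"
fi
if key_matches_cert sslagent.cert sslagent.key; then
    echo "sslagent.key matches sslagent.cert: OK"
else
    echo "sslagent.key does NOT match sslagent.cert"
fi

# A certificate from an unrelated CA carries the same CN but fails the chain
# check, which is the property that keeps an unenrolled host off the server.
if verify_client_cert rootCA.pem other.cert; then
    echo "other.cert unexpectedly accepted"
else
    echo "other.cert rejected: not issued under rootCA.pem"
fi
```

On a real client, run only the two check functions against the deployed files; a chain failure points at a rootCA.pem that was rotated or copied from a different AgentX Server, while a key mismatch usually means sslagent.cert and sslagent.key were taken from different enrollments.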
Distributed architecture
In distributed Logpoint deployments, AgentX can operate in cluster mode with master and worker nodes:
Master node manages the cluster, coordinates agent registrations, and executes automated response or SOAR commands across all agents in the cluster. Only the master node accepts new agent registrations on port 1515.
Worker nodes receive and process log data from agents on port 1514. Worker nodes forward processed logs to Logpoint for storage and analysis. Each worker node can process logs independently, enabling horizontal scaling.
Load balancers can distribute agent connections across worker nodes to balance processing load and provide high availability.