Best Practices

Configuration Selection

Use Simple Configuration when:

  • You only need Windows Event Log collection

  • Deploying to non-server systems (workstations)

  • Testing or proof-of-concept

  • Minimal overhead is critical

Use Advanced Configuration when:

  • Deploying to servers with DHCP/DNS roles

  • Security monitoring is a priority

  • You need registry change detection

  • Comprehensive visibility is required

Deployment Strategy

  • Test first - Deploy to test systems before production

  • Start simple - Begin with simple configuration, add complexity as needed

  • Staged rollout - Deploy to small groups, then expand

  • Document settings - Keep records of IP addresses and customizations

  • Baseline behavior - Understand normal event volumes before alerts

Security Considerations

  • Protect configuration files - Restrict access to agent config files

  • Monitor agent logs - Watch for unexpected errors or warnings

  • Regular updates - Keep agent software updated

  • Backup configurations - Save working configs before changes

  • Review exclusions - Ensure sensitive data is properly excluded
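The first item above, protecting the configuration files, is the one that most often gets skipped, and a writable agent config is a quiet way for an attacker to redirect or silence log collection. The script below is an added example, not part of the Logpoint documentation or the agent's own tooling: it lists every Allow entry on the configuration directory that is not SYSTEM or Administrators, flags the ones that carry write-class rights, and can reset the ACL to those two principals only. The install path and the assumption that the agent runs as LocalSystem are placeholders; adjust them to your deployment and test on a non-production host first.

```powershell
# Added example (not from the Logpoint documentation): audit and tighten the ACL on the
# agent's configuration directory. Path and service account are assumptions.
param(
    [string]$ConfigDir = 'C:\Program Files\Logpoint Agent\conf',   # assumed install path
    [switch]$Harden
)

# Principals that legitimately need access. A default install runs the agent as LocalSystem
# (assumption); if yours runs under a dedicated service account, add it here.
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that allow tampering with or replacing the config (Write = WriteData, AppendData,
# WriteAttributes, WriteExtendedAttributes). FullControl is deliberately not in the mask:
# it contains every bit, so testing against it would flag read-only entries too.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ConfigAclFindings {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # Any Allow ACE for a principal outside the allow-list is reported; CanWrite marks
        # the ones that let that principal change what the agent collects or where it sends it.
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $id) {
            $findings += [pscustomobject]@{
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                CanWrite  = (($ace.FileSystemRights -band $WriteMask) -ne 0)
            }
        }
    }
    return $findings
}

function Protect-ConfigDir {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent; $false discards the inherited entries instead of
    # copying them in as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($id in $Allowed) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$findings = Get-ConfigAclFindings -Path $ConfigDir
if ($findings) { $findings | Format-Table -AutoSize } else { "No unexpected Allow entries on $ConfigDir" }
if ($Harden) {
    Protect-ConfigDir -Path $ConfigDir
    "ACL reset; re-auditing:"
    Get-ConfigAclFindings -Path $ConfigDir | Format-Table -AutoSize
}
```

Run it elevated, first without -Harden to see what is there. Inherited entries such as BUILTIN\Users with ReadAndExecute are common and only become a concern if the config contains credentials or collector addresses you consider sensitive; any CanWrite hit for a non-admin principal should be fixed. After hardening, restart the agent service to confirm it still reads its configuration.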

Performance Optimization

  • Start with defaults - The default filters are optimized for most environments

  • Monitor volume - Watch data ingestion rates in Logpoint

  • DNS logging caution - Enable DNS debug logging selectively (high volume)

  • Filter appropriately - Add filters for environment-specific noisy events

  • Registry scan interval - Default 10-day interval balances detection and performance
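"Baseline behavior" and "filter appropriately" only work if the volume numbers come from the host itself. The script below is an added example, not from the Logpoint documentation: it counts Security log events per Event ID over a window, shows each ID's share of the log with one sample message, and builds a ready-to-paste Exec drop line for the IDs above a per-hour threshold. The threshold and window are assumed defaults; the Security log requires administrator rights to read.

```powershell
# Added example (not from the Logpoint documentation): measure event volume per Event ID
# so drop filters are based on measured noise rather than guesswork. Run elevated.
param(
    [string]$LogName = 'Security',
    [int]$Hours = 24,
    [int]$Top = 10,
    [int]$MaxEventsPerHour = 1000   # assumed threshold above which an ID is a drop candidate
)

function Get-EventIdBaseline {
    param([string]$LogName, [int]$Hours, [int]$Top)
    $since = (Get-Date).AddHours(-$Hours)
    # FilterHashtable filters server-side; large Security logs still take a while to enumerate.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
    $total = $events.Count
    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
        Select-Object -First $Top | ForEach-Object {
            # First line of one sample message helps decide whether the ID is noise or signal
            $msg = ($_.Group | Select-Object -First 1).Message
            $sample = (("$msg") -split "`n")[0].Trim()
            [pscustomobject]@{
                EventId      = [int]$_.Name
                Count        = $_.Count
                PerHour      = [math]::Round($_.Count / $Hours, 1)
                PercentOfLog = [math]::Round(100 * $_.Count / [math]::Max($total, 1), 1)
                Sample       = $sample
            }
        }
}

function New-DropFilterLine {
    # Emit an agent Exec directive for every ID whose rate exceeds the threshold.
    param([object[]]$Baseline, [int]$Threshold)
    $ids = @($Baseline | Where-Object { $_.PerHour -gt $Threshold } |
             Select-Object -ExpandProperty EventId)
    if ($ids.Count -eq 0) { return $null }
    return "Exec if `$EventID in ($($ids -join ', ')) drop();"
}

$baseline = Get-EventIdBaseline -LogName $LogName -Hours $Hours -Top $Top
$baseline | Format-Table -AutoSize
$line = New-DropFilterLine -Baseline $baseline -Threshold $MaxEventsPerHour
if ($line) {
    "Candidate filter for the advanced configuration (review every ID before dropping it):"
    $line
} else {
    "No Event ID exceeded $MaxEventsPerHour events/hour over the last $Hours hours."
}
```

Treat the generated line as a starting point, not a decision: an ID can be high-volume and still be the one you need (4624 logons on a domain controller, for example), so read the sample message and the detection use cases before adding it to the drop list. Run it over at least one full business day, and on one representative host per role, since DHCP, DNS and file servers have very different profiles.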

Customization Guidelines

Adding Event ID Filters

To filter additional Event IDs in advanced configuration:

Exec if $EventID in (5145, 5156, YOUR_EVENT_ID) drop();

Adding Registry Paths

To monitor additional registry paths:

RegValue 'HKLM\Your\Custom\Path\*'

Adding Registry Exclusions

To exclude noisy or sensitive paths:

Exclude 'HKLM\Your\Noisy\Path\*'
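The three directives above are shown in isolation; here they are in context, as an added example that is not taken from the Logpoint documentation or the shipped configuration. The module names (im_msvistalog, im_regmon, om_file), the ScanInterval directive and the file-output route follow the NXLog-style syntax the agent uses; the registry Run key, the 5158 Event ID (a commonly noisy Windows Filtering Platform port-bind event, standing in for YOUR_EVENT_ID) and the output file path are illustrative choices.

```nxlog
# Added example configuration fragment (not the Logpoint-supplied config). Module names
# and the ScanInterval directive follow NXLog conventions; paths and IDs are illustrative.

# Windows Event Log input with Event ID filtering. 5158 stands in for YOUR_EVENT_ID.
<Input eventlog>
    Module  im_msvistalog
    Exec    if $EventID in (5145, 5156, 5158) drop();
</Input>

# Registry monitoring. ScanInterval is in seconds; 864000 is the 10-day default described above.
<Input regmon>
    Module        im_regmon
    ScanInterval  864000
    RegValue      'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
    RegValue      'HKLM\Your\Custom\Path\*'
    Exclude       'HKLM\Your\Noisy\Path\*'
</Input>

# Temporary local file output used to verify that both inputs produce data
# (troubleshooting step "Use local file output"). Remove it once data flow is confirmed.
<Output verify_file>
    Module  om_file
    File    'C:\ProgramData\agent-verify.log'
</Output>

<Route verify>
    Path  eventlog, regmon => verify_file
</Route>
```

Keep the drop filters on a single Exec line per input so a reviewer can see the full list at a glance, and leave a comment beside any ID you add saying why (see "Document customizations" below). The verification route writes every collected event to disk, so it belongs only in a test configuration or behind a short-lived change; the file itself should sit under the same access restrictions as the configuration directory, since it will contain the same security events you are shipping to Logpoint.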

Maintenance

  • Review filters - Periodically review Event ID filters and registry exclusions, and remove any that no longer apply

  • Check log rotation - Verify agent logs are rotating properly

  • Test after changes - Always verify data flow after configuration changes

  • Document customizations - Keep notes on why filters were added

  • Monitor resource usage - Track CPU and memory consumption

Troubleshooting Workflow

  1. Check service status - Is the agent running?

  2. Review agent logs - Any errors or warnings?

  3. Verify configuration - Is the syntax correct?

  4. Test connectivity - Can the agent reach Logpoint?

  5. Use local file output - Temporarily output to file to verify data collection

  6. Check Logpoint - Is data being received and parsed?

  7. Enable DEBUG - Temporarily raise log level if needed

  8. Restart service - After making changes
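Steps 1, 2, 4 and 8 of the workflow are routine enough to script. The following is an added example, not from the Logpoint documentation or the agent package: it reports the service state, the most recent ERROR/WARNING lines from the agent log, and whether the collector port is reachable, then optionally restarts the service. The service name, log path, collector host and port are assumptions; replace them with the values recorded during deployment.

```powershell
# Added example (not from the Logpoint documentation): first-pass agent troubleshooting.
# Service name, log path, collector host and port are assumptions; adjust to your install.
param(
    [string]$ServiceName  = 'nxlog',                                          # assumed
    [string]$AgentLog     = 'C:\Program Files\Logpoint Agent\data\nxlog.log', # assumed
    [string]$LogpointHost = 'logpoint.example.internal',                      # assumed
    [int]$Port            = 514,                                              # assumed
    [switch]$Restart
)

function Test-AgentService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Check = 'Service'; Ok = $false; Detail = "service '$Name' not found" }
    }
    [pscustomobject]@{
        Check  = 'Service'
        Ok     = ($svc.Status -eq 'Running')
        Detail = "status $($svc.Status), start type $($svc.StartType)"
    }
}

function Get-AgentLogProblems {
    param([string]$Path, [int]$Tail = 500)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Check = 'AgentLog'; Ok = $false; Detail = "log not found at $Path" }
    }
    # Only the tail matters for a live problem; old errors were either fixed or are noise.
    $hits = @(Get-Content -Path $Path -Tail $Tail | Select-String -Pattern 'ERROR|WARNING')
    if ($hits.Count -eq 0) {
        $detail = "no ERROR/WARNING in last $Tail lines"
    } else {
        $detail = ($hits | Select-Object -Last 5 | ForEach-Object { $_.Line }) -join "`n"
    }
    [pscustomobject]@{ Check = 'AgentLog'; Ok = ($hits.Count -eq 0); Detail = $detail }
}

function Test-CollectorConnectivity {
    param([string]$HostName, [int]$Port)
    # TCP check only: a UDP syslog destination will not answer this test even when it works.
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Connectivity'
        Ok     = [bool]$r.TcpTestSucceeded
        Detail = "TCP $($HostName):$Port, name resolved=$($null -ne $r.RemoteAddress)"
    }
}

$results = @(
    Test-AgentService -Name $ServiceName
    Get-AgentLogProblems -Path $AgentLog
    Test-CollectorConnectivity -HostName $LogpointHost -Port $Port
)
$results | Format-Table -AutoSize -Wrap

if ($Restart) {
    Restart-Service -Name $ServiceName
    Start-Sleep -Seconds 5
    Test-AgentService -Name $ServiceName | Format-Table -AutoSize
}
```

Read the three rows together: a running service with a reachable collector but ERROR lines in the log usually means a configuration syntax problem (step 3), while a clean log with a failed connectivity check points at the network or a wrong address. If the collector listens on UDP, verify it from the Logpoint side instead, since the TCP test cannot confirm delivery. Only use -Restart after a configuration change, not as a way to make a recurring error disappear.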
