To configure the settings of Logpoint Agent (Standalone), edit its configuration file located at:
C:\Program Files\lpagentstandalone\conf\lpagentstandalone.conf
The configuration file controls all aspects of the agent’s behavior, including which logs to collect, how to process them, and where to send them.
Note
If you are currently using NXLog v6.7.9957 provided by Logpoint and migrating to Logpoint Agent (Standalone) v6.7.9957, you can copy the content of your nxlog.conf backup into lpagentstandalone.conf. Make sure to define the INSTALLDIR, CONFDIR, and MYLOGFILE macros as follows:
define INSTALLDIR C:\Program Files\lpagentstandalone
define CONFDIR %INSTALLDIR%\conf\lpagentstandalone.d
define MYLOGFILE %LOGDIR%\lpagentstandalone.log
The agent offers two primary configuration approaches to match different deployment needs.
Best for: Basic log collection with minimal overhead
What’s Included:
Windows Event Log collection (Application, System, Security, PowerShell)
JSON formatting
Syslog wrapping for compatibility
UDP forwarding to Logpoint
Basic agent logging
When to Use:
Small to medium deployments
When you only need Windows Event Logs
Testing and proof-of-concept environments
Systems where DHCP/DNS/Registry monitoring is not required
Edit the configuration file:
C:\Program Files\lpagentstandalone\conf\lpagentstandalone.conf
Set your Logpoint IP address:
define LOGPOINT_IP xx.xx.xx.xx:514
Replace xx.xx.xx.xx with your Logpoint collector’s IP address.
Key configuration sections:
Installation paths:
define INSTALLDIR C:\Program Files\lpagentstandalone
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\lpagentstandalone.d
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\lpagentstandalone.log
Logging level:
LogLevel INFO
LogFile %MYLOGFILE%
Windows Event Log collection:
<Input in_win>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Windows PowerShell">*</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
<Select Path="Application">*</Select>
<Select Path="System">*</Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
ResolveSID False
Exec $Message=to_json(); \
to_syslog_bsd();
Exec $ModuleType = 'event_log';
ReadFromLast TRUE
</Input>
Output to Logpoint:
<Output out_win>
Module om_udp
Host %LOGPOINT_IP%
</Output>
Save the file and restart the agent.
Best for: Production environments requiring extensive logging and monitoring
Additional Features Beyond Simple Configuration:
Event filtering - Drop list to remove high-volume, low-value event IDs
DHCP server logs - CSV parsing with predefined field structure
DNS debug logs - File-based collection with validation rules
Registry monitoring - Track changes to specified registry paths with FIM-style checksums
Exclusions - Avoid sensitive or noisy registry areas
Enhanced log rotation - Automatic management of log file sizes
When to Use:
Production environments
Security-focused deployments
When you need comprehensive visibility across multiple data sources
Environments with DHCP/DNS servers requiring monitoring
When registry change detection is critical for security
The advanced configuration includes all components from the simple setup plus additional data sources.
Key Differences:
Event ID Filtering:
# Drop noisy Event IDs (exclusion list)
Exec if $EventID in (5145, 5156, 5447, 4656, 4658, 4663, 4660, 4670, 4690, 4703, 4907, 5152, 5157) drop();
DHCP Log Collection:
<Extension ParseDHCP>
Module xm_csv
Fields ID, Date, Time, Description, IPAddress, Hostname, MACAddress, \
UserName, TransactionID, QResult, ProbationTime, CorrelationID, \
DHCID, VendorClassHex, VendorClassASCII, UserClassHex, \
UserClassASCII, RelayAgentInformation, DnsRegError
</Extension>
<Input in_dhcp>
Module im_file
File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
SavePos TRUE
InputType LineBased
ReadFromLast TRUE
<Exec>
if not ($raw_event=~ /^\d+,/)
{
drop();
}
</Exec>
</Input>
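To see what the in_dhcp drop rule and the ParseDHCP field list actually do to a DhcpSrvLog file, here is an added Python example (not part of the Logpoint or NXLog documentation) that applies the same `^\d+,` test and maps the surviving CSV rows onto the 19 declared field names; the log content is constructed, not captured from a real DHCP server.

```python
import csv
import re
from io import StringIO

# Field list exactly as declared in the page's ParseDHCP xm_csv extension.
DHCP_FIELDS = [
    "ID", "Date", "Time", "Description", "IPAddress", "Hostname", "MACAddress",
    "UserName", "TransactionID", "QResult", "ProbationTime", "CorrelationID",
    "DHCID", "VendorClassHex", "VendorClassASCII", "UserClassHex",
    "UserClassASCII", "RelayAgentInformation", "DnsRegError",
]

# Same test the in_dhcp <Exec> block applies: keep only lines that begin with
# a numeric event ID followed by a comma. Preamble and header lines fail it.
DATA_LINE = re.compile(r"^\d+,")

# Constructed sample of a DhcpSrvLog-*.log file: explanatory preamble, the
# column header, then two lease records (values are made up).
SAMPLE_LOG = """Microsoft DHCP Service Activity Log

Event ID  Meaning
00 The log was started.
10 A new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
10,01/05/24,08:15:02,Assign,192.0.2.45,WS-0042.example.local,0A1B2C3D4E5F,,12345678,0,,,,,,,,,0
11,01/05/24,08:15:03,Renew,192.0.2.46,WS-0043.example.local,0A1B2C3D4E60,,12345679,0,,,,,,,,,0
"""


def keep_line(line):
    """True when the line would survive: if not ($raw_event =~ /^\\d+,/) drop();"""
    return DATA_LINE.match(line) is not None


def parse_dhcp_log(text):
    """Filter with keep_line(), then split each record on commas like xm_csv does."""
    records = []
    for line in text.splitlines():
        if not keep_line(line):
            continue
        row = next(csv.reader(StringIO(line)))
        # Assumption (not xm_csv semantics): pad or trim so every record has
        # exactly the 19 declared keys, even if a line is malformed.
        row = (row + [""] * len(DHCP_FIELDS))[: len(DHCP_FIELDS)]
        records.append(dict(zip(DHCP_FIELDS, row)))
    return records
```

Note that "00 The log was started." begins with digits but has no comma after them, which is exactly why the rule checks for the comma and not just a leading number.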
DNS Debug Log Collection:
Warning
DNS log formats vary significantly across Windows versions and regional settings. The default configuration below collects all DNS debug log entries without filtering to ensure reliable data collection during initial deployment.
<Input in_dns_debug>
Module im_file
File "C:\Windows\System32\dns\dns*.log"
SavePos TRUE
InputType LineBased
ReadFromLast TRUE
# Optional filtering (COMMENTED OUT BY DEFAULT)
# Only enable after verifying your DNS log format matches the regex pattern
#
#<Exec>
# #Drop empty lines
# if $raw_event =~ /(^$|^\s+$)/ {
# drop();
# }
# #Drop lines not matching date format (MM/DD/YYYY)
# #WARNING: This regex assumes US date format - verify before enabling
# else if $raw_event=~ /^(?!\d+\/\d+\/\d+).+/{
# drop();
# }
#</Exec>
</Input>
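The warning above is easiest to appreciate by running the commented-out filter against sample lines. This added Python example (not from the Logpoint or NXLog documentation) reproduces the two regexes and the if/else-if order of the in_dns_debug block and shows that a line written with a non-US date format is silently dropped; the DNS log lines are constructed, not captured from a real server.

```python
import re

# The two tests from the (commented-out) in_dns_debug <Exec> block.
EMPTY_LINE = re.compile(r"(^$|^\s+$)")
# Negative lookahead: drop any line that does NOT open with a slash-separated
# numeric date. As the page warns, this assumes US-style M/D/YYYY.
NOT_US_DATE = re.compile(r"^(?!\d+\/\d+\/\d+).+")


def dns_line_action(line):
    """Return 'drop' or 'keep', evaluating the checks in the same order as NXLog."""
    if EMPTY_LINE.match(line):
        return "drop"          # first branch: empty or whitespace-only line
    if NOT_US_DATE.match(line):
        return "drop"          # else-if branch: no leading US-style date
    return "keep"


# Constructed sample of a dns*.log file (values are made up). The last line is
# what a dd.mm.yyyy regional setting would produce for the same packet.
SAMPLE_DNS_LOG = [
    "DNS Server log file creation at 1/5/2024 8:14:59 AM",
    "Log file wrote at 1/5/2024 8:14:59 AM",
    "",
    "   ",
    "1/5/2024 8:15:02 AM 0B2C PACKET  000001F3A2B4C5D0 UDP Rcv 192.0.2.10 0001   Q [0001   D   NOERROR] A      (7)example(3)com(0)",
    "1/5/2024 8:15:02 AM 0B2C PACKET  000001F3A2B4C5D0 UDP Snd 192.0.2.10 0001 R Q [8081   DR  NOERROR] A      (7)example(3)com(0)",
    "05.01.2024 08:15:03 0B2C PACKET  000001F3A2B4C5D1 UDP Rcv 192.0.2.11 0002   Q [0001   D   NOERROR] A      (7)example(3)com(0)",
]


def filter_dns_log(lines):
    """Split lines into (kept, dropped) exactly as the optional filter would."""
    kept = [ln for ln in lines if dns_line_action(ln) == "keep"]
    dropped = [ln for ln in lines if dns_line_action(ln) == "drop"]
    return kept, dropped
```

Before enabling the filter on a server, run a day's worth of its real dns*.log through dns_line_action() and confirm that nothing you need lands in the dropped list.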
Registry Monitoring:
<Input in_regmon>
Module im_regmon
# Monitored registry areas
RegValue 'HKLM\Software\Classes\batfile\*'
RegValue 'HKLM\Software\Classes\cmdfile\*'
RegValue 'HKLM\Software\Classes\exefile\*'
# ... additional paths ...
# Exclusions to reduce noise / avoid secrets
Exclude 'HKLM\Security\Policy\Secrets\*'
Exclude 'HKLM\Security\SAM\Domains\Account\Users\*'
# ... additional exclusions ...
Recursive TRUE
64BitView TRUE
ScanInterval 864000
Digest SHA512
<Schedule>
When @startup
Exec start_scan();
</Schedule>
Exec $SourceName = "RegistryMonitor";
Exec $ModuleType = "registry_scanner";
</Input>
If you need to collect only specific Event IDs from a particular channel, you can use this pattern:
<Select Path="Security">*[System[(EventID=4624)]]</Select>
This is useful when you need to target a single event type from a specific Windows event log channel, such as Security, System, Application, or PowerShell.
Example - Collecting only successful logon events (4624) from Security log:
<Input in_specific_event>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID=4624)]]</Select>
</Query>
</QueryList>
</QueryXML>
ResolveSID False
Exec $Message=to_json(); \
to_syslog_bsd();
Exec $ModuleType = 'event_log';
ReadFromLast TRUE
</Input>
If you need to test your configuration locally before sending to Logpoint, you can temporarily output to a local file:
Comment out the UDP output:
# <Output out_logpoint>
# Module om_udp
# Host %LOGPOINT_IP%
# Exec to_syslog_bsd();
# </Output>
Enable file output:
<Output out_logpoint>
Module om_file
File "C:\\Program Files\\lpagentstandalone\\data\\debug.log"
Exec to_syslog_bsd();
</Output>
This allows you to inspect the formatted output before sending it to your SIEM.
Panic Soft
define INSTALLDIR C:\Program Files\lpagentstandalone
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\lpagentstandalone.d
# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\lpagentstandalone.log
# If you are using Logpoint Agent Manager, enable the `include` line
# and disable LogLevel and LogFile.
#include %CONFDIR%\*.conf
LogLevel INFO
LogFile %MYLOGFILE%
# Logpoint/collector IP
define LOGPOINT_IP xx.xx.xx.xx:xxx
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in_win>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Windows PowerShell">*</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
<Select Path="Application">*</Select>
<Select Path="System">*</Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
ResolveSID False
Exec $Message=to_json(); \
to_syslog_bsd();
Exec $ModuleType = 'event_log';
ReadFromLast TRUE
</Input>
<Output out_win>
Module om_udp
Host %LOGPOINT_IP%
</Output>
<Route 1>
Path in_win => out_win
</Route>
# ---------------- Agent log rotation ----------------
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>
Panic Soft
define INSTALLDIR C:\Program Files\lpagentstandalone
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\lpagentstandalone.d
# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\lpagentstandalone.log
LogLevel INFO
LogFile %MYLOGFILE%
# Logpoint/collector IP
define LOGPOINT_IP xx.xxx.xx.xx:514
# If you are using Logpoint Agent Manager, enable the `include` line
# and disable LogLevel and LogFile.
# include %CONFDIR%\*.conf
# ------------------------------------------------------------------
# Example: How to select ONE specific Event ID from ONE event channel
#
# <Select Path="Security">*[System[(EventID=4624)]]</Select>
#
# This pattern is useful when you need to target a single event type
# from a specific Windows event log channel (e.g., Security, System,
# Application, PowerShell, etc.). It can be added inside a QueryXML
# block when defining a dedicated input.
# ------------------------------------------------------------------
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
#Default Route to logpoint
<Output out_logpoint>
Module om_udp
Host %LOGPOINT_IP%
Exec to_syslog_bsd();
</Output>
# Debugging output to local file
# <Output out_logpoint>
# Module om_file
# File "C:\\Program Files\\nxlog\\data\\default.log"
# Exec to_syslog_bsd();
# </Output>
# ---------------- Windows Event Logs (broad collection) ----------------
<Input in_win>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Windows PowerShell">*</Select>
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
<Select Path="Application">*</Select>
<Select Path="System">*</Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
ResolveSID FALSE
ReadFromLast TRUE
# Drop noisy Event IDs (exclusion list)
Exec if $EventID in (5145, 5156, 5447, 4656, 4658, 4663, 4660, 4670, 4690, 4703, 4907, 5152, 5157) drop();
# Normalization metadata + formatting
Exec $ModuleType = 'event_log';
Exec $Message = to_json();
</Input>
# ---------------- Windows Event output (syslog to Logpoint) ----------------
<Route r1>
Path in_win => out_logpoint
</Route>
#---------------- DHCP Logs (CSV files) ----------------
<Extension ParseDHCP>
Module xm_csv
Fields ID, Date, Time, Description, IPAddress, Hostname, MACAddress, \
UserName, TransactionID, QResult, ProbationTime, CorrelationID, \
DHCID, VendorClassHex, VendorClassASCII, UserClassHex, \
UserClassASCII, RelayAgentInformation, DnsRegError
</Extension>
<Input in_dhcp>
Module im_file
# Default DHCP log location with weekday rotation:
File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
SavePos TRUE
InputType LineBased
ReadFromLast TRUE
<Exec>
if not ($raw_event=~ /^\d+,/)
{
drop();
}
</Exec>
</Input>
<Route DHCP>
Path in_dhcp => out_logpoint
</Route>
# ---------------- DNS Debug Log (file-based) ----------------
# Requires DNS Server > Properties > Debug Logging enabled.
<Input in_dns_debug>
Module im_file
File "C:\Windows\System32\dns\dns*.log"
SavePos TRUE
InputType LineBased
ReadFromLast TRUE
# Optional filtering disabled by default
# Only enable after verifying your DNS log format matches the regex pattern
#
#<Exec>
# #Drop empty lines
# if $raw_event =~ /(^$|^\s+$)/ {
# drop();
# }
# #Drop lines not matching date format (MM/DD/YYYY)
# #WARNING: This regex assumes US date format - verify before enabling
# else if $raw_event=~ /^(?!\d+\/\d+\/\d+).+/{
# drop();
# }
#</Exec>
# Since $raw_event is sent to Logpoint as-is, the following lines are disabled; they would add extra fields to the message that are not used.
#Exec $SourceName = "DNSDebug";
#Exec $ModuleType = "dns_debug";
# Optional additional parsing could be added here
</Input>
<Route r_dns_debug>
Path in_dns_debug => out_logpoint
</Route>
# ---------------- Registry Monitoring (im_regmon) ----------------
# Uses FIM-style checksum monitoring of selected registry value paths.
<Input in_regmon>
Module im_regmon
#
# Monitored registry areas (as RegValue paths, wildcard at value position)
#
RegValue 'HKLM\Software\Classes\batfile\*'
RegValue 'HKLM\Software\Classes\cmdfile\*'
RegValue 'HKLM\Software\Classes\comfile\*'
RegValue 'HKLM\Software\Classes\exefile\*'
RegValue 'HKLM\Software\Classes\piffile\*'
RegValue 'HKLM\Software\Classes\AllFilesystemObjects\*'
RegValue 'HKLM\Software\Classes\Directory\*'
RegValue 'HKLM\Software\Classes\Folder\*'
RegValue 'HKLM\Security\*'
RegValue 'HKLM\Software\Classes\Protocols\*'
RegValue 'HKLM\Software\Policies\*'
RegValue 'HKLM\System\CurrentControlSet\Services\*'
RegValue 'HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs\*'
RegValue 'HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg\*'
RegValue 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*'
RegValue 'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\*'
RegValue 'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*'
RegValue 'HKLM\Software\Microsoft\Windows\CurrentVersion\URL\*'
RegValue 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\*'
RegValue 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\*'
RegValue 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*'
RegValue 'HKLM\Software\Microsoft\Active Setup\Installed Components\*'
#
# Exclusions to reduce noise / avoid secrets
#
Exclude 'HKLM\Security\Policy\Secrets\*'
Exclude 'HKLM\Security\SAM\Domains\Account\Users\*'
Exclude 'HKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\*'
Exclude 'HKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\*'
Exclude 'HKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn\*'
Exclude 'HKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut\*'
Exclude 'HKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\*'
Exclude 'HKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\*'
Exclude 'HKLM\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache\*'
Exclude 'HKLM\System\CurrentControlSet\Services\ADOVMPPackage\Final\*'
#
# Scan configuration
#
Recursive TRUE
64BitView TRUE
ScanInterval 864000
Digest SHA512
<Schedule>
When @startup
Exec start_scan();
</Schedule>
#
# Metadata for Logpoint normalization
# (match the state where you saw correct normalization)
#
Exec $SourceName = "RegistryMonitor";
Exec $ModuleType = "registry_scanner";
# No to_json() / to_syslog_bsd() here – keep the original formatting that Logpoint expects.
</Input>
<Route r_regmon>
Path in_regmon => out_logpoint
</Route>
# ---------------- Agent log rotation ----------------
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>
For more details on configuration examples and guidance, refer to the NXLog documentation.