```powershell
# Start the agent
Start-Service lpagentstandalone
# Stop the agent
Stop-Service lpagentstandalone
# Restart the agent
Restart-Service lpagentstandalone
# Check status
Get-Service lpagentstandalone
```
| Item | Path |
|---|---|
| Installation Directory | |
| Configuration File | |
| Configuration Directory | |
| Agent Logs | |
| Certificate Directory | |
| DHCP Logs (Source) | |
| DNS Logs (Source) | |
- Protocol: UDP (default) or TCP
- Port: 514 (configurable)
- Direction: Agent → Logpoint SIEM
- Firewall: Ensure UDP port 514 is open from the agent towards the Logpoint SIEM
- Windows Event Logs only
- Minimal filtering
- UDP output
- Basic agent logging

- Windows Event Logs with filtering
- DHCP log collection
- DNS debug log collection
- Registry monitoring with FIM
- Comprehensive exclusions
- Enhanced log rotation
```
# Windows Events
ModuleType="event_log" earliest=-15m
# Registry Changes
ModuleType="registry_scanner" earliest=-15m
# DHCP Events
SourceName="DHCPEvents" earliest=-15m
# DNS Events
SourceName="DNSDebug" earliest=-15m
```
| Parameter | Values | Purpose |
|---|---|---|
| LogLevel | INFO, DEBUG, WARNING, ERROR | Controls verbosity of agent logs |
| ResolveSID | TRUE, FALSE | Whether to resolve Security IDs (SIDs) to account names |
| ReadFromLast | TRUE, FALSE | Start from the last saved position or from the beginning |
| SavePos | TRUE, FALSE | Remember the file read position across restarts |
| Recursive | TRUE, FALSE | Enable recursive registry scanning |
| 64BitView | TRUE, FALSE | Use the 64-bit registry view |
| ScanInterval | Seconds | Time between registry scans |
For more detailed information on configuration options and advanced features, refer to the NXLog documentation.
Collecting a single specific Event ID:

```xml
<Select Path="Security">*[System[(EventID=4624)]]</Select>
```

Multiple specific Event IDs:

```xml
<Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
```

Dropping specific Event IDs:

```
Exec if $EventID in (4663, 5156) drop();
```
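The following is an added example, not taken from the Logpoint or NXLog documentation, that puts the parameters from the table above and the Select/Exec snippets together into one agent configuration: Security events are collected with a channel-level Select, noisy Event IDs are dropped before forwarding, and the result is sent over UDP 514 to the SIEM. The SIEM address is a placeholder and the route/instance names are assumptions.

```nxlog
# Agent log verbosity (see the parameter table above)
LogLevel INFO

<Input security_events>
    Module          im_msvistalog
    # Resume from the last saved position instead of re-reading history
    ReadFromLast    TRUE
    SavePos         TRUE
    # Resolve SIDs to account names so analysts see users, not S-1-5-... values
    ResolveSID      TRUE
    # Collect logon successes and failures only; everything else is never read
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Defensive second stage: drop high-volume IDs even if a wider Select is later added
    Exec if $EventID in (4663, 5156) drop();
</Input>

<Output logpoint_udp>
    Module  om_udp
    Host    192.0.2.10      # placeholder: replace with the Logpoint SIEM address
    Port    514
</Output>

<Route security_to_logpoint>
    Path    security_events => logpoint_udp
</Route>
```

Because UDP carries no acknowledgement, verify arrival with the `ModuleType="event_log" earliest=-15m` search above after restarting the service.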