Get-Content "C:\Program Files\lpagentstandalone\data\lpagentstandalone.log" -Tail 50
Get-Service lpagentstandalone
Get-Process | Where-Object {$_.ProcessName -like "*lpagent*"}
Check if the agent is sending data:
Get-Content "C:\Program Files\lpagentstandalone\data\lpagentstandalone.log" | Select-String "sent"
Temporarily change the output to a local file to verify data collection:
Edit configuration file
Comment out UDP output
Enable file output (see Configuration Options section)
Restart agent
Check the debug log file
Capture incoming syslog traffic:
sudo tcpdump -i any udp port 514 -nnvv
You should see packets from your agent’s IP address.
Run searches for each data type to verify ingestion:
ModuleType="event_log" earliest=-5m
ModuleType="registry_scanner" earliest=-5m
SourceName="DHCPEvents" earliest=-5m
SourceName="DNSDebug" earliest=-5m
Possible Causes:
Firewall blocking - Check UDP 514 is open
Wrong IP address - Verify LOGPOINT_IP configuration
Agent not running - Check service status
Network connectivity - Test ping to Logpoint server
Configuration syntax error - Check agent logs for errors
Resolution Steps:
# 1. Check service
Get-Service lpagentstandalone
# 2. Check agent logs for errors
Get-Content "C:\Program Files\lpagentstandalone\data\lpagentstandalone.log" -Tail 100 | Select-String "ERROR"
# 3. Test connectivity
Test-NetConnection -ComputerName <logpoint_ip> -Port 514
# 4. Restart agent
Restart-Service lpagentstandalone
Symptoms:
Agent service fails to start
Error messages in agent log
Common Issues:
Missing closing tags (</Input>, </Output>, etc.)
Incorrect path separators (use \\ for Windows paths in strings)
Mismatched quotes or brackets
Resolution:
Review agent logs for specific error messages
Validate configuration syntax
Compare with working examples
Test with simple configuration first
Error Message:
RegOpenKeyEx Access Denied
Note
This is Normal: Some registry hives are protected even from SYSTEM. The agent logs these but continues without impact. These errors do not affect functionality.
The agent automatically rotates logs when:
Log file exceeds 5MB (checked hourly)
Weekly at midnight on Sunday
If logs are still growing:
Check if DEBUG logging is enabled (change to INFO)
Review for error loops in the log file
Increase rotation frequency if needed
Check:
Verify ModuleType="registry_scanner" in Logpoint
Ensure registry monitoring input is active in configuration
Check for registry changes on the monitored paths
Verify scan has completed (check logs for “scan completed”)
Confirm route is properly configured
Note
Registry events only appear when changes occur. The scan interval is 10 days (864000 seconds), so only changes detected during scans generate events.
Prerequisites:
DNS debug logging must be enabled on the DNS server
DNS server role must be installed
Log file must exist at C:\Windows\System32\dns\dns.log
To Enable DNS Debug Logging:
Open DNS Manager
Right-click the DNS server
Select Properties → Debug Logging tab
Enable desired logging options
Prerequisites:
DHCP Server role must be installed
DHCP logging must be enabled
Log files must exist at C:\Windows\System32\dhcp\DhcpSrvLog-*.log
Check:
Verify DHCP Server service is running
Confirm DHCP logging is enabled in DHCP console
Check that log files exist and are being written to
In the configuration file, change:
LogLevel INFO
to:
LogLevel DEBUG
Important
Remember to change back to INFO after troubleshooting, as DEBUG generates verbose logging.
Always restart the agent after configuration changes:
Restart-Service lpagentstandalone