Configure Logpoint Agent (Centralized)

Configuring a Repo for Logpoint Agent

Repositories define where incoming logs are stored and how long they are retained.

  1. Go to Settings >> Configuration from the navigation bar and click Repos.

  2. Click Add.

  3. Enter a Repo Name.

  4. Select a Repo Path to store incoming logs.

  5. Set a Retention Day to specify how long logs are kept before automatic deletion. Note: You can add and remove multiple Repo Path and Retention Day configurations.

  6. Select a Remote LogPoint and set Available for (day).

  7. Click Submit.

Adding a Normalization Policy for Logpoint Agent

Normalization policies standardize logs from Windows systems for efficient storage, analysis, and retrieval.

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select LPA_Windows from the normalization package list.

  5. Click Submit.

The LPA_Windows normalization package handles logs from Windows Event Logs, File Collection, File Integrity Scanner, and Windows Registry Scanner.

Configuring a Processing Policy for Logpoint Agent

Processing policies define how logs are handled, processed, and stored after collection.

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the previously created normalization policy.

  5. Select an Enrichment Policy (optional).

  6. Select a Routing Policy.

  7. Click Submit.

Adding Windows Device in Logpoint

Before collecting logs, you must register the Windows device in Logpoint.

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add.

  3. Enter the device Name.

  4. Enter the Windows IP address(es).

  5. Select Device Groups (optional).

  6. Select a Log Collection Policy (optional).

  7. Select a collector or forwarder from the Distributed Collector dropdown (optional).

  8. Select a Time Zone. The timezone must match the Windows device timezone to prevent log timestamp mismatches.

  9. Configure Risk Values for Confidentiality, Integrity, and Availability. These values calculate alert risk levels for events from this device.

  10. Click Submit.

Important: Matching the device timezone with the log source timezone prevents discrepancies between log timestamp (log_ts) and event received timestamp (event_received_ts), ensuring accurate temporal analysis.

Configuring the Logpoint Agent Collector

After adding the Windows device, configure the collector to begin log ingestion.

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add collectors/fetchers icon under Actions for the previously added device.

  3. Click Logpoint Agent Powered by NxLog.

  4. Select the previously created Processing Policy.

  5. Select the Charset (typically UTF-8 for Windows logs).

  6. Select a Template to define what logs to collect (created in the Templates section).

  7. Click Submit.

  8. Click Yes to confirm.

Certificate Management

Certificates enable encrypted TLS communication between Windows agents and the Logpoint server, protecting sensitive log data in transit.

Generating Certificates

  1. Go to Settings >> System Settings from the navigation bar and click Plugins.

  2. Find Logpoint Agent Powered by NxLog and click Manage.

  3. Select Certificates.

  4. Click Generate.

  5. Enter a custom password in Certificate Passphrase to encrypt the certificates.

Alternatively, click Browse to upload existing certificates from your local device, then click Upload.

After generation, Logpoint Agent (Centralized) pushes the certificates to Windows agents. The certificates are stored in the cert folder under C:\Program Files (x86)\lpagent.

Important Certificate Rotation:

  • If you remove the existing certificates and generate new ones, first switch every agent's connection to TCP mode (Encryption in the Template) so the agents can keep communicating while the new certificates are pushed

  • After the new certificates have been deployed, switch Encryption back to TLS in the Template for the devices that require it

  • If processes are still running when you start the generation, you will receive a confirmation warning. Wait for the processes to complete, or force generation if necessary

Managing Certificates

You can Download or Remove certificates from the Certificates interface.

Note: When removing and regenerating certificates, communication with agents may be temporarily interrupted. Plan certificate rotation during maintenance windows.
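The two checks a practitioner wants after a push or a rotation are "what did the agent actually receive?" and "does a TLS session to Logpoint chain to that CA?". The following PowerShell is an added example, not Logpoint's own code or tooling: it lists the certificate files in the agent's cert folder and performs a TLS handshake that trusts only the CA found there. It assumes the certificate files carry .pem/.crt/.cer extensions; the host name, port and the file name ca.pem in the usage lines are placeholders for your own values.

```powershell
# Added example (not Logpoint's own code): inspect what the Centralized agent pushed into
# its cert folder and prove a TLS handshake to the Logpoint server chains to that CA.
# Assumptions: certificate files use .pem/.crt/.cer extensions; host, port and ca.pem in
# the usage lines are placeholders for the values your Template points the agent at.

function Get-AgentCertificateStatus {
    param([string]$CertDir = 'C:\Program Files (x86)\lpagent\cert')
    if (-not (Test-Path -LiteralPath $CertDir)) {
        throw "Certificate folder '$CertDir' not found. Has the plugin pushed certificates to this agent yet?"
    }
    foreach ($file in Get-ChildItem -LiteralPath $CertDir -File) {
        if (@('.pem', '.crt', '.cer') -notcontains $file.Extension) { continue }
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
            [pscustomobject]@{
                File       = $file.Name
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = ($cert.Subject -eq $cert.Issuer)   # the CA you generated or uploaded
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Thumbprint = $cert.Thumbprint
            }
        } catch {
            # Key files and passphrase-protected blobs do not parse as bare certificates.
            [pscustomobject]@{ File = $file.Name; Subject = '(not a certificate)'; Issuer = ''
                               SelfSigned = $false; NotAfter = $null; DaysLeft = $null; Thumbprint = '' }
        }
    }
}

function Test-AgentTlsHandshake {
    param(
        [Parameter(Mandatory)][string]$LogpointHost,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$CaFile
    )
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaFile)
    # Build the server's chain with our CA as the only acceptable trust anchor.
    $validate = {
        param($sender, $cert, $chain, $errors)
        [void]$chain.ChainPolicy.ExtraStore.Add($ca)
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
        if (-not $chain.Build($leaf)) { return $false }
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        return ($root.Thumbprint -eq $ca.Thumbprint)
    }.GetNewClosure()
    $client = [System.Net.Sockets.TcpClient]::new($LogpointHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($LogpointHost)   # throws if the callback returns $false
        [pscustomobject]@{
            Host          = $LogpointHost
            Port          = $Port
            Protocol      = $ssl.SslProtocol
            Cipher        = $ssl.CipherAlgorithm
            ServerSubject = $ssl.RemoteCertificate.Subject
            ChainedToCA   = $true
        }
    } finally { $client.Dispose() }
}

# Constructed usage (host, port and ca.pem are placeholders):
Get-AgentCertificateStatus | Format-Table File, Subject, SelfSigned, NotAfter, DaysLeft
Test-AgentTlsHandshake -LogpointHost 'logpoint.example.internal' -Port 5143 `
    -CaFile 'C:\Program Files (x86)\lpagent\cert\ca.pem'
```

The handshake test pins trust to the CA file and deliberately skips hostname and revocation checks, so it answers only "is the server presenting a certificate issued by this CA?". It does not present the agent's own client certificate, so a server that insists on one may still close the session after this check passes; a DaysLeft value near zero in the first table is the earliest warning that a rotation is due.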

Global Settings

Global Settings define agent behavior across all deployed instances, including configuration update frequency, batch processing, and buffering.

  1. Go to Settings >> System Settings from the navigation bar and click Plugins.

  2. Find Logpoint Agent Powered by NxLog and click Manage.

  3. Select Global Settings.

  4. Configure the following settings:

Configuration Update Settings

  • Configuration update interval: How frequently agents check for configuration updates from Logpoint

Batch Processing Settings

  • Enable Batching: Enable to send logs in compressed batches (recommended for high-volume environments)

  • Flush Limit: Maximum number of logs compressed in a single batch

  • Flush interval (seconds): Maximum time the agent waits before sending a batch, even if Flush Limit is not reached

Buffering Settings

  • Enable Buffering: Enable to buffer logs during network outages, preventing log loss when Logpoint is unavailable

  • Max Size (MB): Maximum buffer size in megabytes

  • Type: Buffer type (disk-based or memory-based)

  • Warn Limit (MB): Optional threshold smaller than Max Size that triggers a warning when reached. Warnings stop until buffer drops to half the warn limit to prevent message floods.

  5. Click Submit.

Recommended Settings:

  • Enable batching for environments with >1000 events per second

  • Enable buffering for endpoints with intermittent network connectivity

  • Use disk-based buffering for critical systems where log loss is unacceptable

Templates

Templates define what logs to collect and how to collect them. Each template can include multiple collection types and can be applied to one or more Windows devices.

Creating a Template

  1. Go to Settings >> System Settings from the navigation bar and click Plugins.

  2. Find Logpoint Agent Powered by NxLog and click Manage.

  3. Select Templates.

  4. Click Add.

  5. Configure the template:

    • Template Name: Descriptive name for the collection policy

    • Hostname: Logpoint server hostname (if empty, agent uses IP address)

    • Encryption: Select encryption format if certificates are configured. TLS encryption applies to both logs and management commands.

Windows Eventlog Collection

Collects event logs from Windows Event Log API (Windows 2008/Vista or later), including System, Application, Security, and Custom event logs.

Configuration Options:

  1. Category: Select event log categories to collect (System, Application, Security, or custom channels). Use Add to manually create categories.

  2. Levels: Select severity levels to collect:

    • Critical

    • Error

    • Warning

    • Information

    • Verbose

  3. Event ID: Specify event IDs to Include or Exclude. Use this to filter for specific events or exclude noisy events.

  4. Resolve SID: Enable to resolve Security IDs to account names in log messages.

Default buffer size: 200,000 log messages

Examples:

  • Collect only Security logs with Critical and Error levels

  • Include Event ID 4624 (successful logon) and exclude Event ID 4662 (object access)

  • Collect PowerShell logs from custom channel: Microsoft-Windows-PowerShell/Operational
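Before debugging ingestion it helps to confirm that the endpoint actually emits what a template asks for. The following PowerShell is an added example, not Logpoint's own code: it reproduces a template's Category, Levels, Event ID Include/Exclude filter locally with Get-WinEvent and reports what matches. Level numbers follow the Windows Event Log convention (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose); audit events in the Security log are written at level 0 (LogAlways) and displayed as Information, so this emulation maps Information to both 0 and 4. The usage lines at the end are constructed from the examples above.

```powershell
# Added example (not Logpoint's own code): emulate a Windows Eventlog template filter with
# Get-WinEvent so you can see whether the host produces the events before chasing ingestion.
# Levels: 1=Critical 2=Error 3=Warning 4=Information 5=Verbose. Security audit events are
# level 0 (LogAlways, shown as Information), hence Information => 0 and 4 here.
$LevelMap = @{ Critical = @(1); Error = @(2); Warning = @(3); Information = @(0, 4); Verbose = @(5) }

function Test-EventlogTemplate {
    param(
        [Parameter(Mandatory)][string[]]$Category,      # channels exactly as named in the template
        [ValidateSet('Critical', 'Error', 'Warning', 'Information', 'Verbose')]
        [string[]]$Levels = @('Critical', 'Error', 'Warning', 'Information'),
        [int[]]$IncludeEventId = @(),
        [int[]]$ExcludeEventId = @(),
        [int]$MaxEvents = 500
    )
    foreach ($channel in $Category) {
        $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
        if (-not $log) {
            Write-Warning "Channel '$channel' does not exist on this host; that category would collect nothing."
            continue
        }
        if (-not $log.IsEnabled) {
            Write-Warning "Channel '$channel' is disabled; enable it with: wevtutil sl `"$channel`" /e:true"
        }
        $filter = @{ LogName = $channel; Level = [int[]]($Levels | ForEach-Object { $LevelMap[$_] }) }
        if ($IncludeEventId.Count -gt 0) { $filter['Id'] = $IncludeEventId }
        $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
        # FilterHashtable has no negative Id match, so Exclude is applied after the fetch.
        $events = @($events | Where-Object { $ExcludeEventId -notcontains $_.Id })
        $top = $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 5 |
               ForEach-Object { "$($_.Name) x$($_.Count)" }
        $newest = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        [pscustomobject]@{
            Channel      = $channel
            Enabled      = $log.IsEnabled
            RecordsInLog = $log.RecordCount
            Matched      = $events.Count
            TopEventIds  = ($top -join ', ')
            NewestMatch  = $newest
        }
    }
}

# Constructed usage mirroring the examples in the text:
Test-EventlogTemplate -Category 'Security' -Levels Critical, Error, Information -ExcludeEventId 4662
Test-EventlogTemplate -Category 'Microsoft-Windows-PowerShell/Operational' -IncludeEventId 4104  # script block logging
```

Matched is what the template would have shipped from the most recent MaxEvents records; a channel that exists but returns zero matches for Critical and Error on the Security log is expected on a healthy host, because audit events are not written at those levels.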

File Collection

Collects standard and custom flat files in ASCII format. Supports wildcards and recursive directory scanning.

Configuration Options:

  1. Name: Descriptive name for this file collection source

  2. Path: Full path to target file or directory. Use wildcards (*) for Unicode characters or multiple files.

  3. Poll Interval (seconds): How frequently the agent checks for changes or new events

  4. Save Position: Enable to remember file position when agent stops, preventing duplicate log collection

  5. Recursive: Enable to include files and directories nested inside specified paths

Use Add New to create additional file collection sources or Delete to remove existing ones.

Path Examples:

  • C:\inetpub\logs\LogFiles\W3SVC1\*.log - IIS logs

  • C:\MyApp\logs\ - Application log directory

  • C:\Logs\*\error.log - All error.log files in subdirectories

Important: File paths are limited to 256 characters. Paths exceeding this limit are ignored with a "no file specified" error.
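A path that looks right in the Template can still collect nothing: the expanded pattern may exceed the 256-character limit, the file may be UTF-16 rather than ASCII, or the wildcard may currently match no files. The following PowerShell is an added example, not Logpoint's own code: it expands a File Collection path the way the module does (wildcards, optional recursion) and reports those problems per file. The usage lines reuse the path examples above and are constructed.

```powershell
# Added example (not Logpoint's own code): vet a File Collection path before it goes into a
# template. Expands wildcards/recursion, then flags resolved paths over 256 characters
# (ignored with "no file specified"), non-ASCII content, and patterns that match nothing.
function Test-FileCollectionPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recursive,
        [int]$MaxPathLength = 256,
        [int]$SampleBytes = 4096
    )
    if ($Path.Length -gt $MaxPathLength) {
        Write-Warning "The pattern itself is $($Path.Length) characters (> $MaxPathLength); the agent ignores it."
    }
    $files = @(Get-ChildItem -Path $Path -File -Recurse:$Recursive -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        Write-Warning "'$Path' matches no files right now; the agent will poll but collect nothing."
        return
    }
    foreach ($f in $files) {
        $problems = @()
        if ($f.FullName.Length -gt $MaxPathLength) {
            $problems += "path is $($f.FullName.Length) chars (> $MaxPathLength), ignored"
        }
        try {
            # FileShare.ReadWrite: IIS and most application loggers keep the active file open for writing.
            $fs = [System.IO.File]::Open($f.FullName, [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
            try {
                $buf = New-Object byte[] $SampleBytes
                $n = $fs.Read($buf, 0, $buf.Length)
            } finally { $fs.Dispose() }
            $nonAscii = 0
            for ($i = 0; $i -lt $n; $i++) { if ($buf[$i] -gt 127) { $nonAscii++ } }
            if ($n -ge 2 -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xFE) {
                $problems += 'UTF-16 LE BOM (not an ASCII flat file)'
            } elseif ($nonAscii -gt 0) {
                $problems += "$nonAscii non-ASCII bytes in the first $n"
            }
        } catch {
            $problems += "unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            File      = $f.FullName
            SizeKB    = [math]::Round($f.Length / 1KB, 1)
            LastWrite = $f.LastWriteTime
            Problems  = ($problems -join '; ')
        }
    }
}

# Constructed usage with the path examples from the text:
Test-FileCollectionPath -Path 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
Test-FileCollectionPath -Path 'C:\MyApp\logs\' -Recursive
Test-FileCollectionPath -Path 'C:\Logs\*\error.log'
```

Run it as the account the agent runs under, or at least check that the reported files are readable by it; a file this script cannot open is one the agent cannot open either.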

File Integrity Scanner

Monitors files and directories for changes, generating event records when modifications or deletions occur. Uses checksum comparison to detect changes.

Monitored Actions:

  • New Directory

  • Delete Directory

  • Rename Directory

  • New File

  • Change in File Content

  • Rename File

  • Delete File

Configuration Options:

  1. Name: Descriptive name for this integrity scanner source

  2. Include Path: Path to files or directories to monitor. Use wildcards (*) for Unicode characters.

  3. Exclude Path: Paths to exclude from monitoring (useful for excluding temporary files or system directories)

  4. Schedule: How frequently the agent scans for changes (hourly, daily, etc.)

  5. Recursive: Enable to monitor nested files and directories

Use Add New to create additional scanner sources or Delete to remove existing ones.

Use Cases:

  • Monitor critical system files for unauthorized changes

  • Detect malware modifying executables

  • Track configuration file changes

  • Audit sensitive document access and modification

Important: File paths are limited to 256 characters. Paths exceeding this limit are ignored with a "no file specified" error.

Windows Registry Scanner

Scans Windows registry for changes and deletions, generating event records when modifications occur.

Configuration Options:

  1. Name: Descriptive name for this registry scanner source

  2. Include Reg Value: Select root key (HKLM, HKCU, etc.) and enter registry path to monitor. Use Add to include multiple registry paths.

  3. Exclude Reg Value: Select root key and enter registry path to exclude from monitoring. Use Add to exclude multiple paths.

  4. Schedule: How frequently the agent scans for registry changes

  5. 32-Bit System: Enable to scan registries on 32-bit Windows devices

Use Add New to create additional registry scanner sources or Delete to remove existing ones.

Common Registry Paths to Monitor:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run - Startup programs

  • HKLM\System\CurrentControlSet\Services - System services

  • HKCU\Software - User application settings

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Group policies
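Both scanners above work the same way: take a snapshot, rescan on a schedule, report the difference. The following PowerShell is an added example, not Logpoint's own code, serving both the File Integrity Scanner and the Windows Registry Scanner sections: it snapshots files (SHA-256 of content, keyed by path) and registry values (kind and data, keyed by key\value), then compares two snapshots into New, Change, Delete and, for files, Rename events. It accepts the HKLM\... form used in the template UI. Directory-only events from the list above are not modelled, and the paths in the usage lines are constructed.

```powershell
# Added example (not Logpoint's own code): checksum snapshot-and-compare reproducing what the
# File Integrity Scanner and Windows Registry Scanner report, for baselining a host before
# enabling them or cross-checking their events. Directory-only events are not modelled.
$RootMap = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKU = 'HKEY_USERS'
              HKCR = 'HKEY_CLASSES_ROOT'; HKCC = 'HKEY_CURRENT_CONFIG' }

function ConvertTo-RegistryProviderPath([string]$Path) {
    # Accepts the "HKLM\Software\..." form used in the template UI.
    $root, $rest = $Path -split '\\', 2
    if (-not $RootMap.ContainsKey($root)) { throw "Unknown root key '$root' in '$Path'" }
    "Registry::$($RootMap[$root])\$rest"
}

function Get-FileSnapshot {
    param([Parameter(Mandatory)][string[]]$IncludePath, [string[]]$ExcludePath = @(), [switch]$Recursive)
    $snap = @{}
    foreach ($p in $IncludePath) {
        foreach ($f in @(Get-ChildItem -Path $p -File -Recurse:$Recursive -ErrorAction SilentlyContinue)) {
            $full = $f.FullName
            if (@($ExcludePath | Where-Object { $full -like "$($_)*" }).Count -gt 0) { continue }
            try { $snap[$full] = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash } catch { }
        }
    }
    return $snap
}

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string[]]$IncludeKey, [string[]]$ExcludeKey = @())
    $snap = @{}
    $excl = @($ExcludeKey | ForEach-Object { (ConvertTo-RegistryProviderPath $_) -replace '^Registry::', '' })
    foreach ($k in $IncludeKey) {
        $pp = ConvertTo-RegistryProviderPath $k
        $keys = @(Get-Item -Path $pp -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $pp -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # RegistryKey.Name is the full "HKEY_LOCAL_MACHINE\..." path.
            if (@($excl | Where-Object { $key.Name -like "$($_)*" }).Count -gt 0) { continue }
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $snap["$($key.Name)\$name"] = "$($kind):$($data -join ',')"
            }
        }
    }
    return $snap
}

function Compare-Snapshot {
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After, [switch]$DetectRename)
    $events = [System.Collections.Generic.List[object]]::new()
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $events.Add([pscustomobject]@{ Action = 'Delete'; Item = $k; Detail = $Before[$k] })
        } elseif ($After[$k] -ne $Before[$k]) {
            $events.Add([pscustomobject]@{ Action = 'Change'; Item = $k; Detail = "$($Before[$k]) -> $($After[$k])" })
        }
    }
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $events.Add([pscustomobject]@{ Action = 'New'; Item = $k; Detail = $After[$k] })
        }
    }
    if ($DetectRename) {
        # A deleted file whose hash reappears at another path is a rename, not a delete plus a new file.
        foreach ($d in @($events | Where-Object Action -eq 'Delete')) {
            $m = $events | Where-Object { $_.Action -eq 'New' -and $_.Detail -eq $d.Detail } | Select-Object -First 1
            if ($m) { $d.Action = 'Rename'; $d.Detail = "$($d.Item) -> $($m.Item)"; [void]$events.Remove($m) }
        }
    }
    return $events
}

# Constructed usage: baseline, change something, compare.
$fim0 = Get-FileSnapshot -IncludePath 'C:\Windows\System32\drivers\etc' -Recursive
$reg0 = Get-RegistrySnapshot -IncludeKey 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
# ... later ...
Compare-Snapshot -Before $fim0 -After (Get-FileSnapshot -IncludePath 'C:\Windows\System32\drivers\etc' -Recursive) -DetectRename
Compare-Snapshot -Before $reg0 -After (Get-RegistrySnapshot -IncludeKey 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run')
```

Persist a baseline with Export-Clixml if you want to compare across reboots. Rename detection is a hash match, so two empty or identical files can be reported as a rename rather than a delete and a new file; the same ambiguity exists for any checksum-based scanner.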

Saving Templates

After configuring all collection types:

  • Click Save to save the template

  • Click Save As to save with a different name

  • Click Cancel to abort without saving

Templates can be applied to multiple Windows devices and modified at any time.

Agents

The Agents interface displays all Windows devices configured with Logpoint Agent (Centralized), including active and disconnected agents.

Viewing Agents

  1. Go to Settings >> System Settings from the navigation bar and click Plugins.

  2. Find Logpoint Agent Powered by NxLog and click Manage.

  3. Select Agents.

  4. Enable Show Crashed Agents to view disconnected devices.

Managing Agent Configurations

Edit Template: Click the device name to modify its template configuration, then click Save.

Actions Available:

  • Push Icon: Push configuration changes from Logpoint to the Windows device immediately

  • Export Icon: Export the current device configuration to your local device

  • Details Icon: View all associated information about the device, including connection status, last communication time, and active modules

Use Cases:

  • Troubleshoot disconnected agents by checking last communication time

  • Export configurations for backup or documentation

  • Force configuration updates after template changes


Verify Ingestion

Check Log Ingestion

Use the following query to verify Logpoint Agent logs are being ingested:

Verify Data Flow by Collection Type

Windows Event Log Collection:

File Collection:

File Integrity Scanner:

Windows Registry Scanner:

Verify Agent Status

  1. Check Collector Status: Ensure the Logpoint Agent Powered by NxLog collector is running without errors under Settings >> Configuration >> Devices.

  2. Monitor Log Volume: Verify expected log volumes are being processed for each collection type.

  3. Validate Normalization: Confirm logs are correctly parsed and normalized using the LPA_Windows normalization package.

  4. Check Certificate Status: For TLS-encrypted connections, verify certificates are deployed to C:\Program Files (x86)\lpagent\cert.

  5. Review Agent Configuration: Use the Agents interface to confirm templates are applied and agents show as connected.
