circle-info
Welcome to the new Logpoint documentation portal! Can’t find what you’re looking for?
Visit the old documentation portal.arrow-up-right
search

Collect Data

hashtag
Windows Event Log Collection

hashtag
What's Collected

The agent monitors these Windows Event Log channels:

  • Application - Application errors, warnings, and information

  • System - System-level events and service state changes

  • Security - Authentication events, access control, and audit logs

  • Windows PowerShell - PowerShell engine activity

  • PowerShell Operational - Detailed PowerShell command execution

hashtag
What You'll See

This provides visibility into:

  • User authentication attempts (successful and failed)

  • Service starts, stops, and failures

  • Process creation and termination

  • Application crashes and errors

  • PowerShell script execution and commands

hashtag
Noise Reduction (Advanced Configuration Only)

The advanced configuration automatically filters out high-volume, low-value events to reduce storage costs:

Filtered Event IDs:

  • 5145 - Network share object access check

  • 5156 - Windows Filtering Platform permitted connection

  • 5447 - Windows Filtering Platform filter change

  • 4656 - Handle to object requested

  • 4658 - Handle to object closed

  • 4663 - Attempt to access object

  • 4660 - Object deleted

  • 4670 - Permissions on object changed

  • 4690 - Duplicate handle to object requested

  • 4703 - Token right adjusted

  • 4907 - Auditing settings changed

  • 5152 - Windows Filtering Platform blocked packet

  • 5157 - Windows Filtering Platform blocked connection

To customize this list:

Add or remove Event IDs in the configuration:

hashtag
Configuration Parameters

  • ResolveSID: FALSE - Does not resolve Security Identifiers to usernames (improves performance)

  • ReadFromLast: TRUE - Starts reading from the last known position (avoids duplicates on restart)

  • $ModuleType = 'event_log' - Tags events for Logpoint normalization

hashtag
DHCP Log Collection

hashtag
Prerequisites

  • DHCP Server role must be installed

  • DHCP logging must be enabled (enabled by default)

hashtag
What's Collected

DHCP server logs from:

The wildcard * matches log files with different day names (e.g., DhcpSrvLog-Mon.log, DhcpSrvLog-Tue.log)

hashtag
Parsed Fields

The agent parses these CSV fields from DHCP logs:

  • ID, Date, Time, Description

  • IPAddress, Hostname, MACAddress

  • UserName, TransactionID, QResult

  • ProbationTime, CorrelationID, DHCID

  • VendorClassHex, VendorClassASCII

  • UserClassHex, UserClassASCII

  • RelayAgentInformation, DnsRegError

hashtag
What You'll See

  • DHCP lease requests and grants

  • IP address assignments

  • DHCP client information

  • Lease renewals and releases

  • DHCP server activity

hashtag
When to Use This

Enable DHCP collection on servers running the DHCP Server role to track:

  • Device network connections

  • IP address usage patterns

  • Unauthorized DHCP activity

  • DHCP troubleshooting

hashtag
DNS Debug Log Collection

hashtag
Prerequisites

CRITICAL: DNS debug logging must be manually enabled on your DNS server.

To Enable DNS Debug Logging:

  1. Open DNS Manager

  2. Right-click the DNS server

  3. Select Properties → Debug Logging tab

  4. Enable desired logging options

  5. Set log file location to default or specify custom path

hashtag
What's Collected

DNS debug logs from:

hashtag
Data Validation

The agent validates DNS log entries before forwarding:

  • Drops empty lines

  • Drops lines that don't start with a date pattern

  • Only forwards properly formatted DNS debug entries

hashtag
What You'll See

  • DNS queries and responses

  • Query types and destinations

  • Response codes

  • DNS resolution flows

  • Client IP addresses making queries

hashtag
When to Use This

Enable DNS collection for:

  • Investigating DNS-based threats (tunneling, DGA domains)

  • Tracking domain resolution patterns

  • Detecting DNS exfiltration

  • Network troubleshooting

  • Compliance and auditing

Performance Note: DNS debug logging can generate high volumes of data. Enable selectively on critical DNS servers.

hashtag
Registry Monitoring

hashtag
What's Monitored

The agent performs continuous FIM-style scanning of critical registry locations to detect:

  • Persistence mechanisms - Malware auto-start locations

  • Execution hijacking - File handler and association tampering

  • Service modifications - Changes to Windows services

  • Policy tampering - Group policy and security policy changes

  • Protocol handler abuse - Custom protocol handler manipulation

hashtag
Registry Areas Monitored

Category
Example Paths
Purpose

File Execution

HKLM\Software\Classes\batfile\*

HKLM\Software\Classes\cmdfile\*

HKLM\Software\Classes\exefile\*

Detect file association attacks

Monitor command file handlers

Track executable file handlers

Persistence

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\*

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*

Catch auto-start malware

Monitor one-time startup items

Track Winlogon changes

Last updated

Was this helpful?