Configure

To configure the settings of Logpoint Agent (Standalone), edit its configuration file located at:

C:\Program Files\lpagentstandalone\conf\lpagentstandalone.conf

The configuration file controls all aspects of the agent's behavior, including which logs to collect, how to process them, and where to send them.


If you are currently using NXLog v6.7.9957 and migrating to Logpoint Agent (Standalone) v6.7.9957, you can copy the content of your nxlog.conf backup into lpagentstandalone.conf. Make sure to define the INSTALLDIR, CONFDIR, and MYLOGFILE macros as follows:

define INSTALLDIR C:\Program Files\lpagentstandalone
define CONFDIR %INSTALLDIR%\conf\lpagentstandalone.d
define MYLOGFILE %LOGDIR%\lpagentstandalone.log

Configuration Options

The agent offers two primary configuration approaches to match different deployment needs.

Simple Configuration

Overview

Best for: Basic log collection with minimal overhead

What's Included:

  • Windows Event Log collection (Application, System, Security, PowerShell)

  • JSON formatting

  • Syslog wrapping for compatibility

  • UDP forwarding to Logpoint

  • Basic agent logging

When to Use:

  • Small to medium deployments

  • When you only need Windows Event Logs

  • Testing and proof-of-concept environments

  • Systems where DHCP/DNS/Registry monitoring is not required

Simple Configuration Setup

  1. Edit the configuration file:

  2. Set your Logpoint IP address:

    Replace xx.xx.xx.xx with your Logpoint collector's IP address.

  3. Key configuration sections:

    Installation paths:

    Logging level:

    Windows Event Log collection:

    Output to Logpoint:

  4. Save the file and restart the agent.
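A complete minimal lpagentstandalone.conf that follows the four steps above, written here as an added example rather than the configuration file shipped with the agent. It uses the INSTALLDIR, CONFDIR and MYLOGFILE macros from the migration note; the LOGDIR macro, UDP port 514 on the collector and the Microsoft-Windows-PowerShell/Operational channel name are assumptions (the page does not show where the agent defines LOGDIR or which port the collector listens on). xx.xx.xx.xx is the placeholder to replace with your collector's address.

```apacheconf
# Added example of a minimal lpagentstandalone.conf (not the agent's shipped file).
# Installation paths: INSTALLDIR, CONFDIR and MYLOGFILE as in the migration note.
# LOGDIR is an assumption here; the page does not show the agent's own definition.
define INSTALLDIR C:\Program Files\lpagentstandalone
define CONFDIR    %INSTALLDIR%\conf\lpagentstandalone.d
define LOGDIR     %INSTALLDIR%\data
define MYLOGFILE  %LOGDIR%\lpagentstandalone.log

# Logging level: INFO for normal operation; raise to DEBUG only while troubleshooting.
LogLevel INFO
LogFile  %MYLOGFILE%

# Extensions used to convert events to JSON and wrap them in syslog.
<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# Windows Event Log collection: Application, System, Security and PowerShell channels.
<Input in_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Serialize every event field into a JSON document in $raw_event.
    Exec to_json();
</Input>

# Output to Logpoint: replace xx.xx.xx.xx with the collector's IP address.
# Port 514 is an assumption; use the port your collector's syslog listener is configured for.
<Output out_logpoint>
    Module om_udp
    Host   xx.xx.xx.xx
    Port   514
    # Wrap the JSON body in a BSD syslog header so the collector can parse it.
    Exec   to_syslog_bsd();
</Output>

<Route r_eventlog>
    Path in_eventlog => out_logpoint
</Route>
```

The two Exec lines are what produce the "JSON wrapped in syslog" format listed under What's Included: to_json() in the input builds the body, and to_syslog_bsd() in the output prepends the syslog header. After saving, restart the agent service for the change to take effect.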

Advanced Configuration

Overview

Best for: Production environments requiring extensive logging and monitoring

Additional Features Beyond Simple Configuration:

  • Event filtering - Drop list to remove high-volume, low-value event IDs

  • DHCP server logs - CSV parsing with predefined field structure

  • DNS debug logs - File-based collection with validation rules

  • Registry monitoring - Track changes to specified registry paths with FIM-style checksums

  • Exclusions - Avoid sensitive or noisy registry areas

  • Enhanced log rotation - Automatic management of log file sizes

When to Use:

  • Production environments

  • Security-focused deployments

  • When you need comprehensive visibility across multiple data sources

  • Environments with DHCP/DNS servers requiring monitoring

  • When registry change detection is critical for security

Advanced Configuration Setup

The advanced configuration includes all components from the simple setup plus additional data sources.

Key Differences:

  1. Event ID Filtering:

  2. DHCP Log Collection:

  3. DNS Debug Log Collection:

  4. Registry Monitoring:

Tuning the UDP Send Buffer with SockBufSize

In high-volume logging environments, Windows may report socket errors such as:


This error indicates that the system's network buffers are exhausted or the send queue is full. When logs are sent over UDP, this can lead to dropped packets or interrupted log forwarding. To reduce the likelihood of these issues, you can increase the UDP send buffer size by configuring the SockBufSize directive on the output.

Example: Increasing the UDP Send Buffer for a Logpoint Output

The following example shows how to increase the UDP send buffer on the default output that forwards logs to Logpoint:

If your configuration uses a different output block name (for example, out_win), add SockBufSize inside that output block instead:

For more details on configuring NXLog Agent buffers, refer to the NXLog documentation.
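The four additions the Advanced Configuration Setup describes (event ID drop list, DHCP CSV parsing, DNS debug-log validation, registry monitoring), together with the SockBufSize tuning from the section above, as one added example that extends the simple configuration; it is not the agent's own advanced file. It assumes the defines and the json/syslog extensions from the simple configuration are already declared earlier in the file (the in_eventlog input and out_logpoint output here replace the simple ones), the default Windows DHCP audit-log path C:\Windows\System32\dhcp\DhcpSrvLog-*.log with the field layout of that log, a placeholder DNS debug-log path, and a drop list, registry paths, exclusion and SockBufSize value chosen here for illustration.

```apacheconf
# Added example: advanced additions on top of the simple configuration (not the agent's
# shipped advanced file). Assumes the defines and json/syslog extensions from the simple
# configuration are already declared above; in_eventlog and out_logpoint replace the simple ones.

# 1. Event ID filtering: drop high-volume, low-value events before they leave the host.
#    The IDs are illustrative (5156/5158 are Filtering Platform connection events,
#    4663 is object access); pick the list from your own volume figures.
<Input in_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec if $EventID == 5156 or $EventID == 5158 or $EventID == 4663 drop();
    Exec to_json();
</Input>

# 2. DHCP server logs: CSV with the Windows DHCP audit-log field layout.
<Extension csv_dhcp>
    Module xm_csv
    Fields ID, Date, Time, Description, IPAddress, HostName, MACAddress, UserName, TransactionID, QResult, ProbationTime, CorrelationID, Dhcid, VendorClassHex, VendorClassASCII, UserClassHex, UserClassASCII, RelayAgentInformation, DnsRegError
</Extension>

<Input in_dhcp>
    Module im_file
    File   "C:\Windows\System32\dhcp\DhcpSrvLog-*.log"
    # The audit log starts with a multi-line text header; keep only lines that begin
    # with a numeric event ID followed by a comma.
    Exec   if $raw_event !~ /^\d+,/ drop();
    Exec   csv_dhcp->parse_csv();
    Exec   to_json();
</Input>

# 3. DNS debug logs: file-based collection with a validation rule that discards anything
#    not starting with a date (header and continuation lines). The path is a placeholder;
#    use the debug-log file configured on your DNS server.
<Input in_dns>
    Module im_file
    File   "C:\PATH\TO\dns-debug.log"
    Exec   if $raw_event !~ /^\d{1,2}\/\d{1,2}\/\d{4}/ drop();
    Exec   to_json();
</Input>

# 4. Registry monitoring: periodic FIM-style checksum scans of the listed keys, with an
#    exclusion for a noisy subkey. Paths are illustrative; ScanInterval is in seconds.
<Input in_regmon>
    Module       im_regmon
    RegValue     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RegValue     HKLM\SYSTEM\CurrentControlSet\Services
    Recursive    TRUE
    ScanInterval 300
    Exclude      HKLM\SYSTEM\CurrentControlSet\Services\bam
    Exec         to_json();
</Input>

# Output with a larger UDP send buffer (SockBufSize, in bytes) so bursts are less likely to
# hit a full socket queue. 150000000 is an illustrative value; size it for your event rate.
<Output out_logpoint>
    Module      om_udp
    Host        xx.xx.xx.xx
    Port        514
    SockBufSize 150000000
    Exec        to_syslog_bsd();
</Output>

<Route r_all>
    Path in_eventlog, in_dhcp, in_dns, in_regmon => out_logpoint
</Route>
```

The drop list runs before to_json(), so filtered events cost no serialization or bandwidth. The regex guards on the two file inputs are the "validation rules": without them the DHCP header lines would reach parse_csv() and produce malformed records. Because UDP gives no delivery feedback, a larger SockBufSize only lowers the chance of local drops; watch the agent log for the socket error after tuning to confirm it has gone away.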

Selecting a Specific Event ID

If you need to collect only specific Event IDs from a particular channel, you can use this pattern:

This is useful when you need to target a single event type from a specific Windows event log channel (e.g., Security, System, Application, PowerShell, etc.).

Example - Collecting only successful logon events (4624) from Security log:
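The pattern above, as an added example (not the agent's own configuration): an input that returns only event 4624 from the Security channel by putting an XPath predicate in the Select element. It assumes the json extension from the simple configuration is declared, and the commented variant goes slightly beyond the text by showing how several IDs are combined in one predicate.

```apacheconf
# Added example: a Security-channel input restricted to successful logons (Event ID 4624).
# Assumes the xm_json extension is already declared in the configuration.
<Input in_logon_success>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <!-- Only events whose System/EventID element equals 4624 -->
                <Select Path="Security">*[System[(EventID=4624)]]</Select>
                <!-- Several IDs can be ORed in the same predicate, e.g.
                     *[System[(EventID=4624 or EventID=4625)]] -->
            </Query>
        </QueryList>
    </QueryXML>
    Exec to_json();
</Input>
```

Filtering in the query is cheaper than a drop() in Exec, because the Event Log subscription itself never delivers the unwanted events to the agent.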

Debugging Configuration

If you need to test your configuration locally before sending to Logpoint, you can temporarily output to a local file:

Comment out the UDP output:

Enable file output:

This allows you to inspect the formatted output before sending it to your SIEM.
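The two steps above as an added example (not the agent's own configuration): the UDP output from the simple configuration is commented out and a file output takes its place in the route. The debug file path under %INSTALLDIR%\data is an assumption.

```apacheconf
# Added example: route events to a local file while validating the configuration.
# The debug file path is an assumption; any path the agent service can write works.

# Comment out the UDP output:
# <Output out_logpoint>
#     Module om_udp
#     Host   xx.xx.xx.xx
#     Port   514
#     Exec   to_syslog_bsd();
# </Output>

# Enable file output:
<Output out_debugfile>
    Module om_file
    File   "%INSTALLDIR%\data\debug-output.log"
    # Keep the same syslog wrapping so the file shows exactly what Logpoint would receive.
    Exec   to_syslog_bsd();
</Output>

<Route r_eventlog>
    Path in_eventlog => out_debugfile
</Route>
```

Restart the agent after the change, inspect the file, then reverse both edits before returning the host to production so events are not left on local disk.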

Simple Configuration

The following configuration provides a minimal setup focusing on Windows Event Log collection and forwarding.

Use case: Basic log collection with minimal overhead

Features:

  • Collects from standard Windows Event Log channels (Application, System, Security, PowerShell)

  • Converts events to JSON format

  • Wraps events in Syslog format for compatibility

  • Forwards via UDP to Logpoint collector

  • Basic agent logging enabled

Simple Configuration:

Advanced Configuration

The following configuration provides a comprehensive setup with multiple log sources, filtering, and monitoring.

Use case: Production environments requiring extensive logging and monitoring

Additional features beyond Simple Configuration:

  • Event filtering: Drop list to remove high-volume, low-value event IDs

  • DHCP server logs: CSV parsing with predefined field structure

  • DNS debug logs: File-based collection with validation rules

  • Registry monitoring: Track changes to specified registry paths

  • Exclusions: Avoid sensitive or noisy registry areas

  • Log rotation: Automatic management of log file sizes

Registry monitoring includes:

  • Multiple monitored registry paths for change detection

  • Exclusion rules to reduce noise and avoid sensitive data

  • Structured output for SIEM integration

Advanced Configuration:
