Quick References

Service Commands

# Start the agent
Start-Service lpagentstandalone

# Stop the agent
Stop-Service lpagentstandalone

# Restart the agent
Restart-Service lpagentstandalone

# Check status
Get-Service lpagentstandalone

File Locations

Item

Path

Installation Directory

C:\Program Files\lpagentstandalone\

Configuration File

C:\Program Files\lpagentstandalone\conf\lpagentstandalone.conf

Configuration Directory

C:\Program Files\lpagentstandalone\conf\lpagentstandalone.d\

Agent Logs

C:\Program Files\lpagentstandalone\data\lpagentstandalone.log

Certificate Directory

C:\Program Files\lpagentstandalone\cert\

DHCP Logs (Source)

C:\Windows\System32\dhcp\DhcpSrvLog-*.log

DNS Logs (Source)

C:\Windows\System32\dns\dns*.log

Network Requirements

Protocol: UDP (default) or TCP
Port: 514 (configurable)
Direction: Agent → Logpoint SIEM
Firewall: Ensure port 514 UDP is open

Configuration Templates

Simple Configuration

Windows Event Logs only
Minimal filtering
UDP output
Basic agent logging

Advanced Configuration

Windows Event Logs with filtering
DHCP log collection
DNS debug log collection
Registry monitoring with FIM
Comprehensive exclusions
Enhanced log rotation

Data Verification Searches

# Windows Events
ModuleType="event_log" earliest=-15m

# Registry Changes
ModuleType="registry_scanner" earliest=-15m

# DHCP Events
SourceName="DHCPEvents" earliest=-15m

# DNS Events
SourceName="DNSDebug" earliest=-15m

Key Configuration Parameters

Parameter

Values

Purpose

LogLevel

INFO, DEBUG, WARNING, ERROR

Controls verbosity of agent logs

ResolveSID

TRUE, FALSE

Whether to resolve Security IDs to names

ReadFromLast

TRUE, FALSE

Start from last position or beginning

SavePos

TRUE, FALSE

Remember file read position

Recursive

TRUE, FALSE

Enable recursive registry scanning

64BitView

TRUE, FALSE

Use 64-bit registry view

ScanInterval

Seconds

Time between registry scans

Additional Resources

NXLog Documentation

For more detailed information on configuration options and advanced features, refer to the NXLog documentation.

Common Configuration Patterns

Collecting a single specific Event ID:

<Select Path="Security">*[System[(EventID=4624)]]</Select>

Multiple specific Event IDs:

<Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>

Dropping specific Event IDs:

Exec if $EventID in (4663, 5156) drop();

Last updated 20 days ago

Was this helpful?

Good morning

hashtagService Commands

hashtagFile Locations

hashtagNetwork Requirements

hashtagConfiguration Templates

hashtagSimple Configuration

hashtagAdvanced Configuration

hashtagData Verification Searches

hashtagKey Configuration Parameters

hashtagAdditional Resources

hashtagNXLog Documentation

hashtagCommon Configuration Patterns

Service Commands

File Locations

Network Requirements

Configuration Templates

Simple Configuration

Advanced Configuration

Data Verification Searches

Key Configuration Parameters

Additional Resources

NXLog Documentation

Common Configuration Patterns