Set Up Logpoint NDR Endpoint Agent for Windows

Purpose

This document describes how to install, configure, and deploy the Logpoint NDR Endpoint Agent on Windows systems and connect it to a Logpoint NDR sensor.

The Endpoint Agent extends network visibility by capturing network traffic directly on endpoints and forwarding network metadata securely to Logpoint NDR. It does not provide endpoint detection or response (EDR) capabilities.

For small proof-of-value deployments, follow the instructions in the Installation section only.


How the Endpoint Agent Works

The Logpoint NDR Endpoint Agent captures network traffic metadata from Windows endpoints and forwards it securely to a Logpoint NDR sensor.

Key characteristics:

  • Uses Npcap to capture network traffic on Windows

  • Establishes an encrypted QUIC connection to the Logpoint NDR sensor

  • Forwards data over UDP port 443

  • Runs as a Windows service named Monitoring Endpoint Agent

Npcap is installed automatically during agent installation. Due to licensing restrictions, it must not be used for other purposes.

Once connected, the agent captures traffic from the default network interface and forwards it continuously to the sensor. If the connection is interrupted, the agent automatically attempts to reconnect after 10 seconds.

All data collected by the agent is processed as network metadata in Logpoint NDR. There is no difference between metadata collected by endpoint agents and metadata collected by network-based sensors.


Installation Overview

The Logpoint NDR Endpoint Agent is distributed as a Windows MSI package and can be installed using:

  • A graphical installer (recommended for small deployments)

  • Command-line installation

  • Automated deployment using Group Policy or third-party tools


Prerequisites

Before installing the Endpoint Agent, ensure the following information is available:

  • The Endpoint Agent MSI installer

  • The SERVER_URL of the Logpoint NDR sensor

  • The HOST value used to validate the sensor’s identity

Derive the required values as follows:

  • SERVER_URL: Prefix the sensor IP address or internal hostname with quic://

    • Example: quic://192.0.2.10

  • HOST: Append .sensor.wehowsky.com to the sensor serial number

    • Example: <SERIAL>.sensor.wehowsky.com


Graphical Installation

Use the graphical installer when deploying the agent to a small number of endpoints.

  1. Double-click the MSI installer.

  2. Follow the on-screen instructions.

  3. When prompted, enter the SERVER_URL and HOST values.

  4. Complete the installation.

Npcap is installed automatically as part of the setup process.

After installation completes, the agent starts immediately and begins capturing and forwarding network traffic.


Troubleshooting

Endpoint Logs

On the endpoint, agent logs are available in:

Event Viewer → Windows Logs → Application

Log source: Monitoring Endpoint Agent Log

Review log details for connection or installation errors.

Sensor Validation

On the Logpoint NDR sensor, verify that data is being received by running a metadata search.

If no data appears:

  • Confirm that the sensor firewall allows incoming UDP traffic on port 443.

  • Verify that the SERVER_URL and HOST values are correct.
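The checks above can be scripted when many endpoints are involved. The following PowerShell is an added example, not Logpoint's own tooling: it validates SERVER_URL, HOST and the installer path against the rules in this document, then reports the service state and recent agent warnings or errors. The function names are hypothetical, and it assumes the "Log source" shown in Event Viewer is the event provider name.

```powershell
# Added example (not Logpoint code). Function and parameter names are hypothetical.
function Test-NdrAgentSettings {
    param(
        [Parameter(Mandatory)] [string] $ServerUrl,
        [Parameter(Mandatory)] [string] $HostValue,
        [Parameter(Mandatory)] [string] $MsiPath
    )
    $problems = @()
    # SERVER_URL: quic:// followed by the sensor IP or internal hostname, as in the page's example.
    if ($ServerUrl -notmatch '^quic://[A-Za-z0-9.-]+$') {
        $problems += "SERVER_URL '$ServerUrl' is not quic://<ip-or-hostname>"
    }
    # HOST: <SERIAL>.sensor.wehowsky.com, with the placeholder actually replaced.
    if ($HostValue -notmatch '^[^\s<>.]+\.sensor\.wehowsky\.com$') {
        $problems += "HOST '$HostValue' is not <serial>.sensor.wehowsky.com"
    }
    # The installer must be invoked with an absolute path: drive-rooted or UNC.
    if ($MsiPath -notmatch '^(?:[A-Za-z]:\\|\\\\)') {
        $problems += "MSI path '$MsiPath' is relative"
    }
    return $problems   # empty result means all three values pass
}

function Get-NdrAgentHealth {
    param([int] $LookbackMinutes = 60)
    $name = 'Monitoring Endpoint Agent'
    # Match on either the service name or the display name.
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name } |
        Select-Object -First 1
    # Assumption: the "Log source" shown in Event Viewer is the event provider name.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Monitoring Endpoint Agent Log'
        Level        = 2, 3   # Error, Warning
        StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ServiceFound   = [bool]$svc
        ServiceStatus  = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        RecentProblems = $events.Count
        LastMessage    = if ($events.Count) { $events[0].Message } else { $null }
    }
}

# Constructed sample values: 192.0.2.10 is the page's example; serial and path are placeholders.
Test-NdrAgentSettings -ServerUrl 'quic://192.0.2.10' -HostValue 'SERIAL123.sensor.wehowsky.com' `
    -MsiPath 'C:\Temp\Monitoring_Endpoint_Agent_VERSION.msi'
Get-NdrAgentHealth
```

A service that is running with no recent warnings, while the sensor still shows no metadata, points toward the network path (UDP port 443) or a HOST value that does not match the sensor.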


Automated Deployment

For large-scale deployments, use automated installation methods.


Command-Line Installation (Headless)

The installer supports silent and semi-silent installation modes.

Initial Installation

Run one of the following commands:

Show progress bar

Silent installation

Important: The installer must be invoked using an absolute path. Relative paths (for example, .\Monitoring_Endpoint_Agent_VERSION.msi) are not supported.


Deployment Using Group Policy

To deploy the Endpoint Agent using Group Policy:

  1. Copy the installer to a network share with appropriate permissions.

  2. Create a new Group Policy Object (GPO) and link it to the domain.

  3. Assign the policy to the required security groups.

  4. Navigate to: Computer Configuration → Policies → Software Settings → Software Installation

  5. Add a new package using the UNC path to the installer.

  6. Select Assigned.

  7. In the deployment options, enable Install this application at logon.

The agent installs automatically the next time the target systems log on.

You may also deploy the agent using third-party tools such as PDQ, KACE, or SCCM.


Verification

After installation, the Endpoint Agent appears as an asset in the Logpoint NDR Central Dashboard.

Verify the following:

  • The endpoint is listed

  • Network metadata is visible and searchable
