AgentXKB
Prasuna Dahal
April 22, 2026 07:28
Release Details
Version: v1.6.0
Release date: April 22, 2026
Supported On: Logpoint v7.1.0 and later
SHA 256: bdf822ed84bb74f5d95d2817d12c01ff8fbbb4926d836afbe11c4a0b389eb85a
Bug Fixes
When onboarding OSQuery logs with AgentX, some OSQuery events were parsed inconsistently for the same event type.
In AgentX Windows and AgentX Unix logs, raw log entries containing non-ASCII characters were displayed as escaped Unicode sequences.
File path values in AgentX Unix logs were captured incorrectly, with missing leading / characters or additional escaped sequences.
Past Releases
AgentXKB v1.5.1
Version: 1.5.1
Release date: January 9, 2026
Supported On: Logpoint v7.1.0 and later
SHA 256: 91abfec7fdb2197242c78e80d466cee723475cb2240bba1117d4a6c23c48ed8b
Enhancement
Minor bug fixes and enhancements.
AgentXKB v1.5.0
Version: v1.5.0
Release date: August 15, 2025
Supported On: Logpoint v7.1.0 and later
SHA 256: 6827e22e0bc2952b11e607640c3ad79e07eaeb45c0c6ab116ec2603d1f073c0a
Enhancement
AgentXWindowsCompiledNormalizer now supports normalization of SMS Passcode logs.
Bug Fixes
Raw logs were displayed in search results because AgentXUnixCompiledNormalizer did not normalize Unix logs.
The Caller Computer Name field in Windows Event ID 4740 was not normalized as Workstation, preventing alerts from being triggered.
AgentX did not apply the date and time configured in CNDP to Windows logs, resulting in incorrect timestamps.
AgentXWindowsCompiledNormalizer did not display search results due to an incorrect double quote in the value of the Reason field.
AgentXKB v1.4.2
Version: v1.4.2
Release date: December 2, 2024
Supported On: Logpoint v7.1.0 and later
SHA 256: df6d32345afcbe62f640b1c4649bbdc4271997656a74454381691bc6d9709a72
Enhancements
The mapping of the following fields is updated:
eventdata{product Name} to product
eventdata{product Version} to product_version
eventdata_new_value to new_value
eventdata_old_value to old_value
The event id for these fields is 5007 and the normalizer is "AgentXWindowsCompiledNormalizer".
The fields eventdata_access_granted and eventdata_access_removed are now mapped to the privilege field.
The taxonomy of normalized fields is updated for AgentX Windows Security Audit:
eventdata_new_target_user_name → new_user
eventdata_old_target_user_name → target_user
eventdata_home_directory → home_directory
eventdata_home_path → home_path
eventdata_profile_path → path
eventdata_script_path → script_path
eventdata_user_parameters → parameter
eventdata_user_workstations → workstation
The taxonomy of normalized fields is updated for AgentXWindowsCompiledNormalizer:
eventdata_nASIPv4Address → nas_ipv4_address
eventdata_clientIPAddress → client_address
eventdata_nASPortType → nas_port_type
eventdata_eAPType → eap_type
eventdata_nASIdentifier → nas_identifier
eventdata_nASPort → nas_port
log_file_cleared_client_process_id → process_id
log_file_cleared_client_process_start_key → process_start_key
log_file_cleared_subject_logon_id → logon_id
Bug Fixes
In event_id 5007, “//” in paths was not parsed properly.
The fields user, user_id and caller_user_id were not properly normalized by AgentXUnixCompiledNormalizer.
For event_id 7000, eventdata fields were not normalized, resulting in the event source name not being collected.
For event_id 4656, file-related events didn’t have labels, resulting in logs being collected without human-readable values.
In Oracle DB (Windows), specific fields like user, action, RETCODE, and OBJName were not normalized.
Event logs from MS Exchange were not normalized correctly.
Logs from Ubuntu were not normalized correctly.
When the UNIX template was improperly configured, AgentX UNIX logs were not normalized.