Submit a ticketCall us

Training Class Getting Started with SolarWinds Backup - February 28

This course offers customers an introduction to SolarWinds Backup, focusing on configuring the backup technology, taking backups, data restoration and data security. It is a great primer and will get you up to speed quickly on SolarWinds Backup.
Register for class.

Home > Success Center > Log & Event Manager (LEM) > Collect AppLocker events in LEM

Collect AppLocker events in LEM

Table of contents
Created by Jason Dee, last modified by MindTouch on Jun 23, 2016

Views: 779 Votes: 1 Revisions: 4

Updated 6/14/2016


This article covers how to configure your environment and LEM to read AppLocker event logs.


  • LEM all versions
  • Windows Server all versions


Modify the AppLocker log file paths on the host machines

  1. On the host with the AppLocker log files, open Event Viewer.
  2. Browse to Applications and Services Logs > Microsoft > Windows > AppLocker.
  3. Right-click on the EXE and DLL log file and go to Properties.
  4. Remove the spaces in the Log path field and click OK.
  5. Repeat these steps for the MSI and Script log file.


Add registry keys on the host machines

  1. Go to Start > Run and launch regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog.
  3. Right-click in the right pane and choose New > Key and to add each of these keys:
    1. Microsoft-Windows-AppLocker/EXEandDLL
    2. Microsoft-Windows-AppLocker/MSIandScript


Add the AppLocker connectors to the host machines in the LEM Console

  1. Open your LEM Console and go to Manage > Nodes.
  2. Locate the node for the host you've modified, click on its gear icon, and go to Connectors.
  3. Search for AppLocker to locate the connectors for MSI and EXE and MSI and Script.
  4. For each connector, click on the gear icon, click New, and click Save.
  5. Finally, start each connector by clicking on the gear icons for the new entries and selecting Start.




Last modified


This page has no custom tags.