
Collect AppLocker events in LEM

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Updated 6/14/2016

Overview

This article covers how to configure your environment and LEM to read AppLocker event logs.

Environment

  • LEM all versions
  • Windows Server all versions

Steps

Modify the AppLocker log file paths on the host machines

  1. On the host with the AppLocker log files, open Event Viewer.
  2. Browse to Applications and Services Logs > Microsoft > Windows > AppLocker.
  3. Right-click on the EXE and DLL log file and go to Properties.
  4. Remove the spaces in the Log path field and click OK.
  5. Repeat these steps for the MSI and Script log file.

 

Add registry keys on the host machines

  1. Go to Start > Run and launch regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog.
  3. Right-click in the right pane and choose New > Key to add each of these keys:
    1. Microsoft-Windows-AppLocker/EXEandDLL
    2. Microsoft-Windows-AppLocker/MSIandScript
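
An added PowerShell example, not part of the original article, that checks a host against the two host-side procedures above: whether each AppLocker log path still contains spaces, and whether the two registry keys exist. The function name, the `-Fix` switch and the channel names (the standard Windows AppLocker channel names) are assumptions of this example; `-Fix` needs an elevated session.

```powershell
# Added example: audit one host for the log-path and registry-key steps.
param([switch]$Fix)   # hypothetical switch: create any missing registry key

# Windows channel name -> registry key name listed in the article.
$channels = [ordered]@{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 'Microsoft-Windows-AppLocker/EXEandDLL'
    'Microsoft-Windows-AppLocker/MSI and Script' = 'Microsoft-Windows-AppLocker/MSIandScript'
}
$eventlogPath = 'SYSTEM\CurrentControlSet\services\eventlog'

function Test-AppLockerLemPrereq {
    param([switch]$Fix)
    # Use the .NET registry API: the PowerShell registry provider treats "/"
    # as a path separator and would create nested keys instead of a single
    # key whose name contains a slash.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventlogPath, [bool]$Fix)
    try {
        foreach ($channel in $channels.Keys) {
            $keyName = $channels[$channel]
            $log = Get-WinEvent -ListLog $channel -ErrorAction Stop

            $sub = $root.OpenSubKey($keyName)
            $keyPresent = $null -ne $sub
            if ($sub) { $sub.Dispose() }

            if (-not $keyPresent -and $Fix) {
                $root.CreateSubKey($keyName).Dispose()
                $keyPresent = $true
            }

            [pscustomobject]@{
                Channel       = $channel
                LogPath       = $log.LogFilePath
                PathHasSpaces = $log.LogFilePath -match '\s'
                RegistryKey   = $keyName
                KeyPresent    = $keyPresent
            }
        }
    }
    finally { $root.Dispose() }
}

Test-AppLockerLemPrereq -Fix:$Fix | Format-Table -AutoSize
```

A host is ready for the connector step when every row shows `PathHasSpaces` as `False` and `KeyPresent` as `True`.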

 

Add the AppLocker connectors to the host machines in the LEM Console

  1. Open your LEM Console and go to Manage > Nodes.
  2. Locate the node for the host you've modified, click on its gear icon, and go to Connectors.
  3. Search for AppLocker to locate the connectors for MSI and EXE and MSI and Script.
  4. For each connector, click on the gear icon, click New, and click Save.
  5. Finally, start each connector by clicking on the gear icons for the new entries and selecting Start.

 

 

 
