
Collect AppLocker events in LEM

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Updated 6/14/2016

Overview

This article covers how to configure your environment and LEM to read AppLocker event logs.

Environment

  • LEM all versions
  • Windows Server all versions

Steps

Modify the AppLocker log file paths on the host machines

  1. On the host with the AppLocker log files, open Event Viewer.
  2. Browse to Applications and Services Logs > Microsoft > Windows > AppLocker.
  3. Right-click the EXE and DLL log and select Properties.
  4. Remove the spaces from the Log path field and click OK.
  5. Repeat these steps for the MSI and Script log.


Add registry keys on the host machines

  1. Go to Start > Run and launch regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog.
  3. Right-click in the right pane and choose New > Key to add each of these keys:
    1. Microsoft-Windows-AppLocker/EXEandDLL
    2. Microsoft-Windows-AppLocker/MSIandScript
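The following PowerShell is an added example, not part of this article or of SolarWinds' own tooling. It performs the same two host-side changes as the Event Viewer and regedit steps above: it rewrites each AppLocker channel's log file name without spaces, and it creates the two eventlog registry keys. It assumes the channel names as they appear in Event Viewer ("Microsoft-Windows-AppLocker/EXE and DLL" and "Microsoft-Windows-AppLocker/MSI and Script"), that wevtutil's /lfn option sets the same value as the Log path field in the Properties dialog, and that it is run in an elevated session on the host.

```powershell
# Added example (not from the SolarWinds article): scripts the two host-side steps
# that the article performs in Event Viewer and regedit. Run elevated on each host
# whose AppLocker events LEM should collect.

# The two AppLocker channels named in the article; their default log file names
# contain spaces ("EXE and DLL", "MSI and Script"). Channel names are an assumption
# taken from how Event Viewer displays them.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# Step 1: remove the spaces from each channel's log file name (the Log path field).
foreach ($name in $channels) {
    $cfg  = Get-WinEvent -ListLog $name -ErrorAction Stop
    $dir  = Split-Path -Parent $cfg.LogFilePath
    $leaf = Split-Path -Leaf   $cfg.LogFilePath

    if ($leaf -notmatch ' ') {
        Write-Host "$name : log path already has no spaces ($($cfg.LogFilePath))"
        continue
    }

    # Only the file name is rewritten; the directory portion is left untouched.
    $newPath = Join-Path $dir ($leaf -replace ' ', '')

    # wevtutil sl <channel> /lfn:<file> sets the channel's log file name, which is the
    # same setting the Log path field in Event Viewer edits (assumption, see lead-in).
    wevtutil.exe sl "$name" "/lfn:$newPath"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil failed for '$name' (exit code $LASTEXITCODE)"
    }
    Write-Host "$name : log path changed to $newPath"
}

# Step 2: add the two keys under HKLM\SYSTEM\CurrentControlSet\services\eventlog.
# The key names contain a forward slash, which the PowerShell registry provider would
# treat as a path separator, so the .NET registry API is used instead (it only splits
# on backslash, so the slash is stored literally as part of the key name).
$keyNames = @(
    'Microsoft-Windows-AppLocker/EXEandDLL',
    'Microsoft-Windows-AppLocker/MSIandScript'
)
$eventLog = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\EventLog', $true)
if ($null -eq $eventLog) { throw 'Could not open the EventLog services key for writing (run elevated).' }
try {
    foreach ($k in $keyNames) {
        # CreateSubKey opens the key if it already exists, so the script is safe to re-run.
        $sub = $eventLog.CreateSubKey($k)
        $sub.Close()
        Write-Host "Ensured HKLM\SYSTEM\CurrentControlSet\Services\EventLog\$k"
    }
}
finally {
    $eventLog.Close()
}

# Verification: every channel should now report a log path without spaces.
Get-WinEvent -ListLog $channels | Select-Object LogName, LogFilePath
```

The script is idempotent: channels whose file name already has no spaces are skipped, and CreateSubKey simply opens a key that already exists, so it can be run again on a host that was partly configured by hand. After it completes, continue with the LEM Console steps below to add and start the connectors.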


Add the AppLocker connectors to the host machines in the LEM Console

  1. Open your LEM Console and go to Manage > Nodes.
  2. Locate the node for the host you've modified, click on its gear icon, and go to Connectors.
  3. Search for AppLocker to locate the connectors for EXE and DLL and for MSI and Script.
  4. For each connector, click on the gear icon, click New, and click Save.
  5. Finally, start each connector by clicking on the gear icons for the new entries and selecting Start.


Last modified
19:56, 22 Jun 2016
