
Collect AppLocker events in LEM

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Updated 6/14/2016

Overview

This article covers how to configure your environment and LEM to read AppLocker event logs.

Environment

  • LEM all versions
  • Windows Server all versions

Steps

Modify the AppLocker log file paths on the host machines

  1. On the host with the AppLocker log files, open Event Viewer.
  2. Browse to Applications and Services Logs > Microsoft > Windows > AppLocker.
  3. Right-click on the EXE and DLL log file and go to Properties.
  4. Remove the spaces in the Log path field and click OK.
  5. Repeat these steps for the MSI and Script log file.

Add registry keys on the host machines

  1. Go to Start > Run and launch regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog.
  3. Right-click in the right pane and choose New > Key to add each of these keys:
    1. Microsoft-Windows-AppLocker/EXEandDLL
    2. Microsoft-Windows-AppLocker/MSIandScript
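The two host-side sections above (removing the spaces from the AppLocker log paths and adding the eventlog registry keys) can be scripted so they are applied identically on every host. This is an added PowerShell example, not code from the SolarWinds article; it assumes the standard AppLocker channel names "Microsoft-Windows-AppLocker/EXE and DLL" and "Microsoft-Windows-AppLocker/MSI and Script" and must run from an elevated prompt.

```powershell
# Added example (not from the article): automate the host-side steps above.
# Assumption: the two channel names below are the standard AppLocker channel names.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# The registry key the connector expects lives under this path.
$eventLogKeyPath = 'SYSTEM\CurrentControlSet\Services\EventLog'

foreach ($name in $channels) {
    # Step 1: strip spaces from the .evtx file name only, leaving the directory
    # untouched. The default directory (%SystemRoot%\System32\Winevt\Logs) has no
    # spaces, but a custom directory such as C:\Log Files must not be rewritten.
    $log  = Get-WinEvent -ListLog $name -ErrorAction Stop
    $dir  = Split-Path -Path $log.LogFilePath -Parent
    $leaf = (Split-Path -Path $log.LogFilePath -Leaf) -replace ' ', ''
    $newPath = "$dir\$leaf"
    if ($log.LogFilePath -ne $newPath) {
        $log.LogFilePath = $newPath
        $log.SaveChanges()   # EventLogConfiguration.SaveChanges() writes the channel config
        Write-Host "$name log path set to $newPath"
    }

    # Step 2: add the eventlog registry key for the connector. The key name contains
    # a forward slash, so use the .NET registry API directly: PowerShell's registry
    # provider would treat '/' as a path separator and create nested keys instead.
    $keyName  = $name -replace ' ', ''   # e.g. Microsoft-Windows-AppLocker/EXEandDLL
    $eventLog = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventLogKeyPath, $true)
    if ($null -eq $eventLog.OpenSubKey($keyName)) {
        $eventLog.CreateSubKey($keyName) | Out-Null
        Write-Host "Created HKLM\$eventLogKeyPath\$keyName"
    }
    $eventLog.Close()
}

# Verify: both channels should now report a space-free file name.
Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' |
    Select-Object LogName, IsEnabled, LogFilePath
```

The script is idempotent: re-running it on a host that is already configured changes nothing and only prints the verification table.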

Add the AppLocker connectors to the host machines in the LEM Console

  1. Open your LEM Console and go to Manage > Nodes.
  2. Locate the node for the host you've modified, click on its gear icon, and go to Connectors.
  3. Search for AppLocker to locate the EXE and DLL connector and the MSI and Script connector.
  4. For each connector, click on the gear icon, click New, and click Save.
  5. Finally, start each connector by clicking on the gear icons for the new entries and selecting Start.
