Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Collect AppLocker events in LEM

Collect AppLocker events in LEM

Table of contents
Created by Jason Dee, last modified by MindTouch on Jun 23, 2016

Views: 974 Votes: 1 Revisions: 4

Updated 6/14/2016


This article covers how to configure your environment and LEM to read AppLocker event logs.


  • LEM all versions
  • Windows Server all versions


Modify the AppLocker log file paths on the host machines

  1. On the host with the AppLocker log files, open Event Viewer.
  2. Browse to Applications and Services Logs > Microsoft > Windows > AppLocker.
  3. Right-click on the EXE and DLL log file and go to Properties.
  4. Remove the spaces in the Log path field and click OK.
  5. Repeat these steps for the MSI and Script log file.


Add registry keys on the host machines

  1. Go to Start > Run and launch regedit.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog.
  3. Right-click in the right pane and choose New > Key and to add each of these keys:
    1. Microsoft-Windows-AppLocker/EXEandDLL
    2. Microsoft-Windows-AppLocker/MSIandScript


Add the AppLocker connectors to the host machines in the LEM Console

  1. Open your LEM Console and go to Manage > Nodes.
  2. Locate the node for the host you've modified, click on its gear icon, and go to Connectors.
  3. Search for AppLocker to locate the connectors for MSI and EXE and MSI and Script.
  4. For each connector, click on the gear icon, click New, and click Save.
  5. Finally, start each connector by clicking on the gear icons for the new entries and selecting Start.




Last modified


This page has no custom tags.