Answered: AppLocker Audit Logs

  • Thursday, 05 April 2012 17:40

    Hello,

    I am using AppLocker for application control on a network of Windows 7 Ultimate machines.  This network also has a SIEM for centralized logging and data reporting for the whole network.  I am trying to set the network up so that the SIEM can pull the AppLocker logs from the workstations to run reports and create alerts on unauthorized programs.

    In the Windows Event Viewer, I can see that the AppLocker logs are viewable in Application and Service Logs/Microsoft/Windows/AppLocker/EXE and DLL - I also see that they have their own .evtx file in the systemroot/system32/winevt/logs directory.  There is a limitation on my SIEM - because of the API it uses, it can only pull the logs in the Windows Logs portion of the Event Viewer (Application, System, Security, etc) - the SIEM can already successfully pull these logs.  I have contacted the SIEM vendor and have been told that this limitation exists.

    Is there a way to change AppLocker so that it logs its events to the Application or Security log, rather than to its own specialized log that my SIEM cannot access?

    Thanks!

All Replies

  • Monday, 09 April 2012 08:04
    Moderator

    Hi,

    There is no method to change the path of the AppLocker log. However, I suggest configuring computers to forward and collect events. You can refer to this article.
    http://technet.microsoft.com/en-us/library/cc748890.aspx


    Niki Han

    TechNet Community Support

  • Friday, 13 April 2012 13:44

    Hi Niki,

    I was able to set up the computers to subscribe to themselves, and to get the AppLocker logs to show up in the Application Log in the Event Viewer through that subscription.  However, my SIEM is still not seeing these events.  When creating a subscription, does it actually copy the events into the destination log file, or is it simply showing events from more than one log file in the Event Viewer?

    Thanks

  • Tuesday, 17 April 2012 20:12

    Hello,

    I have a subscription set up on my Windows 7 workstations to copy event data from the Windows Firewall and AppLocker logs into the Application Log.  The reason I did this is that I have an ESM that can only pull data from the Application, Security, and System log files using the WMI API.  However, this ESM is not seeing the Windows Firewall and AppLocker events that I can see locally on the workstation using the Event Viewer.

    When creating a subscription (http://technet.microsoft.com/en-us/library/cc748890.aspx), does this actually COPY the events from the source log into the destination log .evtx FILE, or does it simply create a custom view where the Event Viewer is showing events from multiple log files in the Application Log view?

    Thanks!

  • Thursday, 19 April 2012 06:02
    Moderator
     Answer

    Hi

    Events raised on the forwarder computers that meet the criteria of the subscription will be copied to the collector computer log specified in Destination Log.

    I have tested your situation. I forwarded the event source Windows Firewall With Advanced Security to the Application log. After new events were raised, they were copied to the Application log. I suggest you check the configuration of the Subscription. You can right-click the subscription and select Runtime Status. If the operation was successful, the Status of the subscription will be Active.


    Niki Han

    TechNet Community Support
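The procedure the moderator outlines in the two replies above (a forwarding subscription whose Destination Log is the Application log, then checking Runtime Status) can be scripted rather than clicked through in Event Viewer. The block below is an added example and is not code from the thread or from Microsoft: it creates a collector-initiated subscription in which the Windows 7 workstation subscribes to itself, copies events from the AppLocker "EXE and DLL" channel into the classic Application log, prints the subscription's runtime status, and then reads the copied events back twice, once with Get-WinEvent and once through the legacy WMI class Win32_NTLogEvent, which is the kind of interface a WMI-based SIEM uses. The subscription name and the event-ID filter (8003 = audit-only "would have been blocked", 8004 = blocked) are assumptions; drop the filter to copy every AppLocker event. Run it from an elevated PowerShell prompt on the workstation.

```powershell
# Added example, not from the original thread. Assumes an elevated prompt on a
# Windows 7 workstation that is both event source and collector.
$subscriptionId = 'AppLockerToApplication'        # assumed subscription name
$xmlPath = Join-Path $env:TEMP "$subscriptionId.xml"

# Both WinRM (transport) and the Windows Event Collector service must be
# configured, even when the machine forwards to itself.
winrm quickconfig -q | Out-Null
wecutil qc /q | Out-Null

# Subscription definition. LogFile is the "Destination Log" from the Event
# Viewer dialog; Application is one of the classic logs the SIEM can read.
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Copy AppLocker EXE/DLL events into the Application log for the SIEM</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">
          *[System[(EventID=8003 or EventID=8004)]]
        </Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>Application</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>localhost</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@ | Set-Content -Path $xmlPath -Encoding UTF8

# Create the subscription from the XML file.
wecutil cs $xmlPath

# Runtime status: the same information as "Runtime Status" in Event Viewer.
# The source must show as Active, otherwise nothing is being copied.
wecutil gr $subscriptionId

# Check 1: the copied events keep their original provider name and event ID,
# so they can be selected in the Application log by provider.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-AppLocker'
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize

# Check 2: the same events through the legacy WMI class, which only exposes
# the classic logs. If this query returns the forwarded events, a WMI-based
# collector pointed at the Application log has something to pull.
Get-WmiObject -Class Win32_NTLogEvent `
    -Filter "Logfile='Application' AND SourceName='Microsoft-Windows-AppLocker'" |
    Select-Object -First 20 TimeGenerated, EventCode, Message |
    Format-Table -AutoSize
```

The subscription only copies events raised after it is created (ReadExistingEvents is false), so trigger an AppLocker audit or block event before running the two checks. If Check 1 shows events but Check 2 does not, the gap is in the WMI view rather than in forwarding, which is the distinction the SIEM vendor's answer turns on.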