Thursday, 05 April 2012 17:40
I am using AppLocker for application control on a network of Windows 7 Ultimate machines. This network also has a SIEM for centralized logging and data reporting for the whole network. I am trying to set the network up so that the SIEM can pull the AppLocker logs from the workstations to run reports and create alerts on unauthorized programs.
In the Windows Event Viewer, I can see that the AppLocker logs are viewable in Application and Service Logs/Microsoft/Windows/AppLocker/EXE and DLL - I also see that they have their own .evtx file in the systemroot/system32/winevt/logs directory. There is a limitation on my SIEM - because of the API it uses, it can only pull the logs in the Windows Logs portion of the Event Viewer (Application, System, Security, etc) - the SIEM can already successfully pull these logs. I have contacted the SIEM vendor and have been told that this limitation exists.
Is there a way to change the AppLocker so that it logs its events to the Application or Security log, rather than its own specialized log that my SIEM cannot access?
Monday, 09 April 2012 08:04 Moderator
There is no method to change the path of the AppLocker log. However, I suggest configuring computers to forward and collect events. You can refer to this article.
TechNet Community Support
- Marked as answer by Niki Han, Microsoft Contingent Staff, Moderator, Friday, 13 April 2012 02:56
- Unmarked as answer by CyberSecurityNovice, Friday, 13 April 2012 13:42
- Marked as answer by Niki Han, Microsoft Contingent Staff, Moderator, Tuesday, 24 April 2012 08:40
- Unmarked as answer by Niki Han, Microsoft Contingent Staff, Moderator, Tuesday, 08 May 2012 05:57
Friday, 13 April 2012 13:44
I was able to set up the computers to subscribe to themselves, and to get the AppLocker logs to show up in the Application Log in the event viewer through that subscription. However, my SIEM is still not seeing these events. When creating a subscription, does it actually copy the events into the destination log file, or is it simply showing events from more than one log file in the Event Viewer?
Tuesday, 17 April 2012 20:12
I have a subscription set up on my Windows 7 workstations to copy event data from the Windows Firewall and AppLocker logs into the Application Log. The reason I did this is that I have an ESM that can only pull data from the Application, Security, and System log files using the WMI API. However, this ESM is not seeing the Windows Firewall and AppLocker events that I can see locally on the workstation using the Event Viewer.
When creating a subscription (http://technet.microsoft.com/en-us/library/cc748890.aspx) - does this actually COPY the events from the source log into the destination log .evtx FILE, or does it simply create a custom view where the event viewer is showing events from multiple log files in the Application Log view?
- Merged by Niki Han, Microsoft Contingent Staff, Moderator, Thursday, 19 April 2012 05:55: related question
Thursday, 19 April 2012 06:02 Moderator
Events raised on the forwarder computers that meet the criteria of the subscription will be copied to the collector computer log specified in Destination Log.
I have tested your situation. I forwarded the event source Windows Firewall With Advanced Security to the Application log. After new events were raised, they were copied to the Application log. I suggest you check the configuration of the subscription. You can right-click the subscription and select Runtime Status. If the operation was successful, the Status of the subscription will be Active.
TechNet Community Support
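A way to verify the setup discussed in this thread from the workstation itself, added here as an example and not code from the thread or from Microsoft: it assumes a subscription named AppLocker-to-Application (hypothetical name) whose Destination Log is Application, checks its runtime status, and then reads the Application log both through the Event Log API and through the Win32_NTLogEvent WMI class that a WMI-based SIEM would use, so a gap between the two points at the collector's query or permissions rather than at the subscription.

```powershell
# Added example (not from the thread). Assumes a subscription named
# "AppLocker-to-Application" (hypothetical) with Destination Log "Application".
# Run from an elevated PowerShell on the Windows 7 workstation that collects.
param(
    [string]$SubscriptionName = 'AppLocker-to-Application',
    [int]$Hours = 24
)

# 1. AppLocker only writes to its EXE and DLL log while the Application Identity
#    service runs; if it is stopped there is nothing for the subscription to copy.
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $appId -or $appId.Status -ne 'Running') {
    Write-Warning 'AppIDSvc is not running; AppLocker will not raise any events.'
}

# 2. Same information as right-click > Runtime Status in Event Viewer:
#    the subscription should report an Active status for each event source.
wecutil gr $SubscriptionName

# 3. Copied events land in Application.evtx under their original provider name,
#    so filter the Application log by provider rather than by the source log path.
$since = (Get-Date).AddHours(-$Hours)
$forwarded = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-AppLocker'
    StartTime    = $since
} -ErrorAction SilentlyContinue)

# AppLocker EXE/DLL event IDs: 8002 allowed, 8003 audit-only (would have been
# blocked), 8004 blocked. 8004 is the one to alert on under enforcement.
$blocked = @($forwarded | Where-Object { $_.Id -eq 8004 })
"AppLocker events in Application log (last $Hours h): $($forwarded.Count); blocked (8004): $($blocked.Count)"

# 4. Read the same log through WMI, the API the SIEM in the thread is limited to.
#    Events present in step 3 but absent here mean the SIEM side (query filter,
#    account rights, DCOM/WMI access) needs attention, not the subscription.
$wmi = @(Get-WmiObject -Class Win32_NTLogEvent -Filter `
    "Logfile='Application' AND SourceName='Microsoft-Windows-AppLocker'")
"AppLocker events visible through Win32_NTLogEvent: $($wmi.Count)"
```

If step 3 returns nothing while the source log Microsoft-Windows-AppLocker/EXE and DLL has fresh entries, the subscription itself is not copying; the wecutil output from step 2 will usually name the failing source.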