AppLocker Audit Logs
Hello, I am using AppLocker for application control on a network of Windows 7 Ultimate machines. This network also has a SIEM for centralized logging and data reporting for the whole network. I am trying to set the network up so that the SIEM can pull the AppLocker logs from the workstations to run reports and create alerts on unauthorized programs. In the Windows Event Viewer, I can see that the AppLocker logs are viewable in Application and Service Logs/Microsoft/Windows/AppLocker/EXE and DLL - I also see that they have their own .evtx file in the systemroot/system32/winevt/logs directory. There is a limitation on my SIEM - because of the API it uses, it can only pull the logs in the Windows Logs portion of the Event Viewer (Application, System, Security, etc.) - the SIEM can already successfully pull these logs. I have contacted the SIEM vendor and have been told that this limitation exists. Is there a way to change AppLocker so that it logs its events to the Application or Security log, rather than its own specialized log that my SIEM cannot access? Thanks!
April 5th, 2012 1:47pm

Hi, There is no method to change the path of the AppLocker log. However, I suggest configuring computers to forward and collect events. You can refer to this article: http://technet.microsoft.com/en-us/library/cc748890.aspx
Niki Han TechNet Community Support
April 9th, 2012 4:06am

Hello Niki, Thank you for your response. Unfortunately, the domain controller I am working with uses Windows Server 2008 Standard, not R2, so the information about creating collectors and subscriptions does not appear to apply. I believe this will simply have to be a known limitation in our system. Thank you for your help.
April 9th, 2012 9:34am

Hi Niki, I was able to set up the computers to subscribe to themselves, and to get the AppLocker logs to show up in the Application Log in the Event Viewer through that subscription. However, my SIEM is still not seeing these events. When creating a subscription, does it actually copy the events into the destination log file, or is it simply showing events from more than one log file in the Event Viewer? Thanks
April 13th, 2012 9:46am

Hello, I have a subscription set up on my Windows 7 workstations to copy event data from the Windows Firewall and AppLocker logs into the Application Log. The reason I did this is that I have an ESM that can only pull data from the Application, Security, and System log files using the WMI API. However, this ESM is not seeing the Windows Firewall and AppLocker events that I can see locally on the workstation using the Event Viewer. When creating a subscription (http://technet.microsoft.com/en-us/library/cc748890.aspx) - does this actually COPY the events from the source log into the destination log .evtx FILE, or does it simply create a custom view where the Event Viewer is showing events from multiple log files in the Application Log view? Thanks!
April 17th, 2012 11:12pm

Hi, Events raised on the forwarder computers that meet the criteria of the subscription will be copied to the collector computer log specified in Destination Log. I have tested your situation. I forwarded Event sources: Windows Firewall With Advanced Security to the Application log. After new events were raised, they were copied to the Application log. I suggest you check the configuration of the Subscription. You can right click the subscription and select Runtime Status. If the operation was successful, the Status of the subscription will be Active.
Niki Han TechNet Community Support
April 19th, 2012 2:04am
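The check Niki describes above, done from a PowerShell prompt on the Windows 7 workstation, as an added example that is not part of the thread. It assumes a subscription name (placeholder below) and that forwarded AppLocker events keep the provider/source name Microsoft-Windows-AppLocker in the Application log; both are assumptions to verify locally.

```powershell
# Added example, not from the thread. Verifies that a local event subscription
# really copies AppLocker events into the Application log (.evtx), and shows the
# same data the way a WMI-only SIEM/ESM would see it. PowerShell 2.0 compatible.
$SubscriptionName = 'AppLocker-To-Application'   # placeholder: use your real name

# 1. List subscriptions and show runtime status. "Active" means the
#    subscription is running; anything else explains missing events.
wecutil es
wecutil gr $SubscriptionName

# 2. Compare the source channel with the forwarded copies in Application.
#    Provider name is assumed to be preserved on forwarded events.
$since = (Get-Date).AddDays(-1)
$source = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; StartTime = $since })
$copies = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-AppLocker'
    StartTime = $since })
"AppLocker events in source channel (24h): $($source.Count)"
"AppLocker copies in Application log (24h): $($copies.Count)"

# 3. Show audit (8003) and block (8004) events from the Application log; these
#    are the ones worth alerting on. (-contains is used for PowerShell 2.0.)
$copies | Where-Object { @(8003, 8004) -contains $_.Id } |
    Select-Object TimeCreated, Id, Message -First 10 | Format-List

# 4. Read the Application log through WMI (Win32_NTLogEvent), the API the
#    SIEM is limited to. If this returns nothing while step 2 shows copies,
#    the SourceName filter is wrong for forwarded events; inspect it here.
Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='Application' AND SourceName='Microsoft-Windows-AppLocker'" |
    Select-Object TimeGenerated, EventCode, SourceName -First 10 | Format-Table -AutoSize
```

If step 4 is empty, print a few Application-log entries without the SourceName filter and check what SourceName the forwarded events actually carry; the SIEM's collection filter must match that value.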
