We are trying to get our AppLocker logs into LEM. I found this article that states we need to Modify the AppLocker log file paths on the host machines. This of course would be quite fun for a large network. Does anyone have a script or easier method to do this?
Collect AppLocker events in LEM - SolarWinds Worldwide, LLC. Help and Support
Alright, so this took some fiddling with ProcMon, but I think I have an answer. You'll need to test it, though.
ProcMon got me to this part of the Windows Registry:
And you can see the "File" key has the path. Since it's in the registry, it should be easy enough to set a GPO to set that on machines or use PowerShell to adjust it. I went and played in my lab domain for a bit and came up with this, which I believe makes all the required changes (see attached).
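The attached script from that answer is not reproduced here, so below is an added example (my own, not the poster's attachment or a SolarWinds script) that makes the same change through the documented EventLogConfiguration API instead of editing the per-channel "File" registry value directly. It assumes the four standard AppLocker channel names, runs elevated on each host (or inside Invoke-Command for a fleet), and uses a placeholder directory that you would replace with whatever path the LEM agent is configured to read.

```powershell
# Added example, not the script attached to the answer above.
# Relocates the AppLocker event log files by setting each channel's LogFilePath
# through System.Diagnostics.Eventing.Reader.EventLogConfiguration, which is the
# supported way to change the "File" value that ProcMon showed in the registry.
# Assumption: $TargetDirectory is a placeholder; point it at the folder LEM reads.

param(
    [string]$TargetDirectory = 'D:\Logs\AppLocker'   # placeholder path, not from the thread
)

# The four AppLocker channels that ship with Windows.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)

# The Event Log service will not create the folder for you.
if (-not (Test-Path -Path $TargetDirectory)) {
    New-Item -ItemType Directory -Path $TargetDirectory | Out-Null
}

foreach ($name in $channels) {
    $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration($name)

    # Windows encodes the '/' in a channel name as '%4' in the default file name;
    # keeping that convention makes the relocated file easy to recognise.
    $fileName = ($name -replace '/', '%4') + '.evtx'
    $cfg.LogFilePath = Join-Path -Path $TargetDirectory -ChildPath $fileName

    # A disabled channel writes nothing regardless of where the file lives.
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
}

# Verification: confirm the service now reports the new path and an enabled channel.
Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' |
    Select-Object LogName, IsEnabled, LogFilePath, RecordCount
```

Run the verification block again after the change has been pushed out; if LogFilePath still shows the old location or IsEnabled is False on a host, that host will not produce anything for LEM to collect no matter what the registry says. The account the LEM agent runs under also needs read access to the new directory, which is easy to forget when the folder is created by an elevated script.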
you da man, this is exactly what we were looking for. Good idea on using Procmon for finding the key. Now that we know where the reg key is we can find a way to script this change in.
Thanks again!
I have added this key and I am not seeing events in LEM.