08-22-2024 08:52 PM
Looking to capture AppLocker-related events in Lansweeper. Not only for asset reference, but so we can set up event log alerts when certain event IDs are found. We've already enabled warning event log capture in the scan settings, but we have yet to see AppLocker in the Asset > Event Log > Event Sources list, nor any entries from machines that have confirmed entries in that log.
Four AppLocker logs in question:
08-23-2024 05:57 AM
My report for SRP:
Select Top 10000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblAssets.Username,
  tblADusers.OU,
  tblNtlogSource.Sourcename,
  tblNtlog.Eventcode,
  tblNtlog.TimeGenerated,
  tblNtlogMessage.Message
From tblAssets
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
    And (tblNtlogSource.Sourcename = 'Microsoft-Windows-SoftwareRestrictionPolicies'
      Or tblNtlogSource.Sourcename = 'Software Restriction Policies')
  Left Join tblADusers On tblADusers.Username = tblAssets.Username
Order By tblNtlog.TimeGenerated Desc
08-23-2024 02:54 PM
Unfortunately won't be able to adapt that to AppLocker.
08-23-2024 05:52 AM
I think you have to create a feature request to support collecting Applications and Services Logs.
I've been waiting about 10 years...
08-23-2024 02:54 PM
I'm guessing that was your original community post I stumbled across that was about 10 years ago.
I'll see what I can do.