
I've set up one of the servers in our domain to be an event collector for AppLocker events from the client computers. I've then (via a GPO) configured two clients to forward their events to the event collector.

This works just fine, I'm receiving events from both clients on the event collector. However, the events from one of the clients do not display the filename in the event details. Instead, it contains something like this:

%11 was allowed to run.

When viewing the event logs locally on the client, the event details contain a path and filename for the file that was allowed or blocked. Why is this information not being forwarded with the events? (Edit: It turns out if I switch to the Details tab, the FilePath among other information is being displayed just fine in both Friendly View and XML View, but I would like for it to display on the General tab as well.)

Also, the events from the other client are not displaying properly either. Instead of getting the actual event details, the events contain this:

The description for Event ID 8020 from source Microsoft-Windows-AppLocker cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

The locale specific resource for the desired message is not present

These events also display properly locally on the computer. Here I can also switch to the Details tab on the event collector and see all the information included in the event, but not on the General tab.

I found a possible fix for this, which was to run wecutil ss <subscriptionName> /cf:Events to change the ContentFormat of the subscription, but this did not resolve the issue.

Update: I've added a third machine to the setup, and it is showing the same as the first client, such as %11 was allowed to run. I then tried changing the ContentFormat of the subscription from RenderedText (default) to Events, and now the events from the second client are displaying the same as the events from the other two clients, such as:

%11 was allowed to run.

But sadly, still no file path is shown on the General tab.

Update: I just tried configuring my own computer (which is subject to the AppLocker policy) as an event collector, but here I also have the problem with events being shown as "%11 was allowed to run".

The event collector is running Windows Server 2012 R2, and the clients are running Windows 10 Enterprise.

Any suggestions?

krsi
  • You're getting the information you need, in the XML view. If the required feature/component is not installed on the server where you are viewing the event, it may not display correctly on the General tab. – Greg Askew Feb 05 '16 at 14:17
  • @GregAskew That is true, but then I would have to export the logs in XML format to preserve this information, which is not an option in this case. The server is not subject to the AppLocker policy, but I don't see why that would be necessary, since it displays the event message just fine, apart from the missing file path. – krsi Feb 05 '16 at 14:25
  • @GregAskew Please post your comment as an answer so I can accept it. It turned out I was able to use the XML format anyway. – krsi Feb 18 '16 at 08:45
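
As an added example (not code from the question or the comments above), a PowerShell snippet that reads the fields the XML view shows, FilePath among them, straight out of the forwarded events on the collector, so the information is usable even when the General tab only renders "%11". The UserData/RuleAndFileData layout of AppLocker events and the ForwardedEvents log name are assumptions, and the sample event is constructed, not captured from a real machine.

```powershell
# Extract the file details carried in a forwarded AppLocker event's XML.
# Assumes AppLocker's UserData/RuleAndFileData layout (not EventData).
function Get-AppLockerFileInfo {
    param(
        [Parameter(Mandatory)] [string] $EventXml
    )
    $x   = [xml]$EventXml
    $sys = $x.Event.System
    # PowerShell's XML dot-navigation ignores namespaces, so no prefix is needed.
    $data = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        TimeCreated = $sys.TimeCreated.SystemTime
        Computer    = $sys.Computer
        EventId     = [int]$sys.EventID
        PolicyName  = $data.PolicyName
        FilePath    = $data.FilePath
        TargetUser  = $data.TargetUser
    }
}

# Constructed sample event: every value below is a placeholder.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8020</EventID>
    <TimeCreated SystemTime="2016-02-05T14:00:00.000000000Z" />
    <Computer>CLIENT01.example.local</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <TargetUser>S-1-5-21-0-0-0-1001</TargetUser>
      <FilePath>%OSDRIVE%\USERS\EXAMPLE\DOWNLOADS\TOOL.EXE</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>
'@
Get-AppLockerFileInfo -EventXml $sample

# On the collector, run the same extraction over the forwarded events
# (assumes the subscription writes to the ForwardedEvents log).
Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-AppLocker']]]" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AppLockerFileInfo -EventXml $_.ToXml() } |
    Format-Table TimeCreated, Computer, EventId, FilePath -AutoSize
```

Because the fields are read from the event XML rather than the rendered message, the output is the same whether the subscription's ContentFormat is RenderedText or Events.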
