No, I'm not looking for when the AppLocker process starts; I'm looking for any .EXE or .DLL event AppLocker identifies and logs to Event Viewer > Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL.
I'm looking to collect logs for the event below.
8002 | Information | <File name> was allowed to run. | Specifies that the .exe or .dll file is allowed by an AppLocker rule. |
Later we will want to collect logs for the events below.
8003 | Warning | <File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Applied only when the Audit only enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. |
8004 | Error | <File name> was not allowed to run. | Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run. |
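
One way to pull these three event IDs from the AppLocker EXE and DLL channel with PowerShell, as an added example that is not part of the original post. The 24-hour look-back window is an assumption, as are the `TargetUser` and `FilePath` field names read from the event XML; verify them against an event on your own system.

```powershell
# Added example (not from the original post): collect AppLocker EXE/DLL decisions.
$logName  = 'Microsoft-Windows-AppLocker/EXE and DLL'
$eventIds = 8002, 8003, 8004          # allowed, audit-only "would block", blocked
$since    = (Get-Date).AddDays(-1)    # assumed look-back window

$filter = @{ LogName = $logName; Id = $eventIds; StartTime = $since }

# Get-WinEvent raises an error when no events match, so suppress it
# and wrap the result in @() to always get an array (possibly empty).
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Assumption: rule and file details sit under UserData/RuleAndFileData.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Level       = $e.LevelDisplayName
        User        = $data.TargetUser
        FilePath    = $data.FilePath
        Message     = $e.Message
    }
}

# Count per event ID: shows how much volume 8002 adds compared with 8003/8004.
$rows | Group-Object EventId | Select-Object Name, Count | Format-Table -AutoSize

# Files that would be blocked (8003) or were blocked (8004), newest first.
$rows |
    Where-Object { $_.EventId -in 8003, 8004 } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, User, FilePath -AutoSize
```

Run it from an elevated session on the host being checked; 8002 is logged for every allowed EXE or DLL load, so expect it to dominate the counts.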