Application Control
This page refers to an older version of the product.View the current version of the online Help.
Auditing
In this section:
About Auditing
The Application Control Auditing feature allows you to define rules for the capture of auditing information and to raise events, and includes a filter for specifying the events you wish to capture in the log. Auditing is accessed from the Manage ribbon.
Control General Auditing Behavior
Use the following options to control the general auditing behavior and select the events to be raised:
- Send events to the Application Event Log - Select whether to send events to the Application Event Log.
- Send events to the AppSense Event Log - Select whether to send events to the AppSense Event Log. You can only send the events to the Application Event Log or the AppSense Event Log.
- Make events anonymous - Specify whether events are to be anonymous. If, Yes, the computer name and user name is omitted from all events. Anonymous logging also searches the file path for any instances where a directory matches the username and replaces the directory name with the string
- Send events to local file log - Select whether to send events to the local file log. If Yes, the events are sent to the local log file specified in the Text box. The default location is: %SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%
- Local file log format- Specify whether the event log is to be saved in XML format or CSV format.
In Enterprise installations, events can be forwarded to the Management Center via the Deployment Agent (CCA). When using this method for auditing, event data storage and filtering is configured through the Management Center console.
For more information, see the Management Center Help.
Select Events to Raise
This section of the dialog lists all Application Control events. Select the Log Locally checkbox for the events you want to raise locally, in accordance with the selected auditing behavior options.
Available Events
Event ID | Event Name | Event Description |
---|---|---|
9000 | Denied Execution | Denied execution request. |
9001 | Allowed Execution | Allowed execution request. A single request for an application can generate multiple 9001 events due to the way in which Windows responds to execution requests. So it's good practice to use event 9015 to accurately audit how many times a user has run an application. |
9002 | Overwrite Changed Owner | Overwrite of an allowed executable. |
9003 | Rename Changed Owner | Rename of a denied executable. |
9004 | Application Limit Denial | Application limit denial. |
9005 | Time Limit Denial | Time limit denial. |
9006 | Self-Authorization | Self-authorization decision by user. |
9007 | Self-Authorized allow | Self-authorization execution request. |
9009 | Scripted Rule Timeout | Script execution timed out. |
9010 | Scripted Rule Fail | Script failed to complete. This event is only raised for VB script failures. |
9011 | Scripted Rule Success | Script completed successfully. |
9012 | Trusted Vendor Denial | Digital Certificate failed Trusted Vendor check. |
9013 | Network Item denied | Denied Network Item request. |
9014 | Network Item allowed | Allowed Network Item request. |
9015 | Application Started | An allowed application started running. A single request for an application can generate multiple 9001 events due to the way in which Windows responds to execution requests. So it's good practice to use event 9015 to accurately audit how many times a user has run an application. |
9016 | Unable to change ownership | The file's ownership could not be changed. |
9017 | Application Termination | A denied application has been terminated by Application Control. |
9018 | Application User Privileges Changed | The application's user privileges have changed. |
9019 | Web Installation allowed | Allowed Web Installation request. |
9020 | Web Installation restricted | Restricted Web Installation request. |
9021 | Web Installation restricted | Windows Restricted Web Installation request. |
9022 | Web Installation fail | Web Installation failed to complete. |
9023 | Self-Elevation allowed | Self-Elevation request. |
9024 | URL Redirection | URL Redirection has occurred. |
9051 | Policy Change granted | A Policy Change Request has been granted |
9052 | Policy Change invalid response code | An invalid response code has been entered for a Policy Change Request |
9053 | User-requested allow | An allowed Policy Change application has started |
9054 | User-requested elevate | An elevated Policy Change application has started |
9055 | Service start/stop | A service has been started or stopped. |
9056 | Untrusted file with metadata match | Failed to verify the certificate of a signed file when matching metadata |
9096 | Configuration merge success | The configuration merge has completed successfully. |
9097 | Configuration merge fail | The configuration merge has failed. |
9098 | Configuration merge timeout | The configuration merge has timed out waiting for expected files. |
9099 | Agent not licensed | Application Control is not licensed. |
A single request for an application can generate multiple 9001 events due to the way in which Windows responds to execution requests. So it's good practice to use event 9015 to accurately audit how many times a user has run an application.
9001, 9007, 9014 and 9015 events are disabled by default as they can generate excessive event data on busy endpoints. We recommend these events are only used for troubleshooting purposes, and only for short periods of time.
Event Filtering
Event Filtering allows you to filter the file types that you want to audit. This is particularly useful if you choose a high volume event. The Event filter table is accessed by clicking Event Filtering in the Auditing dialog. The Enable event filtering is enabled by default and configured to ally the recommended file filters. Update the settings as required, selecting the file types to audit for each listed event. Click Add to specify new file types for the required event types.
System Events
The following are non-configurable system events:
Event ID | Event Name | Event Description |
---|---|---|
8000 | Service Started | Application Control Agent: Service Started. |
8001 | Service Stopped | Application Control Agent: Service stopped. |
8095 | No Configuration found | Application Control cannot find a valid configuration. |
8099 | Invalid License | Application Control software is not licensed. |
This page refers to an older version of the product.View the current version of the online Help.
The topic was:
Inaccurate
Incomplete
Not what I expected
Other
Copyright © 2019, Ivanti. All rights reserved.