Application Control Events
The Application Control Configuration Events feature allows you to define rules for the capture of auditing information and to raise events, and includes a filter for specifying the events you wish to capture in the log.
• Capture Centrally - Select to capture the event information centrally.
If you select to use central event logging, it is recommended that you use scheduled database maintenance to help prevent the event records from getting too large. For details on AC Event maintenance see Database Maintenance.
• Capture Locally - Select to capture the event information locally.
• Send events to Event Log - Select whether to send events to the Application or the Ivanti Event Log.
• Send events to the Local Log File - Select whether to send events to the local log file. The default path is %SYSTEMDRIVE%\IvantiLogs\Auditing\ApplicationControlEvents_%COMPUTERNAME%.xml. Alternatively, you can specify a different path and choose between xml or csv format.
• Always use anonymous MACHINE name in events - Select to omit the machine name from all events.
• Always use anonymous USER name in events - Select to omit the user name from all events. Anonymous logging also searches the file path for any instances where a directory matches the username and replaces the directory name with the string
Event Selection lists all Application Control events. Select the events that you want to capture.
| Event ID | Event Name | Event Description |
|---|---|---|
| 9000 | Denied Execution | A request to run a file was denied. |
| 9001 | Allowed Execution | A request to run a file was allowed. |
| 9002 | Overwrite Changed Owner | An allowed executable file was overwritten. The owner of the file has been changed to the name of the user that renamed it. |
| 9003 | Rename Changed Owner | An allowed executable file was renamed. The owner of the file has been changed to the name of the user that renamed it. |
| 9004 | Application Limit Denial | A request to run an application was denied because the configured maximum number of instances are already running. |
| 9005 | Time Limit Denial | A request to run an application was denied because the current time is outside the access times. |
| 9006 | Self-Authorization | A user self-authorized an application. |
| 9007 | Self-Authorized allow | A request to run a file was allowed because a user has authorized it. |
| 9009 | Scripted Rule Timeout | A script ran for the maximum configured time without completing. The rule was not applied. |
| 9010 | Scripted Rule Fail | An error was encountered while running a script. The rule was not applied. |
| 9011 | Scripted Rule Success | A script completed successfully. |
| 9015 | Application Started | An allowed application started running. |
| 9016 | Unable to change ownership | An error occurred while trying to change the owner of a file. |
| 9017 | Application Termination | An application was terminated. |
| 9018 | Application User Privileges Changed | An application's user privileges have changed. |
| 9023 | Self-Elevation allowed | A user started an application with elevated (full administrator) rights. |
| 9024 | URL Redirection | A web browser tried to navigate to a URL and Ivanti Application Control redirected to a different URL. |
| 9030 | Application Elevated | An application started with elevated (full administrator) rights. |
| 9055 | Service start/stop | A service was started or stopped. |
| 9056 | Untrusted file with metadata match | Failed to verify the certificate of a signed file. A rule item that matches the certificate's name was not applied. |
| 9099 | Not licensed | Ivanti Application Control is not licensed. |
A single request for an application can generate multiple 9001 events because of the way in which Windows responds to execution requests. It is therefore good practice to use event 9015 to accurately audit how many times a user has run an application.
9001, 9007, and 9015 events are disabled by default as they can generate excessive event data on busy endpoints. We recommend these events are only used for troubleshooting purposes, and only for short periods of time.
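The following is an added example, not part of the Ivanti documentation, showing why 9015 rather than 9001 is the right counter and how the denial-class event IDs from the table above can be pulled out of a local CSV log. The CSV column layout (timestamp, event_id, user, file) and the sample rows are constructed for this example; the page does not show the real export layout, so adjust the field names to match an actual file.

```python
import csv
from collections import Counter
from io import StringIO

# Event IDs taken from the Application Control event table.
DENIAL_EVENTS = {9000: "Denied Execution", 9004: "Application Limit Denial",
                 9005: "Time Limit Denial", 9056: "Untrusted file with metadata match"}
APP_STARTED = 9015          # one record per real launch
ALLOWED_EXECUTION = 9001    # may fire several times per launch

# Constructed sample in an assumed CSV layout; not a real Ivanti export.
SAMPLE_CSV = """timestamp,event_id,user,file
2024-01-01T09:00:00,9001,CORP\\alice,C:\\Program Files\\App\\app.exe
2024-01-01T09:00:00,9001,CORP\\alice,C:\\Program Files\\App\\app.exe
2024-01-01T09:00:01,9015,CORP\\alice,C:\\Program Files\\App\\app.exe
2024-01-01T09:05:00,9000,CORP\\bob,C:\\Users\\bob\\Downloads\\tool.exe
2024-01-01T09:06:00,9004,CORP\\bob,C:\\Program Files\\App\\app.exe
2024-01-01T09:07:00,9001,CORP\\bob,C:\\Program Files\\App\\app.exe
2024-01-01T09:07:00,9015,CORP\\bob,C:\\Program Files\\App\\app.exe
2024-01-01T09:10:00,9056,CORP\\carol,C:\\Temp\\signed.exe
"""

def parse_events(text):
    """Parse the CSV export into dicts with an integer event_id."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    return rows

def launches_per_user(events, event_id=APP_STARTED):
    """Count launches per user. 9015 gives one record per launch; 9001 over-counts."""
    return Counter(e["user"] for e in events if e["event_id"] == event_id)

def denials(events):
    """Return (user, file, reason) for every denial-class event, in log order."""
    return [(e["user"], e["file"], DENIAL_EVENTS[e["event_id"]])
            for e in events if e["event_id"] in DENIAL_EVENTS]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print("launches (9015):", dict(launches_per_user(evs)))
    print("launches (9001, over-counted):", dict(launches_per_user(evs, ALLOWED_EXECUTION)))
    for user, path, reason in denials(evs):
        print(f"DENIED {user} {path}: {reason}")
```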
Event Filtering allows you to filter the file types that you want to audit. This is particularly useful if you choose a high volume event.
The Event filter table is accessed from the Application Control Configuration Editor dialog, under Configuration Settings > Events > Filtering in the Auditing dialog.
The Enable event filtering option is enabled by default and configured to include the recommended file filters.
Select or clear the file types as required for each listed event.
You can add new file types to the list by right-click > Add.