Hi Folks, I have a rule for AppLocker created as follows:

<rule id="100046" level="12">
  <if_sid>18103</if_sid>
  <status>^8004$</status>
  <description>AppLocker - blocked program.</description>
</rule>

Problem: I only see the Windows "error event" as a level "5" coming in from sid 18103; the error event contains all the information I am looking for. But my rule 100046 above does nothing.

As additional info, I also have the following rule:

<rule id="100045" level="12" >
  <if_sid>18100</if_sid>
  <status>^8003$|^8004$</status>
  <description>Applocker - blocked program.</description>
</rule>

(Could this possibly cause a conflict?)

Question: Overall, could someone shed some light here as to why rule 100046 does not fire?

Thanks!!!
Rob
