Can you provide a log sample?

On Fri, Apr 22, 2016 at 11:30 AM, Rob B <[email protected]> wrote:
> Hi Folks,
>
> I have a rule for applocker created as follows:
>
> <rule id="100046" level="12">
>   <if_sid>18103</if_sid>
>   <status>^8004$</status>
>   <description>AppLocker - blocked program.</description>
> </rule>
>
> Problem: I only see the windows "error event" as a level "5" coming in
> from sid 18103, the error event contains all the information I am looking
> for.
> But my rule 100046 above does nothing.
>
> As additional info, I also have the following rule:
>
> <rule id="100045" level="12">
>   <if_sid>18100</if_sid>
>   <status>^8003$|^8004$</status>
>   <description>Applocker - blocked program.</description>
> </rule>
>
> (Could this possibly cause a conflict?)
>
> Question: Overall, Could someone shed some light here as to why rule 100046
> does not fire?
>
> Thanks!!!
>
> Rob
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
