I found how to run the agent in debug mode. It seems like the issue lies with the agent, and the server is faithfully accepting whatever the agent is sending across.
Event ID 8002 (AppLocker) from agent debug log: 2017 Feb 23 16:51:53 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME: Hostname: %PROGRAMFILES%\WINDOWS\RESOURCE KITS\TOOLS\TAIL.EXE was allowed to run. Format is identical to what is reported on the ossec-server. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
