How to collect Applocker Logs from all Endpoints in one place

Applocker is a great tool to improve your security and Application Control but this is only one part of the solution that can use it efficient.

Previous week explain How to install and configure Applocker to improve Application Control & Security

Unfortunately Applocker create Logs in every Workstation or Server which applied.

How can have manage all of these Logs when you have 30 users and 10 Servers or more?.

How can read Event Logs of Applocker one by one.

The answer is YOU CAN'T and you never know what's going on

So here comes the second part which is the solution to collect and Centralize Applocker Logs in one place.

Today i will explain how can collect the Applocker Logs in one place with the Graylog which is an Open Source Log Management.

Graylog you can use it free with up to 5GB Logs per Day.


The article include the following paragraphs

  1. How to Create the Virtual Machine in HYPER-V from HYPER-V Manager
  2. How to create the Virtual Machine in HYPER-V with Powershell
  3. How to install Centos 7 in HYPER-V
  4. How to configure network settings of Centos 7 VM
  5. How to install Graylog in Centos 7
  6. How to Configure Graylog to accept Windows Event Logs of Applocker


So let's start !!!!


How to Create the Virtual Machine in HYPER-V from HYPER-V Manager


I wrote lot of articles for HYPER-V and you can find instructions of How can create a Virtual Machine.

But because never wrote how can create a virtual machine for linux i would like to repeat all the steps

  • Open HYPER-V Manager
  • Click New --- Virtual Machine


  • Click Next


  • Select the name of the VM and where will be store.Click Next


  • Select Generation 2


  • Select the RAM that you want to give.


  • Keep the default settings. Click Next.


  • Select Attach a Virtual Disk Later.Click Next


  • Click Finish


  • Now select the new VM. Click Settings from the right side.


  • Click in Processor.Increase to 2


  • Select SCSI Controller
  • Select Hard Drive. Click Add


  • Click New.


  • Click Next


  • Select Fixed Size.Click Next


  • Type the name and the location for the virtual disk.Click Next


  • Type the size that you want for the Virtual Disk.Click Next


  • Click Finish and Wait.




How to create the Virtual Machine in HYPER-V with Powershell


You can create a new VM from Powershell with the following commands

new-vm -vmname logsrv01 -Path "F:\HYPER-V" -Generation 2 -memorystartupbytes 4GB

and the virtual disk with the following command

NewVHD -Path "f:\hyper-v\logsrv01\logsrv01.vhdx" -SizeBytes 40GB -fixed


Now go in Settings and configure the Processor, RAM ,Security and add the Virtual Hard disk which create.



How to install Centos 7 in HYPER-V


After create and configure the VM it's time to setup the Centos 7 before setup the Graylog.

  • From the VM Setting select SCSI Controller
  • Select DVD Drive.Click Add


  • Select the iso for Centos 7


  • Select Security
  • Change to Microsoft UEFI Certificate Authority.


  • Start the VM
  • When boot select Install Centos 7


  • Select the Language during the installation process


  • Click in the Installation Destination


  • Click on Virtual Disk. Click Done


  • Now click Begin Installation.
  • When the installation finish give a password to the root password


  • Wait a few minutes and that's it.

You have create the VM with Centos 7 and now we must configure the network settings of the Centos 7


How to configure network settings of Centos 7 VM


The following steps describe how to configure the Ip Address , Default Gateway and DNS Server.

Depends on your network you must do the appropriate configuration in your Firewalls to connected in your Lan and give access in the Internet. 

  • First of all we must configure to give a static ip address.
  • Login with the root user and type the following command to go in the appropriate path.
    cd /etc/sysconfig/network-scripts
  • Now type ls and identify the file ifcfg-eth0


  • Type vi ifcfg-eth0
  • Click in button i to start edit the file and do the following changes
    • IPADDR = with the ipaddress that you want
    • BOOTPROTO=static
    • ONBOOT=yes


  • Now type : and wq to save the file
  • Change the default gateway
  • Type vi /etc/sysconfig/network
  • Type i to edit the file
  • Add the lines
    • NETWORKING=yes
    • HOSTNAME=whatever name you want
    • GATEWAY=your gateway
  • Once again type : and wq to save the file


  • Let's go to configure and the DNS
  • Type vi /etc/resolv.conf 
  • Type i to edit
  • Add the lines
    • nameserver <your DNS Server>

  • type : and wq to save the file


  • Now type /etc/init.d/network restart to restart the network service


If you have done all the appropriate configurations try to ping from another pc in the same subnet to verify that all it's ok.


How to install Graylog in Centos 7


The installation of Graylog is straightforward if all the above steps are completed successful

Before start i recommend to connect with SSH from a putty for better management.

You can find all the steps of how can install Graylog in Centos 7 from Graylog Documentation

But i prefer to write down all the steps here

For the Graylog you must install the following

  1. Java
  2. MongoDB
  3. Elasticsearch
  4. Graylog
  • Login in Centos 7 with the root user
  • Install the java with the following command
    sudo yum install java-1.8.0-openjdk-headless.x86_64



How to install MongoDB for the Graylog

  • Type the following command to edit the file and add the repository
    vi /etc/yum.repos.d/mongodb-org.repo


  • Add the following 
    [mongodb-org-4.0] name=MongoDB Repository baseurl=$releasever/mongodb-org/4.0/x86_64/ gpgcheck=1 enabled=1 gpgkey=
  • Save and exit from file
  • Type the following command to install the Mongodb
     sudo yum install mongodb-org.
  • After finish the installation run the following commands to start the Mongodb automatically during the boot of operating system
    sudo systemctl daemon-reload
    sudo systemctl enable mongod.service
    sudo systemctl start mongod.service
    sudo systemctl --type=service --state=active | grep mongod



How to install Elasticsearch

Graylog can be used with Elasticsearch. Follow the steps to install the open source version of Elasticsearch


  • Edit the repository file
    vi /etc/yum.repos.d/elasticsearch.repo



  • After finish the installation modify the elastic search configuration file with the following command
    vi /etc/elasticsearch/elasticsearch.yml
  • Set the cluster name to graylog and uncomment the action.auto_create_index: false
  • Save and exit from file


  • Type the following commands to start the Elasticsearch
    sudo systemctl daemon-reload
    sudo systemctl enable elasticsearch.service
    sudo systemctl restart elasticsearch.service
    sudo systemctl --type=service --state=active | grep elasticsearch


How to install Graylog

We are in the final step which must install Graylog. 

Let's go

Type the following commands to install Graylog repository configuration and Graylog application with the Enterpise plugin that we need to archive the Logs 



How to edit the Configuration file of Graylog

You must be very careful here because if you miss something the Graylog will not start

  • Graylog to start we must change the configuration file
  • Type the following command to edit the file
    vi /etc/graylog/server/server.conf
  • Find the password_secret and the root_password_sha2


  • Add a password in the password_secret base on the instruction of the configuration file
  • Run the following command to create the root_password_sha2 and add in the file.
  • Note that the password that you will give before create the root_password_sha2 you will use it to connect in the Web Portal when the Graylog will start.
    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1


  • Find and uncomment http_bind_address
  • Type the ip address which use for the Graylog


  • Save and exit from the file
  • The last step to enable Graylog during the operating system startup
    sudo systemctl daemon-reload
    sudo systemctl enable graylog-server.service
    sudo systemctl start graylog-server.service
    sudo systemctl --type=service --state=active | grep graylog


Configure Sellinux and firewall for the Graylog

Base on the Graylog Documentation you must enter the following command to the web server to access the network but never works for me

sudo setsebool -P httpd_can_network_connect 1


To verify that Graylog is up and running i was follow the steps

  • Disable the selinux
  • Restart the operating system 
  • From your pc i open the Graylog from Web browser in the address http:///<Ip Address of Graylog>:9000
  • If working then you must see something like this


  • If you can't open the Web Page then the most common problem is to  the firewall of the Centos
  • To check the status of the firewall type the following command
    systemctl status firewalld
  • If it's active stop the firewall and open the Graylog from your Web Browse to verify that is active.
    systemctl stop firewalld
  • If the problem resolved then you must create rule in the firewall to publish the http.


How to Configure Graylog to accept Windows Event Logs of Applocker


We are almost in the end.

We have setup Graylog and configure it to has access in the Web Page.

So let's finis it.

How to find Api token for the Agent installation

  • Open Graylog from your Web Browser
  • Click on System/Authentication
  • In the Administrator click Edit Tokens


  • Type a Token Name and click Create Token.


  • Uncheck the Hide Token and copy the token to use it in the installation of Graylog Sidecar


How to install Graylog Sidecar agent


This is the agent that must be setup in every Workstation/Server that want to collect Event Logs.

  • Download the sidecar from here
  • Start the installation in one of the Servers or Workstation that you have already execute Applocker
  • The installation it's the common steps of every Wizard.
  • The only thing that you must know is in the following step
    • Url Address:Change only the ip address with the ip address of your Graylog Server
    • Api token: Describe where you can find in the above instruction
  • After finish the installation open a command prompt as Administrator and run the following commands to create and start the Service of the agent
    • "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
    •  "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start


  • Now go in Graylog System --Sidecar and verify that the server appear



How to collect Logs from Workstations or Servers

After finish with the above steps you must create the Sidecar in the Graylog to accept the Logs from the Workstation or Servers

  • Go in System --- Sidecar
  • Click Configuration


  • Click Create Configuration


  • Type  a prefer name.
  • Click in Collector and select winlogbeat on Windows


  • In the Configuration change the hosts with the ip address of the Graylog Server
  • Also add the following line to collect and the logs for the Applocker
    - name:  Microsoft-Windows-AppLocker/EXE and DLL


  • In this line you can add any type of the Event Logs just to write the Log Name.
  • In this article you explain how can collect Applocker logs.
  • If you want to add more Event Logs then just decide what Logs you want and add the Log Name in the winogbeat configration.


  • Click Update.
  • Click Overview and you must see the Name of the Windows that you have install the agent.
  • Click Manage Sidecar


  • Check the winlogbeat.
  • From the right side click in configuration and select the configuration which create before.


  • Click Confirm


  • Wait few minutes and click Show messages to verify that Grayog collect the Event Logs from your Workstation or Server


  • From now on all the Event Logs will be collected here if it's not block any firewall the connection.


It will take sometime to finish but now you can collect Event Logs from your Windows Server and any other Device in your network.

Have a nice weekend!!











Disqus Comments