Policy Logging

Expand Logging to configure the following policy settings for matched users and endpoints:

Policy Setting

Details

Log the following

Endpoint Application Control collects logs from endpoints at a regular interval.

Select one of the following logging limitations:

  • Select None to log no actions.

  • Select Block to log any blocked application start or access that does not originate from an excluded directory.

    This is the default setting for a new policy.

  • Select Selected to log any selected application start or access that does not originate from an excluded directory. Use the list that appears to select the rules to match.

  • Select Any to log any application start or access that does not originate from an excluded directory.

    Note:

    Selecting this option may generate large log files and substantially increase network data transfers.

See About Logs and Log Types.

Exclude the following directories from logs

To exclude specific paths from logging, do the following:

  1. Under Log the following, select one of the following logging limitations:

    • Block

    • Selected

    • Any

  2. Select Exclude the following directories from logs and then type the application paths to exclude, one path per line (separate each path with a carriage return).

    The default paths are %SYSTEMROOT% and %WINDIR%.

Collect aggregated logs every

Endpoint Application Control collects logs from endpoints at a regular interval.

Select the interval for collecting the logs aggregated by endpoints.

The default setting is 2 hours. The suggested setting depends on the number of deployed agents.

See Server Requirements.

Use the following log transfer options to dynamically add "Known Applications" to rules using the Known application dynamic search filter.

The log transfer options let you create dynamically updated application lists that you can then use in dynamic rules, which removes the need to manually update policies every time you need to approve a new application.

Note:

Ensure that you enable Log-only mode in new rules so that log data received from agents is correctly logged and tagged.

Enable "Policy action" log transfer to monitor applications with the Allow action

Automatically applies the policy-action tag, the action-allow tag, and any specified Additional tags to log data.

Use case:

After applying a Lockdown rule, you can use the policy-action and action-allow tags to determine whether users and endpoints have correctly applied policy settings for allowed applications.

Enable "Policy action" log transfer to monitor applications with the Block action

Automatically applies the policy-action tag, the action-block tag, and any specified Additional tags to log data.

Use case:

Authorized IT administrators intentionally install, on a test endpoint, new applications that trigger the "Block" action. Using the automatically added tags, the IT administrator creates an "Allow" rule with the Known and dynamic search filter that searches for the policy-action and action-block tags. The agent dynamically updates the "Allow" list and allows all applications that carry those tags.

For detailed steps, see Creating Dynamically Updated Allowed Application Rules.

Enable "Endpoint inventory" log transfer to monitor existing applications on agents

Automatically applies the inventory tag and any specified Additional tags to log data sent after endpoint inventory scans complete on agents.

Use case:

After performing inventory scans on agents, create a new allow rule and policy using the Known and dynamic search filter that searches for the inventory tag, so that all applications currently installed on the scanned endpoints are allowed to run on other agents.
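The following Python model is an added illustration, not code from Endpoint Application Control: it applies the "Log the following" limitation and the directory exclusions described under Policy Logging to individual application events, then attaches the log transfer tags (policy-action, action-allow, action-block, inventory, Additional). The option keys, event fields and the environment values used to expand %SYSTEMROOT% and %WINDIR% are assumptions made for the example.

```python
import ntpath
import re
# Constructed environment used to expand the default %SYSTEMROOT% / %WINDIR% entries.
ENV = {"SYSTEMROOT": r"C:\Windows", "WINDIR": r"C:\Windows"}

def expand_exclusions(text, env=ENV):
    """Parse the exclusion box: one path per line, %VAR% expanded, case-folded,
    trailing separator added so prefix matching stops at a directory boundary."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        line = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), line)
        paths.append(ntpath.normcase(ntpath.normpath(line)).rstrip("\\") + "\\")
    return paths

def in_excluded_dir(app_path, exclusions):
    norm = ntpath.normcase(ntpath.normpath(app_path))
    return any(norm.startswith(ex) for ex in exclusions)

def should_log(mode, event, exclusions, selected_rules=()):
    """Apply the 'Log the following' limitation (None, Block, Selected, Any) to one
    application start/access event; event is a dict with 'path', 'action', 'rule'."""
    if mode == "None":
        return False
    if in_excluded_dir(event["path"], exclusions):
        return False                      # excluded directories are never logged
    if mode == "Any":
        return True
    if mode == "Block":
        return event["action"] == "block"
    if mode == "Selected":
        return event["rule"] in selected_rules
    raise ValueError(f"unknown logging limitation {mode!r}")

def tag_event(event, transfer):
    """Attach the tags the log transfer options add. `transfer` keys are assumed names:
    policy_action_allow, policy_action_block, endpoint_inventory, additional."""
    tags = set()
    if transfer.get("policy_action_allow") and event["action"] == "allow":
        tags |= {"policy-action", "action-allow"}
    if transfer.get("policy_action_block") and event["action"] == "block":
        tags |= {"policy-action", "action-block"}
    if transfer.get("endpoint_inventory") and event.get("source") == "inventory":
        tags.add("inventory")
    if tags:                              # Additional tags ride along with an applied option
        tags |= set(transfer.get("additional", ()))
    return tags
```

Note that an event whose path is under an excluded directory is dropped under every limitation except None, which logs nothing anyway, while a sibling directory such as C:\WindowsUpdate is not matched by the C:\Windows exclusion.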