AppLocker Dashboard Issue - No Policy Review Data #3021
Labels
bug
Something isn't working
Comments
|
@matchstickboy - Are you able to run the searches from the dashboard manually ? I wonder if you dont have any events specific to show in your environment. Is this a live splunk environment or a splunk lab with applocker data? The dashboard works fine in our test environment! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Dashboard is mostly working as expected, seeing Audit Events and Event Code Analysis data. but no data displayed in Policy Review
###**Screen Shot
Expected behavior
Expect to see logged events in the Policy Review section, but only seeing "no search results returned"
App Version:
Additional context
Have a single windows server collecting forwarded Applocker events from multiple endpoints and writing them to the "Forwarded Events" log on the server acting as the Windows Event Collector.
Splunk UF on the server has the following inputs.conf:
[WinEventLog://ForwardedEvents]
disabled =0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = applocker
renderXml = 1
The applocker SearchMacro has definition has been set to:
index=applocker
The text was updated successfully, but these errors were encountered: