Monitor for application control events

By default, when you enable application control, it will log events such as when it detects software change. App control also logs when it blocks software from executing. Software change events will appear on the Actions and Events & Reports tabs. If configured, it will also trigger an alert.

You can configure some of which application control event logs are recorded, and which are forwarded to external SIEM systems, syslog servers, or SNMP managers.

To monitor for software changes on computers, the basic steps are:

  1. Choose which application control events to log
  2. Monitor application control alerts

Choose which application control events to log

  1. Go to Administration > System Settings > System Events.
  2. Scroll down to the application control events such as Event ID 7000 “Application Control Events Exported”.
  3. If you want to record event logs for that type of event, enable Record.

    When those events occur, they will appear on Events & Reports > Events > System Events. Logs will be kept until they meet maximum log age criteria, which varies by Deep Security Manager platform. For details, see How long are my events stored?.

    Events that appear on Computers > Details > Application Control > Events are not configured here. They will always be logged.
  4. If you want to forward event logs to an SIEM, SNMP, or syslog server, enable Forward.
  5. If you use an external SIEM, you may need to load the list of possible application control event logs, and indicate what action to take. For a list of application control events, see System events.

View application control event logs

Location of application events varies by whether they are an:

  • audit event (history of configuration changes or software updates): Events & Reports > Events > System Events
  • security event (application control blocked or allowed unrecognized software, or blocked software in a block rule): Events & Reports > Events > Application Control Events > Security Events

For a list of application control events, see System events.

If an event shows that application control is blocking software, but it should not, you can undo the rule.

Monitor application control alerts

Dashboard's Alert Status widget showing application control alerts.

To configure which application control events or severity levels cause an alert, go to the Alerts tab, click the Configure Alerts button, and then select an event and click Properties. For details, see Configure email notifications for alerts.

When alerts are enabled for application control events, any software change that the application control engine detects and any software that it blocks from executing will appear in the Alerts tab. If you have enabled the Alert Status widget, application control alerts will also appear on your dashboard.

To monitor which computers are in maintenance mode, you can also click Add/Remove Widgets and enable the Application Control Maintenance Mode widget, which will display a list of the computers and their scheduled maintenance windows.

Alerts (and counts of their associated events) are kept until your configured maximum age of alerts (or the hard-coded maximum age).