My clients are sending their AppLocker logs in cf:Events format to a Windows event collector which runs a UF.
When running with renderXml=0 I only get the message "%11 was allowed to run" instead of the binary that ran.
This seems to be a WEC quirk and not Splunk related.
In this mode I get a proper SID resolution for the User field (setting evt_resolve_ad_obj = 0 results in NOT_RESOLVED).
When I turn the logs to XML mode by setting renderXml=1 I get the correct information in the logs and I can parse it out using xmlkv.
However no sid translation is done and I'm stuck with the numeric SID.
Thanks
Ronny
For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the applocker logs due to the difference in how the SID is presented there.
I had already tried changing the system locale on both the clients and the WEC server... no luck.
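Added example, not from the thread or from Splunk: it shows what the renderXml=1 path actually gives you, namely the structured AppLocker fields (FilePath, TargetUser, EventID) that the "%11" message template lost, and it fills the gap the thread describes by resolving the numeric SID against a lookup table rather than relying on the forwarder's evt_resolve_ad_obj. The event XML, the SID-to-account mapping, the provider GUID and the host and user names are all constructed; in a real deployment the mapping would be a Splunk lookup (or an export from AD) rather than a dict. The event ID meanings (8002 allowed, 8003 audit-only, 8004 blocked) are the documented AppLocker EXE and DLL channel IDs.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Windows event XML and by the AppLocker UserData payload.
EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
USERDATA_NS = "{http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0}"

# AppLocker EXE and DLL channel event IDs and what each one means.
DISPOSITION = {
    8002: "allowed",
    8003: "audit-only (would have been blocked)",
    8004: "blocked",
}

# Constructed SID-to-account mapping standing in for AD resolution. Only the
# well-known SYSTEM SID is real; the domain SID and account name are made up.
SID_LOOKUP = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": "CORP\\rsmith",
}

# Constructed sample of an AppLocker "allowed" event in the shape a UF ships
# with renderXml=1. GUID, host, SID, hash and PID are placeholders.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>8002</EventID>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>WKS01.corp.example</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>(Default Rule) All files located in the Windows folder</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <TargetProcessId>4120</TargetProcessId>
      <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
    </RuleAndFileData>
  </UserData>
</Event>"""


def parse_applocker_event(xml_text):
    """Extract the fields a detection pipeline needs from one AppLocker event.

    This is the equivalent of what xmlkv pulls out in Splunk, with the
    namespaces handled explicitly so the UserData payload is found reliably.
    """
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVENT_NS}System")
    data = root.find(f"{EVENT_NS}UserData/{USERDATA_NS}RuleAndFileData")
    if system is None or data is None:
        raise ValueError("not an AppLocker RuleAndFileData event")

    event_id = int(system.findtext(f"{EVENT_NS}EventID"))
    return {
        "EventID": event_id,
        # Unknown IDs (other channels, future additions) are reported, not dropped.
        "Disposition": DISPOSITION.get(event_id, f"unknown event id {event_id}"),
        "Computer": system.findtext(f"{EVENT_NS}Computer"),
        "PolicyName": data.findtext(f"{USERDATA_NS}PolicyName"),
        "RuleName": data.findtext(f"{USERDATA_NS}RuleName"),
        "TargetUser": data.findtext(f"{USERDATA_NS}TargetUser"),
        "FilePath": data.findtext(f"{USERDATA_NS}FilePath"),
        "FileHash": data.findtext(f"{USERDATA_NS}FileHash"),
    }


def resolve_sid(sid, lookup=SID_LOOKUP):
    """Map a SID to an account name; mirror the forwarder's NOT_RESOLVED marker on a miss."""
    return lookup.get(sid, "NOT_RESOLVED")


def enrich(xml_text, lookup=SID_LOOKUP):
    """Parse one event and add a resolved User field next to the raw SID."""
    event = parse_applocker_event(xml_text)
    event["User"] = resolve_sid(event["TargetUser"], lookup)
    return event


if __name__ == "__main__":
    ev = enrich(SAMPLE_EVENT_XML)
    print(f"{ev['Disposition']}: {ev['FilePath']} run by {ev['User']} ({ev['TargetUser']}) on {ev['Computer']}")
```

The point of keeping both TargetUser and User is that the raw SID stays searchable and stable even when the lookup is stale, which is the failure mode the thread's NOT_RESOLVED value represents; the resolved name is a convenience layered on top, not a replacement.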