Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection
When you install McAfee on Windows Server 2008, and probably Windows Vista also, you can get a lot of messages in your security log. Like this one:
Event ID 5156 means that WFP has allowed a connection. When most connections are allowed your security log will fill up very fast.
You can disable Object Access auditing but then you’ll miss other events which might be of interest. So, instead, let’s just disable Success Auditing for Filtering Platform Connections. It’s not possible to disable auditing subcategories with a policy or other GUI tool, but I found out that you can enable and disable specific subcategories with a special command-line tool: Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:
auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:enable
As you can see this disables Success auditing for the Filtering Platform Connection subcategory.
For more info check out this article:
http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx
Note: copying the above line does not work because of the quotes being improperly formatted. Just type it over.
They have added this subcategory logging control (enable/disable) into Group Policy processing for Windows 7 and 2008.
I created a new GPO and set this event “Windows Filtering Platform Connection” to NO AUDITING. I linkes the GPO to my Servers OU but my servers are still logging the event when i look on the Event Log. It shows me the Success/Failure for this audit. If I cannot disable the logging of this event using GPO, do I have to run the auditpol.exe command to each server to disable logging?
Funny, on my system it says “The Windows Filtering Platform has _permitted_ a connection”