Cupfighter.net » Event ID 5156 http://www.cupfighter.net A blog by Schuberg Philis colleagues Thu, 09 Feb 2012 14:27:59 +0000 en hourly 1 http://wordpress.org/?v= Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/ http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/#comments Mon, 05 Oct 2009 12:47:49 +0000 Cupfighter http://www.cupfighter.net/?p=568 When you install McAfee on Windows Server 2008, and probably Windows Vista also, you can get a lot of messages in your security log. Like this one:

ID 5156

Event ID 5156 means that WFP has allowed a connection. When most connections are allowed your security log will fill up very fast.

You can disable Object Access auditing but then you’ll miss other events which might be of interest. So, instead, let’s just disable Success Auditing for Filtering Platform Connections. It’s not possible to disable auditing subcategories with a policy or other GUI tool, but I found out that you can enable and disable specific subcategories with a special command-line tool: Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:

auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:enable

As you can see this disables Success auditing for the Filtering Platform Connection subcategory.

For more info check out this article:

http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx

]]> http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/feed/ 3