
LEM Manager crashes after a high number of alerts from Windows 7 or Windows Server 2008

Updated: September 28, 2018


Tune Windows Advanced Audit Policy Configuration on computers running Windows 7 and Windows Server 2008 to avoid overloading your LEM Manager with unnecessary alerts. 


All LEM versions, for LEM Agents installed on Windows 7 and Windows Server 2008


Several Advanced Audit Policy Configuration subcategories cover the Windows Filtering Platform (WFP), the packet-filtering framework that underlies Windows Firewall and IPsec on Windows 7 and Windows Server 2008 and writes its firewall and IPsec events to the Security event log. Enabling a basic audit category such as Object Access, Logon/Logoff, Policy Change or System also enables every subcategory beneath it, including the WFP and IPsec ones, so unless you tune those subcategories, a server or workstation with a LEM Agent logs an event for every permitted or blocked connection and every dropped packet (event IDs 5156, 5157 and 5152, among others). That volume of events floods the LEM Agent and can eventually crash your LEM Manager.


For additional information about Advanced Audit Policy Configuration, see the Microsoft TechNet article on Advanced Security Auditing FAQ.

For information about tuning standard Windows audit policies for your LEM implementation on a non-WFP computer, see Audit Policies and Best Practices. 


Configuring even one subcategory under Advanced Audit Policy Configuration through Group Policy switches the computer to subcategory-level auditing: Windows enables the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (the SCENoApplyLegacyAuditPolicy registry value), after which the basic category settings under Local Security Settings > Local Policies > Audit Policy are ignored. Any category you do not re-create as subcategories stops being audited. If you implement the following recommendation, you must therefore also replicate your current basic/standard audit policies using Advanced Audit Policy Configuration.

Set the following subcategories to No Auditing to tune Windows Advanced Audit Policy logging for your LEM implementation:

  • Logon/Logoff > Audit IPsec Extended Mode
  • Logon/Logoff > Audit IPsec Main Mode
  • Logon/Logoff > Audit IPsec Quick Mode
  • Object Access > Audit Filtering Platform Connection
  • Object Access > Audit Filtering Platform Packet Drop
  • Policy Change > Audit Filtering Platform Policy Change
  • System > Audit IPsec Driver

To set a WFP subcategory to No Auditing using Group Policy (recommended):

  1. Launch Group Policy Management from Control Panel > Administrative Tools.
  2. Open Group Policy Management Editor for the domain policy you want to edit. For example, click Default Domain Policy, and then click Action > Edit.
  3. Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  4. Click each policy under this node to view and edit its subcategories.
  5. In the right pane, click the subcategory you want to edit, and then click Action > Properties.
  6. On the Policy tab, select Configure the following audit events, leave both Success and Failure cleared, and then click OK.


To edit WFP auditing using local policy instead, open Administrative Tools > Local Security Policy, expand Advanced Audit Policy Configuration, and set the same subcategories to No Auditing. Note that a domain Group Policy that configures advanced audit settings overwrites local changes at the next policy refresh, so on domain-joined computers make the change in the GPO.
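The following PowerShell script is an added example and is not part of the SolarWinds KB article. It ties together the two points above: it measures how many WFP connection and packet-drop events the Security log is receiving (to confirm the cause before you change anything), checks whether the host is already on subcategory-level auditing (the override behaviour described in the note before the subcategory list), and then sets the seven subcategories listed above to No Auditing with auditpol.exe, the same change the Group Policy procedure makes. It assumes an elevated PowerShell prompt on the Windows 7 or Windows Server 2008 computer running the LEM Agent, uses PowerShell 2.0 syntax on purpose, and the function names are mine; the event IDs, subcategory names and registry value are Windows' own.

```powershell
# Added example, not from the SolarWinds KB article.
# Assumptions: elevated PowerShell on the Windows 7 / Server 2008 host with the
# LEM Agent; PowerShell 2.0 syntax. Function names are hypothetical (mine);
# event IDs, auditpol subcategory names and the registry value are Windows'.

# The seven subcategories the KB article says to set to No Auditing, by their
# auditpol.exe names (the GPO editor shows them with an "Audit " prefix).
$NoisySubcategories = @(
    'IPsec Main Mode',                  # Logon/Logoff
    'IPsec Quick Mode',                 # Logon/Logoff
    'IPsec Extended Mode',              # Logon/Logoff
    'Filtering Platform Connection',    # Object Access: 5154-5159 (connection, listen, bind permit/block)
    'Filtering Platform Packet Drop',   # Object Access: 5152, 5153 (dropped packets)
    'Filtering Platform Policy Change', # Policy Change
    'IPsec Driver'                      # System
)

# How many WFP connection/packet-drop events reached the Security log recently?
# Run before and after the change to confirm the flood comes from WFP auditing.
function Measure-WfpNoise {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 5152, 5153, 5156, 5157
                 StartTime = (Get-Date).AddHours(-$Hours) }
    try   { $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) }
    catch { $events = @() }   # Get-WinEvent errors out when nothing matches
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Is the host already on subcategory-level auditing? If so, the basic category
# settings under Local Policies > Audit Policy are being ignored.
function Test-SubcategoryOverride {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Disable-WfpAuditing {
    # Keep a restorable copy of the current policy (roll back with auditpol /restore /file:<path>).
    $backup = Join-Path $env:TEMP ('auditpol-before-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    auditpol /backup /file:"$backup" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed (prompt not elevated?)' }
    Write-Host "Audit policy backed up to $backup"

    foreach ($sub in $NoisySubcategories) {
        auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub'" }
    }
}

# Verify: every noisy subcategory must now report "No Auditing".
function Test-WfpAuditingDisabled {
    $ok = $true
    foreach ($sub in $NoisySubcategories) {
        $state = (auditpol /get /subcategory:"$sub") -join ' '
        if ($state -notmatch 'No Auditing') { Write-Warning "$sub is still audited"; $ok = $false }
    }
    return $ok
}

Measure-WfpNoise -Hours 1 | Format-Table -AutoSize
if (Test-SubcategoryOverride) {
    Write-Host 'Subcategory settings already override the basic audit categories; the basic settings are ignored.'
}
Disable-WfpAuditing
if (Test-WfpAuditingDisabled) { Write-Host 'All seven WFP/IPsec subcategories are set to No Auditing.' }
```

On a domain-joined computer whose advanced audit settings come from a GPO, the auditpol change above is reverted at the next Group Policy refresh; make the same change in the GPO with the procedure above and run gpupdate /force, then re-run Measure-WfpNoise an hour later to confirm the event volume has dropped.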


