LEM Manager crashes after a high number of alerts from Windows 7 or Windows Server 2008

Created by Aileen de Lara_ret, last modified by MindTouch on Jun 23, 2016


Tune Windows Advanced Audit Policy Configuration on computers running Windows 7 and Windows Server 2008 to avoid overloading your LEM Manager with unnecessary alerts. 


All LEM versions running on Windows 7 and Windows Server 2008



Advanced Audit Policy Configuration interacts with Windows Filtering Platform (WFP), a new application in Windows 7 and Windows Server 2008 that logs firewall and IPsec-related events to the System Security Log. This advanced auditing is turned on by default, so if you have a LEM Agent on a server or workstation with WFP and you have not tuned it properly, it will log an extremely high number of events, eventually causing your LEM Manager to crash.


For additional information about Advanced Audit Policy Configuration, see the Microsoft TechNet article on Advanced Security Auditing FAQ.

For information about tuning standard Windows audit policies for your LEM implementation on a non-WFP computer, see Audit Policies and Best Practices. 



Important: By making a single change to Windows Advanced Audit Policy Configuration, you are telling Windows to favor Advanced Audit Policy over your basic or standard audit policies, which causes the default Advanced Audit Policy to override any custom settings in Local Security Settings > Local Policies > Audit Policies. If you implement the following recommendation, you must also replicate your current basic/standard audit policies using Advanced Audit Policy Configuration.


Set the following subcategories to No Auditing to tune Windows Advanced Audit Policy logging for your LEM implementation:

  • Logon/Logoff > Audit IPsec Extended Mode
  • Logon/Logoff > Audit IPsec Main Mode
  • Logon/Logoff > Audit IPsec Quick Mode
  • Object Access > Audit Filtering Platform Connection
  • Object Access > Audit Filtering Platform Packet Drop
  • Policy Change > Audit Filtering Platform Policy Change
  • System > Audit IPsec Driver


To set a WFP subcategory to No Auditing using Group Policies (recommended):

  1. Launch Group Policy Management from Control Panel > Administrative Tools.
  2. Open Group Policy Management Editor for the domain policy you want to edit. For example, click Default Domain Policy, and then click Action > Edit.
  3. Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  4. Click each policy under this node to view and edit its subcategories.
  5. In the right pane, click the subcategory you want to edit, and then click Action > Properties.
  6. On the Policy tab, select Configure the following audit events.
    Note: Do not select Success or Failure.

Note: To edit WFP auditing using local policy instead, open Administrative Tools > Local Security Policy, and then expand Advanced Audit Policy Configuration.
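
To confirm the result on a computer after the policy has applied, the following added example (not SolarWinds code) reads the effective setting of the seven subcategories above with auditpol.exe and flags any that are still being audited. It assumes an elevated PowerShell prompt and English-language subcategory names; the function name Get-WfpAuditStatus is hypothetical.

```powershell
# Added example: report the effective audit setting of the seven WFP/IPsec
# subcategories listed in this article. Run from an elevated PowerShell prompt.
# Assumes English-language Windows (auditpol localizes subcategory names).
# Written to run on PowerShell 2.0, as shipped with Windows 7 / Server 2008 R2.

$WfpSubcategories = @(
    'IPsec Extended Mode',
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'Filtering Platform Connection',
    'Filtering Platform Packet Drop',
    'Filtering Platform Policy Change',
    'IPsec Driver'
)

function Get-WfpAuditStatus {   # hypothetical helper name
    foreach ($name in $WfpSubcategories) {
        # /r prints CSV that includes "Subcategory" and "Inclusion Setting" columns
        $csv = & auditpol.exe /get "/subcategory:$name" /r 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol failed for '$name': $csv"
            continue
        }
        # Drop blank lines before parsing the CSV
        $row = $csv | Where-Object { $_ } | ConvertFrom-Csv
        New-Object PSObject -Property @{
            Subcategory = $name
            Setting     = $row.'Inclusion Setting'
            Tuned       = ($row.'Inclusion Setting' -eq 'No Auditing')
        }
    }
}

$status = @(Get-WfpAuditStatus)
$status | Format-Table Subcategory, Setting, Tuned -AutoSize

# A subcategory that could not be read is a failure, not a pass
if ($status.Count -ne $WfpSubcategories.Count) {
    Write-Warning 'Could not read every subcategory; is the prompt elevated?'
    exit 2
}

$noisy = @($status | Where-Object { -not $_.Tuned })
if ($noisy.Count -gt 0) {
    $names = ($noisy | ForEach-Object { $_.Subcategory }) -join ', '
    Write-Warning "Still auditing: $names"
    exit 1
}
```

The script only reads settings. Exit code 0 means all seven subcategories report No Auditing, 1 means at least one is still logging, and 2 means auditpol could not be queried.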


