
Tune out Windows Filtering Platform on LEM and on a Windows agent

Updated: September 21, 2018


This article describes how to tune out Windows Filtering Platform (WFP) noise on LEM and on a Windows agent. WFP is a platform introduced in Windows Vista and Windows Server 2008 that logs firewall and IPsec related events to the Security event log. For most auditing purposes these alerts (events) add no value and are simply noise; in addition, they consume resources on LEM. Once LEM and the LEM agent are upgraded to version 6.2.0 or later, the agent drops these events on the Windows computer, so LEM never receives them.


Environment

  • All LEM versions (especially versions prior to 6.2.0). With LEM agent 6.2.0 or later, WFP events are dropped at the agent and never reach LEM.
  • Windows 7, 8, 8.1, 10
  • Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016


Modify the LEM Alert Distribution Policy

  1. Open LEM Console and log into your LEM Manager from the Manage > Appliances view.
  2. Next to your LEM Manager, click the gear icon, and then select Policy.

    This opens the Alert Distribution Policy window.

  3. Locate the alerts you want to disable by either browsing the Alert Taxonomy or using the search box under Refine Results.

    You can locate all the alerts listed below by typing Windows Security in the search box.

  4. Select or clear the check boxes in Console, Database, Warehouse or Rules, as appropriate.
    • Clear the Console check box to prevent your LEM Manager from showing the alerts in your LEM Console.
    • Clear the Database check box to prevent your LEM Manager from storing the alerts in your LEM database.
    • Clear the Warehouse check box to prevent your LEM Manager from sending the alerts to an independent database warehouse.
    • Clear the Rules check box to prevent your LEM Manager from processing the alerts against your LEM rules.
    • Select any check box to enable processing of the alerts for any of the four levels listed above. 
  5. To save your changes and keep working, click Apply. To save your changes and close the Alert Distribution Policy window, click OK.

Table of Alerts with Security Auditing Provider SIDs

The Provider SID value of each alert below has the form "Windows Security, Auditing Event ID", where Event ID is one of the Windows Event IDs listed in the table.

Alert Name            Windows Event ID
TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit   5152, 5156
PPTPTrafficAudit      5152

Table of Description by Event ID

Event ID   Brief Description
5152       Windows Filtering Platform blocked a packet.
5154       Windows Filtering Platform permitted an application or service to listen on a port for incoming connections.
5156       Windows Filtering Platform allowed a connection.
5157       Windows Filtering Platform blocked a connection.
5158       Windows Filtering Platform permitted a bind to a local port.
5159       Windows Filtering Platform blocked a bind to a local port.
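Before you disable anything, it helps to know how much of the Security log these six event IDs actually account for on a given agent, and which processes generate most of them. The following PowerShell script is an added example, not code from the original article or from SolarWinds; it assumes an elevated prompt on the Windows computer being tuned and a 24-hour look-back window (both adjustable), and uses the event IDs and descriptions from the tables above.

```powershell
# Added example (not part of the original article): measure how much WFP noise
# the Security log on this computer holds, grouped by Event ID, and which
# processes produce most of it. Run from an elevated PowerShell prompt.

# Event IDs and descriptions from the tables above.
$WfpEvents = @{
    5152 = 'Windows Filtering Platform blocked a packet.'
    5154 = 'Windows Filtering Platform permitted an application or service to listen on a port for incoming connections.'
    5156 = 'Windows Filtering Platform allowed a connection.'
    5157 = 'Windows Filtering Platform blocked a connection.'
    5158 = 'Windows Filtering Platform permitted a bind to a local port.'
    5159 = 'Windows Filtering Platform blocked a bind to a local port.'
}

# Window to inspect (assumption: the last 24 hours; adjust as needed).
$Since = (Get-Date).AddHours(-24)

$filter = @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = [int[]]$WfpEvents.Keys
    StartTime    = $Since
}

# Get-WinEvent throws when nothing matches, so suppress that and treat it as zero.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Count per Event ID, joined to the descriptions above.
$events |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            EventId     = [int]$_.Name
            Count       = $_.Count
            Description = $WfpEvents[[int]$_.Name]
        }
    } | Format-Table -AutoSize

# Put the figure in context against the whole log.
$log = Get-WinEvent -ListLog Security
'{0} WFP events since {1}; the Security log currently holds {2} records.' -f $events.Count, $Since, $log.RecordCount

# Top processes behind "allowed connection" (5156) events. The Application
# field lives in the event's XML payload and is not exposed as a property.
$events |
    Where-Object { $_.Id -eq 5156 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Application' }).'#text'
    } |
    Group-Object |
    Sort-Object -Property Count -Descending |
    Select-Object -First 5 -Property Count, Name |
    Format-Table -AutoSize
```

Run it once before and once after applying the audit policy changes below; the first table should drop to nothing for the period after the change. If 5156 or 5157 turn out to be feeding a detection use case (they carry the process, direction and remote address of every connection), that is the point to decide whether you need the connector mentioned at the end of this article rather than suppressing the events at the source.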

Additional Suggested Settings

Set the following subcategories to No Auditing to tune Windows Advanced Audit Policy logging for LEM implementation:

  • Logon/Logoff > Audit IPsec Extended Mode
  • Logon/Logoff > Audit IPsec Main Mode
  • Logon/Logoff > Audit IPsec Quick Mode
  • Object Access > Audit Filtering Platform Connection
  • Object Access > Audit Filtering Platform Packet Drop
  • Policy Change > Audit Filtering Platform Policy Change
  • System > Audit IPsec Driver

Set a WFP subcategory to No Auditing using Group Policies

  1. Navigate to Control Panel > Administrative Tools, and then open Group Policy Management.
  2. Open Group Policy Management Editor for the domain policy you want to edit. For example, click Default Domain Policy, and then click Action > Edit.
  3. Under Computer Configuration, navigate to Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  4. Click each policy under this node to view and edit its subcategories.
  5. In the right pane, click the subcategory you want to edit, and then click Action > Properties.
  6. On the Policy tab, select Configure the following audit events. Do not select Success or Failure.
    Note: To edit WFP auditing using local policy instead, open Administrative Tools > Local Security Policy, and expand Advanced Audit Policy Configuration.
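The Group Policy procedure above is the right way to do this on domain members, because anything set locally is overwritten at the next policy refresh. For a standalone computer, or to confirm what the GPO actually delivered, the same settings can be applied and verified with auditpol.exe. The script below is an added example, not code from the original article or from SolarWinds; it assumes an elevated prompt, uses the well-known subcategory GUIDs from Microsoft's advanced audit policy documentation (so it does not depend on the display language; the English names are given as labels only), and disables exactly the seven subcategories listed under Additional Suggested Settings.

```powershell
# Added example (not part of the original article): set the WFP and IPsec audit
# subcategories to No Auditing with auditpol.exe and verify the result.
# Run elevated. On domain members, Group Policy overwrites local settings at the
# next refresh, so make the same change in the GPO as described above.

# Subcategory GUIDs (locale independent). The keys are the English names shown
# in the Group Policy editor under Advanced Audit Policy Configuration.
$WfpSubcategories = [ordered]@{
    'IPsec Extended Mode'              = '{0CCE921A-69AE-11D9-BED3-505054503030}'
    'IPsec Main Mode'                  = '{0CCE9218-69AE-11D9-BED3-505054503030}'
    'IPsec Quick Mode'                 = '{0CCE9219-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Connection'    = '{0CCE9226-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Packet Drop'   = '{0CCE9225-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Policy Change' = '{0CCE9233-69AE-11D9-BED3-505054503030}'
    'IPsec Driver'                     = '{0CCE9213-69AE-11D9-BED3-505054503030}'
}

# Subcategory settings only win over the legacy category settings when
# "Audit: Force audit policy subcategory settings (Windows Vista or later) to
# override audit policy category settings" is enabled (SCENoApplyLegacyAuditPolicy = 1).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not enforced; legacy category settings may re-enable these events.'
}

foreach ($entry in $WfpSubcategories.GetEnumerator()) {
    # Same effect as "Configure the following audit events" with neither
    # Success nor Failure selected.
    & auditpol.exe /set "/subcategory:$($entry.Value)" /success:disable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for $($entry.Key)" }
}

# Verify: every line should read "No Auditing". auditpol /get /r emits CSV with
# an "Inclusion Setting" column; blank lines are dropped before parsing.
foreach ($entry in $WfpSubcategories.GetEnumerator()) {
    $row = & auditpol.exe /get "/subcategory:$($entry.Value)" /r |
           Where-Object { $_ -match ',' } |
           ConvertFrom-Csv
    '{0,-34} {1}' -f $entry.Key, $row.'Inclusion Setting'
}
```

After pushing the GPO change, run gpupdate /force on a test computer and re-run only the verification loop: if any line still shows Success or Failure, either the GPO has not applied or a higher-precedence policy is setting the same subcategory.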

Additional Resources

For additional information about Advanced Audit Policy Configuration, see the Microsoft TechNet article, Advanced Security Auditing FAQ.

For information about tuning standard Windows audit policies for LEM implementation on a non-WFP computer, see:

If you are required to log these WFP events (for example, because a detection use case depends on 5156 or 5157 connection events), contact SolarWinds Support for a connector that reads and forwards the WFP events.
