Tune Windows Advanced Audit Policy Configuration on computers running Windows 7 and Windows Server 2008 to avoid overloading your LEM Manager with unnecessary alerts.
All LEM versions running on Windows 7 and Windows Server 2008
Advanced Audit Policy Configuration interacts with Windows Filtering Platform (WFP), a new application in Windows 7 and Windows Server 2008 that logs firewall- and IPsec-related events to the System Security Log. This advanced auditing is turned on by default, so if you have a LEM Agent on a server or workstation with WFP and you have not tuned it properly, the agent will log an extremely high number of events, eventually causing your LEM Manager to crash.
For additional information about Advanced Audit Policy Configuration, see the Microsoft TechNet article on Advanced Security Auditing FAQ.
For information about tuning standard Windows audit policies for your LEM implementation on a non-WFP computer, see Audit Policies and Best Practices.
Important: Making even a single change to Windows Advanced Audit Policy Configuration tells Windows to favor Advanced Audit Policy over your basic or standard audit policies. The default Advanced Audit Policy then overrides any custom settings in Local Security Settings > Local Policies > Audit Policies. If you implement the following recommendation, you must also replicate your current basic/standard audit policies using Advanced Audit Policy Configuration.
Set the following subcategories to No Auditing to tune Windows Advanced Audit Policy logging for your LEM implementation:
To set a WFP subcategory to No Auditing using Group Policies (recommended):
Note: To edit WFP auditing using local policy instead, open Administrative Tools > Local Security Policy, and then expand Advanced Audit Policy Configuration.
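The Important note above means a WFP tuning change can silently drop auditing you relied on under the basic policy. The following PowerShell is an added example, not part of the original article or of LEM: it compares two snapshots of effective audit policy taken with `auditpol /get /category:* /r` before and after the change. The function name, host name, GUIDs, and CSV rows are constructed for illustration and are not the article's list of subcategories.

```powershell
# Added example. Real snapshots would come from:
#   auditpol /get /category:* /r > before.csv    (run again after the change)
# The rows below are constructed sample data so the script runs offline.
$before = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
HOST01,System,File System,{00000000-0000-0000-0000-000000000002},Failure,
HOST01,System,Filtering Platform Connection,{00000000-0000-0000-0000-000000000003},Success and Failure,
'@ -split '\r?\n'

$after = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{00000000-0000-0000-0000-000000000001},Success,
HOST01,System,File System,{00000000-0000-0000-0000-000000000002},No Auditing,
HOST01,System,Filtering Platform Connection,{00000000-0000-0000-0000-000000000003},No Auditing,
'@ -split '\r?\n'

function Compare-AuditPolicySnapshot {   # hypothetical helper name
    param([string[]] $Before, [string[]] $After)

    # Index the "before" setting of every subcategory by name.
    $old = @{}
    foreach ($row in ($Before | Where-Object { $_.Trim() } | ConvertFrom-Csv)) {
        $old[$row.Subcategory] = $row.'Inclusion Setting'
    }

    # Emit one object per subcategory whose effective setting changed.
    foreach ($row in ($After | Where-Object { $_.Trim() } | ConvertFrom-Csv)) {
        $was = $old[$row.Subcategory]
        $now = $row.'Inclusion Setting'
        if ($was -ne $now) {
            [pscustomobject]@{
                Subcategory  = $row.Subcategory
                Before       = $was
                After        = $now
                # True when auditing that existed before is now switched off.
                LostAuditing = [bool]($was -and $was -ne 'No Auditing' -and $now -eq 'No Auditing')
            }
        }
    }
}

Compare-AuditPolicySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Any row you did not intend to change is a basic-policy setting that still has to be re-created under Advanced Audit Policy Configuration.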