


LEM Manager crashes after a high number of alerts from Windows 7 or Windows Server 2008

Created by Aileen de Lara_ret, last modified by MindTouch on Jun 23, 2016


Overview

Tune Windows Advanced Audit Policy Configuration on computers running Windows 7 and Windows Server 2008 to avoid overloading your LEM Manager with unnecessary alerts. 

Environment

All LEM versions, with LEM Agents installed on computers running Windows 7 or Windows Server 2008

 

Cause 

Advanced Audit Policy Configuration includes subcategories for the Windows Filtering Platform (WFP), the firewall and IPsec engine introduced with Windows Vista and Windows Server 2008 and also present in Windows 7. WFP auditing writes firewall and IPsec events to the Windows Security log, and the Filtering Platform Connection and Filtering Platform Packet Drop subcategories generate an event for every permitted or blocked connection and packet. These subcategories are frequently enabled without anyone choosing them: enabling the basic Audit object access policy turns on every Object Access subcategory, including both Filtering Platform subcategories. If a LEM Agent runs on a server or workstation whose audit policy has not been tuned, the agent forwards an extremely high number of events, eventually causing your LEM Manager to crash.

 

For additional information about Advanced Audit Policy Configuration, see the Microsoft TechNet article on Advanced Security Auditing FAQ.

For information about tuning standard Windows audit policies for your LEM implementation on a non-WFP computer, see Audit Policies and Best Practices. 
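As an added example (not part of the original article), the PowerShell script below, run from an elevated prompt on a Windows 7 or Windows Server 2008 host that carries a LEM Agent, counts the WFP events the local Security log produced over the last few minutes and breaks them down by subcategory, so you can confirm that WFP auditing is the source of the flood before changing policy. The event IDs are the ones Microsoft assigns to the Filtering Platform Packet Drop (5152, 5153) and Filtering Platform Connection (5154 to 5159) subcategories; the $LookbackMinutes sampling window is an assumed parameter of this example, not a LEM setting.

```powershell
# Added example, not SolarWinds code. Measures how many Windows Filtering Platform
# (WFP) events the Security log is producing, to confirm that WFP auditing is what
# is flooding the LEM Agent. $LookbackMinutes is an assumed sampling window.
param([int]$LookbackMinutes = 10)

# Event IDs Microsoft assigns to the two Filtering Platform subcategories.
$wfpEventIds = @{
    5152 = 'Filtering Platform Packet Drop'
    5153 = 'Filtering Platform Packet Drop'
    5154 = 'Filtering Platform Connection'
    5155 = 'Filtering Platform Connection'
    5156 = 'Filtering Platform Connection'
    5157 = 'Filtering Platform Connection'
    5158 = 'Filtering Platform Connection'
    5159 = 'Filtering Platform Connection'
}

$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$filter = @{ LogName = 'Security'; Id = [int[]]$wfpEventIds.Keys; StartTime = $since }

# Get-WinEvent throws a terminating error when nothing matches; treat that as zero.
$events = @()
try   { $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) }
catch { if ($_.Exception.Message -notmatch 'No events were found') { throw } }

$total     = $events.Count
$perMinute = [math]::Round($total / [math]::Max($LookbackMinutes, 1), 1)
Write-Host ("{0} WFP events in the last {1} minutes ({2} per minute)" -f $total, $LookbackMinutes, $perMinute)

# Break the count down per subcategory so you know which policy to tune first.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId';     e = { [int]$_.Name }},
                  @{n = 'Subcategory'; e = { $wfpEventIds[[int]$_.Name] }},
                  Count |
    Format-Table -AutoSize

# Show the current effective setting of each subcategory the article tells you to turn off.
$subcategories = 'IPsec Extended Mode', 'IPsec Main Mode', 'IPsec Quick Mode',
                 'Filtering Platform Connection', 'Filtering Platform Packet Drop',
                 'Filtering Platform Policy Change', 'IPsec Driver'
foreach ($name in $subcategories) {
    auditpol /get /subcategory:"$name"
}
```

A few hundred WFP events per minute from a single host is normal for a busy server with these subcategories enabled, which is exactly the volume the LEM Manager cannot absorb across a fleet; if the per-minute figure is near zero, something other than WFP auditing is producing the alerts.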

 

Resolution

Important: As soon as you configure any setting under Advanced Audit Policy Configuration, Windows applies the subcategory-level (advanced) audit policy in preference to the basic policy under Local Security Settings > Local Policies > Audit Policy; the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings controls this behavior. Any custom basic audit settings stop taking effect, so if you implement the following recommendation, you must also reproduce your current basic audit policy as subcategory settings in Advanced Audit Policy Configuration.

 

Set the following subcategories to No Auditing to tune Windows Advanced Audit Policy logging for your LEM implementation:

  • Logon/Logoff > Audit IPsec Extended Mode
  • Logon/Logoff > Audit IPsec Main Mode
  • Logon/Logoff > Audit IPsec Quick Mode
  • Object Access > Audit Filtering Platform Connection
  • Object Access > Audit Filtering Platform Packet Drop
  • Policy Change > Audit Filtering Platform Policy Change
  • System > Audit IPsec Driver

 

To set a WFP subcategory to No Auditing using Group Policy (recommended):

  1. Launch Group Policy Management from Control Panel > Administrative Tools.
  2. Open the Group Policy Management Editor for the domain policy you want to edit. For example, click Default Domain Policy, and then click Action > Edit.
  3. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  4. Click a policy node (Logon/Logoff, Object Access, Policy Change, or System) to view its subcategories.
  5. In the right pane, click the subcategory you want to edit, and then click Action > Properties.
  6. On the Policy tab, select Configure the following audit events, leave both Success and Failure cleared, and click OK. Configuring the subcategory with neither box selected sets it to No Auditing.
  7. Repeat steps 4 through 6 for each of the seven subcategories listed above.
  8. Refresh policy on the affected computers (for example, run gpupdate /force), then confirm the effective setting with auditpol /get /subcategory:"Filtering Platform Connection", which should report No Auditing.

Note: To edit WFP auditing using local policy instead, open Administrative Tools > Local Security Policy, and then expand Advanced Audit Policy Configuration.
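The following PowerShell script is an added example, not SolarWinds code, that performs the same change as the procedure above with auditpol.exe: it sets the seven WFP and IPsec subcategories to No Auditing, then parses auditpol's CSV output to verify that none of them is still audited. It also checks the SCENoApplyLegacyAuditPolicy registry value, which is where Windows stores the Audit: Force audit policy subcategory settings security option mentioned in the Important note. Use it on stand-alone hosts, or for verification on domain members; on a domain member the next Group Policy refresh reapplies whatever the GPO defines, so the GPO procedure remains the authoritative fix there. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not SolarWinds code. Sets the seven WFP/IPsec subcategories from the
# article to No Auditing with auditpol.exe and verifies the result. Run elevated.

$subcategories = @(
    'IPsec Extended Mode',
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'Filtering Platform Connection',
    'Filtering Platform Packet Drop',
    'Filtering Platform Policy Change',
    'IPsec Driver'
)

# The security option "Audit: Force audit policy subcategory settings (Windows Vista or
# later) to override audit policy category settings" is stored in this registry value.
# When it is 1, subcategory settings win over the basic Audit Policy, which is why the
# article tells you to reproduce your basic policy in Advanced Audit Policy Configuration.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; basic audit policy may still override these subcategory settings at the next policy refresh.'
}

foreach ($name in $subcategories) {
    # Disabling both success and failure auditing is the auditpol equivalent of
    # "Configure the following audit events" with neither box selected.
    auditpol /set /subcategory:"$name" /success:disable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$name'" }
}

# Verify. /r makes auditpol emit CSV (columns include Subcategory and Inclusion Setting),
# so the effective policy can be parsed instead of eyeballed; drop blank lines first.
$report  = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$stillOn = $report | Where-Object {
    ($subcategories -contains $_.Subcategory) -and ($_.'Inclusion Setting' -ne 'No Auditing')
}

if ($stillOn) {
    $stillOn | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
    throw 'Some WFP/IPsec subcategories are still being audited.'
}
Write-Host 'All seven WFP and IPsec subcategories are set to No Auditing.'
```

The verification step is the part worth keeping even if you make the change through Group Policy: run it on a sampled host after gpupdate, and the script fails loudly if the GPO did not apply or a conflicting policy re-enabled a subcategory.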

 

 
