
Disabling Windows Filtering Platform Alerts Using Alert Distribution Policy

Windows Filtering Platform (WFP) is a component introduced in Windows 7 and 8 and Windows Server 2008 and 2012 that logs firewall and IPsec related events to the Windows Security log.

These alerts represent background events. They are not needed for an optimized LEM deployment, yet LEM must spend resources to process them. Tuning out this Windows noise in group policy reduces the space these events occupy in the Security event log, reduces network traffic to LEM, and reduces the CPU, memory, and disk space consumed on the LEM Manager. SolarWinds recommends tuning WFP auditing in your Active Directory group policies to avoid the load it would otherwise place on your LEM Manager.

To modify the alert distribution policy on your LEM Manager:

  1. Open your LEM Console and log into your LEM Manager from the Manage > Appliances view.
  2. Click the gear icon next to your LEM Manager, and then select Policy.
  3. Locate the alerts you want to disable by either browsing the alert taxonomy or using the search box under Refine Results.

    You can locate all of the alerts listed below by typing Windows Security in the search box.

  4. Select or clear the check boxes in the Console, Database, Warehouse, or Rules columns as appropriate.

    1. Clear the Console box to prevent your LEM Manager from showing the alert in your LEM Console.
    2. Clear the Database box to prevent your LEM Manager from storing the alert on your LEM database.
    3. Clear the Warehouse box to prevent your LEM Manager from sending the alert to an independent database warehouse.
    4. Clear the Rules box to prevent your LEM Manager from processing the alert against your LEM rules.
    5. Select any check box to enable processing for the alert at any of the four levels listed above.
  5. Click Apply to save your changes.
  6. Click Save to save your changes and exit the Alert Distribution Policy window.

Alerts with Windows security auditing provider SIDs

The following tables describe alerts located in the Event Distribution Policy of your LEM Manager. You can filter out these alerts by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. Note that LEM Manager still receives and processes these events even when the check boxes are cleared, which requires additional system resources, including memory and CPU.

SolarWinds recommends disabling WFP alerts using Group or Local Policy rather than the LEM Manager distribution policy: filtering in LEM Manager discards data you might otherwise use, and the events still have to be received and processed, so it may impact performance.

For information about disabling these alerts on a computer running WFP, see LEM Manager crashes after a high number of alerts from Windows 7 or Windows Server 2008.
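The two preceding passages recommend turning WFP auditing off at the source (Group or Local Policy) rather than in LEM Manager. The script below is an added example, not part of the SolarWinds guide: it reads and then disables the two Windows advanced audit policy subcategories that produce the WFP event IDs listed on this page, using the built-in auditpol tool. The subcategory names "Filtering Platform Packet Drop" (event 5152) and "Filtering Platform Connection" (events 5154, 5156, 5157, 5158, 5159) are standard Windows names; the function names are this example's own.

```powershell
# Added example (not from the SolarWinds guide). Run in an elevated PowerShell
# session on the host to change Local Policy. For domain-wide tuning, set the
# same two subcategories in a GPO under Computer Configuration > Policies >
# Windows Settings > Security Settings > Advanced Audit Policy Configuration >
# Object Access; a GPO that defines them will overwrite a local change on the
# next policy refresh.

$WfpSubcategories = @(
    'Filtering Platform Packet Drop',   # produces 5152 (blocked packet)
    'Filtering Platform Connection'     # produces 5154, 5156, 5157, 5158, 5159
)

function Get-WfpAuditSetting {
    # Report the current inclusion setting of each WFP subcategory.
    # "auditpol /get ... /r" prints CSV; blank lines are dropped before parsing.
    foreach ($sub in $WfpSubcategories) {
        $row = auditpol /get /subcategory:"$sub" /r |
               Where-Object { $_ -match '\S' } |
               ConvertFrom-Csv
        [PSCustomObject]@{
            Subcategory = $sub
            Setting     = $row.'Inclusion Setting'   # e.g. "Success and Failure" or "No Auditing"
        }
    }
}

function Disable-WfpAuditing {
    # Turn off both success and failure auditing for the WFP subcategories.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($sub in $WfpSubcategories) {
        if ($PSCmdlet.ShouldProcess($sub, 'Disable success and failure auditing')) {
            auditpol /set /subcategory:"$sub" /success:disable /failure:disable | Out-Null
        }
    }
    Get-WfpAuditSetting   # return the settings after the change
}

'Before:'; Get-WfpAuditSetting | Format-Table -AutoSize
Disable-WfpAuditing -WhatIf   # preview only; remove -WhatIf to apply
```

Disabling these subcategories removes the events from the Security log entirely, not just from LEM, so confirm first that no other detection or forensic process on the host depends on 5156/5157 connection records. Keep the subcategories enabled on any host where that is the case and, as the guide notes, accept the LEM load for that host.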

The ProviderSID value in each of the following alerts matches the Windows Security Auditing Event ID format, where Event ID is one of the Windows Event IDs listed in the following table.

Alert Name            Windows Event ID
--------------------  ----------------------------------
TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit   5152, 5156
PPTPTrafficAudit      5152

Table of Descriptions by Event ID

Event ID  Brief Description
--------  -------------------------------------------------------------------------------------------------------
5152      Windows Filtering Platform blocked a packet
5154      Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156      Windows Filtering Platform allowed a connection
5157      Windows Filtering Platform blocked a connection
5158      Windows Filtering Platform permitted a bind to a local port
5159      Windows Filtering Platform blocked a bind to a local port
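Before tuning WFP auditing out, it helps to know how much of a host's Security log the event IDs in the two tables above actually account for. The script below is an added example, not part of the SolarWinds guide: Measure-WfpNoise (a name chosen for this example) takes any objects with Id and TimeCreated properties, so it works on Get-WinEvent output as well as on the constructed sample built inline here, and reports the share and hourly rate of WFP events broken down by the descriptions from the table.

```powershell
# Added example (not from the SolarWinds guide). The description map is the
# table above; everything else is this example's own.

$WfpDescriptions = @{
    5152 = 'Windows Filtering Platform blocked a packet'
    5154 = 'Windows Filtering Platform permitted an application or service to listen on a port for incoming connections'
    5156 = 'Windows Filtering Platform allowed a connection'
    5157 = 'Windows Filtering Platform blocked a connection'
    5158 = 'Windows Filtering Platform permitted a bind to a local port'
    5159 = 'Windows Filtering Platform blocked a bind to a local port'
}

function Measure-WfpNoise {
    # Summarize how many of the supplied Security-log records are WFP events.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Events
    )
    begin   { $all = New-Object System.Collections.Generic.List[object] }
    process { $all.AddRange($Events) }
    end {
        $wfp   = @($all | Where-Object { $WfpDescriptions.ContainsKey([int]$_.Id) })
        # Time span of the sample, with a one-minute floor to avoid division by zero.
        $times = $all | ForEach-Object { [datetime]$_.TimeCreated } | Sort-Object
        $hours = [math]::Max(($times[-1] - $times[0]).TotalHours, 1 / 60)
        $byId  = $wfp | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
            [PSCustomObject]@{
                Id          = [int]$_.Name
                Count       = $_.Count
                Description = $WfpDescriptions[[int]$_.Name]
            }
        }
        [PSCustomObject]@{
            TotalEvents = $all.Count
            WfpEvents   = $wfp.Count
            WfpPercent  = [math]::Round(100 * $wfp.Count / [math]::Max($all.Count, 1), 1)
            WfpPerHour  = [math]::Round($wfp.Count / $hours, 1)
            ByEventId   = $byId
        }
    }
}

# Constructed sample: one hour of records from a busy host. On a real system use
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-1) }
$start  = Get-Date '2017-01-27 15:34'
$sample = @(
    foreach ($i in 1..400) { [PSCustomObject]@{ Id = 5156; TimeCreated = $start.AddSeconds($i * 9) } }
    foreach ($i in 1..150) { [PSCustomObject]@{ Id = 5152; TimeCreated = $start.AddSeconds($i * 24) } }
    foreach ($i in 1..40)  { [PSCustomObject]@{ Id = 5158; TimeCreated = $start.AddSeconds($i * 90) } }
    foreach ($i in 1..60)  { [PSCustomObject]@{ Id = 4624; TimeCreated = $start.AddSeconds($i * 60) } }   # logons
    foreach ($i in 1..10)  { [PSCustomObject]@{ Id = 4688; TimeCreated = $start.AddSeconds($i * 360) } }  # process creation
)

$result = Measure-WfpNoise -Events $sample
$result | Select-Object TotalEvents, WfpEvents, WfpPercent, WfpPerHour | Format-List
$result.ByEventId | Format-Table -AutoSize
```

Run this against a few representative hosts (a domain controller, a file server, a workstation) and compare WfpPerHour with the volume those hosts send to LEM; where WFP accounts for the large majority of events, the Group Policy tuning the guide recommends will give the biggest reduction in LEM load.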


Last modified
16:34, 27 Jan 2017
