{"id":1460,"date":"2016-10-28T17:15:29","date_gmt":"2016-10-29T00:15:29","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=1460"},"modified":"2016-10-28T17:15:29","modified_gmt":"2016-10-29T00:15:29","slug":"auditpol-windows-filtering-platform-event-id-5157","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=1460","title":{"rendered":"Auditpol &#8211; Windows Filtering Platform &#8211; Event ID: 5157"},"content":{"rendered":"<p>Enough is enough.  I&#8217;ll turn it on when I need it or have infinite resources to manage the logs when I have Filtering Platform logging enabled.  In my case, I was getting a lot of messages for event ID 5157 (&#8220;The Windows Filtering Platform has blocked a connection.&#8221;).  For now, how do you turn this off in Windows Server 2012 R2?<\/p>\n<p>To list all the categories:<\/p>\n<blockquote><p>C:\\>auditpol \/list \/category<br \/>\nCategory\/Subcategory<br \/>\nAccount Logon<br \/>\nAccount Management<br \/>\nDetailed Tracking<br \/>\nDS Access<br \/>\nLogon\/Logoff<br \/>\nObject Access<br \/>\nPolicy Change<br \/>\nPrivilege Use<br \/>\nSystem<\/p><\/blockquote>\n<p>To get a list of any sub-categories for a category:<\/p>\n<blockquote><p>auditpol \/get \/category:&quot;Account Logon&quot;<br \/>\nauditpol \/get \/category:&quot;Account Management&quot;<br \/>\nauditpol \/get \/category:&quot;Detailed Tracking&quot;<br \/>\nauditpol \/get \/category:&quot;DS Access&quot;<br \/>\nauditpol \/get \/category:&quot;Logon\/Logoff&quot;<br \/>\nauditpol \/get \/category:&quot;Object Access&quot;<br \/>\nauditpol \/get \/category:&quot;Policy Change&quot;<br \/>\nauditpol \/get \/category:&quot;Privilege Use&quot;<br \/>\nauditpol \/get \/category:&quot;System&quot;<\/p><\/blockquote>\n<p>I have picked on the sub-categories under the &#8220;Object Access&#8221; category, because that is where the Filtering Platform settings exist.  
To see the current settings for a sub-category:<\/p>\n<blockquote><p>auditpol \/get \/subcategory:&quot;Filtering Platform Packet Drop&quot;<br \/>\nauditpol \/get \/subcategory:&quot;Filtering Platform Connection&quot;<br \/>\nauditpol \/get \/subcategory:&quot;IPsec Driver&quot;<br \/>\nauditpol \/get \/subcategory:&quot;IPsec Main Mode&quot;<br \/>\nauditpol \/get \/subcategory:&quot;IPsec Quick Mode&quot;<br \/>\nauditpol \/get \/subcategory:&quot;IPsec Extended Mode&quot;<\/p><\/blockquote>\n<p>Example:<\/p>\n<blockquote><p>C:\\>auditpol \/get \/subcategory:&quot;Filtering Platform Connection&quot;<br \/>\nSystem audit policy<br \/>\nCategory\/Subcategory                      Setting<br \/>\nObject Access<br \/>\n  Filtering Platform Connection           Success and Failure<\/p><\/blockquote>\n<p>To disable all audit logging for some sub-categories:<\/p>\n<blockquote><p>auditpol \/set \/subcategory:&quot;Filtering Platform Packet Drop&quot; \/success:disable \/failure:disable<br \/>\nauditpol \/set \/subcategory:&quot;Filtering Platform Connection&quot; \/success:disable \/failure:disable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Driver&quot; \/success:disable \/failure:disable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Main Mode&quot; \/success:disable \/failure:disable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Quick Mode&quot; \/success:disable \/failure:disable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Extended Mode&quot; \/success:disable \/failure:disable<\/p><\/blockquote>\n<p>Checking the setting again after disabling it:<\/p>\n<blockquote><p>C:\\>auditpol \/get \/subcategory:&quot;Filtering Platform Connection&quot;<br \/>\nSystem audit policy<br \/>\nCategory\/Subcategory                      Setting<br \/>\nObject Access<br \/>\n  Filtering Platform Connection           No Auditing<\/p><\/blockquote>\n<p>Or to enable all audit logging for some sub-categories:<\/p>\n<blockquote><p>auditpol \/set \/subcategory:&quot;Filtering Platform Packet 
Drop&quot; \/success:enable \/failure:enable<br \/>\nauditpol \/set \/subcategory:&quot;Filtering Platform Connection&quot; \/success:enable \/failure:enable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Driver&quot; \/success:enable \/failure:enable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Main Mode&quot; \/success:enable \/failure:enable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Quick Mode&quot; \/success:enable \/failure:enable<br \/>\nauditpol \/set \/subcategory:&quot;IPsec Extended Mode&quot; \/success:enable \/failure:enable<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Enough is enough. I&#8217;ll turn it on when I need it or have infinite resources to manage the logs when I have Filtering Platform logging enabled. In my case, I was getting a lot of messages for event ID 5157 (&#8220;The Windows Filtering Platform has blocked a connection.&#8221;). For now, how do you turn this off [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[436,435,437,36],"class_list":["post-1460","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-436","tag-audit","tag-filter","tag-windows"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1460"}],"version-history":[{"count":2,"href":"https:\/\/jim-zimmerman
.com\/index.php?rest_route=\/wp\/v2\/posts\/1460\/revisions"}],"predecessor-version":[{"id":1462,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1460\/revisions\/1462"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}