Monday, November 29, 2010

Windows Auditing can be annoying. (Shut up already)

My audit logs were filling up with a bunch of B.S. from perfectly good packets being successfully sent and received (event IDs 5152 and 5157). By default, Windows thinks you want all of these packets logged... and perhaps some admins do. But they can be logged in the firewall log, so I don't want them in the event log too. (The default location of the Windows Firewall log is "C:\Windows\system32\LogFiles\Firewall\pfirewall.log".) So after a bunch of googling, I found several answers that almost worked. Here is what really worked for me on Windows 2008 R2 and R1:


auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

So there you go, save some audit log space for something that matters, like non-firewall stuff.
-Bryan

(Oh, and one more thing: if you want to create a Group Policy for this, it is under
Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies --> Object Access. Then double click "Audit Filtering Platform Connection" and check only the box next to "Configure the following audit events." DO NOT CLICK THE OTHER TWO BOXES. Repeat for "Audit Filtering Platform Packet Drop" too. If this does not work, edit your GPO to include the policy outlined in Method 1, steps 2 and 3 from http://support.microsoft.com/kb/921468 . REMEMBER, THE GPO MIGHT TAKE SOME TIME, so if you don't reboot, give it at least 90 min before you give up on the GPO idea.)
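Here is an added PowerShell wrapper for the same change (my own script, not from Bryan's post) that records the current setting of both subcategories, checks that the firewall log is actually switched on so the 5152/5157 detail is not simply lost, then runs the two auditpol commands and re-reads the result. It assumes an elevated prompt on Windows 2008 R2 or later and the English (en-US) subcategory names, since auditpol names are localized.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt.
# Assumes en-US subcategory names; a domain GPO with Advanced Audit Policy settings will
# overwrite what auditpol /set does at the next refresh, so make the same change in the
# GPO as the post describes (see the KB it links) if the box is domain-joined.
$subcategories = @("Filtering Platform Packet Drop", "Filtering Platform Connection")

function Get-AuditSetting([string]$Name) {
    # auditpol /get ... /r prints CSV; the "Inclusion Setting" column is what we want,
    # e.g. "Success and Failure" or "No Auditing".
    $row = auditpol /get /subcategory:"$Name" /r |
           Where-Object { $_ } | ConvertFrom-Csv |
           Where-Object { $_.Subcategory -eq $Name }
    if ($row) { $row.'Inclusion Setting' } else { "unknown (check locale/elevation)" }
}

function Count-RecentWfpEvents([int]$Hours = 1) {
    # How much noise 5152/5157 are producing right now; used as a before/after gauge.
    $since = (Get-Date).AddHours(-$Hours)
    try {
        @(Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 5152, 5157; StartTime = $since } `
            -ErrorAction Stop).Count
    } catch { 0 }   # Get-WinEvent errors out when nothing matches
}

function Show-FirewallLogging {
    # The firewall log is the replacement for these events, so confirm it is enabled
    # per profile before turning the auditing off. Default file is pfirewall.log.
    netsh advfirewall show allprofiles |
        Select-String "Profile Settings|LogAllowedConnections|LogDroppedConnections|FileName"
}

foreach ($s in $subcategories) { "{0,-34} before: {1}" -f $s, (Get-AuditSetting $s) }
"5152/5157 events in the last hour: $(Count-RecentWfpEvents)"
Show-FirewallLogging

# The two commands from the post, applied to each subcategory.
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:disable /failure:disable | Out-Null
    "{0,-34} after:  {1}" -f $s, (Get-AuditSetting $s)
}
```

If the "after" line still shows "Success and Failure", a GPO is winning; fix it there and re-run after a gpupdate /force.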