Collect Windows Filtering Platform (WFP) events in SEM

Windows Filtering Platform (WFP) logs firewall and IPsec related events to the System Security Log. These alerts are background events that require additional SEM resources to process and are not recommended for an optimized SEM deployment.

About Windows WFP events and SEM performance

By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows noise in group policies has the following advantages:

  • Reduces the space that these events occupy in the Security Event log
  • Reduces network activity
  • Reduces demand on SEM system resources (such as CPU, memory, and disk space)

The Windows Security Log connector stopped collecting WFP data in SEM version 6.2.

Configure SEM to collect WFP events (Optional)

If necessary, you can enable WFP event logging in SEM.

SolarWinds strongly recommends that you keep WFP logging turned off.

To collect WFP events in SEM, configure the Windows Filtering Platform Events connector. Enabling this connector will result in SEM collecting a huge volume of data. To manage this data, see the following sections.

Improve SEM performance by tuning Windows WFP events

If you collect WFP events in SEM, SolarWinds recommends tuning WFP in your Active Directory group policies to decrease the load that background events place on the SEM Manager. The following tables describe alerts located in the Event Distribution Policy in SEM Manager. You can filter out these events by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. SEM will process the remaining events.

In SEM, the terms event and alert are interchangeable.

SolarWinds recommends disabling WFP alerts using Group or Local Policy.

The ProviderSID value in each of the following alerts matches the Windows Security Auditing Event ID format, where Event ID is one of the Windows Event IDs listed in the following table.

Alert Name            Windows Event ID
TCPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
IPTrafficAudit        5152, 5154, 5156, 5157, 5158, 5159
UDPTrafficAudit       5152, 5154, 5156, 5157, 5158, 5159
ICMPTrafficAudit      5152, 5156, 5157, 5158, 5159
RoutingTrafficAudit   5152, 5156
PPTPTrafficAudit      5152

Table of Descriptions by Event ID

Event ID   Brief Description
5152       Windows Filtering Platform blocked a packet
5154       Windows Filtering Platform permitted an application or service to listen on a port for incoming connections
5156       Windows Filtering Platform allowed a connection
5157       Windows Filtering Platform blocked a connection
5158       Windows Filtering Platform permitted a bind to a local port
5159       Windows Filtering Platform blocked a bind to a local port
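The following PowerShell script is an added example, not part of the SolarWinds documentation or the SEM product. It measures how many of the WFP event IDs listed above a host wrote to its Security log in the last 24 hours (so the volume SEM would have to ingest is visible before you decide), then shows the two advanced audit subcategories that generate them. It assumes an elevated prompt and English subcategory names for auditpol.exe.

```powershell
# Added example (not SolarWinds code): size the WFP noise on one host and show
# the audit subcategories behind it. Run from an elevated PowerShell prompt.
# Assumes English-locale subcategory names for auditpol.exe.

$wfpIds = 5152, 5154, 5156, 5157, 5158, 5159   # IDs from the SEM tables above
$since  = (Get-Date).AddHours(-24)

# 1. Quantify the noise: count Security-log events per ID over the last 24 hours.
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $wfpIds; StartTime = $since
    } -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = @()
}
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
"Total WFP events in the last 24 hours: $($events.Count)"

# 2. Show the current audit setting for the subcategories that emit these IDs:
#    5152 comes from "Filtering Platform Packet Drop";
#    5154-5159 come from "Filtering Platform Connection".
auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"

# 3. Local Policy only: uncomment to set both subcategories to "No Auditing" on
#    this host. For domain-wide tuning, set the same two subcategories in a GPO
#    under Computer Configuration > Policies > Windows Settings > Security
#    Settings > Advanced Audit Policy Configuration > Audit Policies >
#    Object Access, which is what the SEM guidance above refers to.
# auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
# auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
```

Re-run step 1 after the policy change has been applied to confirm the per-ID counts drop to zero; if 5152 keeps appearing, a GPO is still enabling Packet Drop auditing and overriding the local setting.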