Collect Windows Filtering Platform (WFP) events in SEM
Windows Filtering Platform (WFP) logs firewall and IPsec related events to the System Security log. These alerts are background events that require additional SEM resources to process and are not recommended for an optimized SEM deployment.
About Windows WFP events and SEM performance
By default, WFP logging is disabled in the Windows Security Log connector. Tuning out Windows noise in group policies has the following advantages:
- Reduces the space that these events occupy in the Security Event log
- Reduces network activity
- Reduces demand on SEM system resources (such as CPU, memory, and disk space)
The Windows Security Log connector stopped collecting WFP data in SEM version 6.2.
Configure SEM to collect WFP events (Optional)
If necessary, you can enable WFP event logging in SEM.
SolarWinds strongly recommends that you keep WFP logging turned off.
To collect WFP events in SEM, configure the Windows Filtering Platform Events connector. Enabling this connector will result in SEM collecting a huge volume of data. To manage this data, see the following sections.
Improve SEM performance by tuning Windows WFP events
If you collect WFP events in SEM, SolarWinds recommends tuning WFP in your Active Directory group policies to decrease the load that background events place on the SEM Manager. The following tables describe alerts located in the Event Distribution Policy in SEM Manager. You can filter out these events by clearing the appropriate check boxes in the Console, Database, Warehouse, and Rules columns. SEM will process the remaining events.
In SEM, the terms event and alert are interchangeable.
SolarWinds recommends disabling WFP alerts using Group or Local Policy.
The ProviderSID value in the following alerts match the
Windows Security Auditing Event ID format where
Event ID is one of the Windows Event IDs listed in the following table.
|Alert Name||Windows Event ID|
|TCPTrafficAudit||5152, 5154, 5156, 5157, 5158, 5159|
|IPTrafficAudit||5152, 5154, 5156, 5157, 5158, 5159|
|UDPTrafficAudit||5152, 5154, 5156, 5157, 5158, 5159|
|ICMPTrafficAudit||5152, 5156, 5157, 5158, 5159|
Table of Descriptions by Event ID
|Event ID||Brief Description|
|5152||Windows Filtering Platform blocked a packet|
|5154||Windows Filtering Platform permitted an application or service to listen on a port for incoming connections|
|5156||Windows Filtering Platform allowed a connection|
|5157||Windows Filtering Platform blocked a connection|
|5158||Windows Filtering Platform permitted a bind to a local port|
|5159||Windows Filtering Platform blocked a bind to a local port|