I have seen a large number of logs with Event ID 5156 while working with File System Auditing, where this event is being repeatedly logged on my Server 2008 R2 machine.
After analyzing why Event ID 5156 was being repeatedly logged, I found the solutions below to stop Event ID 5156 from being logged continuously.
Event ID 5156 is logged when Success or Failure auditing is enabled for Filtering Platform Connection in the Advanced Audit Policy Configuration settings, which are available from Windows 2008 R2 and later versions.
Category: Object Access
Subcategory: Filtering Platform Connection
You will get the following Event IDs if Filtering Platform Connection auditing is enabled.
5031 – The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5154 – The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 – The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 – The Windows Filtering Platform has allowed a connection
5157 – The Windows Filtering Platform has blocked a connection
5158 – The Windows Filtering Platform has permitted a bind to a local port.
5159 – The Windows Filtering Platform has blocked a bind to a local port.
We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.
Possible Solution: 1 – using Auditpol.exe
If you would like to get rid of this Filtering Platform Connection event 5156 then you need to run the following commands in an elevated command prompt (Run As Administrator):
Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable
Then update Group Policy with this command:
gpupdate /force
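To confirm the change took effect and was not put back by a GPO, the setting can be read before and after. The following PowerShell is an added example, not part of the original post; the function and variable names are illustrative, and it assumes an English-language Windows installation (auditpol's CSV column names are localized) and an elevated prompt.

```powershell
# Added example: verify the audit setting before and after the change.
# Function and variable names are illustrative (not from the original post).
$sub = 'Filtering Platform Connection'

function Get-SubcategorySetting([string]$Name) {
    # /r prints the policy as CSV; drop blank lines before parsing.
    $rows = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ } | ConvertFrom-Csv
    # 'Inclusion Setting' is the column name on English systems (assumption).
    ($rows | Where-Object { $_.Subcategory -eq $Name }).'Inclusion Setting'
}

function Get-RecentCount([int[]]$Ids, [int]$Minutes) {
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent raises an error when nothing matches, so suppress it and count.
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
}

$before = Get-SubcategorySetting $sub
"Current setting: $before"
"5156 events in the last 10 minutes: $(Get-RecentCount 5156 10)"

if ($before -match 'Success') {
    # Same command as above: only Success auditing is switched off,
    # so a configured Failure setting is left as it is.
    auditpol /set /subcategory:"$sub" /success:disable | Out-Null
}

# Refresh policy, then read the setting back. If Success reappears here,
# a GPO is enforcing it and the change has to be made in that GPO (Solution 3).
gpupdate /force | Out-Null
$after = Get-SubcategorySetting $sub
"Setting after gpupdate: $after"
if ($after -match 'Success') {
    Write-Warning "Success auditing for '$sub' was re-applied by policy."
}
```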
Possible Solution: 2 – using Local Security Policy
You can also disable Filtering Platform Connection in Advanced Audit Policy Configuration of Local Security Policy.
1. Press the key Windows + R
2. Type command secpol.msc, click OK
3. Then go to the node Advanced Audit Policy Configuration->Object Access.
4. Check the audit setting Audit Filtering Platform Connection. If it is configured as Success, you can revert it to Not Configured and apply the setting.
Possible Solution: 3 – using Group Policy Object
If the setting is inherited from another GPO into Local Security Policy, you need to edit the specific GPO that is configured with the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.
1. Press the key Windows + R
2. Type command rsop.msc, click OK.
3. Now you can see the result window. Then go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.
4. Now, you can see the Source GPO of the setting Audit Object Access which is the root Setting for Audit Filtering Platform Connection.
5. Then you can edit the Audit Filtering Platform Connection setting of the corresponding GPO by running the GPMC.msc command from the Run window or a command window.
Note: You need to run the command GPUpdate /force after every change to apply Group Policy to the system immediately.
Thanks,
Morgan
Software Developer