Windows-Server-2008-R2

Event log entries for connections permitted by the Windows Firewall

  • August 15, 2019

I am seeing a lot of entries like this in the event log:

The Windows Filtering Platform has permitted a connection.
Application Information:
   Process ID:                4
   Application Name:          System
Network Information:
   Direction:                  Inbound
   Source Address:             10.xxx.xxx.xxx
   Source Port:                80
   Destination Address:        10.xxx.xxx.xxx
   Destination Port:           31773
   Protocol:                   6
Filter Information:
   Filter Run-Time ID:         67903
   Layer Name:                 Receive/Accept
   Layer Run-Time ID:          44

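We have a load balancer that checks every second whether the application is still running (health check). The log contains a large number of these entries, which makes Event Viewer slow and makes it hard to find the more interesting log entries.

How can I make sure these messages do not appear in the event log?

You can turn off this type of logging with the following command-line statement: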

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

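Found it here:

http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/

Yes, you can get rid of it in many ways..

Source: http://www.morgantechspace.com/2013/09/event-id-5156-filtering-platform.html

Solution 1: If you want to get rid of this Filtering Platform Connection event 5156, you need to run the following command in an elevated command prompt (Run as administrator):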

Auditpol /set /subcategory:"Filtering Platform Connection" /Success:disable

Then update the GPO with this command:

gpupdate /force

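Solution 2:

You can also disable Filtering Platform Connection auditing in the Advanced Audit Policy Configuration of the Local Security Policy.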

1. Press the key Windows + R
2. Type command secpol.msc, click OK
3. Then go to the node Advanced Audit Policy Configuration->Object Access.
4. Check the audit setting **Audit Filtering Platform Connection**. If it is configured as Success, you can revert it to Not Configured and apply the setting.
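
To confirm that the health check is what fills the log before changing the audit policy, the PowerShell below shows the current setting and ranks recent 5156 events by application and address pair. It is an added example, not part of the original question or answers; the sample size `$MaxEvents` is an assumption, and it must run from an elevated prompt.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs admin rights).
$MaxEvents = 5000   # assumption: sample size picked for this example

# Current audit setting for the subcategory named in the answers.
auditpol /get /subcategory:"Filtering Platform Connection"

# Most recent 5156 ("permitted a connection") events from the Security log.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } `
                         -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output 'No 5156 events found; success auditing may already be disabled.'
    return
}

# Flatten the named <Data> fields of each event into an object.
$rows = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Application   = $fields['Application']
        SourceAddress = $fields['SourceAddress']
        DestAddress   = $fields['DestAddress']
    }
}

# Events are returned newest first, so the sample spans from the last item to the first.
$seconds = ($events[0].TimeCreated - $events[-1].TimeCreated).TotalSeconds
Write-Output ("{0} events over {1:N0} seconds" -f $events.Count, $seconds)

# Top talkers: a once-per-second health check should dominate this table.
$rows | Group-Object Application, SourceAddress, DestAddress |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

Re-running the `auditpol /get` line after applying either answer shows whether Success auditing is still on for the subcategory.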

Quoted from: https://serverfault.com/questions/433669