topic Re: EventCode 5156 in Getting Data In

EventCode 5156

splunktp — Wed, 18 Jul 2012 07:59:05 GMT

Hi Guys,

We are using Splunk version 4.3.1, build 119532 on both the Indexer and the Universal Forwarder.

Over the past 48 hours, were seeing a lot of MS EVentCode 5156 on our environment. One machine (FileServer) is shwoing that 99% of the event is being generated by the splunkd.exe. This event was generated more than 1 million times which is very unusual. We have a few dozen windows machines installed with Splunk Universal Forwarder and only this machine is generating this "noise".

The amount of log being generated by this event is eating our 10GB/day license. Can anyone please help me on how to correct this?

=============================================================================================

“The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1936 Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 172.24.1.55 Source Port: 49196 Destination Address: 172.16.0.81 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Connect Layer Run-Time ID: 48”

=============================================================================================

Thanks you very much.

Re: EventCode 5156

lguinn2 — Wed, 18 Jul 2012 15:32:03 GMT

I am no expert on Windows and the "Filtering Platform" - but this looks some sort of firewall setting to me. I expect that this message is being generated each time the Universal Forwarder sends a packet to the indexer.

There is obviously some setting that needs to be changed on the file server. Sorry I can't help you with exactly what that is. What's different about the firewall settings on this server?

However, I can tell you how to filter these events so that they don't chew up your Splunk license.

On the indexer, add the following to your props.conf and transforms.conf, where TheHost represents the host name (in Splunk) of the Universal Forwarder with issues:

props.conf

[host::TheHost]
TRANSFORMS-t1=eliminate-splunkd-5136

transforms.conf

[eliminate-splunkd-5136]
REGEX=5156.*splunkd.exe
DEST_KEY=queue
FORMAT=nullQueue

You might be able to make the REGEX a bit cleaner, but I think that will work. Here is the relevant discussion in the manual.

Re: EventCode 5156

jbsplunk — Wed, 18 Jul 2012 15:40:44 GMT

That is a valid event from my perspective. You're WFP is set to log permitted connections. This is entirely a function of your operating system, and if you wanted to figure out why, you could use a tool like process monitor to see what is happening just prior to the event, which should tell you why it is triggering.

My suggestion would be to disable successful auditing for connections. I don't think you can do this via the GUI, but disable specific subcategories with Auditpol.exe. This may or may not be acceptable to admins, but the command to run is:

auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:enable

Re: EventCode 5156

yannK — Tue, 23 Jul 2013 16:11:40 GMT

There is a way in win 2008 to disable those events at the source, with the audit policies.
see http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-has-allowed-a-connection/

Re: EventCode 5156

greyf1r3 — Wed, 12 Sep 2018 18:58:55 GMT

From Windows Splunk Logging Cheat Sheet

Filter by Message, NOT by Event Code: It is common to blacklist event codes that are noisy or excessive that
impacts storage and licensing. By enabling Process Creation Success (4688) Process Terminate (4689) and Windows
Firewall Filtering Platform Connection Success (5156 & 5158) they will be the top four event codes in your Splunk
index. Filtering by the content of the Message or Field name is the better way to go. Once you understand what
normal noise is, has minimal risk to be exploited or important to security monitoring you can filter those out at the
client or server. For Windows, Splunk limits the blacklist to only 10 entries, so you will need to chain similar events
in one line. Here is an example of a proper exclusion:
[WinEventLog://Security]
disabled=0
current_only=1
blacklist = 4689,5158
blacklist1 = EventCode="4688" Message="(?:New Process
Name:).+(?:SplunkUniversalForwarder\bin\splunk.exe)|.+(?:SplunkUniversalForwarder\bin\splunkd.exe)|.+(?:Splunk
UniversalForwarder\bin\btool.exe)"
blacklist2 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\bin\splunkwinprintmon.exe)|.+(?:SplunkUniversalForwarder\bin\splunkpowershell.exe)|.+(?:SplunkUniversalForwarder\bin\splunkregmon.exe)|.+(?:SplunkUniversalForwarder\bin\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\bin\splunkadmon.exe)|.+(?:SplunkUniversalForwarder\bin\splunkMonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\bin\splunkwinevtlog.exe)|.+(?:SplunkUniversalForwarder\bin\splunkperfmon.exe)|.+(?:SplunkUniversalForwarder\bin\splunk-wmi.exe)"
blacklist3 = EventCode="4688" Message="(?:Process Command Line:).+(?:--scheme)|.+(?:--no-log)|.+(?:-Embedding)"