https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363119#M66174 <P>The excessive WinEventLog:Security events started the day some updates were pushed to the machine:<BR /> Microsoft Security Update for .NET <BR /> McAfee product updates (including Firewall update)</P> <P>Hmm... But it could have been something else that triggered it too.</P> Tue, 03 Oct 2017 21:01:23 GMT nk-1 2017-10-03T21:01:23Z https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363117#M66172 <P>Splunk Universal Forwarder is v6.4.x<BR /> Splunk Server is v6.5.x</P> <P>In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf , I have:</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> index = wmi</P> <P>I would normally see about 240 WinEventLog://Security "splunkd.exe" events logged per hour (for weeks).<BR /> Suddenly, that number jumped to over 4 million WinEventLog://Security "splunkd.exe" events logged per hour, and my indexing limit was exceeded.</P> <P>Here's what gets logged:</P> <P>TIMESTAMP<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=5156<BR /> EventType=0<BR /> Type=Information <BR /> ComputerName=HOSTNAME <BR /> TaskCategory=Filtering Platform Connection <BR /> OpCode=Info <BR /> RecordNumber=X<BR /> Keywords=Audit Success <BR /> Message=The Windows Filtering Platform has permitted a connection. </P> <P>Application Information: <BR /> Process ID: XXX <BR /> Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe </P> <P>Network Information: <BR /> Direction: Outbound <BR /> Source Address: 10.X.X.X <BR /> Source Port: XXX <BR /> Destination Address: 172.X.X.X <BR /> Destination Port: XXX <BR /> Protocol: 6 </P> <P>Filter Information: <BR /> Filter Run-Time ID: XXX <BR /> Layer Name: Connect <BR /> Layer Run-Time ID: X</P> <P>What could have possibly changed in a Windows machine that suddenly makes it log so much WinEventLog:Security "splunkd.exe" events?</P> <P>I could set disabled=1, but then I'd lose the ability to track who is logging in/out of that machine.<BR /> Is there any way to just omit logging these kind of "Audit Success" / "The Windows Filtering Platform has permitted a connection" events?</P> Tue, 29 Sep 2020 16:00:03 GMT https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363117#M66172 nk-1 2020-09-29T16:00:03Z https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363118#M66173 <P>Found an answer right here - <A href="http://answers.splunk.com/answers/53422/eventcode-5156.html">http://answers.splunk.com/answers/53422/eventcode-5156.html</A></P> <P><CODE><BR /> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable<BR /> </CODE></P> Tue, 03 Oct 2017 00:12:23 GMT https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363118#M66173 nk-1 2017-10-03T00:12:23Z https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363119#M66174 <P>The excessive WinEventLog:Security events started the day some updates were pushed to the machine:<BR /> Microsoft Security Update for .NET <BR /> McAfee product updates (including Firewall update)</P> <P>Hmm... But it could have been something else that triggered it too.</P> Tue, 03 Oct 2017 21:01:23 GMT https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363119#M66174 nk-1 2017-10-03T21:01:23Z https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363120#M66175 <P>Did you ever figure out why the "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe" was making excessive connections to the machine? I have also run into this issue, but would like to know the root cause of excessive connections, and not excessive logs.</P> Wed, 16 May 2018 18:54:23 GMT https://community.splunk.com/t5/Getting-Data-In/Sudden-excessive-WinEventLog-Security-events-involving-splunkd/m-p/363120#M66175 chanthongphiob 2018-05-16T18:54:23Z