
EventCode 5156


Hi Guys,

We are using Splunk version 4.3.1, build 119532 on both the Indexer and the Universal Forwarder.

Over the past 48 hours, we're seeing a lot of MS EventCode 5156 in our environment. One machine (FileServer) is showing that 99% of the events are being generated by splunkd.exe. This event was generated more than 1 million times, which is very unusual. We have a few dozen Windows machines installed with the Splunk Universal Forwarder and only this machine is generating this "noise".

The amount of log data being generated by this event is eating our 10GB/day license. Can anyone please help me with how to correct this?


“The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1936 Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: Source Port: 49196 Destination Address: Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Connect Layer Run-Time ID: 48”


Thank you very much.



From Windows Splunk Logging Cheat Sheet

Filter by Message, NOT by Event Code: It is common to blacklist event codes that are noisy or excessive and that impact storage and licensing. By enabling Process Creation Success (4688), Process Terminate (4689) and Windows Firewall Filtering Platform Connection Success (5156 & 5158), they will be the top four event codes in your Splunk index. Filtering by the content of the Message or Field name is the better way to go. Once you understand what normal noise is, what has minimal risk of being exploited, and what is important to security monitoring, you can filter those out at the client or server. For Windows, Splunk limits the blacklist to only 10 entries, so you will need to chain similar events in one line. Here is an example of a proper exclusion:
blacklist = 4689,5158
blacklist1 = EventCode="4688" Message="(?:New Process
blacklist2 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunkwinprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkpowershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkregmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkadmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkMonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkwinevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkperfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)"
blacklist3 = EventCode="4688" Message="(?:Process Command Line:).+(?:--scheme)|.+(?:--no-log)|.+(?:-Embedding)"

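The cheat sheet's advice is to filter on the Message text rather than dropping the whole event code, and to test the regex before it goes into inputs.conf, because a blacklist entry that is too broad silently discards events you cannot get back. The following is an added example, not code from this thread, from the cheat sheet, or from Splunk: a small dry-run harness that parses a constructed `[WinEventLog:Security]` stanza and applies its blacklist entries to constructed sample events. It assumes Splunk evaluates a `blacklist<N> = Key="regex" Key="regex"` entry by matching each regex against the named field and drops the event only when every regex matches, and it uses Python's `re` as a stand-in for Splunk's PCRE engine. The 5156 rule is deliberately narrow (splunkd.exe to the indexer port 9997 only), so permitted-connection events from every other process, and from splunkd to any other port, still reach the index.

```python
"""Dry-run a Splunk Windows event log blacklist against constructed events.

Added example for the Splunk Community thread; not code from the thread, the
cheat sheet, or Splunk. Assumption: Splunk applies each Key="regex" pair of a
blacklist<N> entry to the named event field and drops the event only if all
pairs match (search semantics, PCRE). Python's re stands in for PCRE here.
INPUTS_CONF and every sample event below are constructed for this demo.
"""
import configparser
import re

# Constructed inputs.conf fragment. The 5156 rule drops WFP "permitted
# connection" events only when the application is splunkd.exe AND the
# destination is the indexer port 9997. The 4688 rule drops process-creation
# events for the forwarder's own helper binaries under SplunkUniversalForwarder\bin.
INPUTS_CONF = r"""
[WinEventLog:Security]
disabled = 0
blacklist = EventCode="5156" Message="(?si)Application Name:[^\r\n]*\\splunkd\.exe.*Destination Port:\s*9997\b"
blacklist1 = EventCode="4688" Message="(?si)New Process Name:[^\r\n]*\\SplunkUniversalForwarder\\bin\\splunk[-\w]*\.exe"
"""

# One Key="regex" pair inside a blacklist value (the regexes above contain no quotes).
_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blacklist(conf_text):
    """Return [(entry_name, {field: compiled_regex})] for every blacklist* key
    in the [WinEventLog:Security] stanza, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    entries = []
    for key, raw in cp["WinEventLog:Security"].items():
        if re.fullmatch(r"blacklist\d*", key):
            rules = {field: re.compile(pattern) for field, pattern in _PAIR_RE.findall(raw)}
            entries.append((key, rules))
    return entries


def matching_entry(event, entries):
    """Name of the first blacklist entry whose regexes all match the event, else None."""
    for name, rules in entries:
        if all(rx.search(event.get(field, "")) for field, rx in rules.items()):
            return name
    return None


def _wfp_event(app_path, dst_port):
    # Constructed 5156 body in the multi-line shape Windows writes it in.
    return ("The Windows Filtering Platform has permitted a connection.\r\n\r\n"
            "Application Information:\r\n\tProcess ID:\t\t1936\r\n"
            f"\tApplication Name:\t{app_path}\r\n\r\n"
            "Network Information:\r\n\tDirection:\t\tOutbound\r\n"
            "\tSource Address:\t\t10.0.0.5\r\n\tSource Port:\t\t49196\r\n"
            f"\tDestination Address:\t10.0.0.10\r\n\tDestination Port:\t\t{dst_port}\r\n"
            "\tProtocol:\t\t6\r\n")


# Constructed sample events: two that the rules should drop, three they must keep.
SAMPLE_EVENTS = [
    {"label": "5156 splunkd -> indexer:9997", "EventCode": "5156",
     "Message": _wfp_event(r"\device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe", 9997)},
    {"label": "5156 splunkd -> 8089", "EventCode": "5156",
     "Message": _wfp_event(r"\device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe", 8089)},
    {"label": "5156 svchost -> 443", "EventCode": "5156",
     "Message": _wfp_event(r"\device\harddiskvolume2\windows\system32\svchost.exe", 443)},
    {"label": "4688 splunk-admon.exe", "EventCode": "4688",
     "Message": ("A new process has been created.\r\n\r\nProcess Information:\r\n"
                 "\tNew Process ID:\t\t0x1a2c\r\n"
                 "\tNew Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe\r\n")},
    {"label": "4688 cmd.exe", "EventCode": "4688",
     "Message": ("A new process has been created.\r\n\r\nProcess Information:\r\n"
                 "\tNew Process ID:\t\t0x0f10\r\n"
                 "\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\r\n")},
]


def dry_run(conf_text=INPUTS_CONF, events=SAMPLE_EVENTS):
    """Map each sample label to the blacklist entry that would drop it (None = kept)."""
    entries = parse_blacklist(conf_text)
    return {ev["label"]: matching_entry(ev, entries) for ev in events}


if __name__ == "__main__":
    for label, dropped_by in dry_run().items():
        print(f"{label:32} -> {'DROP by ' + dropped_by if dropped_by else 'keep'}")
```

Running the script prints which constructed samples each entry would drop; only the splunkd-to-9997 connection and the forwarder helper process creation are discarded, while the svchost connection, the splunkd connection to another port and the cmd.exe process creation are kept. A blacklist entry like this stops the events at the forwarder, so they never count against the license; the audit-policy route in the other answers stops Windows writing them at all, which also removes them from the local Security log. Choose based on how much of the WFP record you want to keep on the host itself.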

Splunk Employee

There is a way in Windows 2008 to disable those events at the source, with the audit policies.


Splunk Employee

That is a valid event from my perspective. Your WFP is set to log permitted connections. This is entirely a function of your operating system, and if you wanted to figure out why, you could use a tool like Process Monitor to see what is happening just prior to the event, which should tell you why it is triggering.

My suggestion would be to disable successful auditing for connections. I don't think you can do this via the GUI, but you can disable specific subcategories with Auditpol.exe. This may or may not be acceptable to admins, but the command to run is:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable


I am no expert on Windows and the "Filtering Platform" - but this looks like some sort of firewall setting to me. I expect that this message is being generated each time the Universal Forwarder sends a packet to the indexer.

There is obviously some setting that needs to be changed on the file server. Sorry I can't help you with exactly what that is. What's different about the firewall settings on this server?

However, I can tell you how to filter these events so that they don't chew up your Splunk license.

On the indexer, add the following to your props.conf and transforms.conf, where TheHost represents the host name (in Splunk) of the Universal Forwarder with issues:





You might be able to make the REGEX a bit cleaner, but I think that will work. Here is the relevant discussion in the manual.
