
EventCode 5156

splunktp
Explorer

Hi Guys,

We are using Splunk version 4.3.1, build 119532 on both the Indexer and the Universal Forwarder.

Over the past 48 hours, we're seeing a lot of MS EventCode 5156 in our environment. One machine (FileServer) is showing that 99% of the events are being generated by splunkd.exe. This event was generated more than 1 million times, which is very unusual. We have a few dozen Windows machines installed with the Splunk Universal Forwarder and only this machine is generating this "noise".

The amount of log data being generated by this event is eating our 10GB/day license. Can anyone please help me with how to correct this?

=============================================================================================

“The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1936 Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 172.24.1.55 Source Port: 49196 Destination Address: 172.16.0.81 Destination Port: 9997 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Connect Layer Run-Time ID: 48”

=============================================================================================

Thank you very much.


greyf1r3
Engager

From the Windows Splunk Logging Cheat Sheet:

Filter by Message, NOT by Event Code: It is common to blacklist event codes that are noisy or excessive and that impact storage and licensing. By enabling Process Creation Success (4688), Process Terminate (4689) and Windows Firewall Filtering Platform Connection Success (5156 & 5158), they will be the top four event codes in your Splunk index. Filtering by the content of the Message or Field name is the better way to go. Once you understand what normal noise is, what has minimal risk of being exploited, or what is important to security monitoring, you can filter those out at the client or server. For Windows, Splunk limits the blacklist to only 10 entries, so you will need to chain similar events in one line. Here is an example of a proper exclusion:

[WinEventLog://Security]
disabled=0
current_only=1
# Whole event codes dropped at the forwarder
blacklist = 4689,5158
# Message patterns are PCRE: a literal backslash in the path is written \\ (an unescaped \b is a word boundary and \s is whitespace), and the dot in .exe is escaped
blacklist1 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd\.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool\.exe)"
blacklist2 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunkwinprintmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkpowershell\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkregmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkadmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkMonitorNoHandle\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkwinevtlog\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkperfmon\.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi\.exe)"
blacklist3 = EventCode="4688" Message="(?:Process Command Line:).+(?:--scheme)|.+(?:--no-log)|.+(?:-Embedding)"


yannK
Splunk Employee

There is a way in Windows 2008 to disable those events at the source, with the audit policies.
See http://www.cupfighter.net/index.php/2009/10/get-rid-of-event-id-5156-the-windows-filtering-platform-...


jbsplunk
Splunk Employee

That is a valid event from my perspective. Your WFP is set to log permitted connections. This is entirely a function of your operating system, and if you wanted to figure out why, you could use a tool like Process Monitor to see what is happening just prior to the event, which should tell you why it is triggering.

My suggestion would be to disable successful auditing for connections. I don't think you can do this via the GUI, but you can disable specific subcategories with Auditpol.exe. This may or may not be acceptable to admins, but the command to run is:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

lguinn2
Legend

I am no expert on Windows and the "Filtering Platform" - but this looks like some sort of firewall setting to me. I expect that this message is being generated each time the Universal Forwarder sends a packet to the indexer.

There is obviously some setting that needs to be changed on the file server. Sorry I can't help you with exactly what that is. What's different about the firewall settings on this server?

However, I can tell you how to filter these events so that they don't chew up your Splunk license.

On the indexer, add the following to your props.conf and transforms.conf, where TheHost represents the host name (in Splunk) of the Universal Forwarder with issues:

props.conf

[host::TheHost]
TRANSFORMS-t1=eliminate-splunkd-5156

transforms.conf

[eliminate-splunkd-5156]
# Match raw events where EventCode 5156 is followed by the splunkd.exe application name
REGEX=5156.*splunkd\.exe
# Route matching events to the null queue so they are never indexed or counted against the license
DEST_KEY=queue
FORMAT=nullQueue

You might be able to make the REGEX a bit cleaner, but I think that will work. Here is the relevant discussion in the manual.
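Added example (not code from this thread or from Splunk): a small Python harness that applies an indexer-side nullQueue regex like lguinn2's and a forwarder-side blacklist like the cheat sheet's to constructed 5156/4688 events, so a filter can be checked for over- and under-matching before it is deployed. The sample events, the stanza names and the escaped path regex are my own assumptions.

```python
import re

# Constructed sample events modelled on the 5156 event quoted in the question (not real log data).
EVENTS = [
    "EventCode=5156 Message=The Windows Filtering Platform has permitted a connection. "
    "Application Name: \\device\\harddiskvolume2\\program files\\splunkuniversalforwarder\\bin\\splunkd.exe "
    "Direction: Outbound Destination Port: 9997",
    "EventCode=5156 Message=The Windows Filtering Platform has permitted a connection. "
    "Application Name: \\device\\harddiskvolume2\\windows\\system32\\svchost.exe "
    "Direction: Inbound Destination Port: 445",
    "EventCode=4688 Message=A new process has been created. "
    "New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe",
    "EventCode=4688 Message=A new process has been created. "
    "New Process Name: C:\\Windows\\System32\\cmd.exe",
]

# Indexer-side routing in the spirit of a transforms.conf stanza:
# if REGEX matches, the event goes to FORMAT (nullQueue), otherwise it is indexed.
INDEXER_TRANSFORMS = {
    "eliminate-splunkd-5156": {"REGEX": r"5156.*splunkd\.exe", "FORMAT": "nullQueue"},
}

def route_on_indexer(raw, transforms=INDEXER_TRANSFORMS):
    """Return the queue the event lands in: 'nullQueue' (dropped) or 'indexQueue'."""
    for stanza in transforms.values():
        if re.search(stanza["REGEX"], raw):
            return stanza["FORMAT"]
    return "indexQueue"

# Forwarder-side blacklist: (EventCode, PCRE applied to the Message); literal backslashes escaped as \\.
FORWARDER_BLACKLIST = [
    ("4688", r"(?:New Process Name:).+SplunkUniversalForwarder\\bin\\splunkd\.exe"),
]

def forwarder_blacklisted(raw, blacklist=FORWARDER_BLACKLIST):
    """True if the event's EventCode and Message both match a blacklist entry."""
    code = re.search(r"EventCode=(\d+)", raw)
    msg = re.search(r"Message=(.*)", raw, re.S)
    if not code or not msg:
        return False
    return any(code.group(1) == c and re.search(p, msg.group(1)) is not None
               for c, p in blacklist)

def escaping_matters():
    """Why the backslashes must be escaped: returns (escaped_matches, unescaped_matches)."""
    path = "New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"
    escaped = r"SplunkUniversalForwarder\\bin\\splunkd\.exe"
    unescaped = r"SplunkUniversalForwarder\bin\splunkd.exe"  # \b is a word boundary, not a backslash
    return (re.search(escaped, path) is not None, re.search(unescaped, path) is not None)
```

The svchost.exe 5156 event is kept by the indexer filter, which is the check to run before trusting a broad pattern like `5156.*splunkd.exe` on a host where other processes also log permitted connections.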
