Security Log Filtering ineffective
Recently enabled audit logging on success/failure for a Windows server. The "Windows Filtering Platform has permitted a connection" EventCode = 5156 is logged thousands of times per hour. The filter "Does not match EventCode = 5156" was created and applied to the collector, but the events continue to be pulled into Sumo. What can be done to filter out these events?
To be on the same page, I assume the filter was added using the UI following these steps:
Some basic questions to help you debug:
- Do you have other filters for this same Source? Keep in mind that Excludes take precedence over Include filters, and if more than 2 filters apply, a boolean OR is assumed.
- Another thing to keep in mind is that your rule must match from the beginning to the end of the message. If you are looking for "Event Code = 5156", write the rule `.*Event Code = 5156.*`.
Hope this helps.
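To make the whole-message point concrete, here is a small added model of the rule semantics described in the answer; it is example code written for this page, not Sumo Logic's own implementation. It assumes a rule regex must match the entire message (`re.fullmatch`), that any matching exclude drops the message, and that include rules OR together. The sample messages are constructed, and their multi-line shape is also an assumption about how a Windows event is delivered; it is there to show a second reason a rule can silently fail: `.` does not cross a newline unless the pattern turns on DOTALL with `(?s)`.

```python
import re

# Constructed sample messages (not real collector output): three Windows
# Security events rendered as key = value lines, one of them the noisy 5156.
SAMPLE_MESSAGES = [
    "EventCode = 5156\nMessage = The Windows Filtering Platform has permitted a connection.",
    "EventCode = 4624\nMessage = An account was successfully logged on.",
    "EventCode = 5157\nMessage = The Windows Filtering Platform has blocked a connection.",
]


def matches_whole_message(pattern: str, message: str) -> bool:
    """Model of a processing-rule regex: it must match the entire message,
    not merely a substring (assumption mirroring the answer above).
    A leading (?s) flag lets '.' span the newlines of a multi-line event."""
    return re.fullmatch(pattern, message) is not None


def apply_rules(messages, excludes=(), includes=()):
    """Model of how rules combine (assumption, as stated in the answer):
    a message matching ANY exclude is dropped first; if include rules exist,
    a surviving message must match at least one of them (boolean OR)."""
    kept = []
    for message in messages:
        if any(matches_whole_message(p, message) for p in excludes):
            continue  # exclude wins over any include
        if includes and not any(matches_whole_message(p, message) for p in includes):
            continue  # no include rule matched the whole message
        kept.append(message)
    return kept


def event_codes(messages):
    """Reduce each surviving message to its EventCode for readable results."""
    return [re.search(r"EventCode = (\d+)", m).group(1) for m in messages]


if __name__ == "__main__":
    # 1. Substring only: nothing is excluded, which is the symptom in the question.
    print(event_codes(apply_rules(SAMPLE_MESSAGES, excludes=["EventCode = 5156"])))
    # 2. Anchored with .* but without (?s): the trailing .* cannot cross the
    #    newline in a multi-line event, so the rule still drops nothing.
    print(event_codes(apply_rules(SAMPLE_MESSAGES, excludes=[r".*EventCode = 5156.*"])))
    # 3. (?s).*EventCode = 5156.* matches the whole event and 5156 is dropped.
    print(event_codes(apply_rules(SAMPLE_MESSAGES, excludes=[r"(?s).*EventCode = 5156.*"])))
```

Rule 3 is the shape to try in the collector UI for the case in the question; if the events are single-line in your source format, the plain `.*EventCode = 5156.*` from the answer already covers it. The `includes` parameter exists so you can also check how an Include rule on the same Source interacts with the Exclude.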