Recently enabled audit logging on success/failure for a Windows server. The "Windows Filtering Platform has permitted a connection" EventCode = 5156 is logged thousands of times per hour. The filter "Does not match EventCode = 5156" was created and applied to the collector but the events continue to be pulled into Sumo. What can be done to filter out these events?