    Windows Filtering Platform Auditing - What if it Never Existed?

    nicole pauls

      Hi All,


      We're considering turning off by default the Windows Filtering Platform events from the Security Log that tend to make a whole lot of noise for no really good reason. The only problem we have with this is our policy to date has been "we capture 100% of the Security Log" and we know some people may have legit reasons for using them. Our experience in support, though, tells us that most everyone is happy with turning them off and never seeing them again. We would provide coverage in a second connector, something you could easily enable for many systems using connector profiles (or individually for each system you needed it on).


      Do you use Windows Filtering Platform Events? On which systems? What do you use them for? What if we turned them off by default?

          I have worked with a large number of LEM clients over the past 18 months. During that time, I have not had a single client need (or want) anything from WFP events.


          For me, I absolutely LOVE the new setup where we have to turn ON rules with a new installation (instead of turning OFF things that were not needed). Given that our time with clients is generally short and to the point, it is not always possible to get a GPO-level auditing policy change through an enterprise while working with them. I would strongly support the ability to 'ignore' these events by default with the product and let the client work through their change management to get their auditing policies to stop generating the events in the first place. For the random one-off scenarios with clients who might want to "see all the things!!!", I think a connector would really be ideal, and easy to implement. Functionally speaking, it takes minutes to add a WFP connector to a profile.


          Count me in for a big +1