Discussion:
Windows Security Log gets crowded!
p***@gmail.com
2008-06-26 09:26:56 UTC
We recently installed Windows Server 2008 on a server and we have
noticed that the Windows Security Log is crowded with events like the
ones below (several thousand every day). We realize that they are
from some kind of multicast, but we just want to get rid of them. It
is, however, a bit difficult since we don't know the cause. Any help
will be greatly appreciated.

Thanks,
Mattias


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2008-06-26 02:00:15
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: cosmo.lundalogik.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 716
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 192.168.35.56
Destination Port: 49425
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5157</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-06-26T00:00:15.364Z" />
<EventRecordID>65636</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>cosmo.lundalogik.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">716</Data>
<Data Name="Application">\device\harddiskvolume2\windows\system32\svchost.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">224.0.0.252</Data>
<Data Name="SourcePort">5355</Data>
<Data Name="DestAddress">192.168.35.56</Data>
<Data Name="DestPort">49425</Data>
<Data Name="Protocol">17</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2008-06-26 02:00:15
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: cosmo.lundalogik.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 716
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: ff02::1:3
Source Port: 5355
Destination Address: fe80::e530:9589:5d64:74f3
Destination Port: 54188
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 46
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5157</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-06-26T00:00:15.348Z" />
<EventRecordID>65633</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>cosmo.lundalogik.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">716</Data>
<Data Name="Application">\device\harddiskvolume2\windows\system32\svchost.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">ff02::1:3</Data>
<Data Name="SourcePort">5355</Data>
<Data Name="DestAddress">fe80::e530:9589:5d64:74f3</Data>
<Data Name="DestPort">54188</Data>
<Data Name="Protocol">17</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">46</Data>
</EventData>
</Event>
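Both posted records are LLMNR traffic (RFC 4795: UDP port 5355, IPv4 group 224.0.0.252, IPv6 group ff02::1:3), which is a fact about the protocol rather than something stated in the thread. As an added example that is not part of this thread, the Python below parses 5157 Event XML in the System/EventData layout shown above and separates that LLMNR multicast noise from blocked connections worth reviewing; the record() builder and the third SMB sample are constructed, the first two samples reuse the posted values.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from ipaddress import ip_address

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# LLMNR (RFC 4795) endpoints: IPv4 group 224.0.0.252, IPv6 group ff02::1:3, UDP 5355.
LLMNR_GROUPS = {ip_address("224.0.0.252"), ip_address("ff02::1:3")}
LLMNR_PORT, UDP = 5355, 17

def parse_5157(xml_text):
    """Pull the fields of one 5157 record out of its Event XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "app": data["Application"].rsplit("\\", 1)[-1],  # basename of the image path
        "src": ip_address(data["SourceAddress"]), "sport": int(data["SourcePort"]),
        "dst": ip_address(data["DestAddress"]), "dport": int(data["DestPort"]),
        "proto": int(data["Protocol"]),
    }

def classify(ev):
    """Label one blocked connection: LLMNR noise, other multicast, or something to review."""
    if ev["event_id"] != 5157:
        return "not-5157"
    llmnr_addr = ev["src"] in LLMNR_GROUPS or ev["dst"] in LLMNR_GROUPS
    if ev["proto"] == UDP and llmnr_addr and LLMNR_PORT in (ev["sport"], ev["dport"]):
        return "llmnr-multicast"
    if ev["src"].is_multicast or ev["dst"].is_multicast:
        return "other-multicast"
    return "review"

def summarize(xml_records):
    """Count the classifications over a batch of records (the daily log, in practice)."""
    return Counter(classify(parse_5157(x)) for x in xml_records)

# Constructed records in the page's layout (only the fields the parser reads are kept).
def record(src, sport, dst, dport, proto=17, app=r"\device\harddiskvolume2\windows\system32\svchost.exe"):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5157</EventID></System><EventData>'
            f'<Data Name="ProcessID">716</Data><Data Name="Application">{app}</Data>'
            f'<Data Name="Direction">%%14592</Data><Data Name="SourceAddress">{src}</Data>'
            f'<Data Name="SourcePort">{sport}</Data><Data Name="DestAddress">{dst}</Data>'
            f'<Data Name="DestPort">{dport}</Data><Data Name="Protocol">{proto}</Data>'
            f'</EventData></Event>')

SAMPLES = [
    record("224.0.0.252", 5355, "192.168.35.56", 49425),              # posted IPv4 event
    record("ff02::1:3", 5355, "fe80::e530:9589:5d64:74f3", 54188),    # posted IPv6 event
    record("10.0.0.5", 50123, "192.168.35.56", 445, proto=6, app="System"),  # made-up SMB block
]
```

Running summarize(SAMPLES) gives two llmnr-multicast records and one to review, which is the split an admin needs before deciding whether the noise should be filtered or the audit policy changed.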
Meinolf Weber
2008-06-26 16:08:59 UTC
Hello ***@gmail.com,

Have a look here at Miles Li's solution:
http://forums.technet.microsoft.com/en-US/winserversecurity/thread/9cb175a1-78fb-452e-b59d-0416940c2d20/


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm