Overview
This article describes how to reduce the excessive volume of noise events that Windows Server 2008 writes to its Security log, which GFI EventsManager would otherwise have to collect and process.
Information
Windows Server 2008 writes a large number of low-value events to its Security log. GFI EventsManager has to collect every one of them, process it, and either save it to the database or discard it, so the noise translates directly into load on the EventsManager collector. The worst offenders are the Windows Filtering Platform (WFP) events: with the Filtering Platform Connection and Filtering Platform Packet Drop subcategories audited, the server logs an event for every allowed connection, port bind and listen (5154 to 5159) and for every dropped packet or blocked connection (5152, 5153, 5157), which adds up to many thousands of events that offer little value relative to their volume. The one caveat: if your security operations team relies on 5156/5157 for host-level network telemetry, keep those subcategories on and tune the filtering in EventsManager instead.
GFI recommends that you reduce noise events at the source, in the Windows audit policy, rather than filtering them after collection. This keeps EventsManager running smoothly and also keeps the Security log from rolling over as quickly. We recommend that you use Randy Franklin Smith's Recommended Baseline Audit Policy for Windows Server 2008. Randy is a leader in the field of Windows Security Event log analysis.
As a minimum, we recommend that you configure the following Object Access subcategories to No Auditing (both Success and Failure):
- Audit Filtering Platform Connection
- Audit Filtering Platform Packet Drop
For Windows Server 2008 (non-R2), the per-subcategory settings are not exposed in the Group Policy editor, so you must use the Auditpol command (auditpol.exe) to set these policies; to apply them domain-wide, run the command from a computer startup script. See Randy Franklin Smith's Auditpol page for more information. Make sure that the legacy category-level policy "Audit object access" is not also being applied by Group Policy, or enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"; otherwise the category setting can re-enable the subcategories at the next policy refresh.
For Windows Server 2008 R2 and higher, you can set these policies in the Group Policy Management Editor under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access. Verify the result on a target server with auditpol /get /category:"Object Access".
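The following PowerShell script is an added example that is not part of the original GFI article: it records the current setting of the two WFP subcategories, backs up the audit policy, sets both subcategories to No Auditing with auditpol.exe, checks whether the legacy category policy could override the change, and counts how many WFP events the Security log received in the last hour so you can confirm the volume drops. The subcategory GUIDs are taken from Microsoft's audit policy reference and are used instead of display names so the script is locale-independent; the event IDs are the standard WFP IDs. The script assumes an elevated prompt and PowerShell 2.0 or later.

```powershell
# Added example (not from the GFI article): silence the WFP audit subcategories
# with auditpol.exe and measure the effect. Run from an elevated PowerShell prompt.
# Verify the GUIDs on your own build with:  auditpol /list /subcategory:* /v

$wfpSubcategories = @{
    'Filtering Platform Connection'  = '{0CCE9226-69AE-11D9-BED3-505054503030}'
    'Filtering Platform Packet Drop' = '{0CCE9225-69AE-11D9-BED3-505054503030}'
}

# Event IDs written under these two subcategories (assumption: standard WFP IDs).
$wfpEventIds = 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159

function Get-WfpAuditSetting {
    # "auditpol /get ... /r" prints CSV; the "Inclusion Setting" column holds
    # "No Auditing", "Success", "Failure" or "Success and Failure".
    foreach ($name in $wfpSubcategories.Keys) {
        $guid = $wfpSubcategories[$name]
        $row  = & auditpol.exe /get /subcategory:"$guid" /r |
                Where-Object { $_.Trim() } | ConvertFrom-Csv
        New-Object PSObject -Property @{
            Subcategory = $name
            Setting     = $row.'Inclusion Setting'
        }
    }
}

function Disable-WfpAuditing {
    # Keep a restorable copy first:  auditpol /restore /file:<path>
    $backup = Join-Path $env:TEMP ('auditpol-backup-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    & auditpol.exe /backup /file:"$backup" | Out-Null
    Write-Host "Audit policy backed up to $backup"

    foreach ($name in $wfpSubcategories.Keys) {
        $guid = $wfpSubcategories[$name]
        & auditpol.exe /set /subcategory:"$guid" /success:disable /failure:disable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed to change '$name' (exit code $LASTEXITCODE)"
        }
    }
}

function Test-LegacyAuditOverride {
    # SCENoApplyLegacyAuditPolicy = 1 means subcategory settings win over the
    # category-level "Audit object access" policy. If it is absent or 0 and a GPO
    # sets the legacy category, the next policy refresh can re-enable WFP auditing.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return ($lsa -ne $null -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Get-WfpEventCount {
    param([int]$Minutes = 60)
    # Get-WinEvent throws when no events match, hence SilentlyContinue -> 0.
    $filter = @{ LogName = 'Security'; Id = $wfpEventIds; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    return $events.Count
}

Write-Host "Before:"
Get-WfpAuditSetting | Format-Table Subcategory, Setting -AutoSize
Write-Host ("WFP events in the last 60 minutes: {0}" -f (Get-WfpEventCount -Minutes 60))

Disable-WfpAuditing

Write-Host "After:"
Get-WfpAuditSetting | Format-Table Subcategory, Setting -AutoSize

if (-not (Test-LegacyAuditOverride)) {
    Write-Warning ('"Audit: Force audit policy subcategory settings ... to override audit policy ' +
                   'category settings" is not enabled; a legacy "Audit object access" GPO can undo this change.')
}
# Re-run Get-WfpEventCount after an hour or so; the count should fall towards zero.
```

On Windows Server 2008 (non-R2) this is the kind of script you would deploy through a computer startup script GPO, since the subcategory settings are not available in the Group Policy editor there. On 2008 R2 and later, prefer the Advanced Audit Policy Configuration in Group Policy and use only the Get-WfpAuditSetting and Get-WfpEventCount parts of the script to verify that the policy has taken effect on each server.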
Priyanka Bhotika