Zabbix Windows Security event id 5156

Posted on 31/10/2016 · Posted in Microsoft, Zabbix

I noticed in one case that the Zabbix agent was spamming the Windows Security event log with “Filtering Platform Connection” events of status success and event ID 5156. This was especially true when disk space was low and the agent seemed to query the disk space a lot more frequently. This caused the log file to fill up even faster, which helped the disk space to fill up.

To get around this, I disabled the success events from Filtering Platform Connection while leaving the failed events on, based on this TechNet article.

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
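
The following PowerShell is an added example, not part of the original post: it confirms which application is generating the 5156 events before the change, saves the current audit policy, applies the command above, and shows the resulting setting. The function name, the 5000-event sample size and the backup path are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt.

function Get-Top5156Applications {
    # Hypothetical helper: counts recent 5156 events per 'Application' field.
    param([int]$MaxEvents = 5000)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No 5156 events found (log cleared or success auditing already off).'
        return
    }

    $events | ForEach-Object {
        # The event payload is a list of <Data Name="..."> elements.
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data |
            Where-Object { $_.GetAttribute('Name') -eq 'Application' }).'#text'
    } | Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}

# 1. Confirm the source: the Zabbix agent binary should be near the top of this list.
Get-Top5156Applications

# 2. Keep a copy of the current audit policy so the change can be reverted
#    with 'auditpol /restore /file:<path>'. Path is an assumption.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup /file:$backup

# 3. Apply the change from the post: drop success events, keep failures.
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

# 4. Show the effective setting for the subcategory.
auditpol /get /subcategory:"Filtering Platform Connection"
```

If the audit policy is delivered through Group Policy (Advanced Audit Policy Configuration), a local `auditpol /set` is overwritten at the next policy refresh, so the change has to be made in the GPO instead. With success auditing off, allowed connections are no longer recorded in the Security log, which matters if those events feed detection or incident response.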