Our NLS gets bogged down every few days with event ID 5156. It appears that when a log is sent to the NLS it creates a 5156 event. Then sending the 5156 log creates another, and so on and so on.
We have the following in our nxlog config, but we are still receiving the logs at the bottom of this post in NLS.
Exec if ($EventID == 5156 AND ($DestinationPort == 514 OR $DestinationPort == 3515)) drop();
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3772
Application Name: \device\harddiskvolume4\program files (x86)\nxlog\nxlog.exe
Network Information:
Direction: Outbound
Source Address:
Source Port: 49694
Destination Address:
Destination Port: 3515
Protocol: 6
Filter Information:
Filter Run-Time ID: 67911
Layer Name: Connect
Layer Run-Time ID: 48
Event ID 5156
Re: Event ID 5156
Hi Cduffy,
It looks like you could just disable 5156 events altogether, if that's a solution for you:
https://www.urtech.ca/2012/09/solved-ho ... onnection/
or
https://stories.schubergphilis.com/get- ... 35ecc83265
Hope that helps!
--Jeffrey
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Event ID 5156
We need to have event ID 5156 enabled. I'm looking to stop nxlog from sending them to NLS.
Re: Event ID 5156
Perhaps a more general filter would work better in your case?
if ($EventID == 5156 and $Channel == 'Security') drop();
Better yet, use what you had before, but with DestPort rather than DestinationPort:
Exec if ($EventID == 5156 AND ($DestPort == 514 OR $DestPort == 3515)) drop();
Let me know if that works any better for you.
--Jeffrey
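Putting the DestPort filter from the reply above into a complete config, as an added example that is not from this thread or from nxlog's own documentation: it ships the Security channel to NLS over TCP 3515 and drops only the 5156 events raised by nxlog's own outbound connections, so the other 5156 events the poster wants to keep still reach NLS. The NLS hostname, the ports and the nxlog.exe match on $Application are assumptions; the defined() guard and the $Application check go beyond the one-line filter in the reply.

```nxlog
# Added example, not the thread's own config. NLS host, ports and the
# nxlog.exe match are assumed; adjust them to your environment.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in_security>
    Module      im_msvistalog
    # Read only the Security channel. im_msvistalog exposes the event's
    # EventData elements as fields of the same name, which is why the
    # filter tests $DestPort and $Application, not the rendered
    # "Destination Port" / "Application Name" labels seen in the message.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Break the feedback loop: drop 5156 only when nxlog.exe itself is
        # the connecting process and the destination is a log-shipping port.
        # Every other 5156 (other processes, other ports) is forwarded.
        # defined() keeps the comparison from running on events without
        # a DestPort field (e.g. non-WFP events on the same channel).
        if $EventID == 5156 and defined($DestPort)
           and (integer($DestPort) == 514 or integer($DestPort) == 3515)
           and $Application =~ /nxlog\.exe$/
        {
            drop();
        }
    </Exec>
</Input>

<Output out_nls>
    Module      om_tcp
    # Assumed address of the Nagios Log Server instance.
    Host        nls.example.internal
    Port        3515
    Exec        to_syslog_snare();
</Output>

<Route security_to_nls>
    Path        in_security => out_nls
</Route>
```

If you also forward over UDP 514 from a second output, the same Exec block covers it, since both ports are listed in the filter.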
Re: Event ID 5156
I'll try DestPort and let you know if it works. I want to log other 5156 events to NLS, so I can't use the other line.
Re: Event ID 5156
If that doesn't work for you, let us know and we'll find some other ideas.
--Jeffrey