I am trying to use a PowerShell scanner in PDQ Inventory (which runs a PS1 and enters the returned data into the asset) that scans the Security log for logon and logoff events. The script then enters the data into that asset, which allows us to see who has been using it and for how long (we are a school with generic computers all over). These log events are located in the Security logs.
In trying to research why we are only getting one, MAYBE two, user sessions, I noticed that the logs are getting FILLED with events 5156 and 5158. Upon research, it's a log that the Windows Firewall allowed to pass. This is causing 1-7 events PER SECOND. This means the log gets filled to max in about 3-5 hours. So we only get 3-5 hours of user session events.
I looked around and there are some auditpol commands that people say stop this; however, I want to restrict this in GP for obvious reasons. I found a GPO for this in Machine > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Object Access > Audit Filtering Platform Connection
We set this to "No Auditing" by checking the box to configure it but leaving "Success" and "Failure" unchecked. GPRESULT /H shows this policy and the setting is "No Auditing". However, it is still logging these events. Did some research and found someone with the same issue who said it only works for them if it's added to the Default Domain Policy. While this is not ideal, we tried it. GPRESULT /H shows the change and it's assigned in the DDP; however, it's STILL logging these events!
Running "auditpol /get /category:*" shows that "Filtering Platform Connection" is "Success" even though we turned this off. Somehow something is ignoring or overriding even the DDP. I am at a loss here, looking for help.
Increasing the size of the logs is not an option; even if we increase it 3x, that is still only one day's worth of user sessions (the PDQ scanner will overwrite the previous data, it will not append).
Thanks for any help!
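The following diagnostic script is an added example for readers of this thread; it is not from the original poster, from PDQ, or from Microsoft. It quantifies the 5156/5158 noise described above and dumps the inputs that decide whether the "Audit Filtering Platform Connection" subcategory is effectively enabled: the value auditpol reports, the `SCENoApplyLegacyAuditPolicy` LSA registry value (which controls whether Advanced Audit Policy subcategory settings override legacy category-level audit policy), the locally cached advanced audit policy file, and any legacy `AuditObjectAccess` setting exported by secedit. The `$SampleMinutes` parameter and the temp file path are assumptions; run it in an elevated PowerShell session on an affected workstation.

```powershell
# Added diagnostic script (not part of the original post). Measures how fast
# Windows Filtering Platform "allowed connection" events (5156/5158) fill the
# Security log and shows the audit-policy inputs that decide whether the
# "Filtering Platform Connection" subcategory is actually enabled.
param([int]$SampleMinutes = 10)   # assumed sample window; adjust as needed

$since = (Get-Date).AddMinutes(-$SampleMinutes)

# --- 1. Event rate for 5156/5158 over the sample window -------------------
$wfp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5158; StartTime = $since } `
        -ErrorAction SilentlyContinue
$perId = $wfp | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id        = $_.Name
        Count     = $_.Count
        PerSecond = [math]::Round($_.Count / ($SampleMinutes * 60), 2)
    }
}
"WFP events in the last $SampleMinutes minutes:"
$perId | Format-Table -AutoSize | Out-String

# --- 2. Rough estimate of how long the log lasts at that rate --------------
$log      = Get-WinEvent -ListLog Security
$avgBytes = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }
$rate     = ($wfp | Measure-Object).Count / ($SampleMinutes * 60)
if ($avgBytes -gt 0 -and $rate -gt 0) {
    $hoursToWrap = ($log.MaximumSizeInBytes / $avgBytes) / $rate / 3600
    "Security log max {0:N0} MB, ~{1:N0} bytes/record, ~{2:N1} hours to wrap at {3:N2} WFP events/s" -f
        ($log.MaximumSizeInBytes / 1MB), $avgBytes, $hoursToWrap, $rate
}

# --- 3. What LSA is actually applying (same check the post ran) -----------
"`nEffective subcategory setting:"
auditpol /get /subcategory:"Filtering Platform Connection"

# --- 4. Does advanced (subcategory) policy override legacy category policy?
# SCENoApplyLegacyAuditPolicy = 1 means subcategory settings win; if it is 0 or
# missing and a legacy "Audit object access" setting is applied anywhere, that
# legacy setting can turn the whole Object Access category (incl. this
# subcategory) back on, which matches the symptom in the post.
$lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$flag = if ($null -ne $lsa.SCENoApplyLegacyAuditPolicy) { $lsa.SCENoApplyLegacyAuditPolicy } else { 'not set' }
"`nSCENoApplyLegacyAuditPolicy = $flag"

# --- 5. Advanced audit policy the GPO client cached locally ---------------
$auditCsv = Join-Path $env:SystemRoot 'security\audit\audit.csv'
"`nLocal advanced audit policy ($auditCsv):"
if (Test-Path $auditCsv) {
    Select-String -Path $auditCsv -Pattern 'Filtering Platform Connection' | ForEach-Object Line
} else {
    "  file not present (no advanced audit policy has been applied locally)"
}

# --- 6. Legacy category-level audit policy from the security template -----
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed temp path
secedit /export /cfg $inf /quiet | Out-Null
"`nLegacy [Event Audit] setting for object access:"
Select-String -Path $inf -Pattern '^AuditObjectAccess' | ForEach-Object Line
Remove-Item $inf -ErrorAction SilentlyContinue
```

Read the output top to bottom: section 1 and 2 give the numbers to put in a ticket (events per second and hours until the log wraps), section 3 is the ground truth LSA is enforcing, and sections 4 to 6 show which policy layer is feeding it. If `SCENoApplyLegacyAuditPolicy` is not 1 and `AuditObjectAccess` is non-zero in the exported template, a legacy category setting is the likely thing overriding the "No Auditing" subcategory value from the GPO, and that is where to look next in the applied GPOs.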