This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Servers in our environment have their sec logs filled very quickly with a few event id's. At first I thought it was a GPO but I cannot find a GPO pushing Audit Filtering Platform or anything in the Sec Settings / Advanced Audit policy. When I look at the local policy on our boxes they all show "Not Configured" for these policies. I am scratching my head as to how these audits are being enabled, i need to either disable or reduce the verbosity because my logs are filling up in seconds.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello
Thank you for posting here.
1.On the machines that we can see these event ID (4663, 4658 and 5156), we can check the status of the related audit policy settings with the following command.
auditpol /get /category:*
For example:
2.We can also check if we configured the related audit policy settings through gpresult file.
Logon the machine that we can see these event ID (4663, 4658 and 5156) with Administrator.
Open CMD (run as Administrator) and type gpresult /h C:\audit.html and click Enter.
And open the audit.html and check the audit settings (including domain policy settings and local policy settings) under “Computer Details”, check if there are settings “Audit Removable Storage” and “Audit Filtering Platform Connection”.
For example:
3.On one problematic server, we can try to check if we can see the related audit policy settings ( “Audit Removable Storage” and “Audit Filtering Platform Connection”) in the following path:
\a.local\SYSVOL\a.local\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit.csv
C:\Windows\security\audit.csv
{31B2F340-016D-11D2-945F-00C04FB984F9} is the GUID of the default domain policy.
The audit.csv look just like this:
Best Regards,
Daisy Zhou