Hello,
I am running into an issue where our security logs are filling up on each of our DCs. In my GPOs I have set up the Advanced Audit Policies to have the auditing for "Object Access -> Audit Filtering Platform Connection" and "Object Access -> Audit Filtering Platform Packet Drop" set to "No Auditing". With these set and after a gpupdate /force I run "auditpol /get /subcategory:"Filtering Platform Connection"" and the results show that "Filtering Platform Connection" setting is set to success, and I can see in RSOP that the policies have applied to the DCs.
I have also tried to run the command "auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable" to disable the logs via auditpol. In my security events I see that the command was successful, but then a few seconds later I can see another log where the "SYSTEM" user is re-enabling the log. Everything that I have seen online about these events is telling me to run the commands and set the GPO policies that I have set without any change in the logs.
Any help would be greatly appreciated.
Thank you
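
One way to capture the behaviour described above in a single run (an added example, not part of the original post): it reads the effective setting for both subcategories and lists the recent audit-policy-change events that touch them, so the disable/re-enable sequence and the account behind each change appear side by side. It assumes an elevated PowerShell session on the DC, an English-language event log, and that the change events in question are Security event ID 4719; the one-hour window is an arbitrary choice.

```powershell
# Added example. Subcategory names are taken from the post; event ID 4719
# ("System audit policy was changed") and the time window are assumptions.
$subcategories = 'Filtering Platform Connection', 'Filtering Platform Packet Drop'
$since = (Get-Date).AddHours(-1)

# 1. Effective setting per subcategory, parsed from auditpol's CSV report (/r).
$effective = foreach ($name in $subcategories) {
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_ -match '\S' } |      # drop the blank lines in the report
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$effective | Format-Table -AutoSize

# 2. Audit-policy changes for these subcategories, oldest first, with the
#    account that made each change and what was added or removed.
$filter = @{ LogName = 'Security'; Id = 4719; StartTime = $since }
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Filtering Platform' } |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Subject fields come from the event XML, the rest from the rendered text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $sub = if ($_.Message -match 'Subcategory:\s+(.+)') { $Matches[1].Trim() }
        $chg = if ($_.Message -match 'Changes:\s+(.+)')     { $Matches[1].Trim() }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Subcategory = $sub
            Changes     = $chg
        }
    }

if ($changes) {
    $changes | Format-Table -AutoSize
} else {
    Write-Output "No matching audit policy change events since $since."
}
```

Running it immediately after the `auditpol /set` command, and again after the next `gpupdate /force`, shows whether each re-enable lines up with a policy refresh.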