Hello,
I am running into an issue where our security logs are filling up on each of our DC's. In my GPO's I have setup the Advanced Audit Policies to have the auditing for "Object Access -> Audit Filtering Platform Connection" and "Object Access -> Audit Filtering Platform Packet Drop" set to "No Auditing". With these set and after a gpupdate /force I run "auditpol /get /subcategory:"Filtering Platform Connection"" and the results show that "Filtering Platform Connection" setting is set to success, and I can see in RSOP that the policies have applied to the DC's.
I have also tried to to run the command "auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:disable" to disable the logs via auditpol. In my security events I see that the command was successful, but then a few seconds later I can see another log where the "SYSTEM" user is re-enabling the log. Everything that I have seen online about these events is telling me to run the commands and set the GPO policies that I have set without any change in the logs.
Any help would be greatly appreciated.
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 89%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
