Are Event IDs 5446 and 5447 a threat?
I'm trying to determine if I should stop logging "Success" events from Audit Policy > Policy Change from our users with Win7 and Vista. But I'm getting a ton of these 5447 events a min. But since Policy Change is not an option with XP Group Policy, they are not capturing the events. Are these a problem? Is it recommended to remove the success event from our Group Policy? Here is an example from a Vista user:

A Windows Filtering Platform callout has been changed.
Subject:
    Security ID: S-1-5-19
    Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
    Process ID: 536
Provider Information:
    ID: {9250A3DB-5929-4952-B834-E88709B0A35E}
    Name: WFKMP
Change Information:
    Change Type: %%16384
Callout Information:
    ID: {C3DBED20-0BB6-4BF3-828D-96732E1E0024}
    Name: Windows Firewall: callout
    Type: %%16388
    Run-Time ID: 256
Layer Information:
    ID: {1247D66D-0B60-4A15-8D44-7155D0F53A0C}
    Name: ALE Resource Assignment v4 Layer
    Run-Time ID: 36
Log Name: <Security>
Source: <Microsoft-Windows-Security-Auditing>
Record Number: <1780365>
User: <N/A>
MS Event ID: <5446>
MS Event Category: <13572> (13572)
MS Event Type: <8> (Security audit success)
MS Insertion Strings: <['536', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{9250A3DB-5929-4952-B834-E88709B0A35E}', 'WFKMP', '%%16384', '{C3DBED20-0BB6-4BF3-828D-96732E1E0024}', 'Windows Firewall: callout', '%%16388', '256', '{1247D66D-0B60-4A15-8D44-7155D0F53A0C}', 'ALE Resource Assignment v4 Layer', '36']>

A Windows Filtering Platform filter has been changed.
Subject:
    Security ID: S-1-5-19
    Account Name: NT AUTHORITY\LOCAL SERVICE
Process Information:
    Process ID: 468
Provider Information:
    ID: {DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}
    Name: Windows Firewall
Change Information:
    Change Type: %%16384
Filter Information:
    ID: {378F129E-5DC7-4873-9CE0-AA37DA82D200}
    Name: Core Networking - IPv6 (IPv6-In)
    Type: %%16388
    Run-Time ID: 65998
Layer Information:
    ID: {E1CD9FE7-F4B5-4273-96C0-592E487B8650}
    Name: ALE Receive/Accept v4 Layer
    Run-Time ID: 44
Callout Information:
    ID: {00000000-0000-0000-0000-000000000000}
    Name: -
Additional Information:
    Weight: 4611809180909568000
    Conditions:
        Condition ID: {d78e1e87-8644-4ea5-9437-d809ecefc971}
        Match value: Equal to
        Condition value: 00000000 53 00 79 00 73 00 74 00-65 00 6d 00 00 00 S.y.s.t.e.m...
        Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
        Match value: Equal to
        Condition value: 0x29
    Filter Action: %%16390
Log Name: <Security>
Source: <Microsoft-Windows-Security-Auditing>
Record Number: <2197685>
User: <N/A>
MS Event ID: <5447>
MS Event Category: <13573> (13573)
MS Event Type: <8> (Security audit success)
MS Insertion Strings: <['468', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}', 'Windows Firewall', '%%16384', '{378F129E-5DC7-4873-9CE0-AA37DA82D200}', 'Core Networking - IPv6 (IPv6-In)', '%%16388', '65998', '{E1CD9FE7-F4B5-4273-96C0-592E487B8650}', 'ALE Receive/Accept v4 Layer', '44', '4611809180909568000', ' \tCondition ID:\t{d78e1e87-8644-4ea5-9437-d809ecefc971} \tMatch value:\tEqual to \tCondition value:\t 00000000 53 00 79 00 73 00 74 00-65 00 6d 00 00 00 S.y.s.t.e.m... \tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} \tMatch value:\tEqual to \tCondition value:\t0x29 ', '%%16390', '{00000000-0000-0000-0000-000000000000}', '-']>
June 17th, 2011 11:38am
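One way to separate the routine firewall-service churn in these events from changes that deserve a look, as an added example that is not part of the thread: a Python script that parses the "MS Insertion Strings" dump format shown in the post, counts 5446/5447 changes by subject SID, provider and change type, and flags anything outside a baseline. The baseline sets (LOCAL SERVICE plus the "Windows Firewall" and "WFKMP" providers), the record regex, and the third sample record (a user SID with an unknown provider) are assumptions constructed for the example.

```python
import ast
import re
from collections import Counter

# Records in the layout of the question's dump, one per line: the first two are
# condensed from the post, the third is CONSTRUCTED (user SID, unknown provider).
SAMPLE_LOG = r"""
MS Event ID: <5446> MS Event Type: <8> (Security audit success) MS Insertion Strings: <['536', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{9250A3DB-5929-4952-B834-E88709B0A35E}', 'WFKMP', '%%16384', '{C3DBED20-0BB6-4BF3-828D-96732E1E0024}', 'Windows Firewall: callout', '%%16388', '256', '{1247D66D-0B60-4A15-8D44-7155D0F53A0C}', 'ALE Resource Assignment v4 Layer', '36']>
MS Event ID: <5447> MS Event Type: <8> (Security audit success) MS Insertion Strings: <['468', 'S-1-5-19', 'NT AUTHORITY\\LOCAL SERVICE', '{DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62}', 'Windows Firewall', '%%16384', '{378F129E-5DC7-4873-9CE0-AA37DA82D200}', 'Core Networking - IPv6 (IPv6-In)', '%%16388', '65998', '{E1CD9FE7-F4B5-4273-96C0-592E487B8650}', 'ALE Receive/Accept v4 Layer', '44', '4611809180909568000', ' \tCondition ID:\t{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7} \tMatch value:\tEqual to \tCondition value:\t0x29 ', '%%16390', '{00000000-0000-0000-0000-000000000000}', '-']>
MS Event ID: <5447> MS Event Type: <8> (Security audit success) MS Insertion Strings: <['4120', 'S-1-5-21-1000-2000-3000-1105', 'CORP\\jdoe', '{00000000-0000-0000-0000-0000C0A57EED}', 'Constructed Provider', '%%16384', '{00000000-0000-0000-0000-0000C0A57EE1}', 'Constructed - allow inbound', '%%16388', '70001', '{E1CD9FE7-F4B5-4273-96C0-592E487B8650}', 'ALE Receive/Accept v4 Layer', '44', '1', '', '%%16390', '{00000000-0000-0000-0000-000000000000}', '-']>
"""

# Event ID plus the Python-list-style insertion strings at the end of the line.
RECORD_RE = re.compile(r"MS Event ID: <(\d+)>.*MS Insertion Strings: <(\[.*\])>")

# 5446 (callout change) and 5447 (filter change) share their first six fields;
# fields 6 and 7 are the ID and name of the callout or filter that changed.
PID, SID, ACCOUNT, PROVIDER_ID, PROVIDER, CHANGE_TYPE, OBJ_ID, OBJ_NAME = range(8)

def parse_records(text):
    """Return [(event_id, insertion_strings)] for every 5446/5447 record."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m and m.group(1) in ("5446", "5447"):
            records.append((int(m.group(1)), ast.literal_eval(m.group(2))))
    return records

# Baseline (an assumption to tune per fleet): routine churn from the firewall
# service runs as LOCAL SERVICE (S-1-5-19) through these two providers.
BASELINE_SIDS = {"S-1-5-19"}
BASELINE_PROVIDERS = {"Windows Firewall", "WFKMP"}

def triage(text):
    """Count changes by (event, SID, provider, change type); flag off-baseline ones."""
    summary, flagged = Counter(), []
    for event_id, s in parse_records(text):
        summary[(event_id, s[SID], s[PROVIDER], s[CHANGE_TYPE])] += 1
        if s[SID] not in BASELINE_SIDS or s[PROVIDER] not in BASELINE_PROVIDERS:
            flagged.append({"event_id": event_id, "pid": s[PID],
                            "account": s[ACCOUNT], "provider": s[PROVIDER],
                            "object": s[OBJ_NAME], "change_type": s[CHANGE_TYPE]})
    return summary, flagged

if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_LOG)
    for key, n in summary.most_common():
        print(f"{n:6d}  {key}")
    for f in flagged:
        print("REVIEW:", f)
```

Run against a real export, the summary shows how much of the volume is the firewall service talking to itself, which is the figure to weigh before turning Policy Change success auditing off.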

Hi,

Thanks for posting in Microsoft TechNet Forum.

In Windows, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. These events can provide valuable information to help administrators troubleshoot and investigate security-related activities. If you want to get more information about your security, you could keep these settings.

And, I see you have already opened a thread about this issue in forum, please continue to follow up in your thread here.

Thanks.

Alex Zhao
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 20th, 2011 4:11pm

