  1. #1

    20K+ Event IDs 5152 in 1 Hour on 2x WinServer 2008 R2

    Hello All,

    I've got 2x Win 2008 R2 servers on our school network. During the working day, both servers get flooded with at least 20 thousand Event ID 5152s each in a single hour!

    The IP address: 10.3.126.114 belongs to a staff laptop running Win7 Pro 64bit, and its last McAfee VirusScan 8.8 Patch 2 has come up negative for anything untoward.

    I've Googled around the following:
    Getting alot of Event ID 5152
    Security Event ID 5152 by the thousands - Microsoft Community
    Stuff I figured out.: Windows Auditing can be annoying. (Shut up already)
    Notes on MS Integration, Administration, and Management: Resolve issue with multiple Event ID 5152 and 5157 appearing in the security event log

    and some forums say it's an MS Server 2008 bug that requires a hotfix,

    some say it's packets coming from Dropbox or Bonjour of the origin computer.

    The port numbers don't clearly point to any specific program.

    Lots of forums say it's harmless, and instruct to mute and ignore them.
    I'd rather not mute them as it would mask any other problems.

    None of these sites are giving a solid solution to the problem.
    Anyone else come across this and wish to share their wisdom?

    Am I making a mountain out of a molehill? Or is this something which can (or can't) be fixed?

    -----I've copied and pasted one of the events for you to look at------

    The Windows Filtering Platform has blocked a packet.

    Application Information:
    Process ID: 0
    Application Name: -

    Network Information:
    Direction: Inbound
    Source Address: 10.3.126.114
    Source Port: 54799
    Destination Address: 255.255.255.255
    Destination Port: 2008
    Protocol: 17

    Filter Information:
    Filter Run-Time ID: 4267779
    Layer Name: Transport
    Layer Run-Time ID: 13
    ---------------------------------------------------------------------

    Any questions?

  2. #2
    free780
    Why does a staff laptop have Apple stuff and iTunes anyhow?

  3. #3

    Quote, originally posted by free780:
        Why does a staff laptop have Apple stuff and iTunes anyhow?

    Stay on topic please,

    Staff take their laptops home, and some of them happen to use Apple products for teaching.

  4. #4

    synaesthesia
    I had this from a similar - primary school staff laptop, iTunes installed. Disabling Bonjour resolved it but to be honest I did little after that to investigate why. As bad as iAnything is when installed on a PC it can't be inherent to Bonjour alone, I've installed it standalone on a couple of machines for them to be used by iPads for Reflector (Apple TV type software).

    ** edit - actually, this is a random thought but there's a distinct possibility said laptop was running McAfee. The desktops I installed Bonjour on without issue were all System Center EP. It may help narrow down a search looking up Bonjour + McAfee to see if there are any known issues there. Maybe coincidental but could be worth a look.
    Last edited by synaesthesia; 27th January 2014 at 09:06 AM.

  5. #5

    localzuk
    Have you tried doing the process in the blogspot article? I.e. disable that type of firewall auditing? You don't say if you tried it or not.

  6. #6

    Quote, originally posted by localzuk:
        Have you tried doing the process in the blogspot article? I.e. disable that type of firewall auditing? You don't say if you tried it or not.

    I've tried, but decided to re-enable, as this doesn't fix the problem, only hides/masks it along with any other issue.

    Quote, originally posted by synaesthesia:
        I had this from a similar - primary school staff laptop, iTunes installed. Disabling Bonjour resolved it but to be honest I did little after that to investigate why. As bad as iAnything is when installed on a PC it can't be inherent to Bonjour alone, I've installed it standalone on a couple of machines for them to be used by iPads for Reflector (Apple TV type software).

        ** edit - actually, this is a random thought but there's a distinct possibility said laptop was running McAfee. The desktops I installed Bonjour on without issue were all System Center EP. It may help narrow down a search looking up Bonjour + McAfee to see if there are any known issues there. Maybe coincidental but could be worth a look.

    I'll have another look. afaik, I have removed all traces of Apple iTunes and Bonjour from the laptop. Didn't think the McAfee VirusScan would have an effect as all the workstations on our domain are running it... nonetheless, stranger things have happened.

  7. #7
    Duke5A
    I've never come across this before, but this will give you a list of all ongoing connections on a machine (both outgoing and listening) and the process that created it:

    Code:
    netstat -b
    At least you'll be able to narrow it down to process.
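
Added example, not part of the thread: one way to see which sender, destination and port account for a flood of 5152 events is to export them as text and tally them. It assumes the events are in the text layout pasted in post #1; the second host and the extra source ports in the sample are constructed.

```python
import ipaddress
import re
from collections import Counter

HEADER = "The Windows Filtering Platform has blocked a packet."
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\S.*?)\s*$")

def parse_events(text):
    """Return one {field: value} dict per 5152 event found in exported log text."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:  # section headings ("Network Information:") carry no value, so no match
                fields[m.group(1)] = m.group(2)
        if {"Source Address", "Destination Address", "Destination Port"} <= fields.keys():
            events.append(fields)
    return events

def dest_kind(addr):
    """Classify the destination; a subnet-directed broadcast needs the netmask, so it reads as unicast."""
    try:
        multicast = ipaddress.ip_address(addr).is_multicast
    except ValueError:
        return "unknown"
    if addr == "255.255.255.255":
        return "broadcast"
    return "multicast" if multicast else "unicast"

def top_talkers(text, limit=5):
    """Rank (source, destination, dest port, protocol, kind, count) by event count."""
    counts = Counter()
    for ev in parse_events(text):
        proto = PROTOCOLS.get(ev.get("Protocol", ""), ev.get("Protocol", "?"))
        counts[(ev["Source Address"], ev["Destination Address"], ev["Destination Port"], proto)] += 1
    return [(s, d, p, pr, dest_kind(d), n) for (s, d, p, pr), n in counts.most_common(limit)]

def sample_event(src, sport, dst, dport, proto):  # constructed event in the pasted layout
    return (f"{HEADER}\n\nApplication Information:\n    Process ID: 0\n    Application Name: -\n\n"
            f"Network Information:\n    Direction: Inbound\n    Source Address: {src}\n"
            f"    Source Port: {sport}\n    Destination Address: {dst}\n"
            f"    Destination Port: {dport}\n    Protocol: {proto}\n\n")

# Constructed sample: the event from post #1 three times, plus one from a made-up second host.
SAMPLE = "".join(sample_event("10.3.126.114", p, "255.255.255.255", 2008, 17) for p in (54799, 54800, 54801))
SAMPLE += sample_event("10.3.126.57", 61000, "224.0.0.252", 5355, 17)
```

Calling `top_talkers(SAMPLE)` ranks the laptop's UDP broadcast to port 2008 first. On the sending machine, that port is what to look for in the `netstat -b` output.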
