000039049 - RSA NetWitness Windows event source collection failure due to MaxConcurrentOperationsPerUser/MaxShellsPerUser Exceed

Document created by RSA Customer Support Employee on Jul 28, 2020
Version 1

Article Content

Article Number: 000039049
Applies To: RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
 
Issue
Collection from a few Windows event sources fails with the errors below.

/var/log/messages for MaxConcurrentOperationsPerUser error.

Jun 24 03:48:12 COllector NwLogCollector[8524]: [WindowsCollection] [failure] [Domain_Controllers_Application.10_10_10_10] [processing] [WorkUnit] [processing] Unable to subscribe for events with Windows event source 10.10.10.10: Fault Code : s:Receiver Subcode : w:InternalError Reason : The WS-Management service cannot process the request. The maximum number of concurrent operations for this user has been exceeded. Close existing operations for this user, or raise the quota for this user.  Fault Detail : The WS-Management service cannot process the request. This user is allowed a maximum number of 15 concurrent operations, which has been exceeded. Close existing operations for this user, or raise the quota for this user.


/var/log/messages for Max concurrent shells error. 


The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user
Cause
The MaxConcurrentOperationsPerUser exceeded issue can be due to:
  • Multiple other products (for example, enVision or third party products) are also accessing WinRM on the same system using the same user account as RSA NetWitness.
  • RSA NetWitness is collecting from the same system multiple times (the same event source address is being accessed from different Collectors).

The WinRM maximum sessions exceeded issue can be due to:
  • By default, WinRM allows a maximum of five connections to a remote computer to be active per user. This limit is exceeded on sites where other applications are collecting logs via WinRM in parallel with RSA NetWitness (for example, enVision).
Workaround
Log in to the Windows event source and increase the maximum concurrent operations per user, either via GPO or directly by running the following command.

winrm set winrm/config/Service @{MaxConcurrentOperationsPerUser="40"}

Note: The value 40 is an example. If the MaxConcurrentOperationsPerUser exceeded error continues, increase the threshold to a higher value.

Restart the Windows Remote Management service from the Services page.

Log in to the Windows event source and increase the maximum concurrent sessions by running the following command.

winrm s winrm/config/winrs @{MaxShellsPerUser="X"}

Note: X represents the number of connections that you want to allow.

Restart the Windows Remote Management service from the Services page.
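
To see which event sources are hitting which quota, and at what current limit, before raising a value, the two faults quoted under Issue can be tallied from the Collector's /var/log/messages. The Python script below is an added example, not RSA tooling; its sample lines are constructed, and it assumes the shells fault is logged with the same NwLogCollector prefix as the operations fault.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the /var/log/messages excerpts in this
# article. Assumption: the shells fault carries the same NwLogCollector prefix.
PREFIX = ("NwLogCollector[8524]: [WindowsCollection] [failure] [{0}] "
          "[processing] [WorkUnit] [processing] Unable to subscribe for events "
          "with Windows event source {1}: Fault Code : s:Receiver Subcode : "
          "w:InternalError Fault Detail : This user is allowed a maximum number of ")
SAMPLE_LOG = [
    "Jun 24 03:48:12 collector " + PREFIX.format("DC_App.10_10_10_10", "10.10.10.10")
    + "15 concurrent operations, which has been exceeded.",
    "Jun 24 03:49:12 collector " + PREFIX.format("DC_Sec.10_10_10_10", "10.10.10.10")
    + "15 concurrent operations, which has been exceeded.",
    "Jun 24 03:49:40 collector " + PREFIX.format("FS_Sec.10_10_10_11", "10.10.10.11")
    + "5 concurrent shells, which has been exceeded.",
    "Jun 24 03:50:00 collector sshd[991]: Accepted publickey for admin",
]

SOURCE_RE = re.compile(r"Windows event source (\S+): ")
QUOTA_RE = re.compile(r"maximum number of (\d+) concurrent (operations|shells)")
# Map the wording of each fault to the WinRM setting named in the Workaround.
SETTING = {"operations": "MaxConcurrentOperationsPerUser",
           "shells": "MaxShellsPerUser"}

def quota_failures(lines):
    """Count quota faults per (event source, WinRM setting, current limit)."""
    counts = Counter()
    for line in lines:
        if "[WindowsCollection]" not in line:
            continue  # not a Windows collection message
        src, quota = SOURCE_RE.search(line), QUOTA_RE.search(line)
        if src and quota:
            key = (src.group(1), SETTING[quota.group(2)], int(quota.group(1)))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (source, setting, limit), n in sorted(quota_failures(SAMPLE_LOG).items()):
        print(f"{source}: {setting} limit {limit} exceeded {n} time(s)")
```

On a Collector, pass `open("/var/log/messages")` instead of `SAMPLE_LOG`.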
 
