on Jul 28, 2020Article Content
| Article Number | 000039049 |
| Applies To | RSA Product Set: RSA NetWitness Platform RSA Product/Service Type: Core Appliance RSA Version/Condition: 11.X Platform: CentOS O/S Version: 7 |
| Issue | Few windows event source collection fails with below errors. /var/log/messages for MaxConcurrentOperationsPerUser error.
/var/log/messages for Max concurrent shells error.
|
| Cause | MaxConcurrentOperationsPerUser Exceeded issue can be due to: Multiple other products (for example, enVision or third party products) are also accessing WinRM on the same system using the same user account as RSA NetWitness. The same system is being collected from multiple times by RSA NetWitness (the same event source address is being accessed from different Collectors). WinRM Maximum Sessions Exceeded issue can be due to: By default, WinRM allows a maximum of five connections to a remote computer to be active per user. This has been exceeded on sites where other applications are collecting logs via WinRM in parallel with RSA NetWitness (for example, enVision). |
| Workaround | Please login to windows event source to increase the maximum concurrent operations per user via GPO or directly as follows by running command. winrm set winrm/config/Service @ \{MaxConcurrentOperationsPerUser="40"} Note: Number 40 is variable, if MaxConcurrentOperationsPerUser exceeded continues. Please increase the threshold to higher value. Restart the Windows Remote Management service in Services page. Please login to windows event source to increase the maximum concurrent sessions. Run the following command. winrm s winrm/config/winrs @{MaxShellsPerUser="X"} Note: X represents the number of connections that want to allow. Restart the Windows Remote Management service in Services page. |