The Security Analytics concentrator service demonstrates instability, appearing to going offline then back on in the UI. When reviewing the concentrator's /var/log/messages file, it is observed that there are thousands of messages such as:
NwCreateChannelByPath returned 0; code 128; error: Session 1585 has exceeded the maximum allowed channels (2000)
These messages reconcile to the same date and time of the first observed instance of the instability.
In this instance, the number of threads allocated in the concentrator configuration was set to 15; below the default value of 20, as seen in the screenshot here:
Under load, this may cause the concentrator process to become thread bound, as the concentrator process will be forced to wait for a thread to become available before a pending request can be processed.
To that note, in some instances on busy systems, it may be necessary to increase this value if it is currently set at the default value of 20.
Check the number of allocated threads in the configuration screen for the concentrator.
If it is lower than 20, increase it to 20, then restart the nwconcentrator process.
If already at 20, increase it in reasonable increments, starting at 25.
To adjust the thread value, evoke the Security Analytics UI, and click on Administration > Services.
Select the concentrator service, then View > Config.
Under the System Configuration section, double click on the number value of Threads under the Config Value column.
Enter an appropriate value (if not set to 20, enter 20, if already at 20, enter 25).
A service restart of nwconcentrator is then required. From the command line as root, issue the following command:
Be sure to monitor /var/log/messages closely when the system is under load to ensure the thread value is high enough to support thread requests.