Max Thread Limit xxxxx Reached
I am trying to write a rule which is looking for failed logins for a user followed by no successful login in certain time period. If this gets true, alert me.
In this logic, I am using multithread on 'username' for the first statement. Even after making it 5k, it always says that the 'Max Thread Limit xxxxx Reached'. Post some investigation, I was able to figure out that this rule is also considering the usernames for multithreading which has successful logins for this rule even though successful login is not a criteria here.
My question is, why enVision is doing a multithread on the usernames where a failed login didn't even happen? In this case, I am sure the thread Limit will always be reached.
Any comments or advice to correct my understanding (if wrong).
The multithreading is based purely on the variable without regard to the actual events being collected.
You should go back and double-check your event selection and filter criteria in your rule... make sure you did not accidentally include any events that contain any successful logins, or perhaps action/result codes that show successes instead of failures.
Thanks for quick reply.
Well, the first circuit contains all the failure events where I am counting around 25 events in 5 minutes.
The second circuit "No Successful Login Attempt" joined by "Followed By" which does not have any threshold but yes it has the successful events selected. Which in my opinion should not have any affect on multithreading as I am not counting any events.
So here's the catch...
Multithreading applies across the entire rule - not just the first circuit. That said, it doesn't sound like it should be affecting your rule the way you built it.
Can you post the exported XML of your correlation rule so the community can take a look?
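To make the point in the replies above concrete, here is a small simulation of the two thread-keying behaviours being discussed: one where a per-username thread is opened for every username seen in any event the rule selects (including the successful logins in the "Followed By" circuit), and one where threads are opened only for usernames that appear in the first (failure) circuit. This is an added illustration written for this page, not enVision code, configuration or exported rule XML; the event records, the `thread_limit` of 3, the thresholds and all function names are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample events (not real enVision or Windows data).
# ts is seconds from an arbitrary origin; logon_type 3 = network logon.
Event = namedtuple("Event", "ts user outcome logon_type")

EVENTS = [
    Event(0,  "alice", "failure", 3),
    Event(10, "alice", "failure", 3),   # 2 failures in 10 s, never followed by success
    Event(30, "bob",   "success", 3),   # bob only ever succeeds
    Event(40, "bob",   "success", 3),
    Event(50, "carol", "failure", 3),
    Event(55, "carol", "failure", 3),
    Event(60, "carol", "success", 3),   # success shortly after the failures: no alert
    Event(70, "dave",  "success", 3),   # dave only ever succeeds
]


class ThreadLimitError(Exception):
    """Raised when more threads would be opened than the configured limit."""


def threads_keyed_on_rule(events, variable="user"):
    """Model of 'multithreading applies across the entire rule': one thread
    per distinct value of the variable seen in ANY event selected by ANY
    circuit, so users with only successful logins still get a thread."""
    return {getattr(e, variable) for e in events}


def threads_keyed_on_first_circuit(events, variable="user"):
    """Model of what the original poster expected: threads only for values
    that appear in the failure (first) circuit."""
    return {getattr(e, variable) for e in events if e.outcome == "failure"}


def correlate(events, threshold=2, window=300, quiet_period=60,
              thread_limit=3, key_on_whole_rule=True):
    """Alert on users with >= threshold failures inside `window` seconds that
    are NOT followed by a success within `quiet_period` seconds.
    Returns (alerting_users, thread_count); raises if the limit is exceeded."""
    keyfn = threads_keyed_on_rule if key_on_whole_rule else threads_keyed_on_first_circuit
    threads = keyfn(events)
    if len(threads) > thread_limit:
        raise ThreadLimitError(
            f"Max Thread Limit {thread_limit} Reached ({len(threads)} needed)")

    alerts = []
    for user in sorted(threads):
        failures = [e.ts for e in events if e.user == user and e.outcome == "failure"]
        successes = [e.ts for e in events if e.user == user and e.outcome == "success"]
        for i in range(threshold - 1, len(failures)):
            # Did `threshold` failures land inside one `window`?
            if failures[i] - failures[i - threshold + 1] <= window:
                trigger = failures[i]
                # "Followed By no successful login": suppress if a success
                # arrives within the quiet period after the trigger.
                if not any(trigger < s <= trigger + quiet_period for s in successes):
                    alerts.append(user)
                break
    return alerts, len(threads)


def hits_thread_limit(events, thread_limit=3, key_on_whole_rule=True):
    """True if correlate() would abort with the thread-limit error."""
    try:
        correlate(events, thread_limit=thread_limit, key_on_whole_rule=key_on_whole_rule)
    except ThreadLimitError:
        return True
    return False


if __name__ == "__main__":
    print("threads across whole rule:   ", sorted(threads_keyed_on_rule(EVENTS)))
    print("threads from first circuit:  ", sorted(threads_keyed_on_first_circuit(EVENTS)))
    print("limit hit (whole rule)?      ", hits_thread_limit(EVENTS, key_on_whole_rule=True))
    print("result (first circuit only): ", correlate(EVENTS, key_on_whole_rule=False))
```

With the rule-wide keying, bob and dave consume threads even though they never failed a login, so four threads are needed against a limit of three and the run aborts before any alert is produced; keyed on the failure circuit alone, only alice and carol get threads, and carol's success at 60 s suppresses her alert. The same arithmetic is what makes a rule that selects Logon Type 3 successes exhaust a limit in the thousands on a busy domain.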
As Matt mentioned the multi-threading is across the entire rule. Since you are looking at Logon Type 3 which occurs all of the time, you probably have tons of messages. Depending on how large your Windows Environment is, I could see why you might reach your limit.
What are you trying to accomplish with your report? That is, why the focus on logon type 3?