RSA NetWitness Windows event source collection failure due to MaxConcurrentOperationsPerUser/MaxShellsPerUser Exceeded
Issue
A few Windows event source collections fail with the errors below.
/var/log/messages for the MaxConcurrentOperationsPerUser error:
Jun 24 03:48:12 COllector NwLogCollector[8524]: [WindowsCollection] [failure] [Domain_Controllers_Application.10_10_10_10] [processing] [WorkUnit] [processing] Unable to subscribe for events with Windows event source 10.10.10.10: Fault Code : s:Receiver Subcode : w:InternalError Reason : The WS-Management service cannot process the request. The maximum number of concurrent operations for this user has been exceeded. Close existing operations for this user, or raise the quota for this user. Fault Detail : The WS-Management service cannot process the request. This user is allowed a maximum number of 15 concurrent operations, which has been exceeded. Close existing operations for this user, or raise the quota for this user.
/var/log/messages for Max concurrent shells error.
The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user
Cause
The MaxConcurrentOperationsPerUser Exceeded issue can be due to:
Multiple other products (for example, enVision or third party products) are also accessing WinRM on the same system using the same user account as RSA NetWitness.
The same system is being collected from multiple times by RSA NetWitness (the same event source address is being accessed from different Collectors).
WinRM Maximum Sessions Exceeded issue can be due to:
By default, WinRM allows a maximum of five connections to a remote computer to be active per user. This has been exceeded on sites where other applications are collecting logs via WinRM in parallel with RSA NetWitness (for example, enVision).
Workaround
Log in to the Windows event source and increase the maximum concurrent operations per user, either via GPO or directly by running the following command.
winrm set winrm/config/Service @{MaxConcurrentOperationsPerUser="40"}
Note: The value 40 is an example. If the MaxConcurrentOperationsPerUser exceeded error continues, increase the threshold to a higher value.
Restart the Windows Remote Management service from the Services page.
Log in to the Windows event source and increase the maximum concurrent sessions by running the following command.
winrm s winrm/config/winrs @{MaxShellsPerUser="X"}
Note: X represents the number of connections that you want to allow.
Restart the Windows Remote Management service in Services page.
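An added example, not part of the original article or of RSA's tooling: a Python triage script for the collector's /var/log/messages that groups the two faults above by event source and names the WinRM setting each one points to. The sample lines and collector host names are constructed, and the log prefix on the shells line is an assumption, since the article quotes only the fault text for that error.

```python
import re
from collections import defaultdict

# Quota wording in the WS-Management fault -> (winrm config path, setting), as named in this article.
SETTINGS = {
    "operations": ("winrm/config/Service", "MaxConcurrentOperationsPerUser"),
    "shells": ("winrm/config/winrs", "MaxShellsPerUser"),
}
SOURCE_RE = re.compile(r"Windows event source (\S+?):")
QUOTA_RE = re.compile(r"maximum number of (\d+) concurrent (operations|shells)")

# Constructed sample lines (not real logs). The prefix on the shells line is an
# assumption: the article quotes only the fault text for that error.
SAMPLE_LOG = """\
Jun 24 03:48:12 collector1 NwLogCollector[8524]: [WindowsCollection] [failure] [DCs.192_0_2_10] [processing] [WorkUnit] [processing] Unable to subscribe for events with Windows event source 192.0.2.10: Fault Detail : This user is allowed a maximum number of 15 concurrent operations, which has been exceeded.
Jun 24 03:48:40 collector2 NwLogCollector[7311]: [WindowsCollection] [failure] [DCs.192_0_2_10] [processing] [WorkUnit] [processing] Unable to subscribe for events with Windows event source 192.0.2.10: Fault Detail : This user is allowed a maximum number of 15 concurrent operations, which has been exceeded.
Jun 24 03:49:05 collector1 NwLogCollector[8524]: [WindowsCollection] [failure] [Files.192_0_2_20] [processing] [WorkUnit] [processing] Unable to subscribe for events with Windows event source 192.0.2.20: Fault Detail : This user is allowed a maximum number of 5 concurrent shells, which has been exceeded.
Jun 24 03:49:30 collector1 NwLogCollector[8524]: [WindowsCollection] [info] constructed unrelated line
"""

def summarize_quota_faults(lines):
    """Group quota faults by (event source, setting): limit, hit count, reporting collectors."""
    faults = defaultdict(lambda: {"path": "", "limit": 0, "count": 0, "collectors": set()})
    for line in lines:
        src, quota = SOURCE_RE.search(line), QUOTA_RE.search(line)
        if not (src and quota):
            continue  # not one of the two quota faults
        path, setting = SETTINGS[quota.group(2)]
        entry = faults[(src.group(1), setting)]
        entry["path"] = path
        entry["limit"] = int(quota.group(1))   # quota currently enforced on the event source
        entry["count"] += 1
        entry["collectors"].add(line.split()[3])  # syslog host field
    return dict(faults)

def report(faults):
    """One line per event source and setting; flags sources reported by more than one collector."""
    out = []
    for (source, setting), f in sorted(faults.items()):
        dup = " [seen from several collectors: check for duplicate collection]" if len(f["collectors"]) > 1 else ""
        out.append(f"{source}: {setting} ({f['path']}) limit {f['limit']} exceeded {f['count']}x{dup}")
    return out

if __name__ == "__main__":
    print("\n".join(report(summarize_quota_faults(SAMPLE_LOG.splitlines()))))
```

The duplicate-collection flag is only meaningful when log lines from more than one Collector are fed in together.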
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure to increase the MaxConcurrentOperationsPerUser and MaxShellsPerUser threshold.