Monitoring disk space utilization growth/increase with Operations Manager 2007

By default, Microsoft Operations Manager includes some monitors / rules that can monitor the disk utilization of system and/or data disks of your servers (and clients). This is a really nice feature; however, this kind of monitoring may still leave you one step behind your users. After all, there is no way to monitor whether a set of data on a disk starts growing faster than you would like. You would get an alert – sure – but it might be too late already.

Let’s say you have a disk on a fileserver that contains all of the data/shares of your end users, and all of the homefolders. Assume that the (for example) 300Gb disk already contains 260Gb worth of data. No problems so far, life is good, and OpsMgr would not trigger an alert yet (unless you have changed the default threshold values).

Suppose one of your users starts copying a DVD to his homefolder… the used space would increase by 4Gb. OpsMgr would still not generate an alert. But let’s be honest – this is something you would like to know, right? If your data folders increase by 4Gb a day, then you would like to know this sooner – even before the “low level” threshold gets triggered.

Out of the box, there is no way to do this.  So I decided to write a small vbs script, and used the vbscript in an OpsMgr monitor.

Download

You can download a copy of the script here :
checkfoldergrowth.vbs (8.9 KiB)

(Check back for updated versions of the script)

Script basics

The script requires 3 parameters, each separated with a single blank (space), and one optional parameter :

Mandatory parameters

1. The absolute path to the folder (or disk) that needs to be monitored. You can use multiple paths/folders by separating them using a comma. So if you want to look at d:\shares and d:\homefolders, then the first parameter should be "d:\shares","d:\homefolders"

Note : the current version of the script will look at all folders (1 level deep) inside the folder that you’ve specified as a parameter. So if d:\shares only contains files, then you should use d:\ as parameter (which would include d:\shares, as well as all other folders on drive d:)

2. The timewindow, in hours (integer numeric value)

3. The max amount of growth, in megabytes.

Optional parameter

As 4th parameter, you can specify the folders you want to exclude from the monitoring. You can specify multiple folders; just make sure to use the same conventions as with the first parameter (comma separated, no spaces between the individual folders, each folder path between double quotes).

Conclusion : if you want to monitor disk space utilization growth on drive d:, which includes all shared folders (under d:\shares) and all shared homefolders (under d:\homefolders), and you would allow up to 2Gb growth in 24 hours, and you want to exclude d:\scripts then you should use this as parameters

"d:\","d:\shares","d:\homefolders" 24 2048 "d:\scripts"

(Make sure not to put any spaces between the folders, just use double quotes and a comma, no spaces !)

When the script runs, you will get event 951 in the Operations Manager event log on the server that is being monitored. This event indicates that the script was launched. If the script was launched with an invalid number of parameters, you will get a corresponding message in the body of that event log entry.

When the script finishes (for the first time), you will get event ID 991, indicating that the script has finished (and has only created baseline information). In all other cases, you will get event ID 990, either containing the text “GOOD” when no problems have been detected, or containing some information about the folders that have triggered an alert.

The message that is passed back in a PropertyBag to OpsMgr is stored in the Message variable (see later in this post – see unhealthy & health expressions section)
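The behaviour described in this section, written out as VBScript (an added example, not the downloadable checkfoldergrowth.vbs, whose internals are not shown in this post). The script name growthdemo.vbs, the baseline file under %TEMP% and reporting GOOD on the baseline-only run are assumptions.

```vbscript
' Added illustration, not the downloadable checkfoldergrowth.vbs.
' Assumptions: script name and the baseline file under %TEMP% are hypothetical.
Option Explicit
Const SCRIPT = "growthdemo.vbs"
Dim oAPI, oBag, oFSO, a, excl, baseFile, ts, parts, grown, msg, out, p, f
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set a = WScript.Arguments
Call oAPI.LogScriptEvent(SCRIPT, 951, 0, "Script launched")
If a.Count < 3 Then
  Call oAPI.LogScriptEvent(SCRIPT, 951, 1, "Invalid number of parameters")
  WScript.Quit
End If
excl = ","                                   ' optional 4th parameter: exclusions
If a.Count > 3 Then excl = "," & LCase(Replace(a(3), """", "")) & ","
baseFile = oFSO.BuildPath(oFSO.GetSpecialFolder(2), "growthdemo.baseline")
If oFSO.FileExists(baseFile) Then            ' compare against the stored baseline
  With oFSO.OpenTextFile(baseFile, 1)        ' 1 = ForReading
    ts = CDate(.ReadLine)                    ' first line: when the window started
    Do Until .AtEndOfStream
      parts = Split(.ReadLine, "|")          ' remaining lines: path|bytes
      If oFSO.FolderExists(parts(0)) Then
        grown = (oFSO.GetFolder(parts(0)).Size - CDbl(parts(1))) / 1048576
        If grown > CLng(a(2)) Then msg = msg & parts(0) & " grew " & Round(grown) & " MB; "
      End If
    Loop
    .Close
  End With
End If
If IsEmpty(ts) Or DateDiff("h", ts, Now) >= CInt(a(1)) Then   ' first run or window over
  Set out = oFSO.CreateTextFile(baseFile, True)
  out.WriteLine Now
  For Each p In Split(Replace(a(0), """", ""), ",")
    For Each f In oFSO.GetFolder(p).SubFolders                ' one level deep
      On Error Resume Next                   ' Size raises on folders the agent cannot read
      If InStr(excl, "," & LCase(f.Path) & ",") = 0 Then out.WriteLine f.Path & "|" & f.Size
      On Error GoTo 0
    Next
  Next
  out.Close
End If
If msg = "" Then msg = "GOOD"                ' assumption: baseline-only run also reports GOOD
If IsEmpty(ts) Then
  Call oAPI.LogScriptEvent(SCRIPT, 991, 0, "Baseline created")
Else
  Call oAPI.LogScriptEvent(SCRIPT, 990, 0, msg)
End If
Set oBag = oAPI.CreatePropertyBag()
Call oBag.AddValue("Message", msg)
Call oAPI.Return(oBag)
```

Because the baseline file name is fixed here, two monitors on the same server would overwrite each other's baseline; give each monitor its own file name.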

Operations Manager Setup

This is how you can use this script as an Operations Manager monitor

Open the Operations Console, open the “Authoring” pane, go to “Monitors” and open the Windows 2003 Computers (or any other group that contains computer objects)

Create a new Unit monitor, and select “Scripting” – “Generic” – “Timed Script Two State Monitor”

Create a new custom Management Pack and select the custom Management Pack as destination MP

Click Next to continue

Specify a good, relevant name. You can include the name of the server and the drive/folder, because you will have to create a monitor for each server / folderset combination.

Make sure the target is set to Windows Server 2003 Computer (or another group that contains computer objects) and DISABLE the monitor for now

Click next to continue

Run every : 30 minutes may be a good interval to start with.  Set to sync at 0:00

Click next to continue

File Name : choose a relevant filename for the script. Don’t forget the .vbs extension.

Timeout : choose something below the “Run every” interval. 25 minutes may be a good starting point

Clean the “Script” field, and paste the entire script (download link : see earlier in this post) in the “Script” field

Click “Parameters” and enter your 3 parameters :

"d:\","d:\shares","d:\homefolders" 24 2048

Click OK to close the parameter window

Click Next to continue

Unhealthy expression :

Property[@Name='Message']     Does not equal     GOOD

Click next

Healthy expression :

Property[@Name='Message']     Equals     GOOD

Click next

Map the monitor conditions to health states (default settings will do just fine for now)

Click next.

Enable the generation of alerts, and let the monitor auto resolve

Create a relevant Alert name (which will be displayed in the alert) and use

$Data/Context/Property[@Name='Message']$ in the alert description field

Click “Create” to save the monitor

The monitor is still disabled, so we need to create an override to activate the monitor on the server (FILESERVER1 in our example)

Right-click the monitor, choose “Overrides” – “Override the monitor” – “For a specific object of Type : Windows Server 2003 Computer”

Select the server where the monitored folders reside and click OK

Change the “enabled” parameter to “True” and save the override

Now wait for the script to kick in.  (Look at the event log. You should at least get event ID 951 under “Operations Manager” on the target server when the script starts, and event 990 when the script ends)

You can test whether the script works by adding files/data to your folders and checking whether the growth is noticed by the monitor.

Note : I wrote the script in about 30 minutes, so obviously it has not been tested thoroughly yet. If you find bugs, please don’t hesitate to let me know  (peter.ve@telenet.be)

Thanks

© 2008 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
