Low disk space alert for Windows server


ektadhu...@gmail.com

May 27, 2021, 2:30:36 AM
to Wazuh mailing list
Hi Team,

We had a requirement to create an alert when C drive space on any Windows server crosses 85%.

How can we achieve this?

Thanks and Regards,
Ekta

victor....@wazuh.com

May 27, 2021, 7:21:27 AM
to Wazuh mailing list
Hello Ekta,

There are a lot of possibilities to solve this use case. We are going to choose command monitoring (https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/command-configuration.html#basic-usage) to solve this issue:
  • Add to your agent configuration a new command monitoring configuration block
You can create a new configuration block in your agent's configuration that allows your agent to run a command that will provide the free disk space in your system. Add the following block:

<localfile>
   <log_format>command</log_format>
   <command>powershell -command "$disk = Get-PSDrive C | Select-Object Used,Free;$total = $disk.used + $disk.free;if ($total -gt 0){ $PercentFree = [Math]::round((($disk.free/$total) * 100))} else {$PercentFree = 0};if ($PercentFree -le 25){Write-Host 'Device C:/ with less than 25% of free space - '$PercentFree '%'}"</command>
   <frequency>43200</frequency>
   <alias>free-space-disk-C</alias>
</localfile>


Where:

log_format: Specifies the log format. In this case, command.
command: This command, run from cmd, calls a PowerShell script that checks the free space on the C: disk and reports when it is lower than 25 per cent of the total space.
frequency: The frequency of the command execution (set to 12 hours).
alias: Alias of the command.

More information about these options here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html

After restarting your wazuh-agent you will receive the following event in your wazuh manager, in case your disk space is lower than 25%:

2021 May 26 11:27:52 (vagrant-2016) any->free-space-disk-C ossec: output: 'free-space-disk-C': Device C:/ with less than 25% of free space -  20 %


You will need a specific rule for this event:
  • Rules: Add this rule to the /var/ossec/etc/rules/local_rules.xml file:

<group name="win-custom,">
  <rule id="100034" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'free-space-disk-C':</match>
    <regex>with less than 25%</regex>
    <description>Device with less than 25% of free space </description>
  </rule>
</group>

  • Restart your wazuh manager.
  • Ensure your alert is working using the /var/ossec/bin/wazuh-logtest tool:
[root@centos1 vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line

ossec: output: 'free-space-disk-C': Device C:/ with less than 25% of free space -  23 %

**Phase 1: Completed pre-decoding.
    full event: 'ossec: output: 'free-space-disk-C': Device C:/ with less than 25% of free space -  23 %'

**Phase 2: Completed decoding.
    name: 'ossec'

**Phase 3: Completed filtering (rules).
    id: '100034'
    level: '7'
    description: 'Device with less than 25% of free space '
    groups: '['win-custom']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

  • Now, your wazuh manager will trigger the following alert:

** Alert 1622033145.140332: - win-custom,
2021 May 26 12:45:45 (vagrant-2016) any->free-space-disk-C
Rule: 100034 (level 7) -> 'Device with less than 25% of free space '
ossec: output: 'free-space-disk-C': Device C:/ with less than 25% of free space -  23 %


Using command monitoring is the best option if you want to monitor the free space of a lot of Windows agents, because you can use a centralized configuration (https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html) by enabling logcollector.remote_command in the local internal options of your agents.

If you have any doubt don't hesitate to ask.

victor....@wazuh.com

May 27, 2021, 7:43:14 AM
to Wazuh mailing list

Sorry, the script and configurations specified in my last message are for a percentage of free space of 25 or lower. For your use case (15% of free space) you should change:

  • Command:

   <command>powershell -command "$disk = Get-PSDrive C | Select-Object Used,Free;$total = $disk.used + $disk.free;if ($total -gt 0){ $PercentFree = [Math]::round((($disk.free/$total) * 100))} else {$PercentFree = 0};if ($PercentFree -le 25){Write-Host 'Device C:/ with less than 25% of free space - '$PercentFree '%'}"</command>

With

   <command>powershell -command "$disk = Get-PSDrive C | Select-Object Used,Free;$total = $disk.used + $disk.free;if ($total -gt 0){ $PercentFree = [Math]::round((($disk.free/$total) * 100))} else {$PercentFree = 0};if ($PercentFree -le 15){Write-Host 'Device C:/ with less than 15% of free space - '$PercentFree '%'}"</command>


Replacing ($PercentFree -le 25) with ($PercentFree -le 15), and

Write-Host 'Device C:/ with less than 25% of free space - '$PercentFree '%' with Write-Host 'Device C:/ with less than 15% of free space - '$PercentFree '%'


  • Regex and the description of the rule:

  <regex>with less than 15%</regex>

  <description>Device with less than 15% of free space </description>


You could edit the script to generate different events for multiple free-space limits, or change it according to your preferences.
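As an added example that is not part of the original thread or of the Wazuh project, the following script generalizes the single-drive, single-threshold command above to every local fixed disk and to several thresholds at once. It keeps the thread's output wording ("Device X:/ with less than N% of free space - P %") so the rule shown earlier only needs its regex adjusted per threshold (for instance "with less than 10%" and "with less than 15%" as two rules). The threshold values and the script path in the usage note are constructed for this example.

```powershell
# Added example, not code from the original thread or from the Wazuh project.
# Reports every local fixed disk whose free-space percentage is at or below
# one of several thresholds, one output line per affected drive.
# Assumptions: the threshold values below are constructed sample values.

# Ascending order: the first threshold the value is at or below is the most
# severe one crossed, so an 8% disk reports "less than 10%", not "less than 25%".
$Thresholds = @(10, 15, 25)

# DriveType 3 = local fixed disk; this skips removable, network and optical drives.
$Drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3"

foreach ($d in $Drives) {
    # Skip volumes that report no size rather than dividing by zero.
    if (-not $d.Size -or $d.Size -le 0) { continue }

    $letter      = $d.DeviceID.TrimEnd(':')
    $percentFree = [Math]::Round(($d.FreeSpace / $d.Size) * 100)

    # Lowest threshold that has been crossed, or $null if the disk is healthy
    # (a healthy disk produces no output and therefore no event).
    $crossed = $Thresholds | Where-Object { $percentFree -le $_ } | Select-Object -First 1

    if ($null -ne $crossed) {
        # Write-Output goes to stdout, which is what the agent collects; with
        # log_format "command" each line becomes a separate event on the manager.
        Write-Output ("Device {0}:/ with less than {1}% of free space - {2} %" -f $letter, $crossed, $percentFree)
    }
}
```

Because the logic no longer fits comfortably on one line, save it as a file on the agent (for example C:\Scripts\Check-FreeSpace.ps1, an assumed path) and point the command block at it: `<command>powershell -ExecutionPolicy Bypass -File "C:\Scripts\Check-FreeSpace.ps1"</command>`, keeping the same `<log_format>command</log_format>`, `<frequency>` and `<alias>` as in the thread. Write-Output is used instead of Write-Host so the lines reach stdout regardless of the PowerShell host the agent launches.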
