I've been thinking for a couple of hours now about whether it's possible to create a check that lets me know if something weird is going on on our fileservers. Especially crypto malware that encrypts our whole filesystem should be visible, or am I wrong? A check like: if HDD usage = 100% in the last two minutes, then warn.
Is there a way I could create that check in CheckMK?
Most likely you need to create your own custom check for this.
On the fileserver, if this is a *nix-based system, you might like to check the iostat output, especially the %util column (the last one); on my test system nothing is going on here.
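One way to turn the iostat idea above into a Checkmk local check, as an added example that is not part of the original posts. The threshold, the 4 x 30 s sampling window and the `Disk_util_<device>` service names are assumptions, and the sample output is constructed.

```python
#!/usr/bin/env python3
# Added example (not from the thread): Checkmk local check for sustained disk saturation.
import subprocess

THRESHOLD = 95.0                           # assumed %util that counts as saturated
IOSTAT = ["iostat", "-dxy", "30", "4"]     # assumed window: 4 reports x 30 s = 2 minutes

def parse_util(iostat_text):
    """Return {device: [%util of each report]} from `iostat -dx` output."""
    samples, col = {}, None
    for line in iostat_text.splitlines():
        fields = line.split()
        if not fields:
            col = None                      # a blank line ends a report block
        elif fields[0].rstrip(":") == "Device":
            col = fields.index("%util")     # locate by name; layout varies by version
        elif col is not None and len(fields) > col:
            value = float(fields[col].replace(",", "."))   # tolerate decimal commas
            samples.setdefault(fields[0], []).append(value)
    return samples

def local_check_lines(samples, threshold=THRESHOLD):
    """One local-check line per device; WARN (1) only if every report is >= threshold."""
    lines = []
    for dev, utils in sorted(samples.items()):
        low = min(utils)
        status = 1 if low >= threshold else 0
        lines.append(f"{status} Disk_util_{dev} util_min={low:.1f} "
                     f"lowest %util over {len(utils)} reports: {low:.1f}")
    return lines

# Constructed sample (columns trimmed): sda is pinned, sdb only spikes once.
SAMPLE = """
Device   r/s    w/s     wkB/s  %util
sda      2.0  810.0   98304.0   99.6
sdb      1.0    4.0      64.0    3.1

Device   r/s    w/s     wkB/s  %util
sda      1.0  795.0   97280.0   98.9
sdb      0.0   90.0    4096.0   97.2

Device   r/s    w/s     wkB/s  %util
sda      3.0  802.0   97792.0   99.8
sdb      0.0    2.0      32.0    2.4
"""

if __name__ == "__main__":
    out = subprocess.run(IOSTAT, capture_output=True, text=True, check=True).stdout
    print("\n".join(local_check_lines(parse_util(out))))
```

Sustained saturation also matches backups and scans, so a WARN here is a prompt to look at the host, not a verdict. The two-minute sampling run holds up the agent unless the script is executed asynchronously.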
Why not use thresholds on Disk IO Summary or on single Disk IO checks? It's built in and just needs to be configured. Also, CPU IO Wait could be an indicator.
Monitoring HDD usage is not the best way to protect against ransomware. There are a couple of possibilities available, like monitoring for specific behaviour or file type extensions. In Windows there's a built-in option called FSRM, with which you can do real-time monitoring and blocking of SMB connections:
Just use the built-in Levels For Disk IO rule if you specifically want to monitor activity. I use it to ensure bottlenecks are spotted across certain hosts that are critical.
Hello,
As a hint that something is happening, OK, but if a trojan is active, every second counts.
You should use a tool / a config designed for this case.