Best practice: Monitoring file system usage

It is important to monitor file system usage in the /opt partition on Web Gateway, because this partition stores system files and is also where the appliance software is installed. A full /opt partition therefore impacts the performance of the appliance.

The /opt partition can be monitored based on the following:

  • Incident ID — An incident with ID 22 is generated on Web Gateway when the /opt partition is filled up to a level of 90%. This incident triggers an alert on the dashboard.

    The utilization level that leads to generating the incident is fixed and cannot be configured.

  • Statistical counter — A statistical counter called FileSystemUsage is available on Web Gateway to record utilization of the /opt partition.

    Using this statistical counter in a suitable rule, you can configure your own utilization threshold to trigger various kinds of alerts and log entries.

Working with a statistical counter

The statistical counter that you work with to monitor the /opt partition is configured as the criteria of a rule set. For example, if the statistical counter records an 85% utilization of the /opt partition, the rules in the rule set are processed.

The rule set is filled with the following:

  • A rule that creates a notification message, for example, "/opt partition usage is at 85 %".
  • Several rules that send or log this message.

Place the rule set as an embedded rule set in the Monitoring rule set, which is by default provided among the rule sets of the Error Handler log on Web Gateway.

The Monitoring rule set and its embedded rule sets are processed every minute by the error handler on Web Gateway, due to the use of incident ID 5 in the criteria of the embedding rule set.

In accordance with the names of the embedded monitoring rule sets that are by default available, your rule set for monitoring the /opt partition might be named Check Opt Partition.

Depending on the threshold that you choose, the criteria for this rule set reads as follows:

Statistics.Counter.GetCurrent ("FileSystemUsage") greater than or equals 85

Rules in a rule set for monitoring the /opt partition

A rule set for monitoring the /opt partition can be filled with the rules shown below.

Note: The structure of these rules is the same as that of the rules in the monitoring rule sets that are by default embedded in the Monitoring rule set. For example, the rules in the embedded Check Cache Partition rule set also have this structure.

This rule creates the notification message that is sent or logged by the other rules in the rule set.

Name: Create notification message
Criteria: Always
Action: Continue
Events:
  Set User-Defined.notificationMessage = "/opt partition usage at:" + Number.ToString (Statistics.Counter.GetCurrent ("FileSystemUsage")<Default>) + "%"

These rules use the notification message to perform the following activities:

  • Send an SNMP trap
  • Create a syslog entry
  • Send an email notification
  • Write a log file entry

Name: Send SNMP trap
Criteria: Always
Action: Continue
Events:
  Set SNMP.Trap.Additional = User-Defined.notificationMessage
  SNMP.Trap.Send.User (12, "High /opt partition utilization detected.")

Name: Create syslog entry
Criteria: Always
Action: Continue
Events:
  Syslog (3, User-Defined.notificationMessage)

Name: Send email for notification
Criteria: Always
Action: Continue
Events:
  Email.Send ("Enter valid email", "Message from McAfee Web Gateway", User-Defined.notificationMessage)<Monitoring>

Name: Write /opt partition into log
Criteria: Always
Action: Continue
Events:
  Set User-Defined.monitorLogMessage = "High /opt partition utilization detected." + User-Defined.notificationMessage
  FileSystemLogging.WriteLogEntry (User-Defined.monitorLogMessage)<Monitoring Incident Log>
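
Because the rule set is processed every minute and only fires at or above the threshold, a syslog receiver sees one message per minute while usage is high and nothing once it drops. The following added example (not part of the product documentation) shows receiver-side handling of the notification message: it suppresses repeats, escalates at the fixed 90% incident level, and treats a gap in messages as recovery. The line layout, host name, the quiet interval and the function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout (constructed for this example, not a product guarantee):
#   <ISO timestamp> <host> <tag>: <notification message>
# The pattern accepts both message forms that appear on this page:
#   "/opt partition usage at:86%"  and  "/opt partition usage is at 85 %"
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s.*?/opt partition usage (?:is )?at:?\s*(\d{1,3})\s*%"
)
WARN, CRIT = 85, 90            # rule set threshold; fixed incident ID 22 level
QUIET = timedelta(minutes=3)   # assumed: no message for this long = recovered

def severity(pct):
    return "critical" if pct >= CRIT else "warning" if pct >= WARN else "ok"

def alerts_for(lines, quiet=QUIET):
    """Return (host, severity, pct) only when a host's severity changes.
    Repeated per-minute messages at the same severity are suppressed."""
    last = {}   # host -> (severity, time of last message)
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        host, pct = m.group(2), int(m.group(3))
        if pct > 100:
            continue  # not a valid utilization percentage
        prev_sev, prev_ts = last.get(host, ("ok", ts))
        if ts - prev_ts > quiet:
            prev_sev = "ok"  # messages stopped, so usage had dropped below threshold
        sev = severity(pct)
        if sev != prev_sev and sev != "ok":
            out.append((host, sev, pct))
        last[host] = (sev, ts)
    return out

# Constructed sample input
SAMPLE = [
    "2024-05-01T10:00:00 mwg01 mwg: /opt partition usage at:86%",
    "2024-05-01T10:01:00 mwg01 mwg: /opt partition usage at:86%",
    "2024-05-01T10:01:30 mwg01 mwg: unrelated message",
    "2024-05-01T10:02:00 mwg01 mwg: /opt partition usage at:91%",
    "2024-05-01T10:30:00 mwg01 mwg: /opt partition usage is at 85 %",
]

if __name__ == "__main__":
    print(alerts_for(SAMPLE))
```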