Monitoring Best Practices

- [ ] CPU usage (sustained high load)
- [ ] Memory usage (low available memory)
- [ ] Disk space (all volumes)
- [ ] Disk I/O (performance degradation)
- [ ] Network connectivity (ping/port checks)
- [ ] Critical services (running status)
- [ ] Windows Update status
- [ ] Antivirus status and definitions
- [ ] System event log errors

Domain Controllers:
- [ ] AD replication status
- [ ] SYSVOL replication
- [ ] DNS service responding
- [ ] DHCP scope utilization
- [ ] FSMO role holder status

File Servers:
- [ ] Share accessibility
- [ ] DFS replication status
- [ ] Shadow copy success
- [ ] Disk queue length

Database Servers:
- [ ] Database service status
- [ ] Transaction log size
- [ ] Deadlocks and blocking
- [ ] Backup job status
- [ ] Connection pool usage

Web Servers:
- [ ] HTTP/HTTPS response
- [ ] Application pool status
- [ ] Certificate expiration
- [ ] Response time
- [ ] Error rates

- [ ] Online/offline status
- [ ] Antivirus status
- [ ] Last boot time (stale systems)
- [ ] Patch compliance
- [ ] Disk encryption status

Firewalls:
- [ ] VPN tunnel status
- [ ] Interface status
- [ ] High availability failover
- [ ] Policy sync status
- [ ] License expiration

Switches:
- [ ] Port status (critical uplinks)
- [ ] VLAN configuration
- [ ] Spanning tree changes
- [ ] Power supply status (if redundant)

Wireless:
- [ ] Controller connectivity
- [ ] AP status
- [ ] Client association issues
- [ ] Channel utilization

- [ ] Backup job completion status
- [ ] Backup duration trends
- [ ] Backup size trends
- [ ] Failed files/errors
- [ ] Backup storage capacity
- [ ] Offsite/cloud backup status
- [ ] Test restore success

Microsoft 365:
- [ ] Service health
- [ ] Mailbox full warnings
- [ ] License expiration
- [ ] Exchange Online Protection alerts
- [ ] SharePoint site quota

Azure/AWS:
- [ ] Virtual machine status
- [ ] Storage account capacity
- [ ] Subscription spending alerts
- [ ] Security Center alerts
- [ ] Backup job status

Alert when C: drive reaches 80% full

Alert when disk will fill in 7 days at current rate

Example calculation:
- Monday: 60GB free
- Friday: 55GB free
- Rate: 5GB/4 days = 1.25GB/day
- Days until full: 55GB / 1.25GB = 44 days
- Action: Monitor, no alert yet

If rate increases to 5GB/day:
- Days until full: 55GB / 5GB = 11 days
- Action: Warning alert

# Check disk space trend
$drive = "C:"
$threshold = 7  # days

$history = Get-DiskSpaceHistory -Drive $drive -Days 7
$currentFree = (Get-PSDrive $drive).Free / 1GB
$avgDailyDecrease = ($history[0].FreeGB - $history[-1].FreeGB) / 7

if ($avgDailyDecrease -gt 0) {
    $daysUntilFull = $currentFree / $avgDailyDecrease

    if ($daysUntilFull -lt $threshold) {
        Send-Alert -Severity Critical -Message "Drive $drive will fill in $daysUntilFull days"
    }
}

Critical: >90% for 15 minutes
Warning: >80% for 30 minutes
Info: >70% for 1 hour

Critical: <10% available physical RAM for 10 minutes
Warning: <20% available for 15 minutes

Critical: <100MB available (not cached/buffered)
Warning: <500MB available

Check frequency: Every 5 minutes
Timeout: 30 seconds
Alert after: 2 consecutive failures
Check: HTTP 200 response code
Response time warning: >3 seconds
Response time critical: >10 seconds

Check frequency: Every 5 minutes
Alert after: 2 consecutive failures
Test: Actual query execution, not just port check

Check: Service status (Running/Stopped)
Alert: Immediately if stopped (for critical services)
Action: Attempt automatic restart before alerting
Escalate: If restart fails or service stops 3 times in 1 hour

# Silence alerts during maintenance
# Configure in monitoring system or:

# Example: Disable monitoring for server during patching
Disable-Monitoring -Server "SERVER01" -Duration 60 -Reason "Windows Updates"

# Auto-enable after duration or:
Enable-Monitoring -Server "SERVER01"

EMAIL 1: Server1 - Disk C: high
EMAIL 2: Server1 - Disk D: high
EMAIL 3: Server1 - Disk E: high

EMAIL 1: Server1 - Multiple disk space alerts (C:, D:, E:)

If backup fails between 2 AM - 3 AM:
  Wait 30 minutes
  Check again
  If still failing: Alert

If service restarts successfully:
  Log event
  Don't alert

If service restarts 3 times in 1 hour:
  Alert critical

If Firewall offline:
  Suppress alerts for:
    - All internet-dependent checks
    - VPN tunnel status
    - External website monitoring

If Domain Controller offline:
  Suppress alerts for:
    - AD authentication failures on other systems
    - Group Policy errors

Send single alert: "DC01 offline - 15 dependent checks suppressed"

# Performance Monitor
perfmon

# Event Viewer
eventvwr.msc

# Resource Monitor
resmon

# Task Scheduler for automated checks
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\DailyCheck.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 8am
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Daily Health Check"

# Built-in monitoring
top
htop
iotop
netstat
ss

# System logs
journalctl
tail -f /var/log/syslog

# Cron for scheduled checks
crontab -e
0 8 * * * /usr/local/bin/daily-check.sh

# Basic server health check
function Get-ServerHealth {
    param($ComputerName)

    $result = @{}

    # CPU
    $cpu = Get-Counter "\Processor(_Total)\% Processor Time" -ComputerName $ComputerName
    $result.CPU = [math]::Round($cpu.CounterSamples[0].CookedValue, 2)

    # Memory
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    $freeMemory = $os.FreePhysicalMemory / 1MB
    $totalMemory = $os.TotalVisibleMemorySize / 1MB
    $result.MemoryFreeGB = [math]::Round($freeMemory, 2)
    $result.MemoryUsedPercent = [math]::Round((($totalMemory - $freeMemory) / $totalMemory) * 100, 2)

    # Disk space
    $disks = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" -ComputerName $ComputerName
    $result.Disks = $disks | ForEach-Object {
        [PSCustomObject]@{
            Drive = $_.DeviceID
            SizeGB = [math]::Round($_.Size / 1GB, 2)
            FreeGB = [math]::Round($_.FreeSpace / 1GB, 2)
            PercentFree = [math]::Round(($_.FreeSpace / $_.Size) * 100, 2)
        }
    }

    # Services
    $criticalServices = @("W32Time", "DNS", "NTDS")  # Adjust as needed
    $result.Services = Get-Service -Name $criticalServices -ComputerName $ComputerName |
        Select-Object Name, Status

    # Last boot time
    $result.LastBootTime = $os.ConvertToDateTime($os.LastBootUpTime)
    $result.UptimeDays = ((Get-Date) - $result.LastBootTime).Days

    return $result
}

# Usage
$health = Get-ServerHealth -ComputerName "SERVER01"
if ($health.CPU -gt 90) {
    Send-Alert "High CPU on SERVER01: $($health.CPU)%"
}

#!/bin/bash
# linux-health-check.sh

# CPU
CPU_USAGE=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)

# Memory
MEM_TOTAL=$(free -m | awk 'NR==2{print $2}')
MEM_USED=$(free -m | awk 'NR==2{print $3}')
MEM_PERCENT=$(awk "BEGIN {printf \"%.2f\", ($MEM_USED/$MEM_TOTAL)*100}")

# Disk
DISK_USAGE=$(df -h / | awk 'NR==2{print $5}' | cut -d'%' -f1)

# Services
SERVICES=("sshd" "cron" "rsyslog")
for service in "${SERVICES[@]}"; do
    if ! systemctl is-active --quiet $service; then
        echo "CRITICAL: $service is not running"
        # Send alert
    fi
done

# Uptime
UPTIME_DAYS=$(uptime | awk '{print $3}' | cut -d',' -f1)

# Check thresholds
if [ $(echo "$CPU_USAGE > 90" | bc) -eq 1 ]; then
    echo "CRITICAL: CPU usage at ${CPU_USAGE}%"
fi

if [ $(echo "$MEM_PERCENT > 90" | bc) -eq 1 ]; then
    echo "CRITICAL: Memory usage at ${MEM_PERCENT}%"
fi

if [ $DISK_USAGE -gt 85 ]; then
    echo "WARNING: Disk usage at ${DISK_USAGE}%"
fi

Subject: Daily IT Summary - $(Get-Date -Format "yyyy-MM-dd")

ALERTS (Last 24 Hours):
- 2 Critical
- 5 Warnings
- 12 Information

BACKUP STATUS:
- Successful: 15/15
- Failed: 0
- Warnings: 0

SERVER STATUS:
- Online: 18/18
- CPU Avg: 35%
- Memory Avg: 60%
- Disk Space: Healthy

WORKSTATIONS:
- Online: 45/50
- Patch Compliance: 92%
- AV Up-to-Date: 100%

ACTION REQUIRED:
- Review certificate expiration on WEB01 (30 days)
- Plan disk upgrade for FILE01 (trending to full in 45 days)