Blog Series: Monitoring using PowerShell: Part five – Monitoring the Windows Search Database, iSCSI Connections, and Bitlocker state.

Hi All,

My next couple of blogs will be a series in which I explain how to use PowerShell to monitor critical infrastructure. I will be releasing a blog every day that touches on how to monitor specific software components, but also network devices from Ubiquiti, third-party APIs and Office365. I will also show how you can integrate this monitoring into current RMM packages such as Solarwinds N-Central and Solarwinds RMM MSP, and I will even include the required files to import the monitoring set directly into your system.

Requirements:

  • (Optional): Windows Search Service Installed
  • (Optional): TPM/Bitlocker
  • (Optional): an iSCSI connected disk
  • PowerShell v3 or higher

Creating the monitoring sets:

In this blog we’re going a bit more diverse and I will explain how to monitor very specific Windows Components. This is just a large combination of stuff I like to monitor and see people struggling with sometimes. I hope these sets help in creating your own. 🙂

Monitor the Windows Search Database

If you’re using RDS2012 or 2016 with the Windows Search Service you know the Windows.edb database can sometimes grow explosively. A part of the solution for this can be found in the CoreCount Registry key found in my blog here. This script monitors the Windows Search database and reports if it’s growing out of control.

param(
    [string]$MaxSizeInGB = '50'
)
# Only check the database when the Windows Search service is running
$getservice = Get-Service "wsearch" -ErrorAction SilentlyContinue
if ($getservice.Status -eq "Running") {
    # The index location is stored in the registry
    $CurrentLoc = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Search" -Name DataDirectory
    $File = Get-Item -Path "$($CurrentLoc.DataDirectory)\Applications\Windows\windows.edb"
    # Size in whole GB
    $FileSize = [math]::Truncate($File.Length / 1GB)
    if ($FileSize -gt $MaxSizeInGB) {
        $SearchHealth = "SearchDB is $($FileSize)GB - Please investigate"
    }
    if (!$SearchHealth) { $SearchHealth = "Healthy" }
}

Just knowing it’s getting large is of course only half the battle. I’ll also include the script we have to automatically rebuild the search database when this happens. Just pay mind that you do not run this while users are using the servers, and schedule this only in maintenance windows.

Rebuild the searchdb:

Stop-Service Wsearch
$CurrentLoc = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Search" -name DataDirectory
remove-item $CurrentLoc.DataDirectory -force -Recurse
Start-Service Wsearch
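
The rebuild above deletes whatever path the DataDirectory registry value points at, so it is worth validating that path before the recursive delete. The following is an added example, not part of the original post: the function name Reset-SearchDatabase is hypothetical, and the check for an Applications\Windows subfolder assumes the layout used by the monitoring script earlier in this post.

```powershell
# Added example: guarded rebuild of the Windows Search database.
# Reset-SearchDatabase is a hypothetical name, not part of the original post.
function Reset-SearchDatabase {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
    )

    # Fail loudly if the value is missing rather than continuing with $null.
    $dataDir = (Get-ItemProperty -Path $RegistryPath -Name DataDirectory -ErrorAction Stop).DataDirectory
    if ([string]::IsNullOrWhiteSpace($dataDir)) {
        throw "DataDirectory is empty in $RegistryPath"
    }
    $resolved = (Resolve-Path -LiteralPath $dataDir -ErrorAction Stop).ProviderPath

    # Refuse to delete a drive root or a folder that does not hold the index.
    if ($resolved -eq [System.IO.Path]::GetPathRoot($resolved)) {
        throw "Refusing to delete drive root '$resolved'"
    }
    $indexDir = Join-Path $resolved 'Applications\Windows'
    if (-not (Test-Path -LiteralPath $indexDir -PathType Container)) {
        throw "'$resolved' does not contain Applications\Windows; not a search data directory"
    }

    if ($PSCmdlet.ShouldProcess($resolved, 'Stop WSearch, delete index, start WSearch')) {
        Stop-Service -Name WSearch -ErrorAction Stop
        try {
            if ((Get-Service -Name WSearch).Status -ne 'Stopped') {
                throw 'WSearch did not stop; index files are still in use'
            }
            Remove-Item -LiteralPath $resolved -Recurse -Force -ErrorAction Stop
        }
        finally {
            # Always bring the service back, even if the delete failed.
            Start-Service -Name WSearch
        }
    }
}

# Dry run first: reports what would be deleted without touching anything.
Reset-SearchDatabase -WhatIf
```

Drop the -WhatIf switch inside the maintenance window to perform the actual rebuild.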

Monitoring iSCSI connections and restoring them.

For our clients we often use iSCSI SANs, or iSCSI NAS devices for backups. Sometimes these devices get disconnected or lose one of the iSCSI connections. We can monitor this using get-iscsiconnection on any server 2012+ by using the following script.

try {
    # -ErrorAction Stop turns cmdlet errors into terminating errors so the catch block runs
    $Sessions = Get-IscsiSession -ErrorAction Stop
} catch {
    $ScriptError = "Get-IscsiSession failed. : $($_.Exception.Message)"
    exit
}
foreach ($session in $Sessions) {
    # A session that is not connected and has no connections left is reported
    if ($session.IsConnected -eq $false -and $session.NumberOfConnections -eq 0) {
        $iSCSIStatus += "`n$($session.TargetNodeAddress) is disconnected"
    }
}
if (!$iSCSIStatus) { $iSCSIStatus = "Healthy" }
if (!$ScriptError) { $ScriptError = "Healthy" }

Now restoring them is quite simple. You can run the following command to reconnect all disconnected sessions:

Get-IscsiTarget | Connect-IscsiTarget

Or to only connect the target that is disconnected specifically:

Get-IscsiTarget | where-object IsConnected -eq $False | Connect-IscsiTarget

Monitor Bitlocker status:

We also have clients that want us to monitor the Bitlocker state for them, so we’ve created a monitoring set for this too. Monitoring the Bitlocker state is done by checking for the string “Protection on”.

# Key protectors configured on the C: volume
$Key = (Get-BitLockerVolume -MountPoint C).KeyProtector
try {
    # -ErrorAction Stop turns WMI errors into terminating errors so the catch block runs
    Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume -ErrorAction Stop |
        ForEach-Object {
            $ID = $_.DriveLetter
            switch ($_.GetProtectionStatus().ProtectionStatus) {
                0 { $State = "PROTECTION OFF" }
                1 { $State = "PROTECTION ON - $Key" }
                2 { $State = "PROTECTION UNKNOWN" }
            }
            # Holds the status of the last volume enumerated
            $ProtectionStatus = "$ID $State"
        }
} catch {
    $ScriptError = "Get Bitlocker State Failed : $($_.Exception.Message)"
    exit
}
if (!$ScriptError) { $ScriptError = "Healthy" }
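
An RMM status string is readable by everyone with dashboard access, so a Bitlocker check should report every volume and the types of key protector present, never the protector secrets themselves. The following is an added example, not part of the original post: Get-BitLockerHealth and its -RequiredProtector parameter are hypothetical names, and requiring a RecoveryPassword protector on every volume is an assumed policy. It must run elevated on a machine where Get-BitLockerVolume is available.

```powershell
# Added example: per-volume BitLocker report that never emits recovery passwords.
# Get-BitLockerHealth and -RequiredProtector are hypothetical names.
function Get-BitLockerHealth {
    param(
        # Assumed policy: every volume must carry these protector types.
        [string[]]$RequiredProtector = @('RecoveryPassword')
    )
    foreach ($vol in (Get-BitLockerVolume -ErrorAction Stop)) {
        # Keep only the protector *type*; the RecoveryPassword property stays out of the output.
        $types = @($vol.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })
        $issues = @()
        if ($vol.ProtectionStatus -ne 'On')         { $issues += "protection $($vol.ProtectionStatus)" }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "volume $($vol.VolumeStatus)" }
        foreach ($req in $RequiredProtector) {
            if ($types -notcontains $req) { $issues += "no $req protector" }
        }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Healthy    = ($issues.Count -eq 0)
            Protectors = $types -join ','
            Issues     = $issues -join '; '
        }
    }
}

try {
    $report = @(Get-BitLockerHealth)
    $bad    = @($report | Where-Object { -not $_.Healthy })
    # One line per unhealthy volume, or "Healthy" when every volume passes.
    $ProtectionStatus = if ($bad.Count -eq 0) { 'Healthy' } else {
        ($bad | ForEach-Object { "$($_.MountPoint) $($_.Issues)" }) -join "`n"
    }
    $ScriptError = 'Healthy'
} catch {
    $ProtectionStatus = 'UNKNOWN'
    $ScriptError = "Get Bitlocker State Failed : $($_.Exception.Message)"
}
```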

And that’s it!

Downloads for RMM packages:

N-Central 11.0+ – iSCSI Monitoring

N-Central 11.0+ – SearchDB Monitoring

N-Central 11.0+ – Bitlocker Monitoring
