Solved: Dynatrace now monitoring UNC Shares?

Kenny_Gillette · ‎15 Sep 2023

Team,

Has anybody else seen that Dynatrace started monitoring UNC shares and alerting on it? I looked through release notes and have not found anything (could have missed). Our Product Specialist noticed this also started for another customer he is supporting at same time as it did for me. Started around mid June.

I know how to filter out Unc shares by disk: \\* but just curious why Dynatrace started doing this. This hurting other people?

From DT Chat: now that you have mentioned it, one of my other customers had the same thing happening too.

Dynatrace Certified Professional

Kenny_Gillette · ‎26 Sep 2023

From support:

Based on feedback from our lab, this was the timeline of changes, and indeed some changes would have affected your cluster version:

Before OA 1.267, network drives were not monitored on Windows.
In OA 1.267, Windows network disk monitoring has been introduced. That's why the network share metrics are showing up.
As soon as that version was rolled out to our customers, we discovered that the implementation was causing multiple problems, so we decided to disable it again with a debug flag temporarily.
We made multiple improvements, and the whole feature will be reenabled in OA 1.277.

We hope this helps explain the situation. Going forward, if you do not want to have network drives monitoring, we can disable it by setting a debug flag. Alternatively, you can update OneAgent to a newer 1.267/1.271/1.273/1.275 version that just sets it by default. Please let us know which route you'd prefer to take, and if there are any questions.

Dynatrace Certified Professional

SrikanthSamraj · ‎11 Jan 2024

I'm seeing this issue in our SaaS setup where OA agents are at 1.279.166

CuanP · ‎02 Feb 2024

Same here.

Manas_Dholakiya · ‎05 Mar 2024

same problem this is creating problem

SrikanthSamraj · ‎05 Mar 2024

You can ask Dynatrace support to set below option globally. This approach worked for us.

'debugEnableWindowsNetworkDriveMonitoring' to false

I was told there would be fix available in oneagent version 1.285 so that user can do this themselves at host level

sundarv1 · ‎23 Apr 2024

Hi Srikanth

debugEnableWindowsNetworkDriveMonitoring' to false - where we need to do this. Could you please share steps how to set this parameter to false

SrikanthSamraj · ‎23 Apr 2024

@sundarv1 - Hi, you can Dynatrace product support via a ticket to set this at the tenant level.

OR

1. You can add regex in disk exclusion filter. (Settings --> Preferences --> Disk options) for windows OS.

2. At the alerting profile, you can filter it using description filter. In my case, I've used one like below as a safety net measure (until product support enabled the flag)

Custom: Description not contains 'The total available space on filesystem or disk \\'

sundarv1 · ‎23 Apr 2024

Srikanth

1. You can add regex in disk exclusion filter. (Settings --> Preferences --> Disk options) for windows OS. - What we need to set here?

Operating system - Windows ,

Disk or Mount path = \\*

Is this setting fine

Manas_Dholakiya · ‎23 Apr 2024

Yes that should work i have also fixed it with

Manas_Dholakiya · ‎05 Mar 2024

i am using 1.279.166 version and still we can see this problem

gilles_tabary · ‎27 Aug 2024

Hi.

Having had already excluded \\*\* and \\*, Windows network drive monitoring we upgraded recently :

from 1.275
to 1.293 => blam : issue : spurious user remote logins attempt detected, even some users get locked
pinpointing...
- 1.277 I indeed see windows-network-disk-monitoring-enabled
- 1.287 no issue until v1.287.149
- 1.289 issue starts with v1.289.113

Looking again on how to exclude Windows network disk monitoring...

gilles_tabary · ‎27 Aug 2024

When we activate "Disable NFS Disc monitoring" we stop our spurious network user attempted logon : fine. Because we don't need the UNC / NFS / Network disk monitoring we *can* deactivate that. Though... it's a bit fishy. 🙂

On a sample host our attempts at filtering out on OS==Windows pattern==\\*\* or \\* with FS Type == * seams to not yield help. We did not find an other hack.

I will report issue to support through a new ticket.

gilles_tabary · ‎03 Sep 2024

Hmmm. Documented @ OneAgent 1.277 release notes : Windows - network disk monitoring enabled :

Note that this can create a security event log notifying that a process token was duplicated, but this is expected behavior and should not be interpreted as a security concern.

Support confirms works as designed.

Scary though. 😬🙂

Workaround indeed : "Disable NFS Disc monitoring" : makes OneAgent stop completely querying Windows perfmon API to get NFS discs infos. On the other hand, excluding UNC disc paths like \\* does not stop OA to query the API.

Regards.