lucajons1980
Copper Contributor
Mar 22, 2019

Create alert when a Microsoft third-party service stops and does not return to the started state after 5 m

Hi, I want to create an alert when Microsoft services (third-party) stop and do not return to the started state after 3 minutes.

I read the previous post (Monitoring Windows Services States with Log Analytics) and I've written this:

Event
| where Computer contains "BKE"
| where EventLog == "Application" and Source == "BiTXRDeq"
| sort by TimeGenerated desc

If I start and stop the service I see the different lines, but I don't know how to set an alert when the service stopped and did not return to the started state after 3/5 minutes.

Can you help me?
Thanks

6 Replies

  • lucajons1980

    Does this help? You need to add back your computer name and the service name...


    //7035 started SERVICE
    //7036 stopped SERVICE
    Event
    | where TimeGenerated > ago(1d)
    | where Computer contains "RDS2019" 
    | where EventLog == "System" 
            and EventLevelName == "Information"
            // look for STOPPED only
            and EventID == 7036
            and Source == "Service Control Manager"
    // example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
    | parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
    | sort by TimeGenerated desc
    | project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
    // now look at a specific state and service
    | where Windows_Service_State == "stopped" and Windows_Service_Name == "Windows Update"
    | extend AggregatedValue = 1
    • lucajons1980
      Copper Contributor

      CliveWatson

      I modified the query; in my log I write 'RenderedDescription':


      Event
      | where TimeGenerated > ago(60m)
      | where Computer contains "BKE"
      | where EventLog == "Application"
      and EventLevelName == "Information"
      // look for STOPPED only
      // and EventID == 7036
      and Source == "BiTXRDeq"
      // example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
      | parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
      | sort by TimeGenerated desc
      | project Computer, RenderedDescription, TimeGenerated

      Because if I use:

      | project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

      I don't have any rows. I don't have Windows_Service_Name and Windows_Service_State populated.

      Even with the modified query the problem remains, because I always have 2 rows: one for the service stop and one for the service start.

      I did a restart-service test and I have 2 rows in Event Viewer; I think I need a query that discards this situation on service restart and notifies me only when I have more stops than starts in the same TimeGenerated.

      I hope I explained the situation better.
      Thanks

      • CliveWatson
        Microsoft

        lucajons1980

        It's the parse command that will generate those missing pieces of data: Windows_Service_Name etc.

        | parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *

        Can you send me the output from RenderedDescription as plain text (paste it into your reply).

        In the query I have an example of the rendered description we need to see:
        // example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>

        The parse command needs to be told what parts of this string to look at and what to ignore, looking at the info in RED. When we have that we can use the WHERE command to filter out the started and other messages.

    • lucajons1980
      Copper Contributor

      Hi CliveWatson, I read your URL but I have a different need.

      In the example:

      Event
      | where Computer contains "BKE02"
      | where EventLog == "Application" and Source == "BiTXRDeq"
      | where RenderedDescription has "stopped"
      | sort by TimeGenerated desc
      | summarize count() by Computer, RenderedDescription

      In the above query I have a service with Source = BiTXRDeq; when it stops it sends an email alert, but I must exclude the case when the service restarts and I have 2 events, stopped and started, for this service (with 1 minute difference).
      In 'create rule' I can add only one log search (file image2).

      How can I do it?

      Regards
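Putting the thread's pieces together, the following is an added KQL example, not code from the thread, from CliveWatson or from lucajons1980. It addresses both the original question (alert when a service is stopped and has not come back within a few minutes) and the last post's concern (a stop followed by a start a minute later, i.e. a restart, must not fire). It assumes the System-log event 7036 format that the earlier reply parses (param1 = service name, param2 = "running"/"stopped"); the fallback on RenderedDescription for application sources such as "BiTXRDeq" assumes the message text contains the words "stopped" or "started", which is an assumption to check against the real text. The 5-minute grace period and the Source/EventLog filters are placeholders to adjust.

```kql
// Added example, not code from the thread. Assumptions: SCM event 7036 EventData
// layout for System-log services; RenderedDescription containing "stopped"/"started"
// for the Application-log source "BiTXRDeq" (verify against the real message text).
let grace = 5m;          // how long a service may stay stopped before the alert fires
let lookback = 1d;       // how far back to look for the most recent state change
Event
| where TimeGenerated > ago(lookback)
| where (EventLog == "System" and Source == "Service Control Manager" and EventID == 7036)
     or (EventLog == "Application" and Source == "BiTXRDeq")   // assumed filter from the thread
// pull service name and state out of the XML fragment, as in the earlier reply
| parse kind=relaxed EventData with * '<Data Name="param1">' ServiceName '</Data><Data Name="param2">' ServiceState '</Data>' *
// fall back to the rendered text when EventData did not carry the param1/param2 pair
| extend ServiceName = iff(isnotempty(ServiceName), ServiceName, Source)
| extend ServiceState = case(
      isnotempty(ServiceState), tolower(ServiceState),
      RenderedDescription has "stopped", "stopped",
      RenderedDescription has "started" or RenderedDescription has "running", "running",
      "unknown")
| where ServiceState in ("stopped", "running")
// keep only the newest state-change event per computer and service:
// a stop that was followed by a start inside the window disappears here,
// so a plain restart never reaches the final filter
| summarize arg_max(TimeGenerated, ServiceState) by Computer, ServiceName
// still stopped, and stopped for longer than the grace period
| where ServiceState == "stopped" and TimeGenerated < ago(grace)
| project Computer, ServiceName, StoppedAt = TimeGenerated, StoppedFor = now() - TimeGenerated
```

Saved as a log alert rule in Azure Monitor (run every 5 minutes, fire when the number of results is greater than 0), this answers the "only one log search per rule" limitation: the stopped and started rows of a restart both stay in the table, but `arg_max` keeps only the latest event per service, so the rule returns a row only for a service whose last known state is "stopped" and whose stop is older than the grace period.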
