Forum Discussion

lucajons1980's avatar
lucajons1980
Copper Contributor
Mar 22, 2019

Create alert when microsft third part service stopped and not return in the status started after 5 m

Hi, I want to create an alert when Microsoft services (3 parts) stopped and not return at started after 3 minutes. I read the precedent post (Monitoring Windows Services States with Log Analytics) a...
Azure Log Analytics
azure monitor
CliveWatson's avatar
CliveWatson
Former Employee
Apr 01, 2019

lucajons1980 

 

Does this help?  You need to add back you computer name and the service name...

 

//7035 started SERVICE
//7036 stopped SERVICE
Event
| where TimeGenerated > ago(1d)
| where Computer contains "RDS2019" 
| where EventLog == "System" 
        and EventLevelName == "Information"
        // look for STOPPED only
        and EventID == 7036
        and Source == "Service Control Manager"
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
// now look at a specifc state and service
| where Windows_Service_State =="stopped" and Windows_Service_Name == "Windows Update"
| extend AggregatedValue = 1
lucajons1980's avatar
lucajons1980
Copper Contributor
Apr 01, 2019

CliveWatson 

 

I modified the query, in my log i write 'RenderedDescription' :

 

Event
| where TimeGenerated > ago(60m)
| where Computer contains "BKE"
| where EventLog == "Application"
and EventLevelName == "Information"
// look for STOPPED only
// and EventID == 7036
and Source == "BiTXRDeq"
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Computer, RenderedDescription, TimeGenerated
 
Because if I use :

| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

I don't have any rows. I don't have Windows_Service_Name and Windows_Service_State compiled.

Even with query modified the problem remaining because i've always 2 rows, one stop service and one start service. 

I did a restart service test and I 've 2 rows in event viewer; i think i need a query that discard this situation on restart service and notify me when I've only more stop that start in the same TimeGenerated .

I hope explained better the situation
thanks

  • CliveWatson's avatar
    CliveWatson
    Former Employee
    Apr 01, 2019

    lucajons1980 

     

    It's the parse command that will generate those missing pieces of data: Windows_Service_Name etc..

    | parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *

    Can you send me the output from rendered-description as plain text (paste it into your reply).  

    in the query I have an example of rendered description  we need to see:
    // example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem> 

    The parse command needs to be told what parts of this string to look at and what to ignore, looking at the info in RED.  When we have that we can use the WHERE command to filter out the started and other messages    

     

     

     

Resources