Forum Discussion

Naexz's avatar
Naexz
Copper Contributor
Jun 06, 2019
Solved

Event Log - Windows Services

Hello guys,   I'm a rookie on Log Analytics, that's why I followed these interesting posts of Stanislav_Zhelyazkov :  - https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-...
azure monitor
Query Language
  • Stanislav_Zhelyazkov's avatar
    Stanislav_Zhelyazkov
    Jun 10, 2019

    Hi,

    Sorry for not being able to respond earlier here and on my blog. I do not think the case that you want to achieve is possible with just queries. In any case I think even when you create the query it might result in false positives and if it happens regularly it will beat the purpose. I think the most logical thing to do is to have some automation that disables alerts when maintenance window starts and enables them when it finishes. If you have machines in different maintenance windows it will be best if you create alerts for each group as you can enable/disable them independently. You may also have a function that represents a static or dynamic list of all machines. You alert query will filter on that list. Before maintenance window starts you update that query via some automation to remove the machine that are in that windows and once the windows stops you return them back by updating the function. The latter scenario I haven't tested as until recently for Log Analytics alerts there was message (in the docs) that functions are not supported of being used in alert queries. That message seems to be removed but it is unknown if this is due to adding that support or just the documentation was updated.

     

    I hope this provides you with clear path.

    Also keep in mind that the article was published when Azure Change tracking solution was tracking start and stopped services every 30 mins at minimum. The current release allows you to lower that to 30 seconds. In case you need faster data on those events I would suggest using the Change tracking solution.

Meir_Mendelovich's avatar
Meir_Mendelovich
Icon for Microsoft rankMicrosoft
Jun 06, 2019
Your query looks great.
I didn't understand in the Hearbeat part why you aggregate twice on Computer one after the other. Consider using the extend operator instead.

Other comments:

- Prefer using "has" and not "contain" where possible
- You can use "let" to set up the constants in the query.
- You might want to use "kind=leftouter" in your join to handle cases of no Heartbeat.


Hope it helps,
Meir :->
Naexz's avatar
Naexz
Copper Contributor
Jun 06, 2019

Meir_Mendelovich thank you very much for all these tips, certainly I will improve my syntax. 

 

However, I think it's more a logical problem... Both queries ( Event & HeartBeat ) don't share the same temporality. The first one, filter only on my specific services event. The second part determine if my VM is online or not ...

In conclusion, when my VM is online all my events are set to 1 and I can't dissociate real stopped event, and events generated by our shut down.

 

Result :

 

 

  • Meir_Mendelovich's avatar
    Meir_Mendelovich
    Icon for Microsoft rankMicrosoft
    Jun 06, 2019
    I'm not sure what are you trying to find. Are you looking for machines that doesn't have Heartbeat and you don't have shut down event for them?
    • Naexz's avatar
      Naexz
      Copper Contributor
      Jun 06, 2019

      Meir_Mendelovich Sorry for misunderstanding.

      In fact I would like to monitored stopped events for particular services but also exclude these events when they are generated just after a shut down.

      Because, it's just a normal behaviour and not due to an issue. 

      • Naexz's avatar
        Naexz
        Copper Contributor
        Jun 07, 2019

        Hello guys,

        I drew a schema in order to explain my purpose :

         

         

         

Resources