Forum Discussion
How to monitor windows services
- Jul 23, 2019
Hi Rahul_Mahajan, you cannot fully achieve the scenario of closing the alert once the service is up. You can only achieve getting an alert once the service is down. I have blogged about this here:
https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-with-log-analytics/
The method described there uses the System event log, but the same thing can be achieved using the Change Tracking solution, which also tracks Windows service states. In our book Inside Azure Management we have described the scenario using Change Tracking as well. The example in the scenario also includes automatic service remediation by starting the service on the VM via runbook. This is described in the Automation chapter.
- Ashok42 Dec 28, 2022 Copper Contributor
Can we monitor Linux services using Change Tracking?
- Adam3032 Dec 16, 2022 Copper Contributor
Stanislav_Zhelyazkov
Is there any other MP to monitor all Windows services using a "Monitor" (not a Rule)?
Currently we are monitoring Windows services using a "Rule", which needs manual intervention to close the service alerts in SCOM. To avoid that, we are looking for an MP to monitor all Windows services using a "Monitor", which will close the alert automatically once the service is up.
Please let me know if there is any such MP to make this possible.
Thanks in advance!!
- Ruheena Sep 04, 2019 Former Employee
Hello Stanislav,
I am trying to write a query to get results when 'Service A' is in the running state and 'Service B' is in the stopped state. I am getting 0 results. Below is the query:
Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == "Service A" and Windows_Service_State == "running"
| where Windows_Service_Name == "Service B" and Windows_Service_State == "stopped"
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
Appreciate your response.
- Rahul_Mahajan Jul 23, 2019 Brass Contributor
Thanks @Stanislav, will test them and get back to you.
- Rahul_Mahajan Jul 23, 2019 Brass Contributor
When I run the query below, I always get 0 results, even when selecting a time range of 4 months or more:
Event
| where EventLog == "System" and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
Also, is it OK to use this to fetch the state:
ConfigurationData
| where SvcName =~ "w3svc"
| where SvcState != "Running"
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated, SvcStartupType, SvcAccount, SourceSystem
As you said in your blog, Change Tracking has some delay in collecting data.
- Jul 23, 2019
Rahul_Mahajan For the first query you need to ingest the System log from all your Windows machines. Overall, I would recommend using Change Tracking (ConfigurationData) if you are already using it, or if the cost of that data is OK for you. The good thing with Azure Monitor is that there are multiple paths for some things.
Keep in mind that when you build the query for the alert it needs to have certain things, like AggregatedValue. In the book example you will see how the query looks.
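An added example, not from the thread or the book, that ties together Ruheena's two-service condition and the AggregatedValue remark above: each 7036 event is one transition of one service, so a condition spanning two services has to be evaluated per computer after reducing the events to the latest state of each service. It assumes the Event table columns used in the queries in this thread; "Service A" and "Service B" are placeholder display names.

```kql
// Added example (not from the thread or the book). Assumes the Event table columns
// used in this thread; "Service A" and "Service B" are placeholder display names.
let lookback = 1h;
// Reduce the 7036 transitions to the latest known state per (Computer, service).
// A service with no transition inside the lookback window is absent from this table;
// widen the window if that matters for your alert.
let LatestState =
    Event
    | where TimeGenerated > ago(lookback)
    | where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
    | parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
    | summarize arg_max(TimeGenerated, Windows_Service_State) by Computer, Windows_Service_Name;
// Keep rows that satisfy either half of the condition, then require both halves
// on the same computer (a single row can never match both service names).
LatestState
| where (Windows_Service_Name == "Service A" and Windows_Service_State == "running")
     or (Windows_Service_Name == "Service B" and Windows_Service_State == "stopped")
| summarize matched = dcount(Windows_Service_Name), TimeGenerated = max(TimeGenerated) by Computer
| where matched == 2
// Shape for a metric-measurement log alert: one AggregatedValue per computer and
// time bin, with the alert condition set to AggregatedValue > 0.
| summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 5m)
```

The same LatestState table, filtered to a single service with Windows_Service_State == "stopped", gives the simpler "alert when the service is down" query from the blog post; the alert still does not auto-close when the service comes back, as noted at the top of the thread.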