Forum Discussion
How to monitor windows services
- Jul 22, 2019
Hi Rahul_Mahajan, you cannot fully achieve the scenario of closing the alert once the service is up. You can only achieve getting an alert once the service is down. I have blogged about this here:
https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-with-log-analytics/
The method described there uses the System event log, but the same thing can be achieved using the Change Tracking solution, which also tracks Windows service states. In our book Inside Azure Management we have described the scenario using Change Tracking as well. The example in that scenario also includes automatic service remediation by starting the service on the VM via a runbook. This is described in the Automation chapter.
When I am running the query below, I always get 0 results, even if selecting a time range of 4 months or more:
Event
| where EventLog == "System" and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
Also, is it OK to use this to fetch:
ConfigurationData
| where SvcName =~ "w3svc"
| where SvcState != "Running"
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated, SvcStartupType, SvcAccount, SourceSystem
As you have said in your blog, Change Tracking has some delay in collecting data.
- Jul 23, 2019
Rahul_Mahajan For the first query you need to ingest the System log from all your Windows machines. Overall I would recommend using Change Tracking (ConfigurationData) if you are already using it, or if the cost of that data is OK with you. The good thing with Azure Monitor is that there are multiple paths for some things.
Keep in mind that when you build the query for the alert it needs to have certain things, like AggregatedValue. In the book example you will see how the query looks.
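Since the reply above only says that an alert query "needs to have certain things, like AggregatedValue" without showing one, here is an added example of what that shape looks like for both data paths discussed in this thread. This is not code from the original posts, the blog, or the book; the service names, the 15-minute bin and the use of arg_max to look only at the latest state are assumptions for illustration.

```kql
// Path 1: System event log, event 7036 from the Service Control Manager.
// Take the latest 7036 per service per computer in the window, so a stop that
// was followed by a start does not fire the alert.
// Assumption: the 7036 message reports the service display name, and on an
// English OS param2 is the lowercase word "stopped"/"running" (localized OSes
// differ, which is why =~ is used and why the string is a caveat, not a given).
let target_display_name = "World Wide Web Publishing Service"; // assumed target
Event
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name =~ target_display_name
| summarize arg_max(TimeGenerated, Windows_Service_State) by Computer, Windows_Service_Name
| where Windows_Service_State =~ "stopped"
// AggregatedValue plus a bin(TimeGenerated, ...) is what a metric measurement
// alert rule expects; threshold "AggregatedValue > 0" then fires per Computer.
| summarize AggregatedValue = count() by Computer, Windows_Service_Name, bin(TimeGenerated, 15m)

// Path 2: Change Tracking (ConfigurationData). Same alert shape, but the
// service is addressed by its short name (w3svc), and the data arrives with
// the collection delay mentioned in the blog, so expect a lag before it fires.
ConfigurationData
| where ConfigDataType == "WindowsServices"
| where SvcName =~ "w3svc" and SvcState != "Running"
| summarize AggregatedValue = count() by Computer, SvcName, bin(TimeGenerated, 15m)
```

Either query can be pasted into a log alert rule with the metric measurement type, a threshold of 0 on AggregatedValue and a period at least as wide as the bin. Note that the first path only ever sees transitions: if the service was already stopped before the System log started being ingested, there is no 7036 to parse, whereas Change Tracking reports the current state on each inventory pass.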
- Rahul_Mahajan, Jul 23, 2019
Can you give me a few sample queries and an idea on Change Tracking, how to achieve it?
- Jul 23, 2019
Rahul_Mahajan Download the book I have pasted the link to. Open Chapter 10, section Automated Alert Remediation. Read it. The latest working code is here: https://github.com/slavizh/InsideAzureMgmt-1/tree/master/Chapter10/Remediate. Soon the book will be updated with that code.