Monitoring processes

Scott Allison
Contributor

I'm looking for the best way to monitor for processes that are no longer running.

For instance, COMPUTER1 should have a process called ABCPROCESS.exe. If ABCPROCESS.exe is not running for the last 5 minutes, create an alert.

What would be the best way to query for this? Can I simply use a process Perf counter and check to see that the process is generating data?

Any help is appreciated.

2 Replies

Hi Scott,

We cannot query processes using perf, as perf is used for CPU, Memory and Disk.

What you can do: since every service, when it starts or stops on a server, triggers a specific event ID, you can capture that event ID and create an alert as per your requirement.

However, it's not SCOM, so we need to write a query where we can see the event ID along with the service name to avoid discrepancy.

You can check the link below and mimic the same to fulfil your need.

https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-with-log-analytics/

Hi Scott,

You can monitor processes under the Performance log. You need to add the Process(*)% Processor Time counter; I have a post on it here.

https://www.systemcenterautomation.com/2018/07/adding-azure-log-analytics-performance-counters/

Before you do that, consider that it will add extra log ingestion and thus billing. That will work, especially if your process isn't installed as a Windows service, as in the blog Gourav linked to. If you use that counter you could then look for when that process is using 0 amount of processor time.

You could also write a PowerShell script to collect this information for only select processes and send it to the Log Analytics API.

As always with Log Analytics, there are multiple options to solve a problem.

I hope this helps,

~Billy
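
A query along the lines the thread discusses, as an added example that is not part of either reply: it lists expected processes with no `% Processor Time` sample in the last 5 minutes and uses the `Heartbeat` table to tell a stopped process from an agent that has stopped reporting. The counter collection interval and the exact `Computer` value stored in the workspace are assumptions.

```kusto
// Added example. COMPUTER1 and ABCPROCESS come from the question; the Perf
// instance name is the image name without ".exe".
// Assumes the Process(*) "% Processor Time" counter is collected at an
// interval shorter than the lookback window, and that the Computer value
// below matches how the machine is named in the workspace (it may be an FQDN;
// the join compares strings case-sensitively).
let lookback = 5m;
let expected = datatable(Computer:string, InstanceName:string)
[
    "COMPUTER1", "ABCPROCESS"
];
// Most recent counter sample per process instance inside the window.
let seen = Perf
    | where TimeGenerated > ago(lookback)
    | where ObjectName == "Process" and CounterName == "% Processor Time"
    | summarize LastSample = max(TimeGenerated) by Computer, InstanceName;
// Most recent agent heartbeat per computer inside the window.
let agentAlive = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
expected
| join kind=leftouter (seen) on Computer, InstanceName
| join kind=leftouter (agentAlive) on Computer
// Keep only expected processes that produced no sample at all.
| where isnull(LastSample)
| extend Reason = iff(isnull(LastHeartbeat),
                      "agent not reporting",
                      "process not running")
| project Computer, InstanceName, Reason, LastHeartbeat
```

Used as a log alert, the rule fires when the query returns one or more rows; the `Reason` column keeps an offline agent from being reported as a stopped process.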