Monitoring processes

Scott Allison
Contributor

I'm looking for the best way to monitor for processes that are no longer running.

For instance, COMPUTER1 should have a process called ABCPROCESS.exe. If ABCPROCESS.exe is not running for the last 5 minutes, create an alert.

What would be the best way to query for this? Can I simply use a process Perf counter and check to see that the process is generating data?

Any help is appreciated.

2 Replies

Hi Scott,

We cannot query processes using perf, as perf is used for CPU, Memory and Disk.

What you can do is this: every service, when it starts or stops on a server, will trigger a specific event ID. You can capture that event ID and create an alert as per your requirement.

However, it's not SCOM, so we need to write a query where we could see the event ID along with the service name to avoid discrepancy.

You can check the link below and mimic the same to fulfill your need.

https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-with-log-analytics/

Hi Scott,

You can monitor processes under the Performance log. You need to add the Process(*)% Processor Time counter; I have a post on it here.

https://www.systemcenterautomation.com/2018/07/adding-azure-log-analytics-performance-counters/

Before you do that, consider that it will add extra log ingestion and thus billing. That will work, especially if your process isn't installed as a Windows service as the blog Gourav linked to. If you use that counter you could then look for when that process is using 0 amount of processor time.

You could also write a PowerShell script to collect this information for only select processes and send it to the Log Analytics API.

As always with Log Analytics, there are multiple options to solve a problem.

I hope this helps,

~Billy
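
An added example, not part of either reply: a Log Analytics (KQL) query for the case in the question, built on the Perf counter the second reply describes. It keys on missing samples rather than a 0 value, because an idle process still reports 0% while an exited process stops producing samples. The Heartbeat check and the variable names are assumptions of this example.

```kusto
// Assumptions (not from the thread):
//  - the workspace collects the "Process(*)\% Processor Time" counter
//    at a sample interval shorter than the lookback window
//  - the agent on the computer sends Heartbeat records
let lookback = 5m;
let targetComputer = "COMPUTER1";   // may be an FQDN in your workspace
let targetProcess = "ABCPROCESS";   // Perf instance names omit the .exe suffix
// Start from computers whose agent reported inside the window, so that a
// silent agent (machine down, agent stopped) is not mistaken for a
// stopped process.
Heartbeat
| where TimeGenerated > ago(lookback)
| where Computer =~ targetComputer
| summarize LastHeartbeat = max(TimeGenerated) by Computer
// Keep only computers with no counter sample for the process in the window.
| join kind=leftanti (
    Perf
    | where TimeGenerated > ago(lookback)
    | where ObjectName == "Process" and CounterName == "% Processor Time"
    | where InstanceName =~ targetProcess
    | distinct Computer
  ) on Computer
| project Computer, LastHeartbeat, MissingProcess = targetProcess
```

Used as a log alert, the rule fires when the query returns more than zero rows. A separate Heartbeat alert covers the case where the agent itself has gone quiet.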

 

 
