Need query for Getting the Status of a particular app pool in IIS

RCDevops777
Occasional Contributor

Hi,

 

Can you share the query to identify when a particular IIS application pool stopped/crashed via Log Analytics?

 

Thanks 

RC 

7 Replies

@RCDevops777 

 

You should hopefully have EventIDs that match what you are looking for in your logs.

 

I'd run this to see which Event IDs you have:

Event
| where TimeGenerated > ago(30d)
| search "application pool"
| summarize count() by EventID

You can then check the 'RenderedDescription' to see which ones are stop/start or other events:

 

Event
| where TimeGenerated > ago(30d)
| search "application pool"
| summarize count() by EventID, RenderedDescription

I have a few App Pools, but not a lot of data; a query like this would get the info from the past 60 days. I don't think that is an extensive list of Event IDs, but a base to start from. If you don't have any in your logs, then look online. 60 days is my value; edit it to provide the best criteria for your search.

Event
| where TimeGenerated > ago(60d)
| where EventID in (5186, 5080, 5079, 5074, 5076, 5189, 503)
| summarize count() by EventID

You can get the App Pool Name by parsing RenderedDescription like this:

Event
| where TimeGenerated > ago(60d)
| parse RenderedDescription with * "serving application pool '" AppPoolName "' was" *   // parse the field for the pool name
| where AppPoolName == "DefaultAppPool"   // only show where the pool name matches
| summarize count() by AppPoolName

I hope this is a good start...

 

I got this query... but I am unable to figure out when it stopped or started.

Event
| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "XXXXXX"
| summarize by AppPoolName, EventID, RenderedDescription, Computer
//| summarize by AppPoolName, EventID

@RCDevops777 

 

This would show the time of the event?

 

Event
| where TimeGenerated > ago(60d)
//| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| summarize by TimeGenerated, AppPoolName, EventID, RenderedDescription, Computer

[Screenshot: Annotation 2019-04-29 174238.jpg]

@Clive Watson 

 

I don't need the time... basically I'm trying to create a log search alert so that we know when the app pool stopped or crashed.

Solution

@RCDevops777

 

Ah ok, so this is for an Alert. In that case, you always put the time filter as part of the Alert form, not in the query, so I commented that line out.

 

I added a line to check for "5186" events and 'shutdown'. However, you will need to find the right EventIDs and text (maybe you don't need the text?). I only have 5186 events, so I don't know the right IDs.

 

I then created a value for the output = 1 (success). So you can now tell the Alert to fire when the value is > zero.

 

Event
//| where TimeGenerated > ago(60d)
//| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| where RenderedDescription has "shutdown" and EventID == 5186   // EventID is numeric, as in the earlier 'in (...)' filter
| extend AggregatedValue = 1
//| summarize by AppPoolName, EventID, RenderedDescription, Computer

Mock Alert config. Where AggregatedValue > 0 (zero), as this should be "1" if the query finds a match.
Look back 24 hrs (1440 mins, which is the max) and poll every 15 mins; adjust these values to suit.

[Screenshot: Annotation 2019-04-29 212318.jpg]
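As an added illustration (not code from this thread or from Log Analytics), the Python below replays the logic of the accepted answer's alert query over constructed Event rows: the same "</Param><Param>" boundaries the KQL parse uses to pull the pool name out of ParameterXml, the System / Microsoft-Windows-WAS filter, an EventID watch list, and AggregatedValue = 1 per hit. Column names follow the Log Analytics Event table; the sample events and their message text are constructed, and the 5186 wording is only approximate.

```python
import re
from dataclasses import dataclass

# Mirrors the KQL: parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
# i.e. skip to the first boundary, capture the second <Param>, require a third <Param> after it.
_POOL_RE = re.compile(r"</Param><Param>(.*?)</Param><Param>", re.DOTALL)


@dataclass
class Event:  # subset of the Log Analytics Event table columns used in the thread
    TimeGenerated: str
    Computer: str
    EventLog: str
    Source: str
    EventID: int
    ParameterXml: str
    RenderedDescription: str


def parse_app_pool_name(parameter_xml: str) -> str:
    """Return the second <Param> value, or "" when the pattern does not match
    (a two-Param event leaves the KQL column empty in the same way)."""
    m = _POOL_RE.search(parameter_xml)
    return m.group(1) if m else ""


def app_pool_alert_rows(events, pool_name, event_ids, must_contain=None):
    """One row per matching event with AggregatedValue = 1; a non-empty result
    is what the alert rule's 'AggregatedValue > 0' condition keys on."""
    rows = []
    for e in events:
        if e.EventLog != "System" or e.Source != "Microsoft-Windows-WAS":
            continue
        if parse_app_pool_name(e.ParameterXml) != pool_name or e.EventID not in event_ids:
            continue
        if must_contain and must_contain.lower() not in e.RenderedDescription.lower():
            continue
        rows.append({"TimeGenerated": e.TimeGenerated, "Computer": e.Computer,
                     "AppPoolName": pool_name, "EventID": e.EventID, "AggregatedValue": 1})
    return rows


# Constructed sample rows; hostnames, PIDs and message text are made up for the example.
SAMPLE_EVENTS = [
    Event("2019-04-29T17:40:00Z", "WEB01", "System", "Microsoft-Windows-WAS", 5186,
          "<Param>4120</Param><Param>DefaultAppPool</Param><Param>20</Param>",
          "A worker process with process id of '4120' serving application pool "
          "'DefaultAppPool' was shutdown due to inactivity."),
    Event("2019-04-29T17:41:00Z", "WEB01", "System", "Microsoft-Windows-WAS", 5186,
          "<Param>5012</Param><Param>OtherPool</Param><Param>20</Param>",
          "A worker process serving application pool 'OtherPool' was shutdown due to inactivity."),
    Event("2019-04-29T17:42:00Z", "WEB01", "Application", "IIS-W3SVC", 5186,
          "<Param>1</Param><Param>DefaultAppPool</Param><Param>2</Param>", "Different log, same ID."),
    Event("2019-04-29T17:43:00Z", "WEB01", "System", "Microsoft-Windows-WAS", 5074,
          "<Param>DefaultAppPool</Param><Param>config change</Param>",  # only two Params: parse misses
          "Application pool 'DefaultAppPool' has requested a recycle."),
]
```

Running `app_pool_alert_rows(SAMPLE_EVENTS, "DefaultAppPool", {5186})` returns exactly the first row; the last sample shows why the parse pattern needs checking per EventID, since a two-Param event yields an empty AppPoolName and never matches.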

 

@Clive Watson Thanks for helping me with this... I see that you got this working with rendered description as "shutdown"... one thing I am noticing is I don't see any entries with shutdown... but I see with rendered description "has requested a recycle". I have set the alert with this description... but it looks like the user needs to know when it stopped and started instead of recycle. Need to check more on this.

@RCDevops777 

 

Sounds like we are nearly done. I did mention I used 'Shutdown' as a test bit of text.

 

Hopefully you'll be able to spot a real "stopped" event soon, and get the real EventID # and/or correct text.

 

:) 
