Retrieving errors from a Virtual Machine


Hi,

Recently I have been trying to retrieve the most common errors from a Virtual Machine.

I understand that this will need to use the analytic logs and KQL; however, I am not sure how to create this.

When running the script below, it unfortunately does not return any results:


// Reported errors
// Show error events from the last hour.
// To create an alert for this query, click '+ New alert rule'
union Event, Syslog // Event table stores Windows event records, Syslog stores Linux records
| where TimeGenerated > ago(1h)
| where EventLevelName == "Error" // EventLevelName is used in the Event (Windows) records
    or SeverityLevel == "err" // SeverityLevel is used in Syslog (Linux) records

[Screenshot: AidenBrennan_0-1605717132535.png]


Any help would be appreciated.


@AidenBrennan Can you confirm how you enabled your Log Analytics WP to collect the data from your VMs?


Home > analytics wp > advanced settings > data > windows event logs > select "system, setup" as per the event log tables/columns in Windows Event Viewer.
Refer to the attached images.
[Screenshot: Screenshot from 2020-11-19 18-30-28.png]


When you run the query after the logs have been ingested into your analytics WP, you should be able to see the results.
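The reply's portal steps (enable the Windows event log data source, wait for ingestion, then query) can be scripted and verified end to end. The block below is an added example for this thread, not code from either poster. It assumes the Az.OperationalInsights module is installed, `Connect-AzAccount` has already been run, and the VMs report through the Log Analytics (MMA) agent, which is the data-source model the "advanced settings" path configures (VMs using the Azure Monitor Agent are configured through Data Collection Rules instead, but the KQL at the end applies either way). The resource group and workspace names are placeholders. Two practical caveats it bakes in: a newly enabled data source does not backfill older events, so the 1h window in the original query is widened to 24h, and Syslog marks failures not only as "err" but also as "crit", "alert" and "emerg", so those are included. It also checks Heartbeat first, because Heartbeat rows without Event or Syslog rows mean the agent is connected but no data source is feeding those tables.

```powershell
# Added example for this thread; not the poster's or the reply's own code.
# Assumes: Az.OperationalInsights is installed, Connect-AzAccount has been run,
# the VMs report through the Log Analytics (MMA) agent, and the resource group /
# workspace names below are placeholders for your own.
param(
    [string]$ResourceGroup = "rg-monitoring",   # hypothetical
    [string]$Workspace     = "law-prod"         # hypothetical
)

Import-Module Az.OperationalInsights -ErrorAction Stop

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace

# 1. Turn on collection of Error and Warning events from the System and Application
#    logs. This is the scripted form of Advanced settings > Data > Windows Event Logs.
#    Only events written after the data source exists are collected; nothing is backfilled.
foreach ($log in @("System", "Application")) {
    $name = "WinEvent-$log"
    $existing = Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Name $name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup `
            -WorkspaceName $Workspace -Name $name -EventLogName $log `
            -CollectErrors -CollectWarnings | Out-Null
        Write-Host "Enabled $log log collection (errors and warnings) on $Workspace"
    }
}

# 2. Before hunting for errors, confirm which tables actually have rows. Heartbeat
#    rows without Event/Syslog rows mean the agent is connected but no data source
#    is feeding those tables.
$ingestionCheck = @"
union Heartbeat, Event, Syslog
| where TimeGenerated > ago(24h)
| summarize Rows = count(), Latest = max(TimeGenerated) by Type
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $ingestionCheck).Results |
    Format-Table Type, Rows, Latest -AutoSize

# 3. Most common errors across Windows (Event) and Linux (Syslog) in the last 24 hours.
#    Syslog uses "err" for errors, but "crit", "alert" and "emerg" are also failures,
#    so they are included; the original 1h window is widened to 24h.
$topErrors = @"
union Event, Syslog
| where TimeGenerated > ago(24h)
| where EventLevelName == "Error"
    or SeverityLevel in ("err", "crit", "alert", "emerg")
| extend ErrSource  = coalesce(Source, ProcessName),
         ErrMessage = coalesce(RenderedDescription, SyslogMessage)
| summarize Count = count(), LastSeen = max(TimeGenerated)
    by Computer, ErrSource, EventID, Snippet = substring(ErrMessage, 0, 120)
| top 20 by Count desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $topErrors
$result.Results | Format-Table Computer, ErrSource, EventID, Count, LastSeen, Snippet -AutoSize
```

Run it once to enable the data sources, wait a few minutes for the agents to pick up the new configuration and for fresh events to be ingested, then run it again; the first table tells you whether Event and Syslog are populated at all, and the second gives the "most common errors" view the question asks for, grouped by computer, source, event ID and the first 120 characters of the message so that noisy repeats collapse into one row.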