Mar 22 2019
08:28 AM
- last edited on
Apr 07 2022
05:43 PM
by
TechCommunityAP
Hi, I want to create an alert when Microsoft services (3 parts) stop and do not return to the started state after 3 minutes.
I read the previous post (Monitoring Windows Services States with Log Analytics) and I've written this:
Event
| where Computer contains "BKE"
| where EventLog == "Application" and Source == "BiTXRDeq"
| sort by TimeGenerated desc
If I start and stop the service I see the different lines, but I don't know how to set an alert when the service has stopped and does not return to the started status after 3/5 minutes.
Can you help me?
Thanks
Apr 01 2019 07:52 AM
Hi @CliveWatson, I read your URL but I have a different need.
In the example:
Event
| where Computer contains "BKE02"
| where EventLog == "Application" and Source == "BiTXRDeq"
| where RenderedDescription has "stopped"
| sort by TimeGenerated desc
| summarize count() by Computer, RenderedDescription
In the above query I have a service with source = BiTXRDeq; when it stops it sends an email alert, but I must exclude the case where the service restarts and I have 2 events, stopped and started, for this service (with 1 minute difference).
In 'create rule' I can add only one log search (file image2).
How can I do it?
Regards
Apr 01 2019 08:31 AM
Does this help? You need to add back your computer name and the service name...
//7035 started SERVICE
//7036 stopped SERVICE
Event
| where TimeGenerated > ago(1d)
| where Computer contains "RDS2019"
| where EventLog == "System" and EventLevelName == "Information"
// look for STOPPED only
and EventID == 7036 and Source == "Service Control Manager"
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
// now look at a specific state and service
| where Windows_Service_State == "stopped" and Windows_Service_Name == "Windows Update"
| extend AggregatedValue = 1
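As an added example (not Clive's query and not the poster's), the KQL below carries the parse step above through to the check the original question asks for: a service that is reported "stopped" and is not reported "running" again on the same computer within 5 minutes. It assumes Service Control Manager EventID 7036 records in the System log, feeds the pipeline from constructed sample rows in a datatable so it runs in any workspace, and the names Window, EvalTime, ServiceEvents, Parsed, Stops and Starts are its own.

```kusto
// Added example: stops with no "running" event for the same service/host within Window.
// ServiceEvents holds constructed sample rows shaped like EventID 7036 records; in a
// live rule replace the datatable with: Event | where TimeGenerated > ago(1h)
let Window = 5m;
let EvalTime = datetime(2019-04-01 08:30:00);   // constructed "now" for the samples; use now() in a live rule
let ServiceEvents = datatable(TimeGenerated:datetime, Computer:string, EventLog:string, Source:string, EventID:int, EventData:string)
[
    // Windows Update stops and is running again 40 s later: a restart, must not alert
    datetime(2019-04-01 08:00:00), "RDS2019", "System", "Service Control Manager", 7036,
        '<DataItem><EventData><Data Name="param1">Windows Update</Data><Data Name="param2">stopped</Data></EventData></DataItem>',
    datetime(2019-04-01 08:00:40), "RDS2019", "System", "Service Control Manager", 7036,
        '<DataItem><EventData><Data Name="param1">Windows Update</Data><Data Name="param2">running</Data></EventData></DataItem>',
    // Print Spooler stops and never comes back: must alert
    datetime(2019-04-01 08:10:00), "RDS2019", "System", "Service Control Manager", 7036,
        '<DataItem><EventData><Data Name="param1">Print Spooler</Data><Data Name="param2">stopped</Data></EventData></DataItem>',
    // Print Spooler on another host is back only after 9 minutes: outside the window, must alert
    datetime(2019-04-01 08:20:00), "RDS2020", "System", "Service Control Manager", 7036,
        '<DataItem><EventData><Data Name="param1">Print Spooler</Data><Data Name="param2">stopped</Data></EventData></DataItem>',
    datetime(2019-04-01 08:29:00), "RDS2020", "System", "Service Control Manager", 7036,
        '<DataItem><EventData><Data Name="param1">Print Spooler</Data><Data Name="param2">running</Data></EventData></DataItem>'
];
// Pull service name and state out of the EventData XML (same parse pattern as the answer above)
let Parsed = ServiceEvents
    | where EventLog == "System" and Source == "Service Control Manager" and EventID == 7036
    | parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
    | project TimeGenerated, Computer, Windows_Service_Name, Windows_Service_State;
let Stops = Parsed
    | where Windows_Service_State == "stopped"
    // only judge stops old enough that the service had the whole window to recover
    | where TimeGenerated <= EvalTime - Window
    | project StoppedAt = TimeGenerated, Computer, Windows_Service_Name;
let Starts = Parsed
    | where Windows_Service_State == "running"
    | project StartedAt = TimeGenerated, Computer, Windows_Service_Name;
// Pair every stop with the starts of the same service on the same host, count the
// starts that land inside the window after the stop, and keep the stops with none.
Stops
| join kind=leftouter Starts on Computer, Windows_Service_Name
| summarize RecoveredWithinWindow = countif(StartedAt > StoppedAt and StartedAt <= StoppedAt + Window)
    by StoppedAt, Computer, Windows_Service_Name
| where RecoveredWithinWindow == 0
| project StoppedAt, Computer, Windows_Service_Name
| sort by StoppedAt asc
```

On the constructed rows this returns two rows, Print Spooler on RDS2019 (08:10) and on RDS2020 (08:20); the Windows Update restart is suppressed. The `EvalTime - Window` filter matters for a scheduled alert: a stop that happened one minute ago has not yet had its 5 minutes to recover, so judging it would raise the false alert the poster wants to avoid. Size the rule's lookback (the `ago(1h)` above) to be at least one evaluation interval plus the window.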
Apr 01 2019 09:17 AM
I modified the query; in my log I write 'RenderedDescription':
Event
| where TimeGenerated > ago(60m)
| where Computer contains "BKE"
| where EventLog == "Application"
and EventLevelName == "Information"
// look for STOPPED only
// and EventID == 7036
and Source == "BiTXRDeq"
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Computer, RenderedDescription, TimeGenerated
Because if I use:
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
I don't have any rows. Windows_Service_Name and Windows_Service_State are not populated.
Even with the modified query the problem remains, because I always have 2 rows, one for the service stop and one for the service start.
I did a service restart test and I have 2 rows in Event Viewer; I think I need a query that discards this situation on service restart and notifies me only when I have more stops than starts in the same TimeGenerated.
I hope I have explained the situation better
thanks
Apr 01 2019 09:30 AM
It's the parse command that will generate those missing pieces of data: Windows_Service_Name etc.
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
Can you send me the output from RenderedDescription as plain text (paste it into your reply)?
In the query I have an example of the rendered description we need to see:
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
The parse command needs to be told what parts of this string to look at and what to ignore, looking at the info in RED. When we have that we can use the WHERE command to filter out the started and other messages.
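An added example (not from Clive or the poster) of the point just made: parse only fills a column when the literal text around it is actually present in the string, otherwise the column is empty, and a later `where` on that column returns no rows, which is the "no rows" result reported above. The first sample row uses the standard Service Control Manager 7036 wording; the second row's BiTXRDeq text and XML are constructed stand-ins, because the poster's real RenderedDescription is not in the thread. The column names SvcFromText, StateFromText, XmlPatternMatched and TextPatternMatched are this example's own.

```kusto
// Added example: the same two parse patterns run over one matching and one non-matching row.
// Both rows are constructed samples, not events taken from the thread.
let Samples = datatable(Computer:string, RenderedDescription:string, EventData:string)
[
    // Service Control Manager layout: matches the XML pattern from the answer above
    "BKE01", "The Windows Update service entered the stopped state.",
        '<DataItem><EventData><Data Name="param1">Windows Update</Data><Data Name="param2">stopped</Data></EventData></DataItem>',
    // constructed application-source layout: no param1/param2 elements, different sentence
    "BKE02", "BiTXRDeq service stopped",
        '<DataItem><EventData><Data>BiTXRDeq service stopped</Data></EventData></DataItem>'
];
Samples
// pattern 1: the XML layout used in the answer above (leading * skips anything before param1)
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
// pattern 2: the human-readable SCM sentence; no leading *, so it must match from the start of the string
| parse kind=relaxed RenderedDescription with "The " SvcFromText " service entered the " StateFromText " state."
| project Computer, Windows_Service_Name, Windows_Service_State, SvcFromText, StateFromText,
          XmlPatternMatched = isnotempty(Windows_Service_State),
          TextPatternMatched = isnotempty(StateFromText)
```

For BKE01 all four parsed columns are filled and both flags are true; for BKE02 the four columns are empty and both flags are false, so appending `| where Windows_Service_State == "stopped"` would drop that row entirely. The fix is not a different `where` but a parse pattern written against the exact wording of the event you actually receive, which is why the plain-text RenderedDescription was requested above.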