SOLVED

Need query for Getting the Status of a particular app pool in IIS


Hi,

 

Can you share a query to identify, via Log Analytics, when a particular IIS application pool stopped or crashed?

 

Thanks 

RC 

8 Replies

@RCDevops777 

 

You should hopefully have EventIDs that match what you are looking for in your logs.

 

I'd run this to see which Event IDs you have:

Event
| where TimeGenerated > ago(30d)
| search "application pool"
| summarize count() by EventID

You can then check the 'RenderedDescription' to see which ones are stop/start or other events.

 

Event
| where TimeGenerated > ago(30d)
| search "application pool"
| summarize count() by EventID, RenderedDescription

I have a few App Pools but not a lot of data; a query like this would get the info from the past 60 days. I don't think that is an extensive list of Event IDs, but it's a base to start from. If you don't have any in your logs, then look online. 60 days is my value; edit it to provide the best criteria for your search.

Event
| where TimeGenerated > ago(60d)
| where EventID in (5186, 5080 , 5079, 5074, 5076, 5189, 503)
| summarize count() by  EventID

You can get the App Pool Name,  by parsing RenderedDescription like this

Event
| where TimeGenerated > ago(60d)
| parse RenderedDescription with *"serving application pool '" AppPoolName "' was"*   // parse the field for the pool name
| where AppPoolName == "DefaultAppPool"   // only show where the pool name matches
| summarize count() by AppPoolName  

I hope this is good start...

 

I got this query, but I'm unable to figure out when it stopped or started.

Event
| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "XXXXXX"
| summarize by AppPoolName, EventID, RenderedDescription, Computer
//| summarize by AppPoolName, EventID

@RCDevops777 

 

This would show the time of the event?

 

Event
| where TimeGenerated > ago(60d)
//| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| summarize by TimeGenerated, AppPoolName, EventID, RenderedDescription, Computer

[screenshot of the query results]

@CliveWatson 

 

I don't need the time... basically I'm trying to create a log search alert so that we know when the app pool stopped or crashed.

best response confirmed by RCDevops777 (Copper Contributor)
Solution

@RCDevops777

 

Ah OK, so this is for an Alert. In that case, you always put the time filter in the Alert form, not in the query, so I commented that line out.

 

I added a line to check for "5186" events and 'shutdown'. However, you will need to find the right EventIDs and text (maybe you don't need the text?). I only have 5186 events, so I don't know the right IDs.

 

I then created a value for the output = 1 (success). So you can now tell the Alert to fire when the value is > zero.

 

Event
//| where TimeGenerated > ago(60d)      // time filter belongs in the Alert form, not the query
//| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| where RenderedDescription has "shutdown" and EventID == 5186   // EventID is an int, so compare to a number
| extend AggregatedValue = 1
//| summarize by AppPoolName, EventID, RenderedDescription, Computer

Mock Alert config. Where AggregatedValue > 0 (zero), as this should be "1" if the query finds a match.
Look back 24 hrs (1440 mins, which is the max) and poll every 15 mins; adjust these values to suit.

[screenshot of the mock alert configuration]
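As an added example (not a query from the thread, and not Clive's), here is one way to generalize the alert query above from a single test event to the WAS events that indicate an application pool actually stopped or crashed, rather than recycled. The event IDs (5002, 5009, 5010, 5011, 5013 for stop/crash; 5074, 5076, 5186 for recycle/idle shutdown) and the `<Param>` positions are assumptions taken from the standard WAS event message templates, not from this thread; confirm them against your own logs with the EventID discovery query from the earlier reply before relying on the alert. "DefaultAppPool" is a placeholder pool name.

```kql
// Added example, not a query from the thread: alert on WAS events that mean an
// application pool stopped or crashed, rather than recycled.
// ASSUMPTIONS (verify against your own Event data):
//   - 5002 (pool disabled by rapid-fail protection), 5009 (worker process terminated
//     unexpectedly), 5010 (worker process failed to respond to a ping), 5011 (fatal
//     communication error with WAS) and 5013 (worker process exceeded its shutdown
//     time limit) put the pool name in the FIRST <Param>.
//   - 5074, 5076 and 5186 put the worker process id first and the pool name SECOND,
//     which is the layout the thread's fixed parse pattern was written for.
//   - No TimeGenerated filter: the alert rule's look-back window supplies it.
let PoolOfInterest = "DefaultAppPool";   // placeholder: the pool you want to watch
Event
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
// collect every <Param> value into an array instead of relying on one fixed position
| extend Params = extract_all(@"<Param>(.*?)</Param>", ParameterXml)
| extend AppPoolName = iff(EventID in (5074, 5076, 5186),
                           tostring(Params[1]),   // pool name is the second parameter
                           tostring(Params[0]))   // pool name is the first parameter
| where AppPoolName == PoolOfInterest
| where EventID in (5002, 5009, 5010, 5011, 5013)
| extend Reason = case(
    EventID == 5002, "disabled by rapid-fail protection",
    EventID == 5009, "worker process terminated unexpectedly",
    EventID == 5010, "worker process failed to respond to a ping",
    EventID == 5011, "fatal communication error with WAS",
    EventID == 5013, "worker process exceeded its shutdown time limit",
    "other")
// one row per 15-minute bin, computer and pool; AggregatedValue > 0 fires the alert
| summarize AggregatedValue = count(), Reasons = make_set(Reason), LastSeen = max(TimeGenerated)
    by bin(TimeGenerated, 15m), Computer, AppPoolName
```

The time filter is left out on purpose, as the solution explains: the alert rule's look-back window supplies it. The summarize emits one row per 15-minute bin per computer and pool with AggregatedValue = count(), so the same "AggregatedValue > 0" condition from the mock alert config applies, and the Reasons column tells whoever gets paged which condition fired. Reading all `<Param>` values into an array matters because the thread's `parse ParameterXml with * "</Param><Param>" AppPoolName ...` pattern silently drops any event whose pool name is the first parameter, which is exactly the shape of the crash events you most want to catch.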

 

@CliveWatson Thanks for helping me with this... I see that you got this working with rendered description as "shutdown". One thing I am noticing is I don't see any entries with shutdown, but I see ones with rendered description "has requested a recycle". I have set the alert with this description, but it looks like the user needs to know when it stopped and started instead of recycle. Need to check more on this.

@RCDevops777 

 

Sounds like we are nearly done.  I did mention I used 'Shutdown' as a test bit of text.

 

Hopefully you'll be able to spot a real "stopped" event soon, and get the real EventID # and/or correct text.

 

:) 

@RCDevops777 I have also come across the same situation. Did you figure out the stopped or started state of the IIS service?
