SOLVED

Query to Get service Information of VM.


Hi,

I am trying to write a log search query which gives me the information about all the services that are stopped or started in services.msc for the past 3 hours. I have tried to use ConfigurationChange after going through the documentation, but it seems to be deprecated. The logs are not a part of Event or Perf either. Can anyone guide me through this?

Thanks!

3 Replies

I don't have any data in my subscriptions around services starting and stopping, but looking for event 7036 (The %1 service entered the %2 state) in the events table might be one approach. Not sure if it gets routed to the Event or SecurityEvent table, so can do a 

union Event, SecurityEvent | where EventID == 7036 | ...


Thanks,
-Evgeny


Thanks Evgeny. It is getting logged in the Event table with Service Control Manager as Source. But there is a time delay of around 15 minutes from when the service state is changed to the data being visible in the OMS portal. So I missed out earlier.
 
I am trying to understand something else too. Some services are getting logged in the ConfigurationChange table and some are not; for example, the query below worked for some services.
 
ConfigurationChange
| where ConfigChangeType == "WindowsServices"
| where SvcDisplayName == "Xbox Live Auth Manager"
| where SvcState == "Stopped"
 
Thanks,
Akhila
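Putting the two approaches from this thread together, here is an added KQL example (not posted by anyone in the thread) that pulls service start/stop changes for the last 3 hours from both the Event table (Service Control Manager event 7036, as Evgeny suggested) and the ConfigurationChange table (as in Akhila's query) and normalizes them into one result set. It assumes the standard English wording of the 7036 message ("The X service entered the Y state.") for the parse step; unexpected stops of monitoring or security agent services are the rows a defender would alert on.

```kql
// Added example: service state changes in the last 3 hours from both sources.
// Assumption: RenderedDescription for event 7036 uses the English template
// "The <name> service entered the <state> state."
let window = 3h;
let fromEvent =
    Event
    | where TimeGenerated > ago(window)
    | where Source == "Service Control Manager" and EventID == 7036
    | parse RenderedDescription with "The " ServiceName " service entered the " ServiceState " state."
    | project TimeGenerated, Computer, ServiceName,
              ServiceState = tolower(ServiceState), SourceTable = "Event";
let fromConfigChange =
    ConfigurationChange
    | where TimeGenerated > ago(window)
    | where ConfigChangeType == "WindowsServices"
    | project TimeGenerated, Computer, ServiceName = SvcDisplayName,
              ServiceState = tolower(SvcState), SourceTable = "ConfigurationChange";
union fromEvent, fromConfigChange
| where ServiceState in ("running", "stopped")
| order by TimeGenerated desc
```

Because ConfigurationChange rows arrive with the delay Akhila describes, the same change can show up twice (once per source) at different timestamps; the SourceTable column makes that visible rather than hiding it.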
Solution

Hi

This article might help you as well:

Monitoring Windows Services States with Log Analytics (https://cloudadministrator.wordpress.com/2018/01/24/monitoring-windows-services-sates-with-log-analytics/)