Create alert when Microsoft third-party service stopped and does not return to the started status after 5 min


Hi, I want to create an alert when Microsoft services (third-party) stop and do not return to started after 3 minutes.

I read the previous post (Monitoring Windows Services States with Log Analytics) and I've written this:

Event
| where Computer contains "BKE"
| where EventLog == "Application" and Source == "BiTXRDeq"
| sort by TimeGenerated desc

If I start and stop the service I see the different lines, but I don't know how to set an alert when the service is stopped and does not return to the started status after 3/5 minutes.

Can you help me?
Thanks

6 Replies

Hi @CliveWatson, I read your URL but I have a different need.

In the example:

Event
| where Computer contains "BKE02"
| where EventLog == "Application" and Source == "BiTXRDeq"
| where RenderedDescription has "stopped"
| sort by TimeGenerated desc
| summarize count() by Computer, RenderedDescription


In the above query I have a service with Source = BiTXRDeq; when it is stopped it sends an email alert, but I must exclude the case when the service restarts and I have 2 events: stopped and started for this service (with 1 minute difference).
In 'create rule' I can add only one log search (file image2).

How can I do it?

Regards

@lucajons1980 

Does this help? You need to add back your computer name and the service name...

// 7035: the Service Control Manager sent a start/stop control to a service
// 7036: a service entered the running/stopped state (one event ID for both states; the state is param2 in the XML below)
Event
| where TimeGenerated > ago(1d)
| where Computer contains "RDS2019"
| where EventLog == "System"
        and EventLevelName == "Information"
        // state-change events only; the "stopped" filter is applied on the parsed state further down
        and EventID == 7036
        and Source == "Service Control Manager"
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
// pull the service name (param1) and its new state (param2) out of the EventData XML
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
// now look at a specific state and service
| where Windows_Service_State == "stopped" and Windows_Service_Name == "Windows Update"
// metric-measurement alert rules expect a numeric column to aggregate on
| extend AggregatedValue = 1

@CliveWatson 

I modified the query; in my log I use 'RenderedDescription':

Event
| where TimeGenerated > ago(60m)
| where Computer contains "BKE"
| where EventLog == "Application"
and EventLevelName == "Information"
// look for STOPPED only
// and EventID == 7036
and Source == "BiTXRDeq"
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Computer, RenderedDescription, TimeGenerated

Because if I use:

| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

I don't get any rows. Windows_Service_Name and Windows_Service_State are not populated.

Even with the modified query the problem remains, because I always have 2 rows: one for the service stop and one for the service start.

I did a service restart test and I have 2 rows in Event Viewer; I think I need a query that discards this situation on service restart and notifies me only when I have more stops than starts in the same TimeGenerated.

I hope I explained the situation better.
Thanks
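As an added example (not from the thread), here is a query that answers the original question of alerting when a stop is not followed by a start within the grace period. It assumes the source writes the words "stopped" and "started" into RenderedDescription (as the `has "stopped"` filter above suggests), and instead of counting stops against starts it compares the latest stop with the latest start per computer and source, so a stop/start pair one minute apart (a restart) never fires. The computer filter, source, grace period and lookback are assumed parameters; the Windows_Service_Name / Windows_Service_State columns produced by the parse in the reply above could replace the RenderedDescription classification for sources that do populate EventData.

```kusto
// Assumed inputs (not from the thread): computer prefix and event source from the
// question, a 5-minute grace period for the restart, and how far back to look.
let ComputerFilter = "BKE";
let ServiceSource  = "BiTXRDeq";
let GracePeriod    = 5m;
let Lookback       = 24h;
Event
| where TimeGenerated > ago(Lookback)
| where Computer contains ComputerFilter
| where EventLog == "Application" and Source == ServiceSource
// Assumption: this source writes "stopped" / "started" into RenderedDescription
| extend State = case(RenderedDescription has "stopped", "stopped",
                      RenderedDescription has "started", "started",
                      "other")
| where State != "other"
// Latest stop and latest start seen per computer and source (null when none was seen)
| summarize LastStop  = maxif(TimeGenerated, State == "stopped"),
            LastStart = maxif(TimeGenerated, State == "started")
          by Computer, Source
// Fire only when the most recent transition was a stop, it is older than the grace
// period, and no start has been logged since. A restart (stop then start within a
// minute) gives LastStart > LastStop and is dropped here.
| where isnotnull(LastStop)
    and LastStop < ago(GracePeriod)
    and (isnull(LastStart) or LastStart < LastStop)
| project Computer, Source, LastStop, LastStart, DownFor = now() - LastStop
// numeric column for metric-measurement style alert rules, as in the reply above
| extend AggregatedValue = 1
```

Schedule the alert rule to run every few minutes and trigger when the number of results is greater than 0. The Lookback bounds how old a stop can be and still be noticed, so it should be at least as long as the rule's evaluation window; a stop older than the lookback that was never followed by a start will not be reported once it ages out.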

@lucajons1980 

It's the parse command that will generate those missing pieces of data: Windows_Service_Name etc.

| parse kind = relaxed EventData with *'<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *

Can you send me the output from RenderedDescription as plain text (paste it into your reply).

In the query I have an example of the rendered description we need to see:
// example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>

The parse command needs to be told what parts of this string to look at and what to ignore, looking at the info in RED. When we have that we can use the WHERE command to filter out the started and other messages.
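A small added example (not from the thread) of what the parse command does with a payload that matches the XML pattern and with one that does not. It runs against a constructed datatable rather than the Event table: the first row reuses the XML fragment quoted above, the second is an assumed 7036 payload for a stopped service, and the BKE02 row mimics an application-log event whose EventData carries no param1/param2 elements.

```kusto
// Constructed sample rows shaped like the Event table's EventData column (not real log data).
let SampleEvents = datatable(Computer:string, TimeGenerated:datetime, EventData:string) [
    "RDS2019", datetime(2021-01-01 10:00:00),
        '<DataItem><EventData><Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>',
    "RDS2019", datetime(2021-01-01 10:02:00),
        '<DataItem><EventData><Data Name="param1">Windows Update</Data><Data Name="param2">stopped</Data></EventData></DataItem>',
    // assumed application-log payload with no param1/param2 elements
    "BKE02",   datetime(2021-01-01 10:03:00),
        '<DataItem><EventData><Data>BiTXRDeq service stopped</Data></EventData></DataItem>'
];
SampleEvents
// same pattern as the reply above: skip everything up to param1, capture the name,
// skip to param2, capture the state, ignore the rest
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
// parse keeps every row; where the delimiters are absent the extended columns stay empty
| project Computer, TimeGenerated, Windows_Service_Name, Windows_Service_State,
          Parsed = isnotempty(Windows_Service_Name)
```

The two RDS2019 rows come back with the service name and state filled in, while the BKE02 row is kept by `parse` with both extended columns empty. A later `where Windows_Service_State == "stopped"` therefore drops it, which is the "no rows" result reported earlier in the thread. For an application source whose EventData has no param elements the stop/start filter has to be written against RenderedDescription instead; where unparsable rows should be discarded explicitly, `parse-where` does that in place of `parse`.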