SOLVED

How to monitor windows services

Hi All,

 

How to monitor services in Azure VMs like IIS, MSSQL or any other Windows service. Here we already have integration with service-now and want to achieve if Windows service is down we will get alert and then once service is online it will resolve the alert or it will not regenerate alert at frequency.

 

Thanks in advance.

11 Replies
Best Response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi @Rahul_Mahajan, you cannot fully achieve the scenario of closing the alert once the service is up. You can only get an alert once the service is down. I have blogged about this here:

https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-with-log-analytics/

The method described there uses the System event log, but the same thing can be achieved using the Change Tracking solution, which also tracks Windows service states. In our book Inside Azure Management we have described the scenario using Change Tracking as well. The example in that scenario also includes automatic service remediation by starting the service on the VM via a runbook. This is described in the Automation chapter.

Thanks @Stanislav , will test them and get back to you.

@Stanislav Zhelyazkov 

 

When I am running the query below, I always get 0 results even if I select a time range of 4 months or more:

Event
| where EventLog == "System" and EventID == 7036 and Source == 'Service Control Manager'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Also, is it OK to use this to fetch:

ConfigurationData
| where SvcName =~ "w3svc"
| where SvcState != "Running"
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated, SvcStartupType, SvcAccount, SourceSystem

As you said in your blog, change tracking has some delay in collecting data.

@Rahul_Mahajan For the first query you need to ingest the System log from all your Windows machines. Overall, I would recommend using Change Tracking (ConfigurationData) if you are already using it or if the cost of that data is OK with you. The good thing about Azure Monitor is that there are multiple paths for some things.

Keep in mind that when you build the query for the alert it needs to have certain things, like AggregatedValue. In the book example you will see how the query looks.
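One way to shape the Change Tracking query so it can back an alert rule, as an added example (not the blog's or the book's own query). It assumes Change Tracking is enabled on the VMs so the ConfigurationData table is populated, and it watches two services, w3svc (IIS) and MSSQLSERVER, as placeholders. The arg_max step matters in practice: ConfigurationData keeps every inventory row, so filtering on SvcState alone would keep matching old "Stopped" rows long after the service is back up and the alert would keep re-firing.

```kusto
// Added example, not from the original thread.
// Assumption: Change Tracking (ConfigurationData) is enabled on the VMs.
// Assumption: the watched service short names and the SvcStartupType
// value "Disabled" match what the workspace actually records.
let watched = dynamic(["w3svc", "MSSQLSERVER"]);
ConfigurationData
| where ConfigDataType == "WindowsServices"
| where SvcName in~ (watched)
// Keep only the most recent inventory row per computer and service.
// Without this, historical "Stopped" rows keep matching after recovery.
| summarize arg_max(TimeGenerated, SvcState, SvcDisplayName, SvcStartupType, SvcAccount)
    by Computer, SvcName
| where SvcState != "Running"
// A service that is deliberately disabled is not an outage.
| where SvcStartupType != "Disabled"
// Metric-measurement log alerts (the alert type current when this thread
// was written) require an AggregatedValue column and a bin(TimeGenerated, ...)
// grouping; alert when AggregatedValue is greater than 0.
| summarize AggregatedValue = count() by Computer, SvcName, bin(TimeGenerated, 5m)
```

Run the query first without the final summarize to confirm the per-service rows look right, then add it back when creating the alert. Because the latest row per service is what is evaluated, the condition stops being true once the service is Running again (after the Change Tracking collection delay mentioned above), so the rule stops re-firing even though the existing alert is not closed automatically.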

Can you give me a few sample queries and an idea of how to achieve it with change tracking?

@Rahul_Mahajan Download the book I have pasted the link to. Open Chapter 10, section Automated Alert Remediation. Read it. The latest working code is here: https://github.com/slavizh/InsideAzureMgmt-1/tree/master/Chapter10/Remediate Soon the book will be updated with that code.

@Stanislav Zhelyazkov Thanks for the specifics.

 

Also, is there any way to monitor all SQL databases in Azure SQL servers? We have a few databases which keep spiking CPU usage and causing issues.

 

@Rahul_Mahajan It is best to open new threads for new issues/questions. That way other folks will find the information more easily. Azure SQL has diagnostic logs and metrics which can be sent to Log Analytics, and you can create alerts based on them. Even without sending metrics to Log Analytics you can create metric alerts (those are per resource).

When I am trying to change the change tracking frequency to 10 seconds it is not working. It says the task completed successfully, but it reverts back to 30 seconds again.

 

Can someone confirm which level of access is required to do this task, and also how to easily identify in future which level of access is required for other tasks in Azure monitoring and Update Management?

 

 

@Rahul_Mahajan To change that setting you need contributor access on the Log Analytics workspace.

@Stanislav Zhelyazkov 

 

Hello Stanislav,

I am trying to write a query to get results when ‘Service A’ is in the running state and ‘Service B’ is in the stopped state. I am getting 0 results. Below is the query:

Event
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name == "Service A" and Windows_Service_State == "running"
| where Windows_Service_Name == "Service B" and Windows_Service_State == "stopped"
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

Appreciate your response.
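An added example of how to correlate the two services, not taken from the thread. Each row of Event describes a single 7036 state change for a single service, so two consecutive where clauses that demand different service names on the same row can never both be true, which is why the query above returns nothing. The example below reduces the events to the latest known state per computer and service, then joins the two services on Computer. It assumes the System log is being collected, and it keeps the placeholder names "Service A" and "Service B" from the post; note that param1 in event 7036 carries the service display name (for IIS that is "World Wide Web Publishing Service", not "w3svc"), and that the state text is lower case, so a case-insensitive comparison is used.

```kusto
// Added example, not from the original thread.
// Assumption: the System event log is ingested from the VMs.
// Assumption: "Service A" / "Service B" are display names, as event 7036
// reports them in param1.
let ServiceState = Event
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
// 7036 fires on every transition; keep only the latest per computer and service.
| summarize arg_max(TimeGenerated, Windows_Service_State) by Computer, Windows_Service_Name;
ServiceState
| where Windows_Service_Name == "Service A" and Windows_Service_State =~ "running"
| join kind=inner (
    ServiceState
    | where Windows_Service_Name == "Service B" and Windows_Service_State =~ "stopped"
) on Computer
// The right side's same-named columns come back with a "1" suffix.
| project Computer,
    ServiceA_State = Windows_Service_State,
    ServiceB_State = Windows_Service_State1,
    LastChange = max_of(TimeGenerated, TimeGenerated1)
| sort by LastChange desc
```

Because each side of the join already holds only the most recent state per service, a computer drops out of the result as soon as Service B is started again, which is the behaviour wanted for an alert condition that should stop re-firing once the service is back.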