cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Monitor Only "Automatic" Windows Services

zarchi
Copper Contributor

‎Jul 22 2020 01:54 AM - last edited on ‎Apr 08 2022 10:34 AM by

‎Jul 22 2020 01:54 AM - last edited on ‎Apr 08 2022 10:34 AM by

Monitor Only "Automatic" Windows Services

Hi All,

 

Is there a way to monitor only Windows services which the startup type is "Automatic"?

I found the following article to monitor Window services. but it is to monitor all Windows services regardless of startup type.

 

https://techcommunity.microsoft.com/t5/azure-monitor/how-to-monitor-windows-services/m-p/768888

 

 

Thanks so much

Labels:
2,832 Views
0 Likes
6 Replies
Reply
6 Replies
best response confirmed by Stanislav Zhelyazkov (MVP)
Stanislav Zhelyazkov

‎Jul 30 2020 04:17 AM

‎Jul 30 2020 04:17 AM

Solution

Re: Monitor Only "Automatic" Windows Services

Hi@zarchi ,

This is possible. Example query:

ConfigurationChange
 | where ConfigChangeType =~ 'WindowsServices' and ChangeCategory =~ 'Modified' and SvcChangeType =~ 'State' and SvcState =~ 'Stopped' and SvcStartupType =~ 'Auto'
 | extend AggregatedValue = 1 
 | summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m) 

You can read more about the query I am using on my blog post. You need to set the alert on Metric measurement, greater than, threshold value 0, total breaches greater than 0. Period 5 mins, frequency 5 minutes. Aggregate on: select _ResourceId and SvcDisplayName. Usually Aggregate on is not available when you create alerts via portal so it is best to create it via ARM Template as I have shown in my blog post. My Advise is to always scope to specific services names as I have shown in my blog post and not to monitor all Automatic services. There are some automatic services that start and stop on certain periods which will generate a lot of false positives and noise.

1 Like
Reply
zarchi

‎Jul 30 2020 07:39 AM

‎Jul 30 2020 07:39 AM

Re: Monitor Only "Automatic" Windows Services

@Stanislav ZhelyazkovThanks so much for the response. I was thinking to use "Change Tracking" and I found its limitation where all VMs need to the same subscription and region of the automation account. As we have many VMs across tenants and different subscriptions, we can't use it. Is it possible to use the Kusto query?

 

0 Likes
Reply
Stanislav Zhelyazkov

‎Jul 30 2020 07:44 AM

‎Jul 30 2020 07:44 AM

Re: Monitor Only "Automatic" Windows Services

@zarchi There is no such limitation. If there is it must be in the portal only experience. To a single workspace and automation account with change tracking enabled you can onboard VMs from multiple subscriptions under the same tenant. If you want to onboard VMs in other tenants you have to onboard them like they are on-premises VMs. I would strongly suggest using automation account and workspace per tenant rather onboarding multiple tenants to the same workspace and automation account. Especially of the tenants are different customers.

2 Likes
Reply
zarchi

‎Aug 03 2020 12:54 AM

‎Aug 03 2020 12:54 AM

Re: Monitor Only "Automatic" Windows Services

@Stanislav Zhelyazkov Thanks for your suggestion. It is mentioned here in this article "To use the Change Tracking and Inventory feature, you must locate all your VMs in the same subscription and region of the Automation account."

https://docs.microsoft.com/en-us/azure/automation/change-tracking

As long as it is working fine with multiple subscriptions and different locations, I am happy to enable this. :)

1 Like
Reply
Stanislav Zhelyazkov

‎Aug 03 2020 01:14 AM

‎Aug 03 2020 01:14 AM

Re: Monitor Only "Automatic" Windows Services

@zarchi As I have said it is not true. Here is official issue opened for the docs: https://github.com/MicrosoftDocs/azure-docs/issues/60154

1 Like
Reply
zarchi

‎Aug 05 2020 11:43 PM

‎Aug 05 2020 11:43 PM

Re: Monitor Only "Automatic" Windows Services

@Stanislav Zhelyazkov Thanks so much. I have enabled it and working fine :).

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Stanislav Zhelyazkov (MVP)
Stanislav Zhelyazkov

‎Jul 30 2020 04:17 AM

‎Jul 30 2020 04:17 AM

Solution

Re: Monitor Only "Automatic" Windows Services

Hi@zarchi ,

This is possible. Example query:

ConfigurationChange
 | where ConfigChangeType =~ 'WindowsServices' and ChangeCategory =~ 'Modified' and SvcChangeType =~ 'State' and SvcState =~ 'Stopped' and SvcStartupType =~ 'Auto'
 | extend AggregatedValue = 1 
 | summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m) 

You can read more about the query I am using on my blog post. You need to set the alert on Metric measurement, greater than, threshold value 0, total breaches greater than 0. Period 5 mins, frequency 5 minutes. Aggregate on: select _ResourceId and SvcDisplayName. Usually Aggregate on is not available when you create alerts via portal so it is best to create it via ARM Template as I have shown in my blog post. My Advise is to always scope to specific services names as I have shown in my blog post and not to monitor all Automatic services. There are some automatic services that start and stop on certain periods which will generate a lot of false positives and noise.

View solution in original post

1 Like
Reply