Sep 06 2018 03:54 PM - last edited on Apr 07 2022 05:28 PM by TechCommunityAP
I have an Azure customer who wants to be able to monitor the Service State of a 3rd party service (not Windows) on a VM and alert on it. Does anyone have a process and can share a Kusto query to do this? Thanks in advance!
Sep 07 2018 06:50 AM
Solution
Hi,
Previously I have written this blog post which is still valid:
https://cloudadministrator.net/2018/01/24/monitoring-windows-services-sates-with-log-analytics/
Additionally, the Change Tracking solution can also monitor service states, and recently they've made it possible to monitor those with a 10s difference:
You can potentially use Change Tracking for that as well, as it offers a better out-of-the-box experience for that. An example query for a specific server and service will be:
ConfigurationChange | where ConfigChangeType == "WindowsServices" | where SvcState == "Stopped" | where SvcDisplayName == "WMI Performance Adapter" | where Computer == "ContosoFileSrv1"
You will have to replace the display name of the service with the one you want to monitor and the Computer with the server name you want to monitor. With that query you can create a Log Search alert of type Number of results.
You can also make it more dynamic with a Log Search alert of type Metric measurement. In that case the query will look like the following:
ConfigurationChange | where ConfigChangeType == "WindowsServices" | where SvcState == "Stopped" | where SvcDisplayName == "WMI Performance Adapter" | summarize AggregatedValue = count() by Computer, bin(TimeGenerated, 5m)
For that query Aggregated Value should be greater than 0. Trigger will be Consecutive breaches greater than 0. Period and frequency will be 5 minutes.
You can also look at a more advanced scenario, with a query aggregating on more than one field, here:
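Added example, not part of the original reply: the queries in the reply match any "Stopped" change record, so they also return a service that has since been restarted. This variant keeps only the latest recorded state per computer and service and returns a row only when that latest state is still Stopped; the `lookback` value and the output column names `StoppedSince` and `StoppedForMinutes` are assumptions chosen for illustration.

```kusto
// Added example: alert only when the most recent recorded state is "Stopped".
// "WMI Performance Adapter" is the display name used in the reply; replace it
// with the display name of the service you want to monitor.
let lookback = 1h;   // assumption: window of change records to evaluate
ConfigurationChange
| where TimeGenerated > ago(lookback)
| where ConfigChangeType == "WindowsServices"
| where SvcDisplayName == "WMI Performance Adapter"
// Keep the newest change record for each computer/service pair.
| summarize arg_max(TimeGenerated, SvcState, SvcPreviousState) by Computer, SvcDisplayName
// A service that stopped and was started again is dropped here.
| where SvcState == "Stopped"
| extend StoppedForMinutes = datetime_diff("minute", now(), TimeGenerated)
| project Computer, SvcDisplayName, SvcPreviousState, SvcState,
          StoppedSince = TimeGenerated, StoppedForMinutes
```

Used with a Log Search alert of type Number of results (greater than 0), this fires per evaluation only while the service remains stopped. Change Tracking records state changes, so a stop older than `lookback` with no later change is not returned.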