Jul 22 2020
01:54 AM
- last edited on
Apr 08 2022
10:34 AM
by
TechCommunityAP
Hi All,
Is there a way to monitor only Windows services which the startup type is "Automatic"?
I found the following article on monitoring Windows services, but it monitors all Windows services regardless of startup type.
https://techcommunity.microsoft.com/t5/azure-monitor/how-to-monitor-windows-services/m-p/768888
Thanks so much
Jul 30 2020 04:17 AM
Solution
Hi @zarchi,
This is possible. Example query:
ConfigurationChange
| where ConfigChangeType =~ 'WindowsServices' and ChangeCategory =~ 'Modified' and SvcChangeType =~ 'State' and SvcState =~ 'Stopped' and SvcStartupType =~ 'Auto'
| extend AggregatedValue = 1
| summarize arg_max(TimeGenerated, *) by _ResourceId, SvcDisplayName, bin(TimeGenerated, 5m)
You can read more about the query I am using on my blog post. You need to set the alert on Metric measurement, greater than, threshold value 0, total breaches greater than 0. Period 5 mins, frequency 5 minutes. Aggregate on: select _ResourceId and SvcDisplayName. Usually Aggregate on is not available when you create alerts via the portal, so it is best to create it via ARM Template as I have shown in my blog post. My advice is to always scope to specific service names as I have shown in my blog post and not to monitor all Automatic services. There are some automatic services that start and stop at certain periods, which will generate a lot of false positives and noise.
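As an added example (not part of the original thread or the answerer's blog post): the same ConfigurationChange query scoped to an allow-list of service display names, as the answer advises, and changed so that a service is kept only when its latest state in the 5-minute window is still Stopped, so a service that stopped and restarted inside the window does not fire. The two service names in the list are constructed placeholders; the alert settings from the answer (metric measurement, threshold 0, period and frequency 5 minutes, aggregate on _ResourceId and SvcDisplayName) stay the same.

```kql
// Constructed allow-list: replace with the Automatic services you actually care about.
let WatchedServices = dynamic(["Print Spooler", "Windows Time"]);
ConfigurationChange
| where ConfigChangeType =~ 'WindowsServices'
    and ChangeCategory =~ 'Modified'
    and SvcChangeType =~ 'State'
    and SvcStartupType =~ 'Auto'
    and SvcDisplayName in~ (WatchedServices)
// Keep the most recent state-change record per VM, per service, per 5-minute window.
| summarize arg_max(TimeGenerated, SvcState) by _ResourceId, SvcDisplayName, Window = bin(TimeGenerated, 5m)
// Only alert when the last known state in the window is still Stopped
// (a stop followed by a restart in the same window is suppressed).
| where SvcState =~ 'Stopped'
// Metric measurement alert: threshold 0, so any surviving row fires the rule.
| extend AggregatedValue = 1
```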
Jul 30 2020 07:39 AM
@Stanislav_Zhelyazkov Thanks so much for the response. I was thinking of using "Change Tracking" and I found its limitation where all VMs need to be in the same subscription and region as the automation account. As we have many VMs across tenants and different subscriptions, we can't use it. Is it possible to use the Kusto query?
Jul 30 2020 07:44 AM
@zarchi There is no such limitation. If there is, it must be in the portal-only experience. To a single workspace and automation account with change tracking enabled you can onboard VMs from multiple subscriptions under the same tenant. If you want to onboard VMs in other tenants you have to onboard them like they are on-premises VMs. I would strongly suggest using an automation account and workspace per tenant rather than onboarding multiple tenants to the same workspace and automation account, especially if the tenants are different customers.
Aug 03 2020 12:54 AM
@Stanislav_Zhelyazkov Thanks for your suggestion. It is mentioned here in this article "To use the Change Tracking and Inventory feature, you must locate all your VMs in the same subscription and region of the Automation account."
https://docs.microsoft.com/en-us/azure/automation/change-tracking
As long as it is working fine with multiple subscriptions and different locations, I am happy to enable this. 🙂
Aug 03 2020 01:14 AM
@zarchi As I have said it is not true. Here is official issue opened for the docs: https://github.com/MicrosoftDocs/azure-docs/issues/60154
Aug 05 2020 11:43 PM
@Stanislav_Zhelyazkov Thanks so much. I have enabled it and it is working fine :).