Monitoring on premises servers


We have to monitor on-premises servers in a Log Analytics workspace. Below are the points we have to put in one query:


1. DHCP Client Service is Down or stopped
2. Disk space alert
3. HealthService on the node has stopped
4. Heartbeat Error on HCI server
5. Windows Update Orchestrator has entered stopped state.


The above are basically alerts already set, which we need to display on a dashboard in one tile. That tile should show red or green based on the health check by the 5 points mentioned above.


If not from queries, is there any other way to achieve this?

1 Reply

Short answer: yes, you can create a query that returns the 5 pieces of information you mentioned. And you can craft your request in order to set up your workbook to display it how you want.


Long answer: although I don't have a deep understanding of Windows Server logs, I think you can use the Event table from the Log Analytics workspace and look for the events you want. This post explains that the 7036 event ID "contains information which service has stopped or started."


So I guess a good starting point could be the following query. The only thing I changed here is that I added the last line of code that may be helpful to filter on services you're interested in.

// Service Control Manager state changes (event 7036) from the Event table
Event
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
// param1 is the service name, param2 is its new state
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
// Keep only the services of interest
| where Windows_Service_Name == "WhateverYourServiceNameIs1" or Windows_Service_Name == "WhateverYourServiceNameIs2"


To monitor disk space, take a look at this blog post that seems to answer your need by leveraging the Perf table.


To monitor Heartbeat errors, just monitor the Heartbeat table.


Since all the information you want to collect is not in the same table, you must use a union statement to end up with a table containing all the information you want. Based on this query, you must tweak it so that it integrates with your workbook.



Workbooks are very powerful, and without technical details (e.g. code, screenshots, tables, data examples) I can't provide a more precise answer.
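
The union approach described in the reply, written out as an added example that is not part of the original thread: it reduces the Event, Perf and Heartbeat checks to one red/green row per computer. The lookback window, the two thresholds and the service display names are assumptions; compare the names with what your own 7036 events log in `param1`.

```kusto
// Added example. Thresholds and service display names below are assumptions.
let lookback = 1d;
let diskFreePctMin = 10;     // assumed: below 10 % free space counts as unhealthy
let heartbeatMaxGap = 15m;   // assumed: no heartbeat for 15 minutes counts as unhealthy
// Assumed display names as they appear in param1 of event 7036
let watchedServices = dynamic(["DHCP Client", "Microsoft Monitoring Agent", "Update Orchestrator Service"]);
// Latest known state of each watched service per computer
let serviceChecks = Event
    | where TimeGenerated > ago(lookback)
    | where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
    | parse kind=relaxed EventData with * '<Data Name="param1">' ServiceName '</Data><Data Name="param2">' ServiceState '</Data>' *
    | where ServiceName in (watchedServices)
    | summarize arg_max(TimeGenerated, ServiceState) by Computer, ServiceName
    | project Computer, Check = strcat("Service: ", ServiceName),
              Healthy = ServiceState !~ "stopped", Detail = ServiceState, LastSeen = TimeGenerated;
// Latest free-space sample of each logical disk per computer
let diskChecks = Perf
    | where TimeGenerated > ago(lookback)
    | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and InstanceName != "_Total"
    | summarize arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
    | project Computer, Check = strcat("Disk: ", InstanceName),
              Healthy = CounterValue >= diskFreePctMin,
              Detail = strcat(round(CounterValue, 1), "% free"), LastSeen = TimeGenerated;
// Age of the most recent heartbeat per computer
let heartbeatChecks = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated) by Computer
    | project Computer, Check = "Heartbeat",
              Healthy = LastSeen > ago(heartbeatMaxGap),
              Detail = strcat("last heartbeat ", format_datetime(LastSeen, 'yyyy-MM-dd HH:mm')), LastSeen;
// All three result sets share the same columns, so union gives one table of checks
union serviceChecks, diskChecks, heartbeatChecks
| summarize FailedChecks = countif(not(Healthy)), Failing = make_list_if(Check, not(Healthy)) by Computer
| extend Status = iff(FailedChecks == 0, "green", "red")
| project Computer, Status, FailedChecks, Failing
```

A computer that sent no heartbeat at all within the lookback window produces no Heartbeat row, and a service whose last state change is older than the window is not evaluated, so choose the window with that in mind.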