How to identify a stopped service in a Windows VM using Log Analytics Workspace
Published Jul 05 2023 08:10 PM 7,979 Views
Microsoft

If you are a Windows user and love playing around with Windows VM on Azure, and if you would like to monitor whether a Windows service is stopped or in a running state using Log Analytics query, here is a post for you.

 

In order to first monitor a Windows service running on a Windows VM from Azure Portal, from the VM page, Azure Portal gives you one option, the Windows Admin Center, that you can use and leverage, without having to log onto the Azure VM running Windows every time using RDP. 

 

To enable Windows Admin Center on an Azure VM running Windows OS please check out these steps. Manage a Windows Server VM using Windows Admin Center in Azure | Microsoft Learn

 

After enabling Windows Admin Center, try to connect to the WAC (Windows Admin Center) Tool from the VM page on Azure Portal. Click on the "Connect" button.

 

Aarthi795_MSFT_0-1684789697676.png

 

 

Then you will see a page that is loading as you see in the below screenshot upon trying to connect to the WAC (Windows Admin Center) Tool.

 

Aarthi795_MSFT_0-1684791575486.png

 

As the page gets loaded, you will see the "Overview" page like in the below screenshot. 

 

Aarthi795_MSFT_1-1684791677508.png

 

 

Navigate to the "Services" Page as you may want to check the Windows services and its status.

 

Aarthi795_MSFT_2-1684791813570.png

 

 

If you may want to start a service that has stopped, please select the service and then proceed with the operation you may want to do.

 

Aarthi795_MSFT_4-1684791934373.png

 

Perform the "Start" Operation by clicking on the "Start" button at the top of the selected Windows Service.

 

Aarthi795_MSFT_5-1684792010416.png

 

Once the start operation is completed, you will see a notification that says the start operation is complete and you will see the updated status on the selected service.

 

Aarthi795_MSFT_0-1684792174839.png

 

In this way, you can not only monitor a Windows service status from the Azure portal instead of having to RDP into the machine to do the same on an Azure VM running Windows but also perform operations on the Windows services using the WAC Tool (Windows Admin Center Tool).

 

We can also monitor the status of Windows Service using Log Analytics Workspace and Azure Monitor. Let us see how we can monitor using an Azure Monitor Agent extension installed on the Azure VM.

 

Install the Azure Monitor Agent onto the Azure VM running Windows using this guide

 

Once installed, you can use the Log Analytics query page to examine/monitor the services stopped. 

 

Aarthi795_MSFT_0-1684794481831.png

 

The KQL query that I have used for querying to get the data of stopped Windows services on my VM (VM1) grouping it by the time at which the status is seen stopped, is shared below.

 

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState contains "Stopped"
| order by TimeGenerated desc

 

Here the configuration change metric is nothing but the configuration change that is tracked on the Azure VM running Windows, by the "Change Tracking" Tool. 

 

Aarthi795_MSFT_1-1684794730120.png

 

Then I used the "Create new alert rule" option at the Log Analytics Querying page, to create an alert rule AL11 that will notify with the custom KQL query mentioned above, to notify me through an email that the Windows Services has stopped when a change is tracked on the current state of Windows services and if it equals stopped. 

 

Aarthi795_MSFT_2-1684794969844.png

 

Here is the guide for creating a new alert rule on Azure Portal. Create Azure Monitor alert rules - Azure Monitor | Microsoft Learn

 

This way, I have an alert triggered that notifies me through an email whenever a Windows service has its state Stopped from running state as previous state. 

 

Thanks for reading through this post, I hope this blog is useful for you.

 

Happy Learning!

 

FastTrack for Azure:  Move to Azure efficiently with customized guidance from Azure engineering. FastTrack for Azure – Benefits, and FAQ | Microsoft Azure 

 

 

Co-Authors
Version history
Last update:
‎May 22 2023 03:44 PM
Updated by: