If you are a Windows user and love playing around with Windows VM on Azure, and if you would like to monitor whether a Windows service is stopped or in a running state using Log Analytics query, here is a post for you.
In order to first monitor a Windows service running on a Windows VM from Azure Portal, from the VM page, Azure Portal gives you one option, the Windows Admin Center, that you can use and leverage, without having to log onto the Azure VM running Windows every time using RDP.
After enabling Windows Admin Center, try to connect to the WAC (Windows Admin Center) Tool from the VM page on Azure Portal. Click on the "Connect" button.
Then you will see a page that is loading as you see in the below screenshot upon trying to connect to the WAC (Windows Admin Center) Tool.
As the page gets loaded, you will see the "Overview" page like in the below screenshot.
Navigate to the "Services" Page as you may want to check the Windows services and its status.
If you may want to start a service that has stopped, please select the service and then proceed with the operation you may want to do.
Perform the "Start" Operation by clicking on the "Start" button at the top of the selected Windows Service.
Once the start operation is completed, you will see a notification that says the start operation is complete and you will see the updated status on the selected service.
In this way, you can not only monitor a Windows service status from the Azure portal instead of having to RDP into the machine to do the same on an Azure VM running Windows but also perform operations on the Windows services using the WAC Tool (Windows Admin Center Tool).
We can also monitor the status of Windows Service using Log Analytics Workspace and Azure Monitor. Let us see how we can monitor using an Azure Monitor Agent extension installed on the Azure VM.
Install the Azure Monitor Agent onto the Azure VM running Windows using this guide.
Once installed, you can use the Log Analytics query page to examine/monitor the services stopped.
The KQL query that I have used for querying to get the data of stopped Windows services on my VM (VM1) grouping it by the time at which the status is seen stopped, is shared below.
ConfigurationChange | where ConfigChangeType == "WindowsServices" and SvcState contains "Stopped" | order by TimeGenerated desc
Here the configuration change metric is nothing but the configuration change that is tracked on the Azure VM running Windows, by the "Change Tracking" Tool.
Then I used the "Create new alert rule" option at the Log Analytics Querying page, to create an alert rule AL11 that will notify with the custom KQL query mentioned above, to notify me through an email that the Windows Services has stopped when a change is tracked on the current state of Windows services and if it equals stopped.