Forum Discussion

Copper Contributor

Jan 31, 2018

Solved

Query to Get service Information of VM.

Hi, I am trying to write a log search query which gives me the information about all the services that are stopped are started in services.msc for past 3 hours. I have tried to use Configuratio...

Azure Log Analytics

azure monitor

Stanislav_Zhelyazkov
Feb 01, 2018
Hi

This article might help you as well:

Monitoring Windows Services States with Log Analytics

Evgeny Ternovsky

Microsoft

Feb 01, 2018

I don't have any data in my subscriptions around services starting and stopping, but looking for event 7036 (The %1 service entered the %2 state) in the events table might be one approach. Not sure if it gets routed to the Event or SecurityEvent table, so can do a

union Event, SecurityEvent | where EventId == 7036 | ...

Thanks,
-Evgeny

Akhila Nalluri

Copper Contributor

Feb 01, 2018

Thanks Evgeny. It is getting logged in Event Table with

Service Control Manager as Source. But there is a time delay of around 15 minutes from when the service state is changed to the data visible in OMS portal. So I missed out earlier.

I am trying to understand something else too. Some services are getting logged in ConfigurationChange Table and some are not like the below query worked for some services.

ConfigurationChange
| where ConfigChangeType == "WindowsServices"
| where SvcDisplayName == "Xbox Live Auth Manager"
| where SvcState == "Stopped"

Thanks,

Akhila

Stanislav_Zhelyazkov
MVP
Feb 01, 2018
Hi

This article might help you as well:

Monitoring Windows Services States with Log Analytics

Forum Discussion

Query to Get service Information of VM.

Monitoring Windows Services States with Log Analytics

Monitoring Windows Services States with Log Analytics