Monitoring a Windows service on Azure with Event Viewer and Log Analytics

A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Beyond that, it can also be used for monitoring when combined with Azure alerts, provided you write the appropriate query.

The query below monitors a Windows service by querying Log Analytics. It looks for Event ID 7036 from the Service Control Manager, which is written every time a service enters the running or the stopped state, and keeps only the transitions to stopped.

The query, written in Kusto Query Language (KQL), returns the computer, the service name, the state and the time of the event:

Event
| where TimeGenerated > ago(1h)
| where EventLog == "System"
    and Source == "Service Control Manager"
    and EventID == 7036            // "The <service> service entered the <state> state."
// EventData is XML: param1 = service display name, param2 = new state (running / stopped)
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name startswith "Docker Desktop"
    and Windows_Service_State =~ "stopped"
| project TimeGenerated, Computer, Windows_Service_Name, Windows_Service_State
| sort by TimeGenerated desc

You can use the above query to create an Azure alert that fires when a service is found stopped. Because I want to monitor the Docker Desktop service, its display name goes into the where clause on Windows_Service_Name; any other service can be monitored by changing that value, which makes the same rule useful for services whose stop is itself suspicious, such as an antivirus, EDR or log-forwarding agent. The alert logic should fire when the query returns at least one row in the evaluation window (number of results greater than 0): a row is only returned when a 7036 event with the stopped state was written to the System log, so the service stopped within the interval the query covers. The frequency of evaluation is how often the Log Analytics query is repeated; to look for a stopped service every 5 minutes, set it to 5 minutes. Keep the lookback in the query (ago(1h) above) aligned with that frequency, otherwise a single stop keeps matching, and re-alerting, for the whole hour. The Event table is only populated when the System log is being collected by the agent (Log Analytics agent, or Azure Monitor Agent with a data collection rule), so check that first if the query returns nothing.

Finally, the alert is triggered and informs you about stopped Windows services.
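The same check can be reproduced on the server itself with PowerShell, which is handy for confirming that the param1/param2 parsing above matches what the Service Control Manager actually writes before the query is turned into an alert. The following is an added example and not code from the original post; the XML sample is constructed to mirror the shape Get-WinEvent returns from ToXml(), and the service prefix and one-hour lookback are assumptions taken from the query above.

```powershell
# Added example, not code from the original post: the Event ID 7036 check done
# locally with PowerShell, so the param1/param2 parsing can be verified against
# real events before the KQL above is turned into an alert.

function ConvertFrom-ServiceStateEvent {
    # Pull the service display name (param1) and new state (param2) out of the
    # EventData XML that the Service Control Manager writes for Event ID 7036.
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        ServiceName = $data['param1']
        State       = $data['param2']
    }
}

function Get-StoppedServiceEvents {
    # Local equivalent of the Log Analytics query: System log, SCM provider,
    # ID 7036, then keep only 'stopped' transitions for the named service.
    param(
        [string]$ServiceNamePrefix = 'Docker Desktop',   # assumption, as in the KQL
        [int]$LookbackHours = 1                          # assumption, matches ago(1h)
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as no rows
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = ConvertFrom-ServiceStateEvent -EventXml $_.ToXml()
        if ($p.ServiceName -like "$ServiceNamePrefix*" -and $p.State -eq 'stopped') {
            [pscustomobject]@{
                TimeGenerated = $_.TimeCreated
                Computer      = $_.MachineName
                ServiceName   = $p.ServiceName
                State         = $p.State
            }
        }
    }
}

# Constructed sample in the shape Get-WinEvent's ToXml() produces (other elements omitted)
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" />
    <EventID>7036</EventID>
  </System>
  <EventData>
    <Data Name="param1">Docker Desktop Service</Data>
    <Data Name="param2">stopped</Data>
  </EventData>
</Event>
'@

ConvertFrom-ServiceStateEvent -EventXml $sampleXml
Get-StoppedServiceEvents -ServiceNamePrefix 'Docker Desktop' -LookbackHours 1
```

Against the constructed sample the first call yields the pair Docker Desktop Service / stopped; the second call only produces rows when a matching 7036 event exists in the live System log within the lookback, which is exactly the condition the alert rule evaluates.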

Query servers disk size – Azure Log Analytics

Log Analytics can be a powerful monitoring tool for your infrastructure, as you can query metrics that matter for server availability, such as free disk space. The InsightsMetrics table used below is populated by VM insights, so it has to be enabled on the VMs you want to see.

The query below returns the size and free space of the disks of your Linux VMs.

InsightsMetrics
| where Origin == "vm.azm.ms"
    and Namespace == "LogicalDisk"
    and Name == "FreeSpaceMB"                // free space samples, in MB
// Tags is a JSON string: mountId is the disk/mount name, diskSizeMB its total size
| extend TagMap = todynamic(Tags)
| extend Disk = tostring(TagMap["vm.azm.ms/mountId"]),
         Disk_Size_GB = todouble(TagMap["vm.azm.ms/diskSizeMB"]) / 1024
| where Disk in ('sda1', 'sdb1', 'sdc1', 'sdd1', '/')   // filter before aggregating
| summarize Disk_Free_Space_GB = avg(Val) / 1024
    by Computer, Disk, Disk_Size_GB, _ResourceId
| project Computer, Disk, Disk_Size_GB, Disk_Free_Space_GB

You can also set the scope of the query to get results for specific resources or resource groups only. Note that the free space is averaged over the whole selected time range; narrow the range, or add bin(TimeGenerated, ...) to the summarize clause, if you want the current value or a trend.

The result lists the size and free space of every disk whose name is in the list ('sda1', 'sdb1', 'sdc1', 'sdd1', '/'). The names must match what your VMs report in the vm.azm.ms/mountId tag; to see them, run the query with distinct Disk in place of the filter.

The same query with a small change, the Disk filter, also applies to Windows VMs, here returning the available space of the C: drive.

InsightsMetrics
| where Origin == "vm.azm.ms"
    and Namespace == "LogicalDisk"
    and Name == "FreeSpaceMB"
| extend TagMap = todynamic(Tags)
| extend Disk = tostring(TagMap["vm.azm.ms/mountId"]),
         Disk_Size_GB = todouble(TagMap["vm.azm.ms/diskSizeMB"]) / 1024
| where Disk in ('C:')                       // Windows mountId is the drive letter
| summarize Disk_Free_Space_GB = avg(Val) / 1024
    by Computer, Disk, Disk_Size_GB, _ResourceId
| project Computer, Disk, Disk_Size_GB, Disk_Free_Space_GB

Finally, you can pin the result to an Azure dashboard by clicking Pin and selecting the dashboard.

Docker Desktop as a background task on Windows Server

Docker Desktop is not easy to run as a background task on a Windows server. A common issue is that, although the service is running, Docker stops working as soon as the user logs out of the machine, and the Docker client fails with the following error:

Error during connect: In the default daemon configuration on Windows, the docker client must be run with elevated privileges to connect.: Post
open //./pipe/docker_engine: The system cannot find the file specified
Process exited with code 1

To work around this behaviour you can keep the user session alive on the server by locking the screen instead of signing out.

If the machine restarts, however, the session is gone and Docker stops working in the background. To get around this you can use the Sysinternals Autologon utility to log the user on automatically:

https://learn.microsoft.com/en-us/sysinternals/downloads/autologon

When you unzip the download, run the executable and enter the user's password.

Automatic logon is then configured with the password you provided, which Autologon stores in the registry as an LSA secret rather than in clear text. Treat that as protection against casual reading only: any local administrator, or anyone who obtains the SYSTEM and SECURITY registry hives, can decrypt LSA secrets, and the server now boots straight into an unlocked interactive desktop for that account. Use a dedicated account with only the rights Docker Desktop needs (membership in the docker-users group), not a shared administrator, and lock the console as soon as the session is up.

After the reboot, the Docker Desktop service runs without any manual action.
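Before relying on this, it is worth confirming how the logon is actually configured. The following is an added example, not part of the original post or of the Sysinternals tool; it reads the Winlogon registry values that both Autologon and the manual registry method use and flags the two things a reviewer would object to: a clear-text DefaultPassword value, and auto logon for an account that is a local administrator. The check for group membership assumes the built-in Administrators group name.

```powershell
# Added example (not from the original post or the Sysinternals tool): audit the
# automatic-logon configuration that Autologon.exe or a manual registry edit leaves
# behind. Run in an elevated PowerShell session on the server.

function Get-AutoLogonState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled           = ($wl.AutoAdminLogon -eq '1')
        User              = $wl.DefaultUserName
        Domain            = $wl.DefaultDomainName
        # Autologon.exe keeps the password in the LSA secret "DefaultPassword".
        # A DefaultPassword *registry value* means it was set by hand, in clear text.
        ClearTextPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
        # Optional countdown; when present, auto logon stops after this many logons.
        AutoLogonCount    = $wl.AutoLogonCount
    }
}

function Test-AutoLogonHygiene {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if (-not $State.Enabled) { return $findings }      # nothing to review

    if ($State.ClearTextPassword) {
        $findings += 'DefaultPassword is stored in clear text in the Winlogon key; remove it and let Autologon.exe store an LSA secret instead'
    }

    # Auto logon of an administrator hands an unlocked admin desktop to anyone at the console
    $account = "$($State.Domain)\$($State.User)"
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        if ($admins | Where-Object { $_.Name -eq $account }) {
            $findings += "$account is a member of local Administrators; use a dedicated account in docker-users instead"
        }
    } catch {
        $findings += "could not enumerate local Administrators: $($_.Exception.Message)"
    }
    $findings
}

$state = Get-AutoLogonState
$state
Test-AutoLogonHygiene -State $state
```

An empty result from Test-AutoLogonHygiene means the logon is configured the way the post describes: enabled, password held as an LSA secret, and not for an administrator.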

Start a Windows service with PowerShell

Sometimes the Windows Services manager (services.msc) is not enough for interacting with services. In the GUI you can make a service start at boot by changing its startup type from Manual to Automatic, but there are cases where you want to do this from PowerShell, for example to detect a failed service start and recover from it in code.

Using PowerShell you can check whether a service is running with Get-Service. The example below checks the Docker Desktop service (com.docker.service) and prints a message if it is not running.

if ((Get-Service -Name "com.docker.service").Status -ne 'Running') { Write-Output "com.docker.service is not running" }

We can now start the service from PowerShell. The line below starts the Docker Desktop service only if it is not already running.

if ((Get-Service -Name "com.docker.service").Status -ne 'Running') { Start-Service -Name "com.docker.service" }

After running the line above, the service is started. Start-Service needs an elevated (administrator) session; from a normal user session it fails with an access denied error.

Using PowerShell you can also create a scheduled task with Task Scheduler that runs this check at computer startup.
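Putting the two snippets together, the script below is an added example (not code from the original post) that sets the startup type to Automatic, starts the service with a retry and a timeout, and, when run once with -RegisterTask from an elevated session, registers itself as a scheduled task that runs as SYSTEM at startup. The task name, retry count and timeout are assumptions chosen for the example.

```powershell
# Ensure-DockerService.ps1 -- added example, not code from the original post.
# Checks that the Docker Desktop service is set to start automatically and is
# running, starting it with retries if not. Run once with -RegisterTask from an
# elevated session to install a scheduled task that repeats the check at boot.
# Task name, retry count and timeout are assumptions chosen for this example.
[CmdletBinding()]
param(
    [string]$ServiceName   = 'com.docker.service',   # Docker Desktop Service
    [int]$Retries          = 3,
    [int]$TimeoutSeconds   = 30,
    [switch]$RegisterTask
)

function Ensure-ServiceRunning {
    param([string]$Name, [int]$Retries, [int]$TimeoutSeconds)
    $svc = Get-Service -Name $Name -ErrorAction Stop      # terminates if the service does not exist

    # Equivalent of switching Manual -> Automatic in services.msc
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name $Name -StartupType Automatic
    }

    for ($attempt = 1; $attempt -le $Retries; $attempt++) {
        $svc.Refresh()
        if ($svc.Status -eq 'Running') { return $true }
        # Progress goes to the host stream so the function's only output is the boolean
        Write-Host "[$(Get-Date -Format s)] $Name is $($svc.Status), start attempt $attempt of $Retries"
        try {
            Start-Service -Name $Name -ErrorAction Stop
            # Block until the SCM reports Running or the timeout expires (throws on timeout)
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
        } catch {
            Write-Warning "Attempt $attempt failed: $($_.Exception.Message)"
            Start-Sleep -Seconds 5
        }
    }
    $svc.Refresh()
    return ($svc.Status -eq 'Running')
}

function Register-StartupCheck {
    param([string]$ScriptPath, [string]$ServiceName)
    # Run this script as SYSTEM at boot; -StartWhenAvailable catches a missed boot trigger.
    # No -ExecutionPolicy Bypass: sign the script or rely on the host policy instead.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -File `"$ScriptPath`" -ServiceName $ServiceName"
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
    Register-ScheduledTask -TaskName 'Ensure Docker Service' -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

if ($RegisterTask) {
    Register-StartupCheck -ScriptPath $PSCommandPath -ServiceName $ServiceName
}

if (Ensure-ServiceRunning -Name $ServiceName -Retries $Retries -TimeoutSeconds $TimeoutSeconds) {
    Write-Output "$ServiceName is running"
} else {
    Write-Error "$ServiceName could not be started after $Retries attempts"
    exit 1    # non-zero exit shows up in the task's Last Run Result
}
```

Keep in mind that a running com.docker.service does not by itself make the Docker engine usable after a logout; as described above, Docker Desktop still needs an interactive session, so this task complements the auto logon rather than replacing it.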