0

I need OMS to trigger an alert when a service is stopped, for example the IIS service. Can someone advise the best way to do this?

Thanks

Nancy
itye1970

2 Answers

1

I worked it out myself.

To get this list you need to go to Advanced Analytics in your OMS workspace, then run the query below:

search EventLog == "System"
| where ( EventLevelName == "Information" )
| where ( Computer == "server1" )

This then shows a list of other fields. I found the ParameterXml field contained what I needed, i.e. the keywords "World Wide Web Publishing Service" and "stopped". I then added this to the above query to filter out where the service called IIS (World Wide Web Publishing) stopped:

search EventLog == "System"
| where ( EventLevelName == "Information" )
| where ( Computer == "server1" )
| where ParameterXml == "<Param>World Wide Web Publishing Service</Param><Param>stopped</Param><Param>-</Param>"

All you need to do then is create an alert and set your conditions.

itye1970
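A variation on the query in the answer above, added here as an example and not part of the original post: it parses ParameterXml instead of matching the whole string, covers every computer, and returns a row only when the service's most recent recorded state is "stopped". It assumes the records are in the standard Event table, that the state changes are logged by Service Control Manager as event ID 7036, and that the state text is in English; the 15-minute window is an arbitrary choice.

```kusto
// Added example. Assumptions: standard Event table, Service Control Manager
// event ID 7036 ("The <service> service entered the <state> state"),
// English state text, and Information-level System events being collected.
Event
| where TimeGenerated > ago(15m)            // assumed look-back window
| where EventLog == "System"
| where Source == "Service Control Manager" and EventID == 7036
// ParameterXml looks like:
// <Param>World Wide Web Publishing Service</Param><Param>stopped</Param><Param>-</Param>
| parse ParameterXml with "<Param>" ServiceName "</Param><Param>" ServiceState "</Param>" *
| where ServiceName == "World Wide Web Publishing Service"
// Keep only the latest state per computer, so a stop followed by a
// start inside the window does not raise an alert.
| summarize arg_max(TimeGenerated, ServiceState) by Computer, ServiceName
| where ServiceState == "stopped"
```

With an alert rule set to fire when the number of results is greater than 0, each returned row is a computer where the service is currently recorded as stopped.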
0

I used the "Change Tracking" solution for this:

ConfigurationChange | where ConfigChangeType == "WindowsServices" and SvcName == "W3SVC" and SvcState != "Running"

Then to alert once back up:

ConfigurationChange | where ConfigChangeType == "WindowsServices" and SvcName == "W3SVC" and SvcState == "Running"