
I want to fire an alert every time the VM is started. Windows updates can automatically install and restart the machine. I would like to be alerted for this and for any other time the server is restarted.

I thought this would be a common thing; am I missing something obvious?

FYI: The Activity Log will tell you when someone starts the VM via Azure, but not when the system itself restarts, for example after automatic Windows updates.

Thanks.

Steven T. Cramer
  • Based on my understanding, you can make use of the system logs and capture the event IDs that are generated when a self reboot or an automatic-update reboot occurs. You can leverage the Azure Log Analytics agent to transfer those logs to a Log Analytics workspace; from there, using some custom queries, you can configure the alerts for the self restart or automatic updates. – VenkateshDodda Dec 16 '21 at 11:24
  • Can you define what "some custom queries" would be? I am trying, but don't see what the query should be. – Steven T. Cramer Dec 16 '21 at 12:13
  • You can refer to [this](https://www.brentmcconnell.com/2020/01/14/syslog-loganalytics) blog, wherein they have transferred those system logs to a Log Analytics workspace, created some custom queries of their own instead of running the inbuilt queries, and based on those results configured the alerts accordingly. – VenkateshDodda Dec 16 '21 at 12:24
  • Another person trying to do the same as me: https://techcommunity.microsoft.com/t5/analytics-on-azure/how-to-set-up-an-alert-when-a-server-is-restarted-in-azure/m-p/1776114 I tried the query (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d) which gives the error described at https://stackoverflow.com/questions/70034370/failed-to-resolve-table-or-column-expression-named-securityevent. It says I need to use Security Center, which has now been renamed to MS Defender for Cloud, at $15/month just to know when a VM started? Is that correct? – Steven T. Cramer Dec 16 '21 at 13:38
  • As per this [Azure Documentation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events), you can use the Azure Log Analytics agent to collect the Windows event logs. You can't configure collection of security events using the Log Analytics workspace. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. – VenkateshDodda Dec 17 '21 at 04:32

1 Answer


Assuming you have configured the Log Analytics workspace to collect the System(*)\System Up Time performance counter, you can use:

// System Up Time is reported in seconds; a value under 600 means the
// machine booted within the last 10 minutes
Perf
| where CounterName == "System Up Time"
| where CounterValue < 600
| distinct Computer

which will be triggered if the Windows machine has recently been started up (so uptime less than 10 minutes).

Paolo
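As an added example, not from the answer or the thread, here is the event-log approach VenkateshDodda describes in the comments, written as a KQL alert query. It assumes the Log Analytics agent is configured to collect the Windows System event log (which lands in the Event table) and that the alert rule is scheduled with a frequency equal to the lookback window:

```kql
// Added example (not the answer's query). Assumes the Windows "System"
// event log is a configured data source, so its entries are in Event.
// Well-known System-log event IDs:
//   6005 = Event Log service started       (the machine has just booted)
//   1074 = User32: process/user requested a shutdown or restart; its
//          description names the initiating process, user and reason,
//          which is how a Windows Update reboot is told apart from a manual one
//   6008 = previous shutdown was unexpected (logged at the next boot)
//   41   = Kernel-Power: rebooted without a clean shutdown (crash/power loss)
let lookback = 15m;
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "System" and EventID in (6005, 1074, 6008, 41)
| extend Kind = case(EventID == 6005, "boot",
                     EventID == 1074, "planned",
                     EventID == 6008, "unexpected",
                     "kernel-power")
// one row per computer that booted in the window, with the reason if a
// planned restart (1074) preceded it and a flag for dirty shutdowns
| summarize
    BootedAt   = minif(TimeGenerated, Kind == "boot"),
    Planned    = countif(Kind == "planned"),
    Unexpected = countif(Kind in ("unexpected", "kernel-power")),
    Reason     = anyif(RenderedDescription, Kind == "planned")
    by Computer
| where isnotnull(BootedAt)
| project Computer, BootedAt, Planned, Unexpected, Reason
```

Because 1074 is written before the shutdown and 6005 after the boot, a slow restart can push the 1074 row outside the window; widen `lookback` if the Reason column comes back empty for reboots you know were planned.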