Use Azure Monitor to monitor the running status of services

In most operations and maintenance work, we care not only about the utilization of system resources but also about the health of applications and services, so that the system can keep providing service. So how do we use Azure Monitor to monitor service health? One of the best ways to monitor Windows and Linux services is the Change Tracking solution in Azure Automation.
The Change Tracking solution tracks changes on Windows and Linux systems. On Windows it supports tracking changes to files, the registry, services, and installed software; on Linux it supports tracking changes to files, software, and daemons.
By default, the Change Tracking solution collects service changes once every 30 minutes, and it can be configured to collect as often as every 10 seconds. One thing to note: this approach tracks changes, not the current status. That is, if there is no change, no data is sent to Log Analytics.
In the rest of this article, we focus on monitoring Windows services, but the same concept works for Linux daemons.

Enable change tracking
When using the GUI, there are two ways to enable Change Tracking:

  • Enable from the Log Analytics workspace
    In Log Analytics, click "+ Add" under "Workspace summary", then click "Change Tracking".
    Clicking "Change Tracking" opens the description tab; then click Create and follow the prompts to enter the Automation account information.

  • Enable from the Automation account
    In the Automation account, click "Change Tracking", select the corresponding Log Analytics workspace, then click Enable.

P.S.: Personally, I feel it is more convenient to enable Change Tracking from the Automation account.

Query data collected

We can list the latest collected data with the following query. Note, however, that as mentioned earlier, only changes are collected; for services whose state has not changed, nothing is collected. And if a virtual machine suddenly crashes, the change-collection approach may not be suitable. But there is no need to worry: we can use other queries to monitor the availability of the VM.

let utcoffset = 8h;
ConfigurationData
| where ConfigDataType == "WindowsServices"
| where SvcName  == "W3SVC"
| extend localTimestamp = TimeGenerated + utcoffset
| project localTimestamp, Computer, SvcDisplayName, SvcState
| order by localTimestamp desc
| summarize arg_max(localTimestamp, *) by SvcDisplayName

Configure alerts on service changes:
In a typical operations and maintenance scenario, we want the responsible operations staff to be notified, by e-mail or similar, as soon as a service problem is detected so they can handle it. So here we can configure an alert rule based on service changes. In this example, we use the following query to alert when the IIS (W3SVC) service is stopped:

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcName  == "W3SVC" and SvcState == "Stopped"


After setting up the alert, we can manually stop the IIS service in a test environment; after the service stops, our mailbox receives an alert e-mail.
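Because Change Tracking records only transitions, the alert query above also matches a service that was stopped and started again, and it says nothing about whether the VM itself is still reporting. The query below is an added example, not part of the original article: it keeps only services whose most recent recorded change left them Stopped and joins the standard Heartbeat table to show whether the VM is still sending data. The 1d lookback and 10m heartbeat threshold are assumed values; adjust them to your collection frequency.

```kusto
// Added example (not from the original article).
// Assumed values: tune both to your environment.
let lookback = 1d;        // how far back to search for service changes
let heartbeatGap = 10m;   // a VM silent for longer than this is treated as not reporting

// Change Tracking logs transitions only, so the newest row per
// computer and service is the last known state of that service.
let lastServiceChange =
    ConfigurationChange
    | where TimeGenerated > ago(lookback)
    | where ConfigChangeType == "WindowsServices" and SvcName == "W3SVC"
    | summarize arg_max(TimeGenerated, SvcState) by Computer, SvcName;

// Last heartbeat per computer, used to tell "service stopped on a live VM"
// apart from "VM no longer sending any data".
let lastHeartbeat =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;

lastServiceChange
| where SvcState == "Stopped"   // no later change back to Running was recorded
| join kind=leftouter lastHeartbeat on Computer
| extend VmReporting = isnotnull(LastHeartbeat) and LastHeartbeat > ago(heartbeatGap)
| project Computer, SvcName, SvcState, StoppedSince = TimeGenerated, LastHeartbeat, VmReporting
```

A stop that happened before the lookback window, with no change since, does not appear in the result, so keep the lookback at least as long as the period you need to cover.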


Origin blog.51cto.com/wuyvzhang/2472388