Instant Monitoring of Windows Services

Has there been a seriously critical Windows Service, or more than one, which you need to monitor in real-time? – i.e. as soon as the Windows Service stops, you need to be notified by an SMS text message to your phone, within 5 seconds? While this is slightly manual, once set up it works perfectly well and is reliable.

This is similar to my other blog post which discusses Instant Monitoring of Windows Performance.

This blog post walks you through everything. I am using both Azure Functions and the Telstra SMS API in Australia to send instant SMS notifications should a Windows Service stop. While this Telstra service is hosted in Australia, it’s highly available and can be used to send messages overseas.

  • Q: Can I send SMS and MMS to all countries?
  • A: You can send SMS and MMS to all countries EXCEPT to countries which are subject to global sanctions namely: Burma, Côte d’Ivoire, Cuba, Iran, North Korea, Syria.

And yes, there’s a free SMS plan! (Maximum 1000 free SMS messages) to get you started.

This blog will walk you through the process of creating an Azure Function, along with a scheduled task that uses the Windows event log as the trigger. Why the event log? Pretty much everything is logged to the event log instantly as things happen – e.g. Windows Services stopping…

  1. You specify a Windows Service.
  2. As soon as this Windows Service stops, it triggers a scheduled task whose event log query filters on Event ID 7036 with the word ‘stopped’.
  3. The scheduled task kicks off a PowerShell script. This PowerShell script has a whole bunch of parameter values pre-specified.
  4. The PowerShell script fires off an Azure Function by using a ‘Route Path’ based URL.
  5. The Azure Function takes these parameter values at the time it’s fired off, then uses them to:
    1. send an SMS
    2. log an entry in a Log Analytics workspace custom log.

The below walks you through setting it up. While this blog focuses on Windows Services, you can easily follow this methodology with literally anything and call the Azure Functions URL to send the SMS based on any trigger you like.

Backend Setup (Manual)

Done once only…

Setup an account with Telstra DEV

  1. Set up an account with https://dev.telstra.com
  2. Set up an SMS API app in the ‘develop’ section
  3. Once the app is set up, you’ll get a Client key and Client secret. Don’t lose these; they are like the username and password you need each time an SMS is sent

Setup a Log Analytics workspace

Follow this guide to set up a Log Analytics workspace, or you can use an existing Log Analytics workspace. While you are notified by SMS instantly when a Windows Service stops, these messages are also logged in Log Analytics to keep track of the history/trends – where you can create a dashboard etc.

Doing a Log Search in Log Analytics, here’s an example of the query you would use to query back on past data:

ServiceStopped_CL
| project Message, TimeGenerated
| sort by TimeGenerated desc

Create an Azure Function

The Azure Function is the engine you need to fire off the SMS and log to your Log Analytics workspace.

  1. Create a new PowerShell based Azure Function. For this guide, I called mine ‘EventDrivenFunction’.
  2. Under the Integrate menu of your Azure Function, select the Advanced Editor and paste in the following:
    {
      "bindings": [
        {
          "name": "req",
          "type": "httpTrigger",
          "direction": "in",
          "authLevel": "anonymous",
          "route": "EventDrivenFunction/{LogAnalyticsCustomerID}/{LogAnalyticsPrimaryKey}/{LogType}/{Telstra_app_key}/{Telstra_app_secret}/{tel_numbers}/{Message}"
        },
        {
          "name": "res",
          "type": "http",
          "direction": "out"
        }
      ],
      "disabled": false
    }
  3. Then click on the actual function itself and paste in the following: (and hit Save)
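As an added example (my code, not the blog’s own function script, which is not reproduced on this page), here is a PowerShell function body that does the two jobs the route parameters carry: send the SMS through the Telstra Messaging API and write a record to the custom log through the Log Analytics HTTP Data Collector API. It assumes the PowerShell Functions runtime (v2 or later) with HTTP bindings named Request/Response, the Telstra v2 endpoints at tapi.telstra.com with a number already provisioned on the app, and that LogAnalyticsPrimaryKey is the base64 workspace key.

```powershell
# Added example, not the blog's own function code. Assumes the PowerShell Functions
# runtime (v2 or later) with HTTP bindings named Request/Response, the Telstra
# Messaging API v2 at tapi.telstra.com (number already provisioned), and the Log
# Analytics HTTP Data Collector API with the workspace primary key (base64).
using namespace System.Net
param($Request, $TriggerMetadata)

function Send-TelstraSms {
    param([string]$AppKey, [string]$AppSecret, [string[]]$To, [string]$Message)
    $tokenBody = @{ client_id = $AppKey; client_secret = $AppSecret
                    grant_type = 'client_credentials'; scope = 'NSMS' }
    $token = (Invoke-RestMethod -Method Post -Uri 'https://tapi.telstra.com/v2/oauth/token' -Body $tokenBody).access_token
    $payload = @{ to = $To; body = $Message } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri 'https://tapi.telstra.com/v2/messages/sms' `
        -Headers @{ Authorization = "Bearer $token" } -ContentType 'application/json' -Body $payload
}

# Data Collector API: the request is authenticated with an HMAC-SHA256 over
# "POST\n<length>\napplication/json\nx-ms-date:<rfc1123 date>\n/api/logs", keyed with the workspace key.
function Write-LogAnalyticsRecord {
    param([string]$CustomerId, [string]$SharedKey, [string]$LogType, [hashtable]$Record)
    $body   = [Text.Encoding]::UTF8.GetBytes(($Record | ConvertTo-Json -Compress))
    $date   = [DateTime]::UtcNow.ToString('r')
    $toSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{
        Authorization          = "SharedKey ${CustomerId}:$sig"
        'Log-Type'             = $LogType            # shows up as <LogType>_CL, e.g. ServiceStopped_CL
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'
    }
    Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' -Body $body `
        -Uri "https://$CustomerId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
}

# Route values arrive URL-decoded; the client may send several numbers separated by commas.
$p = $Request.Params
Send-TelstraSms -AppKey $p.Telstra_app_key -AppSecret $p.Telstra_app_secret `
    -To ($p.tel_numbers -split ',') -Message $p.Message
Write-LogAnalyticsRecord -CustomerId $p.LogAnalyticsCustomerID -SharedKey $p.LogAnalyticsPrimaryKey `
    -LogType $p.LogType -Record @{ Message = $p.Message; TimeGenerated = [DateTime]::UtcNow.ToString('o') }

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = "SMS sent and logged: $($p.Message)"
})
```

Because the binding above is anonymous and the route carries the workspace key and the Telstra secret, anyone who learns the URL can send SMS and write to the workspace on your account, and those values end up in web-server and proxy logs; keeping the secrets in Function app settings and protecting the route with a function key is a cheap hardening step.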

Setup the Scheduled Task | Query

This is an interim step to build out the query for the exact event log entry you are looking for.

In this step you build a query in order to set up a Scheduled task with a Windows event as the trigger. The idea is that you need to find the event you want to monitor (a service stopping). Stopped Windows services are logged under Event ID 7036 at the Information level.

Pick one of the events and Copy Details as Text.

Paste into Notepad and have a look at the EventData. Below shows the EventData of the Windows Service Running; however, you would most likely want to monitor for a ‘Stopped’ service.

Take note of the EventData details and build a query using this information – as per this example:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (Level=4 or Level=0) and (EventID=7036)]] and *[EventData[Data[@Name='param1'] and (Data='SHOUTcast')]] and *[EventData[Data[@Name='param2'] and (Data='stopped')]]</Select>
  </Query>
</QueryList>

This query is what your Scheduled task will use, so you need to make sure it works… If you need help to write your query, check out this other blog.

To test your query, create a custom view:

Paste the query into the XML tab and hit OK. Make sure you can see events in the ‘Custom Views’ which match your query.

Once you’re happy that the query is what you are looking for, take the code below and edit line 34, where it has $EventLog_Query, to use your own query. Copy and paste the query across into PowerShell, removing the carriage returns so that it’s all on one single line.

Client Setup (Automatic)

Once the backend is all set up (the Azure Function, Log Analytics Workspace & Telstra DEV account), this client setup part is fully automatic and can be rolled out to many machines all at once. To run this remotely, you could use Remote PowerShell or set it up using Group Policy.

Run PowerShell ISE as administrator if running this on the actual machine. Don’t forget to change all the variables at the top section of the below script to suit your environment.

  1. $LogAnalyticsCustomerID – Obtain workspace ID and key
  2. $LogAnalyticsPrimaryKey – Obtain workspace ID and key
  3. $Telstra_app_key – From https://dev.telstra.com/
  4. $Telstra_app_secret – From https://dev.telstra.com/
  5. $tel_numbers – One or many mobile numbers to send the SMS to
  6. $FunctionUri – Your own Azure Functions URI

Run this whole script as Administrator; it will set up the scheduled task and the PowerShell script that the scheduled task calls, which in turn calls the Azure Function.
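As an added example (my code, not the blog’s own client script), here is the client-side setup in one piece: it writes the small PowerShell script that calls the Function route URL, then registers a scheduled task whose trigger is the Event ID 7036 subscription built above. It assumes the variable names from the list above, that $FunctionUri is the Function app’s base URL ending in /api, that the runtime URL-decodes the route values, and it uses placeholder values for every key, number and service name.

```powershell
# Added example, not the blog's own script. Placeholders below must be replaced;
# $ServiceName must match the display name shown in param1 of the 7036 event.
$LogAnalyticsCustomerID = '<workspace id>'
$LogAnalyticsPrimaryKey = '<workspace primary key>'
$Telstra_app_key        = '<telstra client key>'
$Telstra_app_secret     = '<telstra client secret>'
$tel_numbers            = '+61400000000,+61400000001'   # constructed placeholders, comma-separated
$FunctionUri            = 'https://<your-app>.azurewebsites.net/api'
$ServiceName            = 'SHOUTcast'
$ScriptPath             = 'C:\Scripts\Notify-ServiceStopped.ps1'

# Same subscription XML the blog builds in Event Viewer, on one line, with the service name injected.
$EventLog_Query = "<QueryList><Query Id='0' Path='System'><Select Path='System'>" +
    "*[System[Provider[@Name='Service Control Manager'] and (Level=4 or Level=0) and (EventID=7036)]]" +
    " and *[EventData[Data[@Name='param1'] and (Data='$ServiceName')]]" +
    " and *[EventData[Data[@Name='param2'] and (Data='stopped')]]</Select></Query></QueryList>"

# Build the route URL. Each segment is URL-encoded so base64 keys containing '/', '+' or '=' survive.
$message  = "$env:COMPUTERNAME - $ServiceName stopped"
$segments = @($LogAnalyticsCustomerID, $LogAnalyticsPrimaryKey, 'ServiceStopped',
              $Telstra_app_key, $Telstra_app_secret, $tel_numbers, $message) |
            ForEach-Object { [Uri]::EscapeDataString($_) }
$uri = "$FunctionUri/EventDrivenFunction/" + ($segments -join '/')

# The script the task runs. It embeds the secrets, so the file should only be readable by administrators.
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Encoding ASCII -Value "Invoke-RestMethod -Method Get -Uri '$uri'"

# New-ScheduledTaskTrigger has no event-log trigger, so create one through the Task Scheduler CIM class.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $EventLog_Query
$trigger.Enabled      = $true

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Notify-$ServiceName-Stopped" -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
```

Stopping the named service (for example with Stop-Service) is the natural end-to-end test: a 7036 ‘stopped’ event appears in the System log, the task fires, and the SMS plus a ServiceStopped_CL record should follow within seconds.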
