
In this blog post, I am going to show you how to use Azure Log Analytics to see if a Process is or has been running on a VM. For this, we are going to use Performance Counters. This can come in handy to see if an application has been running on a server and potentially help combat data loss.

Prerequisites

The servers you want to monitor must be connected to the Azure Log Analytics Workspace you are querying against.

You will also need to add 1 Performance counter to your Azure Log Analytics Workspace Data source.

Process(*)\% Processor Time 

You can follow this video on how to do that.

The Queries

So, let’s say you want to find all of your servers running Dropbox and how many instances you may have running on each server. (The server could handle RDS, so multiple logins.) The query below uses Performance counters, specifically % Processor Time with the Process object. It then only looks for an InstanceName that contains Dropbox. You could change the instance name to anything you want to check.

Perf
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where InstanceName contains "dropbox"
| summarize Running_Instances = dcount(InstanceName) by Computer

By default, this will get you what’s been running in the last 24 hours. Now say you would like to check a certain date range instead. The next query will help with that. Just change the StartDate and EndDate to the period you would like to check.

let StartDate = datetime("2019-06-30 22:46:42");
let EndDate = datetime("2019-07-01 00:57:27");
Perf
| where TimeGenerated between(StartDate .. EndDate)
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where InstanceName contains "DropBox"
| summarize Running_Instances = dcount(InstanceName) by Computer

So now you know DropBox is not only installed on a server but is actively running. You can now uninstall the software from your server to help stop any potential data loss.

You could also change the contains to notcontains. This will then show you all servers not running a process. This could help you find servers not running some software you know needs to be installed like vulnerability scanning.
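A `notcontains` filter is applied row by row, so a computer stays in the result as long as it reports any other process. The query below is an added example, not from the original post: it counts matching instances per computer and keeps only the computers with none. `ProcessName` and `Window` are sample values chosen for illustration.

```kql
// Added example (not from the original post).
// Assumption: ProcessName and Window are sample values; change them as needed.
let ProcessName = "dropbox";
let Window = 24h;
Perf
| where TimeGenerated > ago(Window)
| where ObjectName == "Process" and CounterName == "% Processor Time"
// Count matching instances per computer instead of filtering rows first,
// so computers with zero matches are still present in the result.
| summarize
    Matching_Instances = dcountif(InstanceName, InstanceName contains ProcessName),
    Total_Instances = dcount(InstanceName),
    Last_Sample = max(TimeGenerated)
    by Computer
| where Matching_Instances == 0
| project Computer, Total_Instances, Last_Sample
| order by Computer asc
```

Only computers that sent Process counter samples inside the window appear here, so a server that was powered off or stopped reporting will not be listed.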

I hope you found this article helpful. If you have any questions or comments, please reach out in the comments below or via social media.

Thanks for reading.


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
