Mark Roberts
asked on
Logs missing from Azure Log Analytics
We are setting up Log Analytics in Azure and are trying to monitor specified services for when they go into a stopped state. My issue is that I'm not seeing all of the EventID records for event 7036 in Log Analytics. If I use the following query:
Event
| where (EventID ==7036)
| where Computer == "xxxx.yyy.com"
I see entries for some services but not all. For example, I see entries for "The WMI Performance Adapter service entered the running state." but none for "The Print Spooler service entered the stopped state.", even though the following entry is in the Event log on the actual VM.
Log Name: System
Source: Service Control Manager
Date: 12/7/2018 2:28:39 PM
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: xxxx.yyyy.com
Description:
The Print Spooler service entered the stopped state.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2018-12-07T20:28:39.267645100Z" />
<EventRecordID>122417</EventRecordID>
<Correlation />
<Execution ProcessID="664" ThreadID="7096" />
<Channel>System</Channel>
<Computer>xxxx.yyyy.com</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">Print Spooler</Data>
<Data Name="param2">stopped</Data>
<Binary>530070006F006F006C00650072002F0031000000</Binary>
</EventData>
</Event>
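A parser for the Service Control Manager 7036 record format quoted above, with the stopped-state check the question is trying to express in KQL. This is an added example (Python, not code from the original post or from Log Analytics); the second event record, the watch list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML, as in the record quoted in the question.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the Print Spooler record from the question, trimmed to the
# elements the check below reads.
STOPPED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" />
<EventID Qualifiers="16384">7036</EventID>
<EventRecordID>122417</EventRecordID>
<Computer>xxxx.yyyy.com</Computer>
</System>
<EventData>
<Data Name="param1">Print Spooler</Data>
<Data Name="param2">stopped</Data>
</EventData>
</Event>"""

# Constructed second record (assumed): the WMI Performance Adapter entering the running state.
RUNNING_EVENT = (STOPPED_EVENT.replace("Print Spooler", "WMI Performance Adapter")
                 .replace("stopped", "running").replace("122417", "122418"))


def parse_scm_event(xml_text):
    """Pull the fields a service-state alert needs out of one event record."""
    root = ET.fromstring(xml_text)
    sys_el = root.find("e:System", NS)
    # EventData carries the service name as param1 and the new state as param2.
    params = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "event_id": int(sys_el.findtext("e:EventID", namespaces=NS)),
        "record_id": int(sys_el.findtext("e:EventRecordID", namespaces=NS)),
        "computer": sys_el.findtext("e:Computer", namespaces=NS),
        "service": params.get("param1", ""),
        "state": params.get("param2", ""),
    }


def stopped_services(xml_records, computer, watch_list):
    """Return (record_id, service) for watched services that entered the stopped state."""
    hits = []
    for rec in map(parse_scm_event, xml_records):
        if rec["event_id"] != 7036 or rec["state"] != "stopped":
            continue
        # Hostname match is exact (case-insensitive); a mistyped FQDN silently drops every event.
        if rec["computer"].lower() != computer.lower():
            continue
        if rec["service"] in watch_list:
            hits.append((rec["record_id"], rec["service"]))
    return hits
```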