OMS Heartbeat query for when a server is down - azure

How can i set an alert in OMS when a server is powered off or is not available? I have searched on google but the alerts either dont work or too many get sent . I need the alert to be generated as soon as the server goes offline

i found out myself
Heartbeat | summarize LastHeartbeat = max(TimeGenerated) by Computer | where Computer == "server1" | where LastHeartbeat < ago(5m)

Related

How to monitor and alert is log ingestion stops to a specifik Azure log analytics workspace

I have recently encountered issues where ingestion to certain log tables in an Azure log analytics table have stopped. This was caused by an Azure service disruption.
I use these log sources for Azure sentinel and now we want to set up an alert in case it happens again.
The problem we are facing and need help with is that you don't seem to be able to get a search result when you are querying for something that is zero/null.
I have tried this query without results:
workspace("xxxxxxxxxxxxxx").SigninLogs
| union withsource = source AuditLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AADProvisioningLogs, SecurityAlert, AzureActivity, AzureDiagnostics, DnsEvents, DnsInventory, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, OfficeActivity
| where TimeGenerated > now (-24h)
| project TimeGenerated, source
| summarize numbers_per_source=count() by source
| where numbers_per_source <= 1
Can someone please point me in the right direction with log query tips, thanks

Custom .NET Activity: The request was aborted: Could not create SSL/TLS secure channel

Under the Batch Service option, we are running a custom dot net activity, and that .net tool downloads data from some APIs. It was working fine without any issues until yesterday. Now we are facing the below error while downloading data from the APIs. I don't know why we are facing such an issue suddenly.
Error: The request was aborted: Could not create SSL/TLS secure
channel. StackTrace: at System.Net.WebClient.OpenRead(Uri address)
at Import.DownloadSite(String url, String type)
The same .Net tool works fine in our local desktop machines(Windows 10 OS). Getting the error only in the batch account machine. So I think the problem is in the batch account machine.
Using the below C# code for downloading data from the APIs:
WebClient wc = new WebClient();
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
return wc.DownloadString(string.Format(ApiUrl, type));
I tried most of the solutions suggested in the below link, and nothing works for me.
The request was aborted: Could not create SSL/TLS secure channel
More information:
.NET Framework: v4.5
Batch machine: Windows Server 2012 R2 (x64)
You need to Add HTTP Header "Expect" with value "100-continue". In your case, please add these lines of code before creating the request :
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12
| SecurityProtocolType.Ssl3;

Device info using KQL

How can we get a device info using KQL, Is there any inbuilt function in Azure ?
I have checked but am not able to find out. Can anyone help me out of this ?
Thanks in advance,
If you are looking at the application insights logs from the invocation logs then you can use Cloud_RoleName for the name of the function app (the app service itself) and operation_name for the function name. In the following example I have a function called MyFunction that is run from the app service MyFunctionApp.
requests
| project timestamp, id, operation_Name, success, resultCode, duration, operation_Id, cloud_RoleName, invocationId=customDimensions['InvocationId']
| where timestamp > ago(30d)
| where cloud_RoleName =~ 'MyFunctionApp' and operation_Name =~ 'MyFunction'
| order by timestamp desc
| take 20

Reserved EventIds in ApplicationInsights

I am creating some LogError calls in my ASP.NET Core webapp on the line of
_logger.LogError(new EventId(5000,"CustomName"),"description");``
I can find this event in Application Insights by querying like this
traces | where timestamp > ago(10m) |where customDimensions.EventId == 5000
Is there any list of event ids that is reserved? I only want to get my own events. I know that a third party library that i bind to my project theoretically can write some events with the above event id, but I am thinking more if Microsoft has a list of reserved event ids. If I do this search in my log
traces | where timestamp > ago(10m) |where customDimensions.EventId > 1
I get some hits, on Azure Function startup, so I know that Microsoft are using this also.
I have searched the docs, but haven't found any list.
No, there're no reserved EventIDs in app insights. You always need to provide it by yourself.

How to trigger a failure in an azure function http trigger, WITH a custom error response

I cannot find a way to fail a http call to a nodejs azure function, and include a custom error response.
Calling context.done() allows for a custom response (but not indicated as a failure in Application Insights)
Calling context.done(true, XXX) does create a failure, but returns a generic error to the user (no matter what I put in XXX):
{"id":"b6ca6fb0-686a-4a9c-8c66-356b6db51848","requestId":"7599d94b-d3f2-48fe-80cd-e067bb1c8557","statusCode":500,"errorCode":0,"message":"An error has occurred. For more information, please check the logs for error ID b6ca6fb0-686a-4a9c-8c66-356b6db51848"}
This is just the latest headache I have ran into in trying to get a fast web api running on Azure funcs. If you cant track errors, than it should hardly be called "Application Insights". Any ideas?
Success will be true, but resultCode will be set to your value.
Try an AppInsights query like this:
// Get all errors
requests
| where toint(resultCode) >= 400
| limit 10
[Update]
The Id value in Requests is the 'function instance id', which uniquely identifies that invocation.
There is also a 'traces' table that contains the logging messages from your azure function. You can join between requests and traces via the operation_Id.
requests
| where toint(resultCode) >= 400
| take 10
| join (traces) on operation_Id
| project id, message, operation_Id
The response body is not automatically logged to AppInsights. You'll need to add some explicit log statements to capture that.
Why not use context.res to return a customer response for an HTTP trigger function?

Resources