Freigeben über


IIS MP Event-Alerting Rules’s OpInsights Searches Equivalents

Just for the kicks, the other day I run an Excel export of the IIS8 MP with MPViewer, and then I applied a bunch of filters and removed several columns and copied out to notepad all the key info for the Alerting Rules that are based on Windows Events. And then I added field names and constructed equivalent search queries. The whole thing took me about 20 minutes or find&replace-Fu…

MPViewer's Excel Export of the IIS2012R2MP - Alerting Rules

Why did I do this, you might be asking? Well, you must have realized that, with Azure Operational Insights’s Log Management and Search capabilities, you would be able to collect the same event logs (mostly System and Application event logs is what is used by IIS) and using the Search query syntax, get those results – wait, if those were alerting rules, this means when one of those events was seen, it would generate al alert, right?

Well, you must have noticed that in a dashboard we feature a couple of style of tiles, in particular you can see a time-based distribution of occurrences of search results (those events) – so you can keep under control if and WHEN those errors happen, in a easy to reach way:

Time distribution of ASP Errors - Tile in 'My Dashboard' @OpInsights

or – if you don’t want those events to ever occur (after all, if they occur, you would alert, right?) you can keep them under control with the numeric tile and set a threshold – if more than ZERO (or more, if you want to tolerate a few – and you can add a time filter to the query to make it act on the most recent time period… this would be your ‘repeated event’ criteria, in ‘management packs’ terms…) then you can color the tile:

Total ASP Errors in the observed time range - Tile in 'My Dashboard' @OpInsights

 

 

In the future, we’d like to enable long running or scheduled searches that would produce ‘actions’ – i.e. produce an alert, notify via email, kick off a runbook…. and visualize your dashboard on your smartphone! Check out and vote those ideas, and let’s enable monitoring in a modern hybrid world!

 

And now, here’s the searches I produced by running this small experiment – Try them out, and have fun searching! (and you can try repeating the experiment yourself with other MP’s too Smile)

 

A script has not responded within the configured timeout period
EventID=2216 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

A server side include file has included itself or the maximum depth of server side includes has been exceeded
EventID=2221 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

ASP application error occurred
EventID=500 OR EventID=499 OR EventID=23 OR EventID=22 OR EventID=21 OR EventID=20 OR EventID=19 OR EventID=18 OR EventID=17 OR EventID=16 OR EventID=9 OR EventID=8 OR EventID=7 OR EventID=6 OR EventID=5 Source="Active Server Pages" EventLog=Application

HTTP control channel for the WWW Service did not open
EventID=1037 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

HTTP Server could not create a client connection object for user
EventID=2208 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

HTTP Server could not create the main connection socket
EventID=2206 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

HTTP Server could not initialize its security
EventID=2201 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

HTTP Server could not initialize the socket library
EventID=2203 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

HTTP Server was unable to initialize due to a shortage of available memory
EventID=2204 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

ISAPI application error detected
EventID=2274 OR EventID=2268 OR EventID=2220 OR EventID=2219 OR EventID=2214 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

Module has an invalid precondition
EventID=2296 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

Module registration error detected (failed to find RegisterModule entrypoint)
EventID=2295 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

Module registration error detected (module returned an error during registration)
EventID=2293 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

Only one type of logging can be enabled at a time
EventID=1133 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

SF_NOTIFY_READ_RAW_DATA filter notification is not supported in IIS 8
EventID=2261 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The configuration manager for WAS did not initialize
EventID=5036 Source="Microsoft-Windows-WAS" EventLog=System

The directory specified for caching compressed content is invalid
EventID=2264 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The Global Modules list is empty
EventID=2298 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The HTTP server encountered an error processing the server side include file
EventID=2218 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The server failed to close client connections to URLs during shutdown
EventID=2258 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The server was unable to acquire a license for a SSL connection
EventID=2227 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The server was unable to allocate a buffer to read a file
EventID=2233 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

The server was unable to read a file
EventID=2226 OR EventID=2230 OR EventID=2231 OR EventID=2232 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

WAS detected invalid configuration data
EventID=5174 OR EventID=5179 OR EventID=5180 Source="Microsoft-Windows-WAS" EventLog=System

WAS encountered a failure requesting IIS configuration store change notifications
EventID=5063 Source="Microsoft-Windows-WAS" EventLog=System

WAS encountered an error attempting to configure centralized logging
EventID=5066 Source="Microsoft-Windows-WAS" EventLog=System

WAS encountered an error attempting to look up the built in IIS_IUSRS group
EventID=5153 Source="Microsoft-Windows-WAS" EventLog=System

WAS encountered an error trying to read configuration
EventID=5172 OR EventID=5173 Source="Microsoft-Windows-WAS" EventLog=System

WAS is stopping because it encountered an error
EventID=5005 Source="Microsoft-Windows-WAS" EventLog=System

WAS received a change notification, but was unable to process it correctly
EventID=5053 Source="Microsoft-Windows-WAS" EventLog=System

WAS terminated unexpectedly and the system was not configured to restart it
EventID=5030 Source="Microsoft-Windows-WAS" EventLog=System

Worker process failed to initialize communication with the W3SVC service and therefore could not be started
EventID=2281 Source="Microsoft-Windows-IIS-W3SVC-WP" EventLog=Application

WWW Service did not initialize the HTTP driver and was unable to start
EventID=1173 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

WWW service failed to configure the centralized W3C logging properties
EventID=1135 OR EventID=1134 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

WWW Service failed to configure the HTTP.SYS control channel property
EventID=1020 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

WWW service failed to configure the logging properties for the HTTP control channel
EventID=1062 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

WWW Service failed to copy a change notification for processing
EventID=1126 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

WWW Service failed to enable end point sharing for the HTTP control channel
EventID=1175    Microsoft-Windows-IIS-W3SVC    System

WWW service failed to enable global bandwidth throttling
EventID=1071 OR EventID=1073 Source="Microsoft-Windows-IIS-W3SVC" EventLog=System

WWW service property failed range validation
EventID=5067 Source="Microsoft-Windows-WAS" EventLog=System