Pre-requisites:
- Microsoft Azure – Troubleshoot Azure VM Process using KQL
- Microsoft Azure – Track CPU Utilization of Azure Virtual Machines using KQL Log Query
Heartbeat is an Azure Log Management solution. A KQL query against the Heartbeat log returns the following information:
- Computer Name
- Environment that hosts the computer: Azure or Non-Azure
- Name of Operating system, Type of OS, Operating system major version, Operating system minor version
- List of solutions deployed on the agent
- The Version of the agent, etc.
Let's look at some examples of Heartbeat KQL log monitoring queries:
1. KQL query to find each computer and the environment that hosts it: Azure or Non-Azure
Heartbeat | where OSType == 'Windows' or OSType == 'Linux' | summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | project Computer, ComputerEnvironment | render table
2. KQL query to find each computer's OS Type, OS Name, OS Major Version, and OS Minor Version.
Heartbeat | where OSType == 'Windows' or OSType == 'Linux' | summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | project Computer, ComputerEnvironment, OSType, OSName, OSMajorVersion, OSMinorVersion | render table
3. KQL query to find only the computers whose OS Type is Windows and display OS Name, OS Major Version, and OS Minor Version.
Heartbeat | where OSType == 'Windows' | summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | project Computer, ComputerEnvironment, OSType, OSName, OSMajorVersion, OSMinorVersion | render table
4. KQL query to find only the computers whose OS Type is Linux and display OS Name, OS Major Version, and OS Minor Version.
Heartbeat | where OSType == 'Linux' | summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | project Computer, ComputerEnvironment, OSType, OSName, OSMajorVersion, OSMinorVersion | render table
5. KQL Query to find the Computer Remote IP.
Heartbeat | summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | project Computer, ComputerEnvironment, ComputerIP | render table
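The list at the top mentions the agent version and the deployed solutions, which none of the five queries project. The query below is an added example, not part of the original article: it reuses the same arg_max pattern to build an agent inventory and flags machines whose latest heartbeat is older than a threshold, which is a common first check for a monitoring gap. The lookback window, the staleAfter threshold and the output column names are assumptions chosen for illustration.

```kql
// Added example (not from the original article).
// Latest heartbeat per machine, with agent version, deployed solutions,
// and a flag for machines that have stopped reporting.
let lookback = 7d;      // assumption: how far back to look for known machines
let staleAfter = 15m;   // assumption: silence longer than this counts as stale
Heartbeat
| where TimeGenerated > ago(lookback)
// Keep only the most recent record for each machine
| summarize arg_max(TimeGenerated, *) by SourceComputerId
// Age of the latest heartbeat, in whole minutes
| extend MinutesSinceLastHeartbeat = datetime_diff('minute', now(), TimeGenerated)
| extend Status = iff(TimeGenerated < ago(staleAfter), 'Stale', 'Reporting')
| project Computer, ComputerEnvironment, OSType,
          AgentVersion = Version,
          Solutions,
          LastHeartbeat = TimeGenerated,
          MinutesSinceLastHeartbeat,
          Status
// Stale machines first, longest silence at the top
| sort by Status desc, MinutesSinceLastHeartbeat desc
```

A machine that appears as Stale may be powered off or decommissioned, or its agent may have been stopped or removed, so the result is a list to investigate rather than a verdict.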