
Service Monitoring


Service monitoring offers the following features:

 

Detect service status changes (stopped -> running, paused -> stopped, etc.)
Detect if services are added or removed
Detect service configuration changes (service account change, executable change)
Detect if a service set to auto-start did not start
Ensure that a service is always in a desired state (stopped or running)
Track service status, changes and activity in a database

 


 


The term "service" also refers to drivers if EventSentry is configured to monitor drivers (details below). All service activity will be logged to the Application event log, so you will need to make sure that you are monitoring the Application event log with at least one event log filter.

 

Service & Driver Monitoring

You can choose to either monitor all services, only specific services or no services.

 

Monitor all Services:

All services, except the ones included in the listbox, are monitored.

Monitor only Selected Services:

Only the services shown in the list box are monitored. If the list box is empty then service monitoring will not be active.

Do not monitor services

No services are monitored, and all services from the list box are removed.

 


 

If the Boot Time Behavior is set to "Rescan after Reboot", then service status changes will also be monitored across reboots and/or EventSentry service restarts. For example, if the Server service was running when you stopped the EventSentry service, but was stopped when you started the EventSentry service again, then this status change will be logged.

 

Services are displayed with both the display name and the service key name in the list. If a service is a driver then Yes will be shown in the Driver column, otherwise No.

 

Adding and Removing Services from the List

To add services to the list of monitored (or excluded) services, click the plus (+) button on the right of the list. The dialog displayed when clicking the plus button allows you to choose a service (or driver) from a dropdown list to add to the list. Please note that an entry starting with an asterisk (*) is a driver. Drivers will only be shown in this list if you check the Monitor Drivers checkbox.

 


 

To remove a service, select the service in the list and click the minus (-) button.

 


You can also add services which are not listed in the "Service Display Name" list by entering the service name. This can be the case if a service is installed on a monitored server but not on the management workstation. Remote agents will simply ignore services that are not installed.

 

Monitoring Interval

You can set your own monitoring interval; the default is 60 seconds. If you specify a monitoring interval in seconds, then it has to be a multiple of 10 seconds (and will be changed automatically if not).

 

What to Monitor

You can monitor a service's status changes, changes in the SCM (Service Control Manager) database, or both. You can also choose whether you want to monitor drivers.

 

Monitor Status Changes: If the status of a service changes, then an event will be generated in the Application event log. For example, if the Messenger service is stopped, EventSentry will indicate that the Messenger service changed from Running to Stopped.

When service is stopped, notify every: When checked, additionally generates continuous alerts when a service remains in the "Stopped" state for the specified time period.

 

Monitor SCM Changes: If a service is added or removed, EventSentry will log an event in the Application event log.

 

Monitor Drivers: Select this option if you also want to monitor drivers.

 

With the Log Changes As setting you can configure which severity events will be written to the Application event log.

 

Log to ODBC action

Activate this feature and select an ODBC action if you want to record all service activity to a database.

 


 

Advanced Options

See "Advanced Options" for more details.

 

Service Status Control

You can make sure that certain services are always in a Running or Stopped state (individually configurable per service) with Service Status Control.

 

To control a service, click the + button and select a service from the list. If the requested service is not in the list, you may simply type the service key name into the "Service Display Name" field. Then specify the desired service state (e.g. "Running") and click the OK button. EventSentry will now make sure that the service is always in the requested state.

 

In the example below, the iPodService will be stopped if it is running, whereas the Sophos Anti-Virus service will be started if it is stopped.

 


Whenever the agent determines that a service is not in the requested state it will attempt to change the state accordingly and write a message to the event log. The Log Service Control Attempts As setting determines the severity with which these messages are written to the event log.

 

Limitations

If a service status is changed twice during a monitoring interval, then the status change will not be detected by EventSentry.

 

For example, if the monitoring interval is set to 90 seconds and the Messenger service is stopped and restarted right after the most recent monitoring pass, then the next service monitoring pass of EventSentry will not be aware of this action.
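
The limitation above can be reproduced with a small model. The following is an added example, not EventSentry code: it assumes a monitor that compares successive snapshots of the service list, and the service data, account names, paths and timings are constructed for illustration.

```python
# Added illustration (not EventSentry code): a polling monitor modelled as a
# diff between successive snapshots of {service key name: (status, account, exe)}.

def diff_snapshots(prev, cur):
    """Return the events a snapshot-comparing monitor could report."""
    events = []
    for name in sorted(cur.keys() - prev.keys()):
        events.append(("added", name))
    for name in sorted(prev.keys() - cur.keys()):
        events.append(("removed", name))
    for name in sorted(prev.keys() & cur.keys()):
        (p_status, *p_cfg), (c_status, *c_cfg) = prev[name], cur[name]
        if p_status != c_status:
            events.append(("status", name, p_status, c_status))
        if p_cfg != c_cfg:  # service account or executable differs
            events.append(("config", name))
    return events

def snapshot_at(changes, t, initial):
    """Replay time-ordered (time, name, value-or-None) changes up to time t."""
    snap = dict(initial)
    for when, name, value in changes:
        if when <= t:
            if value is None:
                snap.pop(name, None)
            else:
                snap[name] = value
    return snap

def poll(changes, initial, interval, duration):
    """Events reported when sampling every `interval` seconds."""
    reported, prev = [], dict(initial)
    for t in range(interval, duration + 1, interval):
        cur = snapshot_at(changes, t, initial)
        reported += [(t,) + e for e in diff_snapshots(prev, cur)]
        prev = cur
    return reported

# Constructed sample data: the service is stopped 5 s after the pass at t=90,
# restarted 30 s later, and stopped for good at t=200.
EXE = r"C:\svc\msgr.exe"
INITIAL = {"Messenger": ("Running", "LocalSystem", EXE)}
CHANGES = [
    (95, "Messenger", ("Stopped", "LocalSystem", EXE)),
    (125, "Messenger", ("Running", "LocalSystem", EXE)),
    (200, "Messenger", ("Stopped", "LocalSystem", EXE)),
]

if __name__ == "__main__":
    for interval in (90, 20):
        print(interval, poll(CHANGES, INITIAL, interval, 360))
```

With a 90-second interval only the final stop is reported (at the pass at t=270); with a 20-second interval all three transitions are seen.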

 

Implications on System Load

Service monitoring does not have a high impact on the system load. We recommend setting the service monitoring interval to ~20 seconds for regular servers and to ~10 seconds for mission-critical servers.