Some queries added and additional documentation

2017-05-29 20:12:28 +04:00 · 2017-05-29 20:12:28 +04:00 · abcf676a6d
--- a/Deploy/Tenant/RB-Ops-Daily.ps1
+++ b/Deploy/Tenant/RB-Ops-Daily.ps1
@ -13,3 +13,13 @@
 		-ReportName "criticalupdatesrequired" `
 		-dynamicQuery "Type=Update UpdateState=Needed Optional=false (Classification=""Security Updates"" OR Classification=""Critical Updates"")"

+#All VMs with more than 2GB RAM available on average
+.\RB-ProcessLogs.ps1 `
+		-ReportName "vmswithover2gbramavailable" `
+		-dynamicQuery "Type=Perf ObjectName=Memory CounterName=""Available MBytes"" | measure avg(CounterValue) by Computer | where AggregatedValue>2048"
+
+#All computers with their most recent data
+.\RB-ProcessLogs.ps1 `
+		-ReportName "allvmsmostrecentdata" `
+		-dynamicQuery "NOT(ObjectName=""Advisor Metrics"" OR ObjectName=ManagedSpace) TimeGenerated>NOW-5MINUTES"
+
--- a/Deploy/Tenant/RB-Ops-Hourly.ps1
+++ b/Deploy/Tenant/RB-Ops-Hourly.ps1
@ -1,14 +1,19 @@
-#Average CPU usage calculated over 10 minutes for the last 1 hours.
+#Average CPU usage calculated over 10 minutes for the last 1 hours
 .\RB-ProcessLogs.ps1 `
 		-ReportName "perfavgcpu" `
 		-dynamicQuery "Type=Perf CounterName=""% Processor Time"" TimeGenerated>=NOW-1HOURS | measure avg(CounterValue) by Computer interval 30MINUTE"

-#All detected threats based on threat status rank.
+#All detected threats based on threat status rank
 .\RB-ProcessLogs.ps1 `
 		-ReportName "securitydetectedthreats" `
 		-dynamicQuery "Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | measure max(ThreatStatusRank) as Rank by Computer | Top 5000"

-#All Windows security login failures in the past 1 hours.
+#All Windows security login failures in the past 1 hour
 .\RB-ProcessLogs.ps1 `
 		-ReportName "acctloginfailurepasthour" `
 		-dynamicQuery "Type=SecurityEvent EventID=4625 TimeGenerated>=NOW-1HOURS"
+
+#All Linux Syslog errors in the past 1 hour
+.\RB-ProcessLogs.ps1 `
+		-ReportName "linuxsyslogerrors" `
+		-dynamicQuery "Type=Syslog SeverityLevel=error TimeGenerated>NOW-1HOUR"
--- a/Documentation/Log-Reports.md
+++ b/Documentation/Log-Reports.md
@ -9,9 +9,12 @@ The queries included in this sample solution are designed to be flexible and hig
 * Alerts generated in the past 24 hours that are still open
 * All Windows VMs that require updates
 * All VMs that are missing critical updates
+* All VMs with more than 2GB RAM available on average
+* All computers with their most recent data

 ### Hourly Reports

 * Average CPU usage calculated over 10 minutes for the last 1 hours
 * All detected threats based on threat status rank
 * All Windows security login failures in the past 1 hours
+* All Linux Syslog errors in the past 1 hour
--- a/Documentation/Writing-Reports.md
+++ b/Documentation/Writing-Reports.md
@ -0,0 +1,18 @@
+# zMonitor
+
+## Writing Queries
+
+Some tips for gettings started with writing Log Analytics queries and generating reports.
+
+A great place to start is the default "Saved Searches" in Log Analytics. Once you start exploring writing your own queries, a good place to start digging is:
+
+```LogAnalytics
+* | Measure count() by Type
+```
+
+## References
+
+Some excellent resources to get up and running quickly:
+
+* [Find data using log searches](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-searches)
+* [Log Analytics search reference](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-search-reference)
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@

 An Azure platform native monitoring solution that enables monitoring across multiple tenants or subscriptions.

-The primary goal is to utilize Azure native components, and deliver an as simple as possible, highly configurable and scalable, cost-effective monitoring solution. The driving force behind this solution was the need to be able to monitor Azure resources across tenants (for service providers), using Azure native tools. While there are many metrics and logs generated in Azure, surfacing this information across subscriptions/tenants proved challenging.
+The primary goal is to utilize Azure native components, and deliver an as simple as possible, highly configurable and scalable, cost-effective monitoring solution. The driving force behind this solution was the need to be able to monitor Azure resources across tenants (for service providers), using Azure native tools. While there are many metrics and logs generated in Azure, surfacing this information across subscriptions/tenants and effectively monitoring proved challenging.

 ## Solution

@ -29,35 +29,35 @@ The components that make up the solution:
  * Azure Automation
  * [Optional] Power BI

-## Azure Resource Documentation
+For additional info on what is currently enabled through this solution (work in progress):

-* Log Analytics
-
-  <!--![Log Analytics](Documentation/images/loganalytics.png)-->
-  [Documentation: Log Analytics][1]
-
-* Azure Automation
-
-  [Documentation: Azure Automation][2]
-
-* Stream Analytics
-
-  [Documentation: Stream Analytics][3]
-
-* Azure Cosmos DB
-
-  [Documentation: Azure Cosmos DB][4]
-
-* Power BI
-
-  [Documentation: Power BI][5]
+* [Reports/Queries](Documentation/Log-Reports.md)
+* [Resources for writing Log Analytics queries](Documentation/Writing-Reports.md)

 ## Deployment

+The detailed deployment instructions for the solution:
+
 [Deploying monitoring for Tenant/ Subscription][6]

 [Deploying the central repository (e.g. Service Provider)][7]

+## Azure Resource Documentation
+
+For more information on the individual components, please refer to the official documentation:
+
+* [Log Analytics][1]
+
+  <!--![Log Analytics](Documentation/images/loganalytics.png)-->
+
+* [Azure Automation][2]
+
+* [Stream Analytics][3]
+
+* [Azure Cosmos DB][4]
+
+* [Power BI][5]
+
 ## Contributions

 Please refer to [CONTRIBUTING](Documentation/Contributing.md)