
KQL Query – Identifying Failed Azure Arc-enabled Servers Extension Installations


If you're using Azure Arc-enabled servers, you may have run into cases where an extension failed to install correctly on a machine.

The following KQL query runs in Microsoft Sentinel or a Log Analytics workspace. It needs the AzureActivity table to be populated, which means the Azure Activity log must be forwarded to the workspace (through the Sentinel data connector or a diagnostic setting on the subscription). It lists every failed extension write against an Arc-enabled server, together with who attempted it and from where:

AzureActivity
// Extension writes against Arc-enabled machines (Microsoft.HybridCompute) that did not succeed
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = parse_json(Properties)
// Properties.resource has the form "<machine>/<extension>"; split it into the two parts
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
| extend User = tostring(Properties.caller)
| extend ["Resource Group"] = tostring(Properties.resourceGroup)
// SubscriptionId is a top-level AzureActivity column, so no dependency on the JSON key casing
| extend ["Subscription ID"] = SubscriptionId
| extend ["IP Address"] = CallerIpAddress
| extend ["Activity Status"] = tostring(Properties.activityStatusValue)
| project TimeGenerated, Server, User, ["Resource Group"], ["Extension Name"], ["Subscription ID"], ["IP Address"], ["Activity Status"]
| sort by TimeGenerated desc

Results

The query returns one row per failed extension write: the server (upper-cased for easier matching), the extension name, the caller, the caller's IP address, the resource group and subscription, and the status. Most rows will be ordinary deployment problems, but keep the security angle in mind: installing an extension on an Arc-enabled server means running code on that machine with the privileges of the Connected Machine agent, so the User and IP Address columns matter as much as the Server column. Repeated failures from a caller or source address you do not recognise are worth investigating as a possible attempt to push an extension, not just as an installation issue.
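To show the same filtering and parsing logic offline, here is an added Python example that mirrors the query over a few constructed AzureActivity-shaped rows. It is not code from the original post and not an Azure SDK call; the row layout, the lowercase subscriptionId key inside Properties and the sample server, caller and extension names are all assumptions made for the example. Beyond what the query does, it handles a resource string that carries no "/" (the KQL split would silently produce an empty extension name) and tallies failures per caller and IP, which is the view you want when deciding whether a run of failures is a deployment problem or someone trying to push an extension.

```python
import json
from collections import Counter
from typing import Iterable

EXTENSION_WRITE_OP = "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE"

# Constructed sample rows shaped like AzureActivity records; not data from any real tenant.
# The keys inside Properties are assumed (subscriptionId lowercase, as in the Activity log JSON).
SAMPLE_ROWS = [
    {
        "TimeGenerated": "2024-03-04T08:15:00Z",
        "OperationNameValue": EXTENSION_WRITE_OP,
        "ActivityStatusValue": "Failure",
        "CallerIpAddress": "203.0.113.10",
        "Properties": json.dumps({
            "resource": "srv-web-01/AzureMonitorWindowsAgent",
            "caller": "ops@contoso.example",
            "resourceGroup": "rg-arc-prod",
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "activityStatusValue": "Failure",
        }),
    },
    {   # same write retried and succeeded: must not appear in the findings
        "TimeGenerated": "2024-03-04T08:20:00Z",
        "OperationNameValue": EXTENSION_WRITE_OP,
        "ActivityStatusValue": "Success",
        "CallerIpAddress": "203.0.113.10",
        "Properties": json.dumps({
            "resource": "srv-web-01/AzureMonitorWindowsAgent",
            "caller": "ops@contoso.example",
            "resourceGroup": "rg-arc-prod",
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "activityStatusValue": "Success",
        }),
    },
    {   # edge case: resource string without "/", so there is no extension name to split off
        "TimeGenerated": "2024-03-04T09:02:00Z",
        "OperationNameValue": EXTENSION_WRITE_OP,
        "ActivityStatusValue": "Failure",
        "CallerIpAddress": "198.51.100.7",
        "Properties": json.dumps({
            "resource": "srv-db-02",
            "caller": "svc-deploy@contoso.example",
            "resourceGroup": "rg-arc-prod",
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "activityStatusValue": "Failure",
        }),
    },
    {   # a failed write of the machine resource itself, not an extension: filtered out by operation
        "TimeGenerated": "2024-03-04T09:30:00Z",
        "OperationNameValue": "MICROSOFT.HYBRIDCOMPUTE/MACHINES/WRITE",
        "ActivityStatusValue": "Failure",
        "CallerIpAddress": "198.51.100.7",
        "Properties": json.dumps({
            "resource": "srv-db-02",
            "caller": "svc-deploy@contoso.example",
            "resourceGroup": "rg-arc-prod",
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "activityStatusValue": "Failure",
        }),
    },
]


def failed_extension_writes(rows: Iterable[dict]) -> list:
    """Apply the query's where/extend/project steps to AzureActivity-shaped rows.

    Returns one dict per failed extension write, newest first, like the KQL output.
    """
    findings = []
    for row in rows:
        if row.get("OperationNameValue") != EXTENSION_WRITE_OP:
            continue
        if row.get("ActivityStatusValue") != "Failure":
            continue
        props = json.loads(row.get("Properties") or "{}")
        # Properties.resource is "<machine>/<extension>"; partition keeps the
        # server even when the separator is missing, and then marks the extension unknown.
        server, sep, extension = str(props.get("resource", "")).partition("/")
        findings.append({
            "TimeGenerated": row["TimeGenerated"],
            "Server": server.upper(),
            "ExtensionName": extension if sep else None,
            "User": props.get("caller"),
            "ResourceGroup": props.get("resourceGroup"),
            "SubscriptionId": props.get("subscriptionId"),
            "IPAddress": row.get("CallerIpAddress"),
            "ActivityStatus": props.get("activityStatusValue"),
        })
    # ISO-8601 timestamps sort correctly as strings; newest first, as "sort by TimeGenerated" does
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    return findings


def failures_by_caller(findings: Iterable[dict]) -> Counter:
    """Count failed extension writes per (caller, source IP) to spot an unexpected actor."""
    return Counter((f["User"], f["IPAddress"]) for f in findings)


if __name__ == "__main__":
    results = failed_extension_writes(SAMPLE_ROWS)
    for finding in results:
        print(finding)
    print(failures_by_caller(results))
```

Running it on the constructed rows yields two findings (the successful retry and the non-extension write are filtered out), with the SRV-DB-02 row carrying an ExtensionName of None rather than an empty string, so a downstream alert rule can treat "unknown extension" as its own case.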

Summary

Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.