Monitoring Windows Services


Windows Services are long-running applications. These applications typically do not have a user interface or produce any visual output. Any messages associated with the service are typically written to the Windows Event Log. Services can be configured to start automatically when the computer is booted. Services do not require a logged-in user in order to execute.

During discovery, SL1 retrieves information about Windows services from discovered devices. When SL1 assigns a device class to a discovered device, SL1 examines the definition of that device class to determine how to retrieve information about Windows services. SL1 looks at the Service Collection field in the definition of the device class. The Service Collection field specifies one of the following:

  • This is not a Windows device class.
  • Use the Windows MIB to gather information about Windows services.
  • Use the WMI Informant MIB to gather information about Windows services.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Windows Services Monitoring Policies

SL1 allows you to create policies that monitor Windows Services. A service policy tells SL1 to monitor the device and look for the service. You can define a service policy so that:

  • SL1 generates an event if the service is not running or SL1 generates an event if the service is running.
  • Optionally, SL1 starts, pauses, or restarts the service.
  • Optionally, SL1 reboots or shuts down the device.
  • Optionally, SL1 triggers the execution of a script (script must reside on the device).

NOTE: In addition to using a Windows service monitoring policy, SL1 includes a PowerPack called "Windows Restart Automatic Services". This PowerPack includes a Dynamic Application that monitors Windows Services with a mode of "Automatic". This PowerPack also includes two events and a Run Book policy. If the Dynamic Application reports that a Windows Service with a mode of "Automatic" has stopped running, SL1 generates an event and the Run Book policy automatically restarts the Windows Service.

Viewing the List of Windows Service Monitoring Policies

You can view the list of Windows service monitoring policies from the Windows Service Monitoring page (Registry > Monitors > Windows Services).

The Windows Service Monitoring page displays the following information about each Windows service monitoring policy:

  • Windows Service Name. Name of the service that is monitored by the policy.
  • Service Action. On their local devices, Windows services can be defined with a startup-type of "automatic." This means that the service is started automatically when the local device is booted. Generally, critical services are defined with a startup-type of "automatic" to ensure that the service is always available. If a service with a startup-type of "automatic" fails on a device, SL1 can automatically restart the service. If an unwanted service is running on a device, SL1 can automatically stop the service. For a Windows service policy, SL1 can perform one or more of the following service actions:
    • Stop Service. SL1 stops the service.
    • Start Service. SL1 starts the service.
    • Pause Service. SL1 pauses the service.
    • Restart Service. SL1 restarts the service.
    • Reboot System. SL1 reboots the computer.
    • Shutdown System. SL1 shuts down the computer.
    • Action Script. SL1 triggers the execution of a script on the device. The script must reside on the managed device, in the directory "c:/program files/snmp informant/operating_system/spawn". For example, you might want to execute a script if a service has crashed; the script could execute the steps required to clean up any problems before restarting the service.
  • Policy ID. Unique, numeric ID, assigned to the policy automatically by SL1.
  • State. Whether the policy is enabled or disabled.
  • Device Name. Name of the device associated with the policy.
  • IP Address. IP address of the device associated with the policy. This is the IP address SL1 uses to communicate with the device.
  • Device Category. Device category of the device associated with the policy.
  • Organization. Organization for the device associated with the policy.

From the list of policies, you can select the checkbox for one or more policies and choose one of the following bulk actions from the Select Action drop-down at the bottom right of the page:

  • Delete Monitors. Deletes the selected policies from SL1. The associated reports (from the Device Reports > Performance tab) are also deleted.
  • Enable Monitors. Enables the selected policies so that SL1 can collect the data for these policies.
  • Disable Monitors. Disables the selected policies. SL1 will not collect the data specified in these policies.

Filtering the List of Windows Service Monitoring Policies

You can filter the list on the Windows Service Monitoring page by one or more parameters. Only policies that meet all the filter criteria will be displayed on the Windows Service Monitoring page.

To filter by parameter, enter text into the desired filter-while-you-type field. The Windows Service Monitoring page searches for policies that match the text, including partial matches. By default, the cursor is placed in the left-most filter-while-you-type field. You can use the <Tab> key or your mouse to move your cursor through the fields. The list is dynamically updated as you type. Text matches are not case-sensitive.

You can also use special characters to filter each parameter.

Filter by one or more of the following parameters:

  • Windows Service Name. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies with a matching name.
  • Service Action. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies that perform actions that match the text.
  • Policy ID. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies that have a matching policy ID.
  • Device Name. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies aligned with a device with a matching device name.
  • IP Address. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies aligned with a device with a matching IP address.
  • Device Category. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies aligned with a device with a matching device category.
  • Organization. You can enter text to match, including special characters, and the Windows Service Monitoring page will display only policies that have a matching organization.

Prerequisites and Configuration for Windows Service Monitoring Policies

Before you can define a Windows service monitoring policy that performs actions on the external device, you must perform some required configuration in SL1 and on the external server.

Optional Settings in SL1

If you do not define a Windows service monitoring policy, SL1 will still detect the services that are running on Windows devices. You can configure SL1 to automatically monitor all services of type "automatic" and restart those services if they fail, without creating a Windows service monitoring policy.

You can specify whether SL1 will automatically restart failed Windows services in the Behavior Settings page (System > Settings > Behavior). In the Behavior Settings page, you can define the following options in the Restart Windows Services page:

  • 0. Disabled. SL1 will not automatically restart failed services that have been defined on the device with a startup type of "automatic".
  • 1. Enabled. SL1 will automatically restart failed services that have been defined on the device with a startup type of "automatic".

NOTE: The following services have a startup type of "automatic", but run only when explicitly called. Therefore, these services will not be restarted automatically if they are not found running: ATI HotKey Poller, Distributed Transaction Coordinator, Performance Logs and Alerts, Removable Storage, TPM Base Services, Windows Service Pack Installer update service, and VSS. If you would like to include additional services in this exclusion list, please contact ScienceLogic Customer Support.
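
To preview on a Windows host which services this setting would apply to, the following added PowerShell example (not part of SL1 or the ScienceLogic documentation) lists services with a startup type of "automatic" that are not running and drops the exclusions named in the note above. It assumes the names in the note can match either a service's short name or its display name; the function name is hypothetical.

```powershell
# Added example: stopped services with a startup type of "automatic",
# minus the exclusion list from the NOTE above.
# Assumption: exclusion names are compared against both Name and DisplayName.
$ExcludedServices = @(
    'ATI HotKey Poller',
    'Distributed Transaction Coordinator',
    'Performance Logs and Alerts',
    'Removable Storage',
    'TPM Base Services',
    'Windows Service Pack Installer update service',
    'VSS'
)

function Get-StoppedAutomaticService {
    [CmdletBinding()]
    param(
        # Optional remote host; omit to query the local machine without WinRM.
        [string]$ComputerName,
        [string[]]$Exclude = $ExcludedServices
    )

    # Win32_Service reports StartMode 'Auto' for a startup type of "automatic".
    $query = @{
        ClassName = 'Win32_Service'
        Filter    = "StartMode = 'Auto' AND State <> 'Running'"
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    Get-CimInstance @query |
        Where-Object {
            # -notcontains is case-insensitive, like the names in the NOTE.
            $Exclude -notcontains $_.Name -and $Exclude -notcontains $_.DisplayName
        } |
        Sort-Object Name |
        Select-Object Name, DisplayName, State, StartName, PathName
}

Get-StoppedAutomaticService | Format-Table -AutoSize -Wrap
```

The StartName and PathName columns show the account and binary behind each service, which is worth reviewing before allowing automatic restarts.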

Required Configuration

To include any of the optional actions in a Windows service monitoring policy, the external device must meet these requirements:

  • The external device must be running the SNMP Informant, WMI Edition agent.
  • To execute a script on the external device for monitoring policies, the script must reside on the external device, in the directory:

c:/program files/snmp informant/operating_system/spawn

Additionally, for SL1 to automatically monitor services of type "automatic" and/or execute an action for a Windows service monitoring policy for a device, the device must:

  • Be aligned to a device class that has "WMI Informant" configured in the Service Collection field.
  • Have an SNMP Write credential defined on the Settings tab of the Device Investigator (or in the Device Properties page in the classic SL1 user interface).
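
Because SL1 triggers the execution of scripts that reside in the spawn directory, write access to that directory determines who can change what runs on the device. The following added PowerShell example (not part of SL1 or the SNMP Informant agent) reports access-control entries on the directory and its contents that grant write-type rights to principals outside a trusted set. The trusted SID list and the function name are assumptions to adjust for your environment.

```powershell
# Added example: find ACL entries that let principals outside a trusted set
# create, change or delete files in the action-script directory.
$SpawnDir = 'C:\Program Files\SNMP Informant\operating_system\spawn'  # path from this page

# Assumption: only these well-known SIDs are expected to hold write access.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER (inherit-only placeholder entry)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Write-type rights only; read and execute bits are deliberately left out.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL and GENERIC_WRITE, which can appear unmapped on inherit-only entries.
$GenericBits = 0x10000000 -bor 0x40000000

function Get-UntrustedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Trusted = $TrustedSids
    )
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so localized or unresolvable account names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $WriteBits) -or ($rights -band $GenericBits)
        $sid = $ace.IdentityReference.Value
        if ($canWrite -and $Trusted -notcontains $sid) {
            $name = try {
                $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch { '(unresolved)' }
            [pscustomobject]@{
                Path      = $Path
                Principal = $name
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath $SpawnDir) {
    # Check the directory itself and every script or subfolder inside it.
    $targets = @($SpawnDir) + @(Get-ChildItem -LiteralPath $SpawnDir -Recurse -Force |
        ForEach-Object { $_.FullName })
    $targets | ForEach-Object { Get-UntrustedWriter -Path $_ } | Format-Table -AutoSize -Wrap
} else {
    Write-Warning "Directory not found: $SpawnDir"
}
```

An empty result means no entry outside the trusted set can write to the directory or its contents.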

Defining a Monitoring Policy for Windows Services

You can define a Windows service monitoring policy for a device on the Monitors tab of the Device Investigator.

To define a Windows service monitoring policy:

  1. Go to the Devices page and click the Device Name of the device for which you want to define a Windows service monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Click Create, and then select Create Windows service monitoring policy. The Windows Service Policy modal appears.
  4. In the Windows Service Policy modal, supply a value in each of the following fields:
    • Select Device. Select a device to align with this policy. If you accessed this page through the Device Administration panel, the current device is selected in this field by default. This field displays only devices that belong to a device class where the Service Collection field contains either Windows Basic or WMI Informant.
    • Service Name. Service to be monitored by the policy. Select from a list of all Windows services discovered in the network by SL1.
    • Alert if Found. You can use this field in one of two ways: to generate an event when a required Windows service is not found, or to generate an event when an illicit Windows service is found. Your choices are:
      • Yes. Use this setting to look for an illicit service.
        • If SL1 finds the illicit service (specified in the Service Name field), SL1 will generate an event.
        • If SL1 does not find the illicit service, SL1 will not generate an event.
      • No. Use this setting to ensure that a required service is running.
        • If SL1 finds the required service (specified in the Service Name field), SL1 does not generate an event.
        • If SL1 does not find the required service, SL1 generates an event.
    • Service Action. If the device is a Windows computer running a WMI agent, you can define some automated actions, based on the condition specified in the Alert if Found field.
      • Disabled. The Service Action field is disabled and no automated actions are performed.
      • Stop Service. If SL1 has generated an event based on the condition specified in the Alert if Found field, stop the service.
      • Start Service. If SL1 has generated an event based on the condition specified in the Alert if Found field, start the service.
      • Pause Service. If SL1 has generated an event based on the condition specified in the Alert if Found field, pause the service.
      • Restart Service. If SL1 has generated an event based on the condition specified in the Alert if Found field, restart the service.
    • System Action. If the device is a Windows computer running a WMI agent, you can define some automated actions, based on the condition specified in the Alert if Found field.
      • Disabled. The System Action field is disabled and no automated actions are performed.
      • Reboot System. If SL1 has generated an event based on the condition specified in the Alert if Found field, reboot the computer.
      • Shutdown System. If SL1 has generated an event based on the condition specified in the Alert if Found field, shut down the computer.
    • Action Script Path. If the device is a Windows computer running a WMI agent, you can execute a script on the computer. If SL1 has generated an event based on the condition specified in the Alert if Found field, SL1 can then execute the action script. For example, you might want to execute a script if a service crashed; the script could execute the steps required to clean up any problems before restarting the service. In this field, you can specify the script to execute. The script must reside on the managed device, in the directory "c:/program files/snmp informant/operating_system/spawn".
    • State. Specifies whether SL1 should start collecting data specified in this policy from the device. Choices are:
      • Enabled. SL1 will collect the data specified in this policy at the frequency specified in the Process Manager page (System > Settings > Admin Processes) for the Data Collection: OS Service Check process.
      • Disabled. SL1 will not collect the data specified in this policy until the State field is set to Enabled.
  5. Click Save.
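
Before enabling a Service Action or System Action, it can help to dry-run the Alert if Found decision on the host itself. The following added PowerShell example (not SL1 code) evaluates a few constructed sample policies against the services currently running locally and shows which would generate an event and which configured action would follow. It treats "found" as "running", and the policy objects, service names and function name are hypothetical.

```powershell
# Added example: dry-run of the "Alert if Found" decision against the local host.
# Constructed sample policies; replace the service names and actions with your own.
$SamplePolicies = @(
    [pscustomobject]@{ ServiceName = 'Spooler';        AlertIfFound = $false; ServiceAction = 'Restart Service' }
    [pscustomobject]@{ ServiceName = 'RemoteRegistry'; AlertIfFound = $true;  ServiceAction = 'Stop Service' }
    [pscustomobject]@{ ServiceName = 'ExampleAgent';   AlertIfFound = $false; ServiceAction = 'Disabled' }
)

function Test-ServicePolicy {
    param(
        [Parameter(Mandatory)][object[]]$Policy,
        # Short names and display names of running services; defaults to the local host.
        [string[]]$RunningService = (Get-Service |
            Where-Object Status -eq 'Running' |
            ForEach-Object { $_.Name; $_.DisplayName })
    )
    foreach ($p in $Policy) {
        $found = $RunningService -contains $p.ServiceName
        # Yes: event when the service is found. No: event when it is not found.
        $raisesEvent = ($p.AlertIfFound -and $found) -or (-not $p.AlertIfFound -and -not $found)
        # The configured action runs only after an event has been generated.
        $action = if ($raisesEvent -and $p.ServiceAction -ne 'Disabled') { $p.ServiceAction } else { 'none' }
        [pscustomobject]@{
            ServiceName  = $p.ServiceName
            AlertIfFound = if ($p.AlertIfFound) { 'Yes' } else { 'No' }
            Found        = $found
            Event        = $raisesEvent
            ActionToRun  = $action
        }
    }
}

Test-ServicePolicy -Policy $SamplePolicies | Format-Table -AutoSize
```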

Defining a Monitoring Policy for Windows Services in the Classic SL1 User Interface

There are two places in SL1 from which you can define a monitoring policy for Windows services:

  • From the Device Manager page (Devices > Device Manager):
  • In the Device Manager page, find the device that you want to associate with the monitoring policy. Click the wrench icon for the device.

  • In the Device Administration panel, click the Monitors tab.
  • From the Create menu in the upper right, select Create Windows Services Policy.

Or:

  • From the Windows Service Monitoring page (Registry > Monitors > Windows Services):
  • In the Windows Service Monitoring page, click the Create button.
  • The Windows Service Policy modal appears.

For information about completing the fields in the Windows Service Policy modal, see the section on Defining a Monitoring Policy for Windows Services.

Editing a Windows Service Monitoring Policy

To edit a Windows service monitoring policy:

  1. Go to the Devices page and click the name of the device for which you want to edit a monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Find the policy you want to edit and click its wrench icon. The Windows Service Policy modal appears.
  4. In the Windows Service Policy modal, you can change the values in one or more of the fields described in the section on Defining a Monitoring Policy for Windows Services.
  5. Click Save.

Editing a Windows Service Monitoring Policy in the Classic SL1 User Interface

There are two places in SL1 from which you can edit a monitoring policy for a Windows service:

  • From the Device Manager (Devices > Device Manager) page:
  • In the Device Manager page, find the device that you want to associate with the monitoring policy. Click the wrench icon for the device.
  • In the Device Administration panel, click the Monitors tab.
  • In the Monitoring Policies page, find the policy you want to edit and click its wrench icon.

Or:

  • From the Windows Service Monitoring page (Registry > Monitors > Windows Services):
  • In the Windows Service Monitoring page, find the policy you want to edit and click its wrench icon.
  1. The Windows Service Policy modal appears.
  2. In the Windows Service Policy modal, you can change the values in one or more of the fields described in the section on Defining a Monitoring Policy for Windows Services.
  3. Click Save.

Executing a Windows Service Monitoring Policy

After creating or editing a Windows service monitoring policy, you can manually execute the policy and view detailed logs of each step during the execution.

NOTE: After you define a Windows service monitoring policy and enable the policy, SL1 will automatically execute the policy every five minutes. However, you can use the steps in this section to execute the policy immediately and see debug information about the execution of the policy.

To execute a Windows service monitoring policy:

  1. Go to the Devices page and click the name of the device for which you want to execute the monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Find the policy you want to run manually and click its lightning bolt icon.
  4. The Session Logs modal opens while the policy is executing. The Session Logs page provides detailed descriptions of each step during the execution. This is helpful for diagnosing possible problems with a policy.

Executing a Windows Service Monitoring Policy in the Classic SL1 User Interface

To execute a Windows service monitoring policy in the classic SL1 user interface:

  1. In the Windows Service Monitoring page (Registry > Monitors > Windows Services), find the policy you want to run manually.
  2. Click the lightning bolt icon to manually execute the policy.
  3. While the policy is executing, SL1 spawns a modal called Session Logs. The Session Logs page provides detailed descriptions of each step during the execution. This is very helpful for diagnosing possible problems with a policy.

Deleting a Windows Service Monitoring Policy

You can delete a Windows service monitoring policy from the Monitors tab of the Device Investigator. When you delete a monitoring policy, SL1 no longer uses the policy to collect data from the aligned device. Deleting a monitoring policy will also remove all data that was previously collected by the policy.

To delete a Windows service monitoring policy:

  1. Go to the Devices page and click the name of the device for which you want to delete the monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Find the policy you want to delete and click its bomb icon. A confirmation prompt appears.
  4. Click OK.

Deleting a Windows Service Monitoring Policy in the Classic SL1 User Interface

You can delete one or more Windows service monitoring policies from the Windows Service Monitoring page. When you delete a monitoring policy, SL1 no longer uses the policy to collect data from the aligned device. Deleting a monitoring policy will also remove all data that was previously collected by the policy.

To delete a Windows service process policy in the classic SL1 user interface:

  1. Go to the Windows Service Monitoring page (Registry > Monitors > Windows Services).
  2. In the Windows Service Monitoring page, select the checkbox(es) for each system service policy you want to delete. Click the checkmark icon to select all of the service policies.
  3. In the Select Action menu in the bottom right of the page, select Delete Monitors.
  4. Click the Go button to delete the Windows service policies.
  5. The policy is deleted from SL1. The associated reports (from the Device Reports > Performance tab) are also deleted.

Viewing a List of All Windows Services

The Windows Services page displays a list of all services discovered by SL1. These services are running on devices that have been discovered by SL1. The Windows Services page also allows you to define service monitoring for multiple services running on multiple devices and to generate reports on services. 

To view the list of all Windows services running on all devices:

  1. Go to the Windows Services page (Devices > Services).
  2. The Windows Services page displays the following about each process:

To sort the list of services, click on a column heading. The list will be sorted by the column value, in ascending order. To sort the list by descending order, click the column heading again.

  • Device Name. Name of the device where the service resides. For devices running SNMP or with DNS entries, the named device is discovered automatically. For devices without SNMP or DNS entries, the device's IP address will appear in this field.
  • Organization. Organization associated with the device.
  • IP Address. IP address of the device where the service is located.
  • Device Class | Sub-Class. The manufacturer (device class) and type of device (sub-class). The Device Class | Sub-Class is automatically assigned during auto-discovery, at the same time as the Category.
  • Service. The name of the service. A single service name can have multiple entries.
  • Monitored. Specifies whether or not SL1 is monitoring the service. The choices are:
  • Yes. SL1 is currently monitoring this service.
  • No. SL1 is not currently monitoring this service.
  • Tools. For each service, the following tools are available:
    • Locate all services on device. Leads to the Services Found page, where you can view a list of all services that reside on the device.
    • Print exclusion report. Generates a detailed service report, in MS Word format. This report specifies all devices where the selected service is running and all devices where the selected service is not running. SL1 lists only appropriate devices in this report. For example, Solaris servers would not appear in a report for a Microsoft service.
    • Edit monitoring of this service. Leads to the Monitoring Policies page, where you can edit the properties of the monitoring policy.
  • Checkbox. The checkbox applies the action from the Select Action drop-down list to the service. To select all the checkboxes, select the large red check icon.

Filtering the List of Windows Services

You can filter the list on the Windows Services page by one or more parameters. Only services that meet all the filter criteria will be displayed in the Windows Services page.

To filter by parameter, enter text into the desired filter-while-you-type field. The Windows Services page searches for services that match the text, including partial matches. By default, the cursor is placed in the left-most filter-while-you-type field. You can use the <Tab> key or your mouse to move your cursor through the fields. The list is dynamically updated as you type. Text matches are not case-sensitive.

You can also use special characters to filter each parameter.

Filter by one or more of the following parameters:

  • Device Name. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Windows Services page will display only services that have a matching device name.

  • Organization. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Windows Services page will display only services that have a matching organization.
  • IP Address. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Windows Services page will display only services that have a matching IP address.
  • Device Class. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Windows Services page will display only services that have a matching device class.
  • Service. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Windows Services page will display only services that have a matching service name.
  • Monitored. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Windows Services page will display only services that have a matching monitoring status.

Viewing a List of Windows Services on a Single Device

On the Services tab of the Device Investigator, you can view a list of all Windows services enabled on the device:

The Services tab of the Device Investigator page

To keep your device running efficiently and to maintain security, the Services tab helps you manage services on your device. For each Windows service running on the device, the Services tab displays the following information:

To sort the list of Windows services, click on a column heading. The list will be sorted by the column value, in ascending order. To sort the list by descending order, click the column heading again.

  • Service Name. Name of the Windows service.

  • ID. If you have defined a monitoring policy for the Windows service, SL1 generates a unique numeric ID for the service.

  • Run State. The current state of the process. This can be one of the following:
  • Runnable. Service is ready to run as needed.

  • Running. Service is currently running.
  • Not Running. Service is in a "waiting" state.
  • Invalid. Service is part of an operation that failed. Service was not ended gracefully.

NOTE: Run states are defined by a device's operating system and/or installed agents. Run states may differ between devices.

  • Monitored. Specifies whether or not SL1 is monitoring this Windows service.

Viewing a List of Windows Services on a Single Device in the Classic SL1 User Interface

The Windows Services page displays a list of all of the Windows services that are running on a single device.

To view the list of Windows services on a single device:

  1. Go to the Device Manager page (Devices > Services).
  2. Find the device where you want to view the list of Windows services. Select the bar graph icon for that device.
  3. In the Device Reports panel, select the Services tab. The Windows Services page appears.
  4. For each Windows service, the Windows Services page displays the following information:

To sort the list of Windows services, click on a column heading. The list will be sorted by the column value, in ascending order. To sort the list by descending order, click the column heading again.

  • Service Name. Name of the Windows service.
  • ID. If you have defined a monitoring policy for the Windows service, SL1 generates a unique numeric ID for the service.
  • Run State. The current state of the process. This can be one of the following:
  • Runnable. Service is ready to run as needed.
  • Running. Service is currently running.
  • Not Running. Service is in a "waiting" state.
  • Invalid. Service is part of an operation that failed. Service was not ended gracefully.

NOTE: Run states are defined by a device's operating system and/or installed agents. Run states may differ between devices.

  • Monitored. Specifies whether or not SL1 is monitoring this Windows service.

Generating and Viewing Reports about Windows Services

This section describes how to generate and view reports about Windows services.

Generating a Report on Multiple Windows Services

From the Windows Services page (Devices > Services) you can generate a report on all, multiple, or a single service in SL1. The Windows Services page allows you to generate a report that contains all the information displayed in the Windows Services page.

To generate a report on all or multiple Windows services in SL1:

  1. Go to the Windows Services page (Devices > Services).
  2. On the Windows Services page, click the Report button. The Export current view as a report modal appears.

    If you want to include only certain services in the report, use the "search as you type" fields at the top of each column. You can filter the list by one or more column headings. You can then select the Report button, and only the services displayed in the Windows Services page will appear in the report.

  3. In the Export current view as a report modal, you must select the format in which SL1 will generate the report. Your choices are:
    • Comma-separated values (.csv)
    • Web page (.html)
    • OpenDocument Spreadsheet (.ods)
    • Excel spreadsheet (.xlsx)
    • Acrobat document (.pdf)
  4. Click the Generate button. The report will contain all the information displayed in the Windows Services page. You can immediately view the report or save it to a file for later viewing.

Generating an Exclusion Report for a Single Windows Service

From the Windows Services page, you can generate an exclusion report for a service. SL1 will generate the report in MS Word format. An exclusion report specifies all devices where the selected Windows service is running and all devices where the selected Windows service is not running.

A Windows Services Exclusion Report displays the following:

  • Name of the Windows service.
  • List of all devices in SL1 where the Windows service is running.
  • List of all devices in SL1 where the Windows service is not running. SL1 includes only appropriate servers in this report. For example, Solaris servers would not appear in a report for Windows services.
  • The last row in the report displays:
  • Total number of devices in report.
  • Total number of device categories included in the report.
  • Total number of device classes included in the report.
  • Total number of devices where Windows service is running.
  • Total number of devices where Windows service is not running.

To generate an exclusion report about a Windows service:

  1. Go to the Windows Services page (Devices > Services).
  2. In the Windows Services page, find an instance of the Windows service you want to generate an exclusion report for.
  3. Click its printer icon. You will be prompted to save or view the generated report.

Viewing Reports about Windows Services

See the section on Viewing Performance Graphs for information and examples of reports for Windows services.