Earlier today I needed to look for some specific Linux machines, and a process name in Syslog.
If you happen to have a naming convention that enables a startswith, endswith or even a contains, then it's reasonably easy to find this info.
However, I wanted to make sure it was a Linux server, and the Heartbeat type allows you to find by OSType (for example, by filtering where OSType is Linux).
Combining the two is somewhat harder, and the method I went for was:
// First create a list of Linux machines whose names start with "Fnnnnn"
let myLinuxGrp = toscalar(Heartbeat
    | where OSType == "Linux" and Computer startswith "F"
    | summarize makeset(Computer));
I used a let statement to store the computer names in a variable called myLinuxGrp; this holds a list of the Linux servers that start with "F". I needed toscalar and makeset to enable this to work. You can see the output of myLinuxGrp in this screen capture; it's essentially a comma separated list.
I then added another let to hold the process name (I didn't really need to do this, but it looked neater IMO). I used a where clause to look into myLinuxGrp to see which Computers matched, and which had the process name in the Syslog in the last day.
let myLinuxProcess = "sshd";
// Query the Syslog table described above for the last day
Syslog
| where TimeGenerated > ago(1d)
| where myLinuxGrp contains Computer and ProcessName == myLinuxProcess
So putting it all together we get:
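The assembled query below is an added example, reconstructed from the pieces above rather than copied from the original post. It assumes the standard Log Analytics Heartbeat and Syslog tables; the "F" prefix and "sshd" are placeholders taken from the post, and the one-day window on Heartbeat is an addition so the set only holds machines that have reported recently. It also uses the exact-match `in` operator instead of `contains`, because `contains` does a substring match on the text of the set, so a computer named "F01" would also match a set that only holds "F012".

```kusto
// Added example, not the original post's code: combine the Heartbeat OS-type
// filter with a Syslog process filter in a single query.
let myLinuxGrp = toscalar(
    Heartbeat
    | where TimeGenerated > ago(1d)                       // only recently reporting hosts (added)
    | where OSType == "Linux" and Computer startswith "F" // "F" is a placeholder prefix
    | summarize make_set(Computer));                      // make_set is the current name for makeset
let myLinuxProcess = "sshd";                              // placeholder process name from the post
Syslog
| where TimeGenerated > ago(1d)
// 'in' matches whole computer names against the set; the post's 'contains'
// would also match partial names such as "F01" against "F012".
| where Computer in (myLinuxGrp) and ProcessName == myLinuxProcess
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer
| order by Events desc
```

The final summarize is optional; drop it if you want the raw Syslog rows instead of a per-machine count.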