Azure Log Analytics: Linux Groups

Earlier today I needed to look for some specific Linux machines, and a process name in Syslog.

If you happen to have a naming convention that enables a startswith, endswith or even a contains, then it's reasonably easy to find this info, e.g.

image

However, I wanted to make sure it was a Linux server, and the Heartbeat type allows you to filter by OSType, e.g.

image

Combining the two is somewhat harder, and the method I went for was:

// First create a list of Linux machines whose names start with "F" (Fnnnnn)
// toscalar() turns the single-row, single-column result into a scalar value
let myLinuxGrp = toscalar(Heartbeat
| where OSType == "Linux" and Computer startswith "F"
| summarize makeset(Computer));

I used a #let command to store the computer names in a variable called myLinuxGrp; this holds a list of the Linux servers that start with “F”. I needed toscalar and makeset to make this work. You can see the output of myLinuxGrp in this screen capture; it's essentially a comma-separated list.

image

I then added another #let to hold the process name (I didn't really need to do this, but it looked neater IMO). I used a #where to look into myLinuxGrp to see which Computers matched and which had the process name in Syslog in the last day.

let myLinuxProcess = "sshd";
Syslog
| where TimeGenerated > ago(1d)
| where myLinuxGrp contains Computer and ProcessName == myLinuxProcess

So, putting it all together, we get:

image
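As an added example (not the author's query), here is the same Heartbeat plus Syslog combination written with a tabular let and the in operator instead of contains. contains does a case-insensitive substring match against the set serialised as a string, so a host named F12 would also match F123; in compares whole values. The variable names, the "F" prefix and the sshd process follow the post; the one-day window on Heartbeat and the closing summarize are my additions.

```kusto
// Added example, not code from the original post.
// Tabular let: a one-column list of exact computer names, limited to hosts
// that have actually reported a heartbeat in the last day (my assumption).
let myLinuxGrp = Heartbeat
    | where TimeGenerated > ago(1d)
    | where OSType == "Linux" and Computer startswith "F"
    | distinct Computer;
let myLinuxProcess = "sshd";
Syslog
| where TimeGenerated > ago(1d)
// `in` against a single-column tabular expression does an exact match,
// so "F12" no longer matches "F123" the way `contains` would.
| where Computer in (myLinuxGrp)
| where ProcessName == myLinuxProcess
// One row per host: how many events and when the process was last seen.
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, ProcessName
| order by Events desc
```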