If you are using Azure Arc-enabled servers, you may have run into cases where an extension failed to install correctly. Every extension install or update is recorded in the Azure Activity log as a MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE operation, so the failures can be found with a KQL query in Microsoft Sentinel or Log Analytics, provided the Activity log is being sent to the workspace (through the Azure Activity data connector or a diagnostic setting). The following query lists every server with a failed extension installation, together with who triggered the operation and from which IP address:
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = parse_json(Properties)
// Properties.resource is "<machine name>/<extension name>" for extension operations;
// split() returns a dynamic array, so cast to string before toupper()
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
// Caller, ResourceGroup, SubscriptionId, CallerIpAddress and ActivityStatusValue are top-level AzureActivity columns
| project TimeGenerated, Server, User = Caller, ["Resource Group"] = ResourceGroup, ["Extension Name"], ["Subscription ID"] = SubscriptionId, ["IP Address"] = CallerIpAddress, ["Activity Status"] = ActivityStatusValue
| sort by TimeGenerated desc
The next query summarizes the failures per server: how many distinct extensions failed on each machine and which ones. This quickly shows whether a server has one problematic extension or several failing at once.
AzureActivity
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE" and ActivityStatusValue == "Failure"
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ["Extension Name"] = tostring(split(Properties.resource, "/")[1])
| summarize
    ["Extensions Count"] = dcount(["Extension Name"]),
    ["List of Extensions"] = make_set(["Extension Name"])
    by Server
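Both queries above return every failure in the retention window, including ones that were later retried successfully. The following query is an added example (not part of the original post) that keeps only server/extension pairs whose most recent terminal attempt is still a failure, and counts how many times each has failed. It assumes the same "<machine>/<extension>" layout of Properties.resource used above, that ActivityStatusValue uses "Success" alongside the "Failure" value the post relies on, and a seven-day lookback, which is an arbitrary choice.

```kql
// Added example: extensions whose latest write attempt still ended in Failure.
// Assumes Properties.resource = "<machine name>/<extension name>" (as in the queries above)
// and that terminal statuses are "Success" and "Failure".
let lookback = 7d;   // assumption: one week is enough to cover normal retries
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue == "MICROSOFT.HYBRIDCOMPUTE/MACHINES/EXTENSIONS/WRITE"
// ignore interim records (e.g. Start) so only terminal outcomes are compared
| where ActivityStatusValue in ("Success", "Failure")
| extend Properties = parse_json(Properties)
| extend Server = toupper(tostring(split(Properties.resource, "/")[0]))
| extend ExtensionName = tostring(split(Properties.resource, "/")[1])
// arg_max keeps the newest terminal record per server/extension pair;
// countif tallies outcomes within the window for context
| summarize
    arg_max(TimeGenerated, ActivityStatusValue, Caller, CallerIpAddress, ResourceGroup, SubscriptionId),
    FailedAttempts = countif(ActivityStatusValue == "Failure"),
    SuccessfulAttempts = countif(ActivityStatusValue == "Success")
    by Server, ExtensionName
// only pairs whose most recent outcome is still a failure
| where ActivityStatusValue == "Failure"
| project LastAttempt = TimeGenerated, Server, ExtensionName, FailedAttempts, SuccessfulAttempts,
          User = Caller, ["IP Address"] = CallerIpAddress, ["Resource Group"] = ResourceGroup, ["Subscription ID"] = SubscriptionId
| sort by LastAttempt desc
```

A pair with several FailedAttempts and zero SuccessfulAttempts in the window is a persistent problem worth investigating on the machine itself (agent connectivity, extension prerequisites), whereas a pair that later succeeds drops out of this list automatically.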