This week we are excited to release a long-requested feature in AzureWatch: support for active monitoring of Windows Event Logs.  We are starting things off with support for Application, System and Security logs in Windows Azure Cloud Services (Web or Worker Roles) and Windows Azure Virtual Machines.

Users can now create rule-based alerts that match against entries in a particular Event Log, a specific event log level, the name of the publishing application, or the text of the entry itself.  We've enhanced our Rules engine to support string comparison and search capabilities.  Even though the extra workload to accommodate monitoring of Event Logs is significant, this feature will be available at no additional charge to users who are already monitoring their servers with AzureWatch.

To enable Event Log monitoring, users need to specify which logs AzureWatch should monitor and at what level.  Take care not to overwhelm monitoring cycles by asking AzureWatch to inspect too much data per cycle.  The checkboxes and the Minimum severity level that users set on the Role configuration screen control how much data is sent to AzureWatch.  Hundreds of log entries per minute should be OK, but once the number of log events gets into thousands per minute, users with a lot of servers may notice slowdowns of their monitoring cycles.

Turn on Event Log monitoring

 

After instructing AzureWatch (and via AzureWatch, Windows Azure itself) as to what Event Log data needs to be transferred to Windows Azure Diagnostics Table Storage or captured through PowerShell Remoting, users can create custom alert or management rules based on the Event Log data.  We've enabled a number of Event Log specific variables that can be used in the formulas of rules, as shown in the screenshot below.  Every event log entry captured during a particular monitoring cycle is evaluated against the user-specified formula until the first matching log entry is found.  Users can combine aggregate metrics with Event Log based search criteria to create sophisticated rules.  For example, it is possible to create a monitoring rule that looks for .NET errors that occur only when average CPU utilization is over 70%.  To support text-search capabilities in our engine, we've added the ability to search text-based variables via three new functions: Contains, EndsWith and StartsWith, all of which return TRUE or FALSE when called from the rule's formula.
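The evaluation order described above, modeled in Python as an added example; this is not AzureWatch's code or its formula syntax. The entry fields, the severity ordering, the case-insensitive matching and the sample entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed severity ordering for the "minimum severity level" setting.
LEVELS = {"Information": 0, "Warning": 1, "Error": 2, "Critical": 3}

@dataclass
class Entry:  # hypothetical shape of one captured event log entry
    log: str
    level: str
    source: str
    message: str

# Models of the three text functions; case-insensitive matching is an assumption.
def contains(text, needle): return needle.lower() in text.lower()
def starts_with(text, prefix): return text.lower().startswith(prefix.lower())
def ends_with(text, suffix): return text.lower().endswith(suffix.lower())

def collect(entries, enabled_logs, min_level):
    """Keep only entries from enabled logs at or above the minimum severity."""
    floor = LEVELS[min_level]
    return [e for e in entries if e.log in enabled_logs and LEVELS[e.level] >= floor]

def evaluate(entries, avg_cpu, formula):
    """Test entries in order; stop at the first one that satisfies the formula."""
    for e in entries:
        if formula(e, avg_cpu):
            return e
    return None

def dotnet_error_under_load(e, avg_cpu):
    """The page's example rule: a .NET error while average CPU is over 70%."""
    return (avg_cpu > 70 and e.log == "Application" and e.level == "Error"
            and starts_with(e.source, ".NET") and contains(e.message, "exception"))

# Constructed sample entries for one monitoring cycle.
SAMPLE = [
    Entry("System", "Information", "Service Control Manager", "Service entered the running state."),
    Entry("Application", "Error", ".NET Runtime", "Unhandled exception in worker process"),
    Entry("Application", "Error", ".NET Runtime", "Unhandled exception in request handler"),
    Entry("Application", "Warning", "ASP.NET 4.0", "Request timed out."),
]

def run_cycle(avg_cpu, enabled_logs=("Application", "System"), min_level="Warning"):
    visible = collect(SAMPLE, set(enabled_logs), min_level)
    return evaluate(visible, avg_cpu, dotnet_error_under_load)

if __name__ == "__main__":
    print(run_cycle(85.0))  # first of the two matching entries
    print(run_cycle(40.0))  # None: the CPU condition is not met
```

Two entries match at 85% CPU, yet the rule reports only the first, so a first-match rule cannot tell one error from a burst of them within a cycle.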

 

Going forward, we intend to further enhance the engine by providing numeric counts of events that match particular criteria to the rules engine, so that users can create rules based not only on individual log entries but also on the quantity of specific events found.

 

Do you have any feedback as to what you'd like to see from AzureWatch?  Please do not hesitate to contact us!