services/DesktopVirtualization/hostPools/alerts.yaml

- name: Capacity 85 Percent (xHostPoolNamex) description: This alert is based on the Action Account and Runbook that populates the Log Analytics specificed with the AVD Metrics Deployment Solution for xHostPoolNamex. -->Last Number in the string is the Percentage Remaining for the Host Pool. Output is - HostPoolName|ResourceGroup|Type|MaxSessionLimit|NumberHosts|TotalUsers|DisconnectedUser|ActiveUsers|SessionsAvailable|HostPoolPercentageLoad' type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT30M evaluationFrequency: PT5M threshold: 1 resouceIdColumn: ResourceId dimensions: - name: HostPoolName operator: Include values: - '*' - name: UserSessionsTotal operator: Include values: - '*' - name: UserSessionsDisconnected operator: Include values: - '*' - name: UserSessionsActive operator: Include values: - '*' - name: UserSessionsAvailable operator: Include values: - '*' - name: HostPoolPercentLoad operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'AzureDiagnostics | where Category has "JobStreams" and StreamType_s == "Output" and RunbookName_s == "AvdHostPoolLogData" | sort by TimeGenerated | where TimeGenerated > now() - 5m | extend HostPoolName=tostring(split(ResultDescription, "|")[0]) | extend ResourceGroup=tostring(split(ResultDescription, "|")[1]) | extend Type=tostring(split(ResultDescription, "|")[2]) | extend MaxSessionLimit=toint(split(ResultDescription, "|")[3]) | extend NumberSessionHosts=toint(split(ResultDescription, "|")[4]) | extend UserSessionsTotal=toint(split(ResultDescription, "|")[5]) | extend UserSessionsDisconnected=toint(split(ResultDescription, "|")[6]) | extend UserSessionsActive=toint(split(ResultDescription, "|")[7]) | extend UserSessionsAvailable=toint(split(ResultDescription, "|")[8]) | extend HostPoolPercentLoad=toint(split(ResultDescription, "|")[9]) | extend HPResourceId=tostring(split(ResultDescription, "|")[13]) | extend ResourceId=tostring(HPResourceId) | where HostPoolPercentLoad >= 85 and HostPoolPercentLoad < 95 | where HostPoolName =~ "xHostPoolNamex"' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: a8e65618-c367-42bc-916a-b192ddf4c6ca - name: Capacity 95 Percent (xHostPoolNamex) description: This alert is based on the Action Account and Runbook that populates the Log Analytics specificed with the AVD Metrics Deployment Solution for xHostPoolNamex. -->Last Number in the string is the Percentage Remaining for the Host Pool. Output is - HostPoolName|ResourceGroup|Type|MaxSessionLimit|NumberHosts|TotalUsers|DisconnectedUser|ActiveUsers|SessionsAvailable|HostPoolPercentageLoad' type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT30M evaluationFrequency: PT5M threshold: 1 resouceIdColumn: ResourceId dimensions: - name: HostPoolName operator: Include values: - '*' - name: UserSessionsTotal operator: Include values: - '*' - name: UserSessionsDisconnected operator: Include values: - '*' - name: UserSessionsActive operator: Include values: - '*' - name: UserSessionsAvailable operator: Include values: - '*' - name: HostPoolPercentLoad operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'AzureDiagnostics | where Category has "JobStreams" and StreamType_s == "Output" and RunbookName_s == "AvdHostPoolLogData" | sort by TimeGenerated | where TimeGenerated > now() - 5m | extend HostPoolName=tostring(split(ResultDescription, "|")[0]) | extend ResourceGroup=tostring(split(ResultDescription, "|")[1]) | extend Type=tostring(split(ResultDescription, "|")[2]) | extend MaxSessionLimit=toint(split(ResultDescription, "|")[3]) | extend NumberSessionHosts=toint(split(ResultDescription, "|")[4]) | extend UserSessionsTotal=toint(split(ResultDescription, "|")[5]) | extend UserSessionsDisconnected=toint(split(ResultDescription, "|")[6]) | extend UserSessionsActive=toint(split(ResultDescription, "|")[7]) | extend UserSessionsAvailable=toint(split(ResultDescription, "|")[8]) | extend HostPoolPercentLoad=toint(split(ResultDescription, "|")[9]) | extend HPResourceId=tostring(split(ResultDescription, "|")[13]) | extend ResourceId=tostring(HPResourceId) | where HostPoolPercentLoad >= 95 | where HostPoolName =~ "xHostPoolNamex"' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: eefabb12-9ce7-4784-911a-c7000424388e - name: No Resources Available (xHostPoolNamex) description: Catastrophic Event! Indicates potential problems with dependencies, diagnose and resolve for xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT15M evaluationFrequency: PT15M threshold: 1 resouceIdColumn: _ResourceId dimensions: - name: UserName operator: Include values: - '*' - name: SessionHostName operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'WVDConnections | where TimeGenerated > ago (15m) | where _ResourceId contains "xHostPoolNamex" | project-away TenantId,SourceSystem | summarize arg_max(TimeGenerated, *), StartTime = min(iff(State== "Started", TimeGenerated , datetime(null) )), ConnectTime = min(iff(State== "Connected", TimeGenerated , datetime(null) )) by CorrelationId | join kind=leftouter (WVDErrors |summarize Errors=makelist(pack("Code", Code, "CodeSymbolic", CodeSymbolic, "Time", TimeGenerated, "Message", Message ,"ServiceError", ServiceError, "Source", Source)) by CorrelationId ) on CorrelationId | join kind=leftouter (WVDCheckpoints | summarize Checkpoints=makelist(pack("Time", TimeGenerated, "Name", Name, "Parameters", Parameters, "Source", Source)) by CorrelationId | mv-apply Checkpoints on ( order by todatetime(Checkpoints["Time"]) asc | summarize Checkpoints=makelist(Checkpoints)) ) on CorrelationId | project-away CorrelationId1, CorrelationId2 | order by TimeGenerated desc | where Errors[0].CodeSymbolic == "ConnectionFailedNoHealthyRdshAvailable"' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 691468ac-c0a5-45cf-81d1-41032c7c766a - name: User Disconnected over 24h (xHostPoolNamex) description: Verify Remote Desktop Policies are applied relating to Session Limits for xHostPoolNamex. This could impact your scaling plan as well. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT1H evaluationFrequency: PT1H threshold: 1 resouceIdColumn: _ResourceId dimensions: - name: UserName operator: Include values: - '*' - name: SessionHostName operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'WVDConnections | where TimeGenerated > ago(24h) | where State == "Connected" | where _ResourceId contains "xHostPoolNamex" | project CorrelationId , UserName, ConnectionType, StartTime=TimeGenerated, SessionHostName | join (WVDConnections | where State == "Completed" | project EndTime=TimeGenerated, CorrelationId) on CorrelationId | project Duration = EndTime - StartTime, ConnectionType, UserName, SessionHostName | where Duration >= timespan(24:00:00) | sort by Duration desc' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: b31d7620-f79b-4a44-b4f6-e96563040ea4 - name: User Disconnected over 72h (xHostPoolNamex) description: Verify Remote Desktop Policies are applied relating to Session Limits for xHostPoolNamex. This could impact your scaling plan as well. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT1H evaluationFrequency: PT1H threshold: 1 resouceIdColumn: _ResourceId dimensions: - name: UserName operator: Include values: - '*' - name: SessionHostName operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'WVDConnections | where TimeGenerated > ago(24h) | where State == "Connected" | where _ResourceId contains "xHostPoolNamex" | project CorrelationId , UserName, ConnectionType, StartTime=TimeGenerated, SessionHostName | join(WVDConnections | where State == "Completed" | project EndTime=TimeGenerated, CorrelationId) on CorrelationId | project Duration = EndTime - StartTime, ConnectionType, UserName, SessionHostName | where Duration >= timespan(72:00:00) | sort by Duration desc' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: c2c03bd2-0b7c-43cb-9e83-9da78cc4eb6e - name: Local Disk Space less than 10% (xHostPoolNamex) description: Disk space Moderately Low. \nConsider review of the VM local C drive and determine what is consuming disk space for the VM in xHostPoolNamex. This could be local profiles or temp files that need to be cleaned up or removed. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT15M evaluationFrequency: PT15M threshold: 1 resouceIdColumn: _ResourceId dimensions: - name: ComputerName operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Perf | where TimeGenerated > ago(15m) | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" | where InstanceName !contains "D:" | where InstanceName !contains "_Total" | where CounterValue <= 10.00 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | summarize arg_max(TimeGenerated, *) by ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, CounterValue, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where TimeGenerated > ago(15m) | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool, _ResourceId ) on ComputerName | where ComputerName1 contains ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 1749f4f8-e4cd-4bc8-b2f8-7aa9b98095da - name: Local Disk Space less than 5% (xHostPoolNamex) description: Disk space Moderately Low. \nConsider review of the VM local C drive and determine what is consuming disk space for the VM in xHostPoolNamex. This could be local profiles or temp files that need to be cleaned up or removed. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT15M evaluationFrequency: PT15M threshold: 1 resouceIdColumn: _ResourceId dimensions: - name: ComputerName operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Perf | where TimeGenerated > ago(15m) | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" | where InstanceName !contains "D:" | where InstanceName !contains "_Total" | where CounterValue <= 5.00 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | summarize arg_max(TimeGenerated, *) by ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, CounterValue, subscription, ResourceGroup, TimeGenerated | join kind = leftouter ( WVDAgentHealthStatus | where TimeGenerated > ago(15m) | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool, _ResourceId ) on ComputerName | where ComputerName1 contains ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 2f25b89a-6c5b-4a74-9584-31fe13802d3c - name: FSLogix Profile less than 5% (xHostPoolNamex) description: User Profiles Service logged Event ID 33. Expand User's Virtual Profile Disk and/or clean up user profile data on the VM in xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT5M evaluationFrequency: PT5M threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Admin" | where EventLevelName == "Warning" | where EventID == 34 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 560c969e-13bd-43bf-8b07-5798f6c4a31c - name: FSLogix Profile less than 2% (xHostPoolNamex) description: User Profiles Service logged Event ID 34. Expand User's Virtual Profile Disk and/or clean up user profile data on the VM in xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT5M evaluationFrequency: PT5M threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Admin" | where EventLevelName == "Error" | where EventID == 33 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 44d508c2-ae0c-487b-bf5f-65422a59cd63 - name: FSLogix Network Issue (xHostPoolNamex) description: User Profiles Service logged Event ID 43. Verify network communications between the storage and AVD VM related to xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: P1D evaluationFrequency: PT5M threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Admin" | where EventLevelName == "Error" | where EventID == 43 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: d11e2210-d818-43c6-9380-b0f6cd02ed6e - name: FSLogix Profile Disk Failed to Attach (xHostPoolNamex) description: User Profiles Service logged an Event ID 52 or 40. Investigate error details for reason regarding xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: P1D evaluationFrequency: PT5M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Admin" | where EventLevelName == "Error" | where EventID == 42 or EventID == 40 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 222d5a84-2439-4f76-90a2-a44161eafbb0 - name: FSLogix Service Disabled (xHostPoolNamex) description: User Profile Service Disabled. Determine why service was disabled and re-enable / start the FSLogix service. Regarding xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: P1D evaluationFrequency: PT5M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Admin" | where EventLevelName == "Warning" | where EventID == 60 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: e03e4072-a5d4-46e8-b5fe-dc586ca56a86 - name: FSLogix Disk Compact Failure (xHostPoolNamex) description: User Profile Service logged Event ID 62 or 63. The profile Disk was marked for compaction due to additional white space but failed. See error details for additional information regarding xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: P1D evaluationFrequency: PT5M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Admin" | where EventLevelName == "Error" | where EventID == 62 or EventID == 63 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 1b3f0c37-61b9-4024-8e4b-17b2279d3306 - name: FSLogix Disk Already In Use (xHostPoolNamex) description: User Profile Service logged an Event ID 51. This indicates that a user attempted to load their profile disk but it was in use or possibly mapped to another VM. Ensure the user is not connected to another host pool or remote app with the same profile. Regarding xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: P1D evaluationFrequency: PT5M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: ComputerName operator: Include values: - '*' - name: RenderedDescription operator: Include values: - '*' - name: VMresourceGroup operator: Include values: - '*' - name: HostPool operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'Event | where EventLog == "Microsoft-FSLogix-Apps/Operational" | where EventLevelName == "Warning" | where EventID == 51 | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" ResourceGroup "/providers/microsoft.compute/virtualmachines/" ComputerName | extend ComputerName=tolower(ComputerName) | project ComputerName, RenderedDescription, subscription, ResourceGroup, TimeGenerated | join kind = leftouter (WVDAgentHealthStatus | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscriptionAgentHealth "/resourcegroups/" ResourceGroupAgentHealth "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" VMsubscription "/resourceGroups/" VMresourceGroup "/providers/Microsoft.Compute/virtualMachines/" ComputerName | extend ComputerName=tolower(ComputerName) | summarize arg_max(TimeGenerated,*) by ComputerName | project VMresourceGroup, ComputerName, HostPool ) on ComputerName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: edbbb4d2-00e5-4592-a489-08c2afe37506 - name: Session Host Healthcheck Failure (xHostPoolNamex) description: VM is available for use but one of the dependent resources is in a failed state for hostpool xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 2 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT15M evaluationFrequency: PT15M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: SessionHostName operator: Include values: - '*' - name: HealthCheckDesc operator: Include values: - '*' - name: HostPool operator: Include values: - '*' - name: SessionHostRG operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'let MapToDesc = (idx: long) { case(idx == 0, "DomainJoin", idx == 1, "DomainTrust", idx == 2, "FSLogix", idx == 3, "SxSStack", idx == 4, "URLCheck", idx == 5, "GenevaAgent", idx == 6, "DomainReachable", idx == 7, "WebRTCRedirector", idx == 8, "SxSStackEncryption", idx == 9, "IMDSReachable", idx == 10, "MSIXPackageStaging", "InvalidIndex")}; WVDAgentHealthStatus | where TimeGenerated > ago(10m) | where Status != "Available" | where AllowNewSessions = True | extend CheckFailed = parse_json(SessionHostHealthCheckResult) | mv-expand CheckFailed | where CheckFailed.AdditionalFailureDetails.ErrorCode != 0 | extend HealthCheckName = tolong(CheckFailed.HealthCheckName) | extend HealthCheckResult = tolong(CheckFailed.HealthCheckResult) | extend HealthCheckDesc = MapToDesc(HealthCheckName) | where HealthCheckDesc != "InvalidIndex" | where _ResourceId contains "xHostPoolNamex" | parse _ResourceId with "/subscriptions/" subscription "/resourcegroups/" HostPoolResourceGroup "/providers/microsoft.desktopvirtualization/hostpools/" HostPool | parse SessionHostResourceId with "/subscriptions/" HostSubscription "/resourceGroups/" SessionHostRG " /providers/Microsoft.Compute/virtualMachines/" SessionHostName' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: c87ad0cd-e867-4d18-b61c-ec2a092ef459 - name: Personal Desktop Assigned Healthcheck Failure (xHostPoolNamex) description: VM is assigned to a user but one of the dependent resources is in a failed state for hostpool xHostPoolNamex. This alert relies on the runbook AvdHostPoolLogData. type: Log verified: false visible: true tags: - avd properties: severity: 1 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT5M evaluationFrequency: PT5M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: SessionHostName operator: Include values: - '*' - name: HealthCheckDesc operator: Include values: - '*' - name: HostPool operator: Include values: - '*' - name: SessionHostRG operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'AzureDiagnostics | where Category has "JobStreams" and StreamType_s == "Output" and RunbookName_s == "AvdHostPoolLogData" | sort by TimeGenerated | where TimeGenerated > ago(15m) | extend HostPoolName=tostring(split(ResultDescription, "|")[0]) | extend ResourceGroup=tostring(split(ResultDescription, "|")[1]) | extend Type=tostring(split(ResultDescription, "|")[2]) | extend NumberSessionHosts=toint(split(ResultDescription, "|")[4]) | extend UserSessionsActive=toint(split(ResultDescription, "|")[7]) | extend NumPersonalUnhealthy=toint(split(ResultDescription, "|")[10]) | extend PersonalSessionHost=extract_json("$.SessionHost", tostring(split(ResultDescription, "|")[11]), typeof(string)) | extend PersonalAssignedUser=extract_json("$.AssignedUser", tostring(split(ResultDescription, "|")[11]), typeof(string)) | where HostPoolName =~ "xHostPoolNamex" | where Type == "Personal" | where NumPersonalUnhealthy > 0 ' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 55c5591a-60bb-48a0-bdd5-4c35f6293278 - name: User Connection to Session Host Failure (xHostPoolNamex) description: While trying to connect to xHostPoolNamex a user had an error and failed to connect to a VM. There are lots of variables between the end uers and AVD VMs. If this is frequent for the user, determine if their Internet connection is slow or latency is over 150 ms. Regarding xHostPoolNamex. type: Log verified: false visible: true tags: - avd properties: severity: 3 operator: GreaterThanOrEqual timeAggregation: Count windowSize: PT5M evaluationFrequency: PT5M resourceIdColumn: _ResourceId threshold: 1 dimensions: - name: HostPool operator: Include values: - '*' - name: ResourceGroup operator: Include values: - '*' - name: UserName operator: Include values: - '*' - name: ClientOS operator: Include values: - '*' - name: ClientVersion operator: Include values: - '*' - name: ClientSideIPAddress operator: Include values: - '*' - name: ConnectionType operator: Include values: - '*' - name: ErrorShort operator: Include values: - '*' - name: ErrorMessage operator: Include values: - '*' failingPeriods: numberOfEvaluationPeriods: 1 minFailingPeriodsToAlert: 1 query: 'WVDConnections // | where UserName == "upn.here@contoso.com" | project-away TenantId,SourceSystem | summarize arg_max(TimeGenerated, *), StartTime = min(iff(State=="Started", TimeGenerated , datetime(null) )), ConnectTime = min(iff(State=="Connected", TimeGenerated , datetime(null) )) by CorrelationId | join kind=leftouter (WVDErrors |summarize Errors=make_list(pack("Code", Code, "CodeSymbolic", CodeSymbolic, "Time", TimeGenerated, "Message", Message ,"ServiceError", ServiceError, "Source", Source)) by CorrelationId ) on CorrelationId | join kind=leftouter (WVDCheckpoints | summarize Checkpoints=make_list(pack("Time", TimeGenerated, "Name", Name, "Parameters", Parameters, "Source", Source)) by CorrelationId | mv-apply Checkpoints on ( order by todatetime(Checkpoints["Time"]) asc | summarize Checkpoints=make_list(Checkpoints)) ) on CorrelationId | project-away CorrelationId1, CorrelationId2 | order by TimeGenerated desc | where TimeGenerated > ago(15m) | extend ResourceGroup=tostring(split(_ResourceId, "/")[4]) | extend HostPool=tostring(split(_ResourceId, "/")[8]) | where HostPool =~ "xHostPoolNamex" | extend ErrorShort=tostring(Errors[0].CodeSymbolic) | extend ErrorMessage=tostring(Errors[0].Message) | project TimeGenerated, HostPool, ResourceGroup, UserName, ClientOS, ClientVersion, ClientSideIPAddress, ConnectionType, ErrorShort, ErrorMessage' autoMitigate: true autoResolve: true autoResolveTime: 0:30:00 references: null deployments: - name: AVD-HostPool template: Deploy-AVD-HostPool-Alert.json type: Policy tags: - alz properties: scope: Subscription multiResource: false enabled: true guid: 1f0258f8-bc06-4593-9d77-eba879f5b62d

services/DesktopVirtualization/hostPools/alerts.yaml (1,218 lines of code) (raw):