SCOM custom event based rule to monitor Reboot, unexpected shutdowns and BSOD crashes

OK, the requirements are simple. We want to find out whenever a system is shut down or rebooted, both:

  1. Planned / user driven
  2. Unplanned (BSOD crashes / power cuts)

Pretty basic. It's amazing that this doesn't come with the Microsoft-provided management packs. So here goes.

Provided that the server came back up, there will be events recorded in Event Viewer.

We start by creating a custom rule, logged in as a user with the admin role. The rule type we want to create is “NT Event Log (Alert)”. Save it in an appropriate custom management pack.

Name it. Choose a category. The target is naturally Windows Computer. Keep it enabled or disabled. Press Next.

Choose the System event log, as this is where the events we are looking for are recorded.

Event ID 1074 is related to user-driven reboots / shutdowns. Event IDs 1001, 6008 and 41 are the ones related to unexpected shutdowns, and since in this demo I am focusing on them, therefore…

And finally here you specify what information you want to be provided in the alert.

I would change the priority to High, as you can appreciate that unexpected shutdowns / crashes are not usually a medium-priority issue, especially on a live server.

So this should look something like this, or it did after I was done with it. Make your own decision, will you :)?

Due to the nature of the alert you wouldn't want to receive alerts from it ever, but it would be better to test it with some low-priority machines.
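Before enabling the rule on a test machine, it helps to see which of these events that machine has already logged. The PowerShell script below is an added example, not part of the original post or of SCOM: it reads the local System log for the four event IDs above and labels each one using the post's planned / unexpected split. The `$Days` parameter and the output column names are assumptions made for the example.

```powershell
# Added example: list the System-log events the rule keys on.
# The ID-to-category mapping follows the post; $Days is a hypothetical parameter.
param(
    [int]$Days = 30
)

$category = @{
    1074 = 'Planned / user driven'
    1001 = 'Unexpected'
    6008 = 'Unexpected'
    41   = 'Unexpected'
}

# Same log and event IDs as the rule, limited to a recent time window.
$filter = @{
    LogName   = 'System'
    Id        = [int[]]$category.Keys
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Event IDs are only unique per source, so show the provider next to each ID.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Category'; Expression = { $category[[int]$_.Id] } },
        ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

An empty table on a machine that you know was rebooted means the rule's event criteria would not have fired there either, which is worth resolving before relying on the alert.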

The end.