Ok, the requirements are simple. We want to find out whenever a system is shut down or rebooted, both
- Planned / User driven
- and unplanned (BSOD crashes / power cuts)
Pretty basic. It is surprising that Microsoft doesn't ship a management pack for this, so here goes.
Provided the server came back up, the relevant events will have been recorded in the System event log on the next boot.
Logged in as a user with the Administrator (or at least Author) role, we start by creating a custom rule. The rule type we want is "NT Event Log (Alert)". Save it in an appropriate custom management pack rather than the Default Management Pack.
Name it, choose a category, and set the target; the natural target is Windows Computer. Leave the rule enabled, or disable it if you want to switch it on later with an override. Press Next.
Choose the System event log, since that is where the events we are looking for are recorded.
Event ID 1074 (source User32) is logged for user-driven reboots and shutdowns. Event IDs 6008 (source EventLog), 41 (source Microsoft-Windows-Kernel-Power) and 1001 (the bugcheck record written after a BSOD, source BugCheck or Microsoft-Windows-WER-SystemErrorReporting depending on the Windows build) cover unexpected shutdowns. Because 1001 is also used by other providers, it is worth matching on the event source as well as the ID. Since in this demo I am focusing on the unexpected ones, therefore…
And finally, here you specify what information the alert should carry (the event's own text can be pulled in with $Data/EventDescription$).
I would change the priority to High; an unexpected shutdown or crash is rarely a medium-priority issue, especially on a live server.
The finished rule should look something like this, or did once I was done with it. Make your own decisions on the details :)
Given the nature of the alert you would hope never to receive it, so it is better to test the rule on a few low-priority machines first.
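Before trusting the rule, it helps to confirm the events actually exist on a test box. The following PowerShell is an added example and not part of the original post: it queries the System log for the same event IDs the rule matches and labels each hit as planned or unexpected, filtering 1001 by source so that other providers' 1001 events are ignored. The provider names and the computer name TESTSRV01 are assumptions; check them against Event Viewer on your own build.

```powershell
# Added example, not code from the original post. Queries the System log for
# the event IDs the SCOM rule matches and labels each hit. Provider names are
# assumptions based on what Windows logs; verify them on your own build.

$BugcheckProviders = @('BugCheck', 'Microsoft-Windows-WER-SystemErrorReporting')

function Get-ShutdownEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )

    $filter = @{
        LogName   = 'System'
        Id        = 1074, 6008, 41, 1001
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Inside 'switch' $_ is rebound to the tested value, so keep the event.
            $evt  = $_
            $kind = switch ($evt.Id) {
                1074 { 'Planned (User32)' }
                6008 { 'Unexpected (dirty shutdown)' }
                41   { 'Unexpected (Kernel-Power)' }
                1001 {
                    # 1001 is shared by several providers; only the bugcheck
                    # reporters mean the machine actually crashed.
                    if ($evt.ProviderName -in $BugcheckProviders) { 'Unexpected (bugcheck)' } else { $null }
                }
            }
            if ($kind) {
                [pscustomobject]@{
                    Time     = $evt.TimeCreated
                    Id       = $evt.Id
                    Provider = $evt.ProviderName
                    Kind     = $kind
                    Message  = ($evt.Message -split "`r?`n")[0]
                }
            }
        }
}

# Usage: check a low-priority test box (hypothetical name), newest first.
Get-ShutdownEvent -ComputerName 'TESTSRV01' -Days 7 |
    Sort-Object Time -Descending | Format-Table -AutoSize

# To produce a planned-shutdown event (1074) on the test box, run on it:
#   shutdown.exe /r /t 30 /d p:4:1 /c "SCOM shutdown rule test"
# A hard power-off of a test VM produces 6008 and 41 on the next boot.
```

Remote queries need RPC access to the target's event log, so run this from an account with rights on the test machine. Once the planned reboot shows up as 1074 and a forced power-off of a test VM shows up as 6008 and 41, you can be confident the rule's event filter is matching the right records.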