Alerts on Server Reboot

I do not have SCOM in my environment, so I am trying to figure out a way to send an alert if a Server 2008 R2 does an unexpected reboot. Server 2K8R2 does an event ID 6008 when there is an unexpected shutdown. Is there anything native to Windows, or any free tools, that will alert to an email when this event happens?
Geodash

ZabagaR commented:
From Event Viewer create a Custom View. Your custom view would just be set to look for 6008 events. Then you can right click and say "attach a task to this custom view".
Whenever an event occurs, you set what action should take place...you can send an e-mail, start a script or batch file or .exe, or send an alert.

See here for reference: (scroll down to the custom views section)

http://answers.oreilly.com/topic/2893-how-to-monitor-and-respond-to-events-in-windows/

ZabagaR commented:
Additionally, if you want to monitor shut down events across multiple machines, you can configure one machine to collect event logs from all the other machines. You can set it up as a "pull" where one machine retrieves the logs from designated systems or a "push" where you configure multiple machines to send their logs to one central server.

When you open up Event Viewer, that is what the "Subscriptions" item is used for:

See this link:
http://technet.microsoft.com/en-us/library/cc748890.aspx

Geodash (Author) commented:
Thank you. I have set this up for event ID 41 (unexpected reboot) and simulated a power failure for the server. It records the info in the event log like it should but doesn't send the alert email. The only thing the task asks for is the SMTP server name; are there advanced options for it somewhere? I cannot get the alert to send.

Geodash (Author) commented:
If I right click on the task it created, it runs and sends the alert. However, when the event happens from the Event Log, it doesn't send the alert.

Geodash (Author) commented:
The alert is working fine; it seems as if the trigger is failing. I have it set for "kernel power failure" with event ID 41, which is showing up in the custom log I created, but it will not send the alert when it happens.

ZabagaR commented:
So you have it sending an e-mail? Could you test by having it run a program instead, just to make sure that piece is okay? For instance, you could have it run test.bat when that Event ID happens....test.bat could just echo some phrase out to a text file...like:  echo event was triggered > c:\mytest.log

Geodash (Author) commented:
I had it run a bat file and it didn't work. The event works fine, as if I right click on it and say run, the event creates the text file on the C drive. The trigger is not working. I tested it by powering the machine off to simulate a power failure. It recorded the event ID 41 in the event log, but it didn't trigger the task.

ZabagaR commented:
Not sure at the moment why that doesn't trigger for you. I use that feature and just set it up on a test machine to double-check.....and it worked as expected. I'll have to get back to you.

ZabagaR commented:
Can you set up an alert for some mundane event viewer informational item that occurs on a regular basis, as a test? If you look at your system or application log, find an event like a logon or something common....then set up your alert for it. On Windows Task Scheduler, make sure you view all of the different tabs and options in case you're accidentally setting (or not setting) something that's preventing it from working.

Geodash (Author) commented:
I will try another event. Here are my settings for the event and trigger, attached in the screenshot. You can't see the bottom of the Trigger settings, but it is enabled.
Capture.JPG

Geodash (Author) commented:
So I used the exact same alerts but changed it to event ID 7036 and it is working and triggering correctly. When I change it back to event ID 41, nothing happens. This alert is for a power failure. I'm wondering if when the server comes back online, the event log isn't checking because it was just rebooted.

ZabagaR commented:
I see what you mean. I just set up a filter to find event 6008, which is an unexpected shutdown. I attached that to a task. I powered off the machine and back on.  The 6008 event was logged but the task never ran. Weird....I don't know why.

In searching for a reason why (and I didn't find one yet) I came across this method to send an e-mail when your server reboots:

http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

Although, that just e-mails you on a reboot...so it could be a planned friendly reboot. I'm still looking around...I'll post if I find more information.

Geodash (Author) commented:
Your test with the 6008 is exactly what I did, with the same results. I cannot find any information on fixing this. I assume it is trying to email the event before the server is even back online, which is why it is not going through.

ZabagaR commented:
The task itself doesn't even try to start. I had mine run a batch script.  In 'scheduled tasks' the last time ran field shows it never ran.

Geodash (Author) commented:
Same here

ZabagaR commented:
If I use this link I posted above
http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

and add my own script to "find event 6008 that occurred in the last 1 hour"...it works.
My script below is 4 lines....the blogspot.com line below plus logic I added.

So follow the blogspot suggestion, but in their step 2 use my script, which adds to theirs.

rebootalert.cmd
---------------------------

rem Look for an unexpected-shutdown event (ID 6008) logged within the last hour (3600000 ms).
wevtutil qe System /q:"*[System[(EventID=6008)] and System[TimeCreated[timediff(@SystemTime) < 3600000]]]" /c:1 /f:text /rd:true | find "shutdown"

rem find sets errorlevel 1 when nothing matched, so no e-mail is sent in that case.
if %errorlevel% EQU 1 goto end

c:\Scripts\sendemail.exe -f localadmin@domain.com -t alerts@yourdomain.com;alerts2@yourdomain.com -u "SERVERNAME rebooted" -m "SERVERNAME has rebooted!" -s smtp.ispsmarthost.com

:end

ZabagaR commented:
...and for that "sendemail.exe" there's a set of parameters for username, password, etc.....that link is http://caspian.dotconf.net/menu/Software/SendEmail/
Question has a verified solution.
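
The same workaround as rebootalert.cmd, written as a PowerShell example added here (it is not code from the thread or from the linked blog): run it at startup, look back one hour for event ID 6008 or 41, and mail the matching entries. The SMTP host, the addresses and the retry settings are placeholder assumptions, and the provider names checked are the ones Windows uses for these two events.

```powershell
# Added example; run it from a task triggered "At startup", not "On an event".
# Assumed placeholders: SMTP host, addresses, retry count and delay.
$SmtpServer = 'smtp.example.com'
$From       = 'reboot-alert@example.com'
$To         = 'alerts@example.com'
$WindowMs   = 3600000    # one hour, the same window as rebootalert.cmd
$MaxTries   = 5
$RetrySecs  = 30

# Event ID -> provider expected to have logged it (IDs alone are not unique).
$Wanted = @{ 41 = 'Microsoft-Windows-Kernel-Power'; 6008 = 'EventLog' }

$xpath = "*[System[(EventID=41 or EventID=6008) and " +
         "TimeCreated[timediff(@SystemTime) <= $WindowMs]]]"

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $Wanted[[int]$_.Id] -eq $_.ProviderName })

if ($events.Count -eq 0) { exit 0 }    # no unexpected shutdown: stay silent

# One summary line per event: time, ID, provider, first line of the message.
$lines = $events | Sort-Object TimeCreated | ForEach-Object {
    $first = ([string]$_.Message -split '\r?\n')[0]
    '{0:u}  ID {1}  {2}  {3}' -f $_.TimeCreated, $_.Id, $_.ProviderName, $first
}

$mail = @{
    SmtpServer = $SmtpServer; From = $From; To = $To
    Subject    = '{0}: unexpected shutdown detected' -f $env:COMPUTERNAME
    Body       = $lines -join "`r`n"
}

# Network and SMTP may not be reachable yet right after boot, so retry.
for ($try = 1; $try -le $MaxTries; $try++) {
    try   { Send-MailMessage @mail -ErrorAction Stop; break }
    catch { if ($try -eq $MaxTries) { throw }; Start-Sleep -Seconds $RetrySecs }
}
```

Because the task fires on every boot and the script decides whether to alert, it does not depend on an event-triggered task catching events written while the machine is still starting, which is the case that failed in this thread.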
