Solved

Alerts on Server Reboot

Posted on 2013-06-05
17
1,461 Views
Last Modified: 2013-06-21
I do not have SCOM in my environment, so I am trying to figure out a way to send an alert if a server 2008 R2 does an unexpected reboot. Server 2K8R2 does an event ID 6008 when there is an unexpected shutdown, is there anything natively to windows or free tools that will alert to an email when this even event happens?
0
Comment
Question by:Geodash
  • 9
  • 8
17 Comments
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39223289
From Event Viewer create a Custom View. Your custom view would just be set to look for 6008 events. Then you can right click and say "attach a task to this custom view".
Whenever an event occurs, you set what action should take place...you can send an e-mail, start a script or batch file or .exe, or send an alert.

See here for reference: (scroll down to the custom views section)

http://answers.oreilly.com/topic/2893-how-to-monitor-and-respond-to-events-in-windows/
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39223443
Additionally, if you want to monitor shut down events across multiple machines, you can configure one machine to collect event logs from all the other machines. You can set it up as a "pull" where one machine retrieves the logs from designated systems or a "push" where you configure multiple machines to send their logs to one central server.

When you open up Event Viewer, that is what the "Subscriptions" item is used for:

See this link:
http://technet.microsoft.com/en-us/library/cc748890.aspx
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223584
Thank you. I have set this up for event ID 41 (unexpected reboot) and simulated a power failure for the server. It records the info in the event log like it should but doesn't send the alert email. The only thing the task asks for is smtp server name, are there advanced options for it somewhere? I cannot get the alert to send.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223609
If I right click on the task it created, it runs and sends the alert. However, when the event happens form the Event Log, it doesn't send the alert.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223707
The alert is working fine, it seems as if the trigger is failing. I have it set for "kernel power failure" with event id 41, which is showing up in the custom log I created, but it will not send the alert when it happens.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39223766
So you have it sending an e-mail? Could you test by having it run a program instead, just to make sure that piece is okay? For instance, you could have it run test.bat when that Event ID happens....test.bat could just echo some phrase out to a text file...like:  echo event was triggered > c:\mytest.log
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223838
I had it run a bat file and it didn't work. The event works fine, as if I right click on it and say run, the event creates the text file on the C drive. The trigger is not working. I tested it by power the machine off to simulate a power failure, it recorded the event ID 41 in the vent log, but it didn't trigger the task.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39224360
Not sure why at the moment why that doesn't trigger for you. I use that feature and just set it up on a test machine to double-check.....and it worked as expected. I'll have to get back to you.
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 15

Expert Comment

by:ZabagaR
ID: 39225419
Can you set up an alert for some mundane event viewer informational item that occurs on a regular basis, as a test? If you look at your system or application log, find an event like a logon or something common....then set up your alert for it. On windows task scheduler, make sure you view all of the different tabs and options in case you're accidentally setting (or not setting) something that's preventing it from working.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39225745
I will try another event. Here is my settings for the event and trigger, attached in the screenshot. You cant see the bottom of the Trigger settings, but it is enabled.
Capture.JPG
0
 
LVL 9

Author Comment

by:Geodash
ID: 39225867
So I used the exact same alerts but changed it to event ID 7036 and it is working and triggering correctly. When I change it back to event ID 41, nothing happens. This alert is for a power failure. I'm wondering if when the server comes back online, the event log isn't checking because it was just rebooted.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39226218
I see what you mean. I just set up a filter to find event 6008, which is an unexpected shutdown. I attached that to a task. I powered off the machine and back on.  The 6008 event was logged but the task never ran. Weird....I don't know why.

In searching for a reason why (and I didn't find one yet) I came across this method to send an e-mail when your server reboots:

http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

Although, that just e-mails you on a reboot...so it could be a planned friendly reboot. I'm still looking around...I'll post if I find more information.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39226234
Your test with the 6008 is exactly what I did, with same results. I cannot find any information on fixing this. I assume it is trying to email the event before the server is even back online yet, is why it is not going through.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39226415
The task itself doesn't even try to start. I had mine run a batch script.  In 'scheduled tasks' the last time ran field shows it never ran.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39226476
Same here
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39226534
If I use this link I posted above
http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

and add my own script to "find event 6008 that occurred in the last 1 hour"...it works.
My script below is 4 lines....the blogspot com line below plus logic I added.

so if you follow the blogspot suggestion but in their step 2, use my script which adds to theirs.

rebootalert.cmd
---------------------------

wevtutil qe System /q:"*[System[(EventID=6008)] and System[TimeCreated[timediff(@SystemTime) < 3600000]]]" /c:1 /f:text /rd:true | find "shutdown"

if %errorlevel% EQU 1 goto end

c:\Scripts\sendemail.exe -f localadmin@domain.com -t alerts@yourdomain.com;alerts2@yourdomain.com -u "SERVERNAME rebooted" -m "SERVERNAME has rebooted!" -s smtp.ispsmarthost.com

:end
0
 
LVL 15

Accepted Solution

by:
ZabagaR earned 500 total points
ID: 39226547
...and for that "sendmail.exe" there's a set or parameters for username, password, etc.....that link is http://caspian.dotconf.net/menu/Software/SendEmail/
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now