Solved

Alerts on Server Reboot

Posted on 2013-06-05
Last Modified: 2013-06-21
I do not have SCOM in my environment, so I am trying to figure out a way to send an alert if a Server 2008 R2 machine does an unexpected reboot. Server 2K8R2 logs event ID 6008 when there is an unexpected shutdown. Is there anything native to Windows, or any free tool, that will send an alert email when this event happens?
Question by:Geodash

Expert Comment

by:ZabagaR
ID: 39223289
From Event Viewer create a Custom View. Your custom view would just be set to look for 6008 events. Then you can right click and say "attach a task to this custom view".
Whenever an event occurs, you set what action should take place...you can send an e-mail, start a script or batch file or .exe, or send an alert.

See here for reference: (scroll down to the custom views section)

http://answers.oreilly.com/topic/2893-how-to-monitor-and-respond-to-events-in-windows/

Expert Comment

by:ZabagaR
ID: 39223443
Additionally, if you want to monitor shut down events across multiple machines, you can configure one machine to collect event logs from all the other machines. You can set it up as a "pull" where one machine retrieves the logs from designated systems or a "push" where you configure multiple machines to send their logs to one central server.

When you open up Event Viewer, that is what the "Subscriptions" item is used for:

See this link:
http://technet.microsoft.com/en-us/library/cc748890.aspx

Author Comment

by:Geodash
ID: 39223584
Thank you. I have set this up for event ID 41 (unexpected reboot) and simulated a power failure for the server. It records the info in the event log like it should but doesn't send the alert email. The only thing the task asks for is the SMTP server name; are there advanced options for it somewhere? I cannot get the alert to send.

Author Comment

by:Geodash
ID: 39223609
If I right click on the task it created, it runs and sends the alert. However, when the event happens from the Event Log, it doesn't send the alert.

Author Comment

by:Geodash
ID: 39223707
The alert is working fine, it seems as if the trigger is failing. I have it set for "kernel power failure" with event id 41, which is showing up in the custom log I created, but it will not send the alert when it happens.

Expert Comment

by:ZabagaR
ID: 39223766
So you have it sending an e-mail? Could you test by having it run a program instead, just to make sure that piece is okay? For instance, you could have it run test.bat when that Event ID happens....test.bat could just echo some phrase out to a text file...like:  echo event was triggered > c:\mytest.log

Author Comment

by:Geodash
ID: 39223838
I had it run a bat file and it didn't work. The event works fine, as if I right click on it and say run, the event creates the text file on the C drive. The trigger is not working. I tested it by powering the machine off to simulate a power failure; it recorded the event ID 41 in the event log, but it didn't trigger the task.

Expert Comment

by:ZabagaR
ID: 39224360
Not sure at the moment why that doesn't trigger for you. I use that feature and just set it up on a test machine to double-check.....and it worked as expected. I'll have to get back to you.

Expert Comment

by:ZabagaR
ID: 39225419
Can you set up an alert for some mundane Event Viewer informational item that occurs on a regular basis, as a test? If you look at your system or application log, find an event like a logon or something common....then set up your alert for it. In Windows Task Scheduler, make sure you view all of the different tabs and options in case you're accidentally setting (or not setting) something that's preventing it from working.

Author Comment

by:Geodash
ID: 39225745
I will try another event. Here are my settings for the event and trigger, attached in the screenshot. You can't see the bottom of the Trigger settings, but it is enabled.
Capture.JPG

Author Comment

by:Geodash
ID: 39225867
So I used the exact same alerts but changed it to event ID 7036 and it is working and triggering correctly. When I change it back to event ID 41, nothing happens. This alert is for a power failure. I'm wondering if when the server comes back online, the event log isn't checking because it was just rebooted.

Expert Comment

by:ZabagaR
ID: 39226218
I see what you mean. I just set up a filter to find event 6008, which is an unexpected shutdown. I attached that to a task. I powered off the machine and back on.  The 6008 event was logged but the task never ran. Weird....I don't know why.

In searching for a reason why (and I didn't find one yet) I came across this method to send an e-mail when your server reboots:

http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

Although, that just e-mails you on a reboot...so it could be a planned friendly reboot. I'm still looking around...I'll post if I find more information.

Author Comment

by:Geodash
ID: 39226234
Your test with the 6008 is exactly what I did, with the same results. I cannot find any information on fixing this. I assume it is trying to email the event before the server is even back online yet, which is why it is not going through.

Expert Comment

by:ZabagaR
ID: 39226415
The task itself doesn't even try to start. I had mine run a batch script.  In 'scheduled tasks' the last time ran field shows it never ran.

Author Comment

by:Geodash
ID: 39226476
Same here

Expert Comment

by:ZabagaR
ID: 39226534
If I use this link I posted above
http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

and add my own script to "find event 6008 that occurred in the last 1 hour"...it works.
My script below is 4 lines....the blogspot.com line below plus logic I added.

So follow the blogspot suggestion, but in their step 2 use my script, which adds to theirs.

rebootalert.cmd
---------------------------

wevtutil qe System /q:"*[System[(EventID=6008)] and System[TimeCreated[timediff(@SystemTime) < 3600000]]]" /c:1 /f:text /rd:true | find "shutdown"

if %errorlevel% EQU 1 goto end

c:\Scripts\sendemail.exe -f localadmin@domain.com -t alerts@yourdomain.com;alerts2@yourdomain.com -u "SERVERNAME rebooted" -m "SERVERNAME has rebooted!" -s smtp.ispsmarthost.com

:end

Accepted Solution

by:
ZabagaR earned 500 total points
ID: 39226547
...and for that "sendemail.exe" there's a set of parameters for username, password, etc.....that link is http://caspian.dotconf.net/menu/Software/SendEmail/
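
The same boot-time check in PowerShell, as an added example that is not part of the original thread: it looks in the System log for event 6008 or 41 from the last hour and mails a summary only when one is found, so a clean planned reboot stays quiet. The script name rebootalert.ps1, the SMTP host, the addresses, the one-hour window and scheduling it with an "at startup" task are assumptions.

```powershell
# rebootalert.ps1 (hypothetical name) - added example, not from the thread.
# Intended to run from a scheduled task triggered at system startup, e.g.:
#   schtasks /Create /TN "RebootAlert" /SC ONSTART /RU SYSTEM ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\rebootalert.ps1"
# Uses only cmdlets available in PowerShell 2.0 (Server 2008 R2).

# --- assumed placeholder values, replace with your own ---
$SmtpServer = 'smtp.example.com'
$From       = 'localadmin@example.com'
$To         = 'alerts@example.com'
$LookBack   = (Get-Date).AddHours(-1)   # same 1-hour window as the .cmd version

# 6008 = EventLog: "The previous system shutdown ... was unexpected"
# 41   = Kernel-Power: system rebooted without cleanly shutting down first
$filter = @{ LogName = 'System'; Id = 6008, 41; StartTime = $LookBack }

# Get-WinEvent reports an error when nothing matches; suppress it and
# treat an empty result as a clean (planned) boot.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { exit 0 }

# One line per matching event: time, provider, ID, first line of the message.
$lines = $events | Sort-Object TimeCreated | ForEach-Object {
    $first = ("$($_.Message)" -split "`r?`n")[0]
    '{0:yyyy-MM-dd HH:mm:ss}  {1}  ID {2}  {3}' -f `
        $_.TimeCreated, $_.ProviderName, $_.Id, $first
}
$body = ($lines -join "`r`n")

$subject = '{0}: unexpected shutdown detected' -f $env:COMPUTERNAME

# If the network or relay is not reachable this early in boot, the send fails;
# write the failure to the Application log so it is visible afterwards.
try {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject $subject -Body $body -ErrorAction Stop
}
catch {
    eventcreate /L APPLICATION /T WARNING /ID 900 /SO RebootAlert `
        /D "Reboot alert mail failed: $($_.Exception.Message)" | Out-Null
    exit 1
}
```

If the relay requires authentication, Send-MailMessage accepts -Credential and -UseSsl; keep the credential out of the script file itself.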