Solved

Alerts on Server Reboot

Posted on 2013-06-05
Last Modified: 2013-06-21
I do not have SCOM in my environment, so I am trying to figure out a way to send an alert if a Server 2008 R2 machine does an unexpected reboot. Server 2K8R2 logs an event ID 6008 when there is an unexpected shutdown. Is there anything native to Windows, or any free tools, that will send an alert to an email address when this event happens?
Question by:Geodash
17 Comments
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39223289
From Event Viewer create a Custom View. Your custom view would just be set to look for 6008 events. Then you can right click and say "attach a task to this custom view".
Whenever an event occurs, you set what action should take place...you can send an e-mail, start a script or batch file or .exe, or send an alert.

See here for reference: (scroll down to the custom views section)

http://answers.oreilly.com/topic/2893-how-to-monitor-and-respond-to-events-in-windows/
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39223443
Additionally, if you want to monitor shut down events across multiple machines, you can configure one machine to collect event logs from all the other machines. You can set it up as a "pull" where one machine retrieves the logs from designated systems or a "push" where you configure multiple machines to send their logs to one central server.

When you open up Event Viewer, that is what the "Subscriptions" item is used for:

See this link:
http://technet.microsoft.com/en-us/library/cc748890.aspx
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223584
Thank you. I have set this up for event ID 41 (unexpected reboot) and simulated a power failure for the server. It records the info in the event log like it should but doesn't send the alert email. The only thing the task asks for is smtp server name, are there advanced options for it somewhere? I cannot get the alert to send.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223609
If I right click on the task it created, it runs and sends the alert. However, when the event happens from the Event Log, it doesn't send the alert.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223707
The alert is working fine, it seems as if the trigger is failing. I have it set for "kernel power failure" with event id 41, which is showing up in the custom log I created, but it will not send the alert when it happens.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39223766
So you have it sending an e-mail? Could you test by having it run a program instead, just to make sure that piece is okay? For instance, you could have it run test.bat when that Event ID happens....test.bat could just echo some phrase out to a text file...like:  echo event was triggered > c:\mytest.log
0
 
LVL 9

Author Comment

by:Geodash
ID: 39223838
I had it run a bat file and it didn't work. The event works fine, as if I right click on it and say run, the event creates the text file on the C drive. The trigger is not working. I tested it by powering the machine off to simulate a power failure; it recorded the event ID 41 in the event log, but it didn't trigger the task.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39224360
Not sure at the moment why that doesn't trigger for you. I use that feature and just set it up on a test machine to double-check.....and it worked as expected. I'll have to get back to you.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39225419
Can you set up an alert for some mundane event viewer informational item that occurs on a regular basis, as a test? If you look at your system or application log, find an event like a logon or something common....then set up your alert for it. On windows task scheduler, make sure you view all of the different tabs and options in case you're accidentally setting (or not setting) something that's preventing it from working.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39225745
I will try another event. Here are my settings for the event and trigger, attached in the screenshot. You can't see the bottom of the Trigger settings, but it is enabled.
Capture.JPG
0
 
LVL 9

Author Comment

by:Geodash
ID: 39225867
So I used the exact same alerts but changed it to event ID 7036 and it is working and triggering correctly. When I change it back to event ID 41, nothing happens. This alert is for a power failure. I'm wondering if when the server comes back online, the event log isn't checking because it was just rebooted.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39226218
I see what you mean. I just set up a filter to find event 6008, which is an unexpected shutdown. I attached that to a task. I powered off the machine and back on.  The 6008 event was logged but the task never ran. Weird....I don't know why.

In searching for a reason why (and I didn't find one yet) I came across this method to send an e-mail when your server reboots:

http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

Although, that just e-mails you on a reboot...so it could be a planned friendly reboot. I'm still looking around...I'll post if I find more information.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39226234
Your test with the 6008 is exactly what I did, with the same results. I cannot find any information on fixing this. I assume it is trying to email the event before the server is even back online yet, which is why it is not going through.
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39226415
The task itself doesn't even try to start. I had mine run a batch script.  In 'scheduled tasks' the last time ran field shows it never ran.
0
 
LVL 9

Author Comment

by:Geodash
ID: 39226476
Same here
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 39226534
If I use this link I posted above
http://hawk82.blogspot.com/2013/04/send-e-mail-alert-when-windows-server.html

and add my own script to "find event 6008 that occurred in the last 1 hour"...it works.
My script below is 4 lines....the blogspot com line below plus logic I added.

So follow the blogspot suggestion, but in their step 2, use my script, which adds to theirs.

rebootalert.cmd
---------------------------

wevtutil qe System /q:"*[System[(EventID=6008)] and System[TimeCreated[timediff(@SystemTime) < 3600000]]]" /c:1 /f:text /rd:true | find "shutdown"

if %errorlevel% EQU 1 goto end

c:\Scripts\sendemail.exe -f localadmin@domain.com -t alerts@yourdomain.com;alerts2@yourdomain.com -u "SERVERNAME rebooted" -m "SERVERNAME has rebooted!" -s smtp.ispsmarthost.com

:end
0
 
LVL 15

Accepted Solution

by:
ZabagaR earned 500 total points
ID: 39226547
...and for that "sendemail.exe" there's a set of parameters for username, password, etc.....that link is http://caspian.dotconf.net/menu/Software/SendEmail/
0
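
The startup check from the accepted answer, rewritten in PowerShell as an added example (not code from the thread or from the linked blog): it looks in the last hour for both events the thread discusses, 6008 and Kernel-Power 41, and mails their details. The SMTP host, the addresses and the 60-minute look-back are placeholder assumptions, and the script is meant to run from a scheduled task with an "At startup" trigger.

```powershell
# Added example, not from the thread. Run from a task triggered "At startup".
# Placeholders (assumptions): SMTP host, sender, recipient, look-back window.
$SmtpServer = 'smtp.example.com'
$From       = 'localadmin@example.com'
$To         = 'alerts@example.com'
$LookBack   = (Get-Date).AddMinutes(-60)

# The two System-log events discussed in the thread:
#   6008 (provider EventLog)                       previous shutdown was unexpected
#   41   (provider Microsoft-Windows-Kernel-Power) rebooted without a clean shutdown
$filters = @(
    @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6008; StartTime = $LookBack },
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41; StartTime = $LookBack }
)

$events = @()
foreach ($f in $filters) {
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events += @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)
}

if ($events.Count -eq 0) {
    # Planned, clean reboot: neither event was logged, so send nothing.
    exit 0
}

# One block per event: timestamp, ID, provider, then the logged message text.
$body = $events | Sort-Object TimeCreated | ForEach-Object {
    '{0:yyyy-MM-dd HH:mm:ss}  ID {1}  {2}{3}{4}{3}' -f `
        $_.TimeCreated, $_.Id, $_.ProviderName, [Environment]::NewLine, $_.Message
} | Out-String

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "Unexpected shutdown detected on $env:COMPUTERNAME" -Body $body
```

Unlike the reboot-only alert, this stays silent after a planned restart, because it sends mail only when one of the two events is present in the look-back window.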

Question has a verified solution.
