I have tried using ${N=SwisEntity;M=AssetInventory.ServerInformation.LastLoggedInUser} but it gives the wrong username.
Based on the Event ID 1074 User field, I see the correct user who rebooted, but I want to display that user inside my alert email.
Thank you
You want to pull the event message variable, then, if you want to be clever, wrap that in a custom SWQL/SQL macro so you can use things like REPLACE and SUBSTRING to chop the username out.
So, I am using the built-in "${NodeName} seems to have rebooted at ${LastBoot}" alert and it's working fine. Now I want it to email me who rebooted it and at what time. Can you please provide me with the full SWQL? I would like the email result to look like the output of this PowerShell script:
# Lists the last 10 System-log 1074 (shutdown/restart initiated) events with who triggered them
Get-EventLog -LogName System | Where-Object { $_.EventId -eq 1074 } | Select-Object -First 10 | ForEach-Object {
    $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode
    if ($_.ReplacementStrings[4]) {
        $rv.Date    = $_.TimeGenerated
        $rv.User    = $_.ReplacementStrings[6]
        $rv.Process = $_.ReplacementStrings[0]
        $rv.Action  = $_.ReplacementStrings[4]
        $rv.Reason  = $_.ReplacementStrings[2]
        $rv
    }
} | Select-Object Date, Action, Reason, User, Process | Format-Table
@AndoniFTQ did you get this? It would be useful for my new deployment.
Unfortunately I didn't get an answer from anyone.
I see two options:
First, you could find a clever way to parse the event message, but if I'm remembering correctly about that message, it's not an easy thing.
Or, if you want to use your PowerShell script, you'd have to use escalations and an external script. That gets into potential permission issues, but let's assume that part works.
This can go sideways in a couple of ways because of permissions, timeouts, or network connectivity.
@AndoniFTQ it's hard to get answers to big questions that depend on environment stuff. SWQL is selecting some information from the DB. Your PowerShell is selecting data from the event log on a box, from the same box by the looks. Note there's a different start point and source.
So you've got to think about how to put that data in the DB first. @KMSigma.SWI's solution works on the assumption you've not got the data in the DB and you need to acquire it at the time it triggers, based on a reboot which will exist in the DB currently. It's a good solution. You can pull stuff into the DB via a SAM monitor reading the event log, then it'd exist in the SAM tables, so the SWQL could select from that.
You could use a PowerShell monitor to stick closest to your current code. You'd need to add an output block, but then you could just pull the Message, no SWQL needed even.
You could forward the log from Windows, then it'd exist in SolarWinds in the logs DB, you could trigger a processing rule into an alert and then use SWQL to edit the message into what you want.
Each of these looks really different and could get blocked by security at various places, so we could provide the answer and it still wouldn't work for you.
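As an added illustration of the "PowerShell monitor with an output block" route above (this is example code, not the original poster's script and not a SolarWinds template), here is a SAM PowerShell component monitor that reads the newest System event 1074 on the node and puts the initiating user into the component Message, so the alert has it available without any SWQL string surgery. It assumes local execution on the monitored node with rights to read the System log, that SAM's script output contract is "Statistic:" and "Message:" lines with exit code 0 = Up and 2 = Warning, and that $lookBackHours is an assumed window you tune to roughly 1.5 polling intervals so the component returns to Up once the reboot has aged out. The insertion-string positions match the ReplacementStrings indices used in the script posted earlier in the thread.

```powershell
# Added example SAM PowerShell component monitor (not from the original post or a
# SolarWinds template). Assumptions: runs locally on the monitored node, can read
# the System log, and $lookBackHours is tuned to ~1.5 polling intervals.
$lookBackHours = 1

$since  = (Get-Date).AddHours(-$lookBackHours)
$filter = @{ LogName = 'System'; Id = 1074; StartTime = $since }

# Newest first; wrap in @() so an empty or single result still behaves as an array
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated -Descending)

if (-not $events) {
    # No reboot initiated inside the window: component is Up, so a status-based
    # alert resets on its own once the last 1074 event ages past $lookBackHours.
    Write-Host "Statistic: 0"
    Write-Host "Message: no shutdown/restart (event 1074) in the last $lookBackHours hour(s)"
    exit 0
}

# Event 1074 insertion strings, same positions the posted Get-EventLog script reads
# via ReplacementStrings: [0] process, [2] reason text, [4] action, [6] user.
$latest  = $events[0]
$p       = @($latest.Properties | ForEach-Object { $_.Value })
$process = $p[0]
$reason  = $p[2]
$action  = $p[4]
$user    = $p[6]
$when    = $latest.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')

# Statistic = number of 1074 events in the window; Message = who/what/when for the email
Write-Host "Statistic: $($events.Count)"
Write-Host "Message: $action initiated by $user via $process at $when. Reason: $reason"
exit 2   # Warning while a recent reboot is visible; alert on component status
```

The sliding window is what gives you the reset behaviour: the component reports Warning only while a 1074 event falls inside $lookBackHours, and goes back to Up afterwards, so an alert triggered on the component's status clears without extra reset logic. Keep the window short (about 1.5 polls) rather than days, otherwise the component stays Warning long after the server is back.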
I used the (2) Windows Server Unexpected and Normal Reboot Alert - Application Monitor Templates - Server & Application Monitor - THWACK (solarwinds.com) and it works fine. But when it detects the reboot, it does not reset the alert. Basically, in the event log, it finds event 1074, it turns red and sends an email. But once the server is up, that event id is still there and constantly shows red. What am I missing?
I currently used the "Windows Server Unexpected and Normal Reboot Alert" template and it works fine. But it does not tell me who rebooted, just when.
Any way I could add who rebooted in the email alert?
Either the amount of time to look backward (if it's set to days or something that's unwise, should be like 1.5 polls) or it's the reset logic on the alert. I'd assume if it's red it's probably the former, otherwise the latter