Windows Reboot Tracker Template - With Event Logs

Version 1

    It was a tedious task for my NOC team to log in to the rebooted server every time and check the reason for the reboot. I tried thwacking to get a solution for finding out the reboot reason and couldn't find any templates. So I have created this template, which lists the Windows reboot event logs and alerts with the event log messages whenever a server is rebooted. Please make sure to import and enable the attached alert.

    After deploying these templates, my NOC team has saved a lot of time that was spent manually logging in to each rebooted server and finding the reason for the reboot. They get at least 30-50 server reboot alerts in a day.

    1. Import the Windows Reboot Events.apm-template and Node+Reboot+Informational+Alert.xml
    2. Deploy the Windows Reboot Events.apm-template on the Windows server
    3. Modify the alert recipients, SMTP server, etc. as required in Node+Reboot+Informational+Alert.xml

    Kindly provide feedback/comments to make this template better, or share your ideas.

    Below is the alert message.

    ------------------------------------------------------------

    Team,
    Server TESTSERVER  has rebooted

    Alert Message:

    Server TESTSERVER has rebooted

    Windows Event Log Information:--- Event 1 of 2:
      Log Name: System
    Source: USER32
    Logged: 09/29/2016 08:27:23
    Event ID: 1074
    Level: Information
    User: Domain\testuser
    Computer: SERVERFQDN.local
      The process C:\Windows\system32\winlogon.exe (NOCOMI) has initiated the restart of computer TESTSERVER on behalf of user Domain\testuser for the following reason: No title for this reason could be found
    Reason Code: 0x500ff
    Shutdown Type: restart
    Comment:
      --- Event 2 of 2:

    Log Name: System
    Source: USER32
    Logged: 09/29/2016 08:27:22
    Event ID: 1074
    Level: Information
    User:LAB.TEST
    Computer: SERVERFQDN.local

    The process Explorer.EXE has initiated the restart of computer TESTSERVER on behalf of user Domain\testuser for the following reason: Other (Planned)
    Reason Code: 0x85000000
    Shutdown Type: restart
    Comment: Solarwinds Reboot Alert Tesing-Amarnath Rajendran
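
An added example, not part of the original post or the attached template: a Python parser that turns the alert body shown above into one record per event, so the initiating process, the account and whether the restart was flagged as planned can be passed on to a ticket or a SIEM. The function and key names are assumptions made here, the sample is abridged from the alert above, and the planned check tests the high bit of the reason code (Windows' SHTDN_REASON_FLAG_PLANNED).

```python
import re

# Abridged copy of the sample alert from the post above (its irregular spacing is kept).
SAMPLE_ALERT = r"""Server TESTSERVER has rebooted
Windows Event Log Information:--- Event 1 of 2:
Logged: 09/29/2016 08:27:23
Event ID: 1074
User: Domain\testuser
Computer: SERVERFQDN.local
  The process C:\Windows\system32\winlogon.exe (NOCOMI) has initiated the restart of computer TESTSERVER on behalf of user Domain\testuser for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: restart
Comment:
  --- Event 2 of 2:
Logged: 09/29/2016 08:27:22
Event ID: 1074
User:LAB.TEST
Computer: SERVERFQDN.local
The process Explorer.EXE has initiated the restart of computer TESTSERVER on behalf of user Domain\testuser for the following reason: Other (Planned)
Reason Code: 0x85000000
Shutdown Type: restart
Comment: Solarwinds Reboot Alert Tesing-Amarnath Rajendran
"""

EVENT_SPLIT = re.compile(r"-{3} Event \d+ of \d+:")
FIELD = re.compile(r"^\s*(Logged|Event ID|User|Computer|Reason Code|Shutdown Type|Comment)"
                   r":[ \t]*(.*)$", re.M)
MESSAGE = re.compile(r"The process (?P<process>.+?) has initiated the (?P<action>\w+) of "
                     r"computer (?P<computer>\S+) on behalf of user (?P<user>\S+) "
                     r"for the following reason: (?P<reason>.*)")
PLANNED_FLAG = 0x80000000  # SHTDN_REASON_FLAG_PLANNED

def parse_reboot_alert(body):
    """Return one dict per 'Event N of M' block found in the alert body."""
    events = []
    for block in EVENT_SPLIT.split(body)[1:]:  # text before the first marker is the banner
        event = {key: value.strip() for key, value in FIELD.findall(block)}
        m = MESSAGE.search(block)
        if m:
            event.update(initiating_process=m["process"], on_behalf_of=m["user"],
                         reason=m["reason"].strip())
        event["planned"] = bool(int(event.get("Reason Code") or "0", 16) & PLANNED_FLAG)
        events.append(event)
    return events

if __name__ == "__main__":
    for e in parse_reboot_alert(SAMPLE_ALERT):
        print(e["Logged"], e["initiating_process"], e["on_behalf_of"],
              "planned" if e["planned"] else "unplanned", "-", e["reason"])
```

Restarts that come back with `planned` set to `False`, or with an account the team does not expect to see rebooting servers, are the ones worth a closer look.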