
SAM reboot alert on Windows servers that includes information from the event log

The default node rebooted alert uses the Last Boot has changed event to trigger the alert; this works and is reliable. However, I want more information. So I created a component that checks for event ID 1074, then set up an alert on that. The issue is that the event log entry is generated twice for every reboot, so I get the alert twice. Also, it seems some versions of Windows do not use event ID 1074.

So what I would like to do is something similar to the alert that brings in the top ten processes when the CPU is high. So keep the last boot has changed alert and just add a process to it that would pull out event log 1074 if available and include that information in the node reboot alert.

Let me know if you have any suggestions on a way to do this.

  • It's not easily possible to relate a Windows Event Log Monitor to a node in such a way that would make this generic enough to be applicable to any node. You could have a whole host of Windows Event Log Monitors associated with a Node, so it would be impossible to know which to associate with the node down alert. This could be done manually via SWQL, but it would need to be manually defined for each node you wanted to alert upon. Needless to say that doesn't scale very well.

    What I would recommend instead is using the EventID instead of SNMP to trigger the node reboot alert. By looking for a specific ID or IDs to trigger the alert upon you can then easily include the full message details of the Windows Event Log Message into the body of the Alert Action email notification.

  • Like I said in the original post, this is what I am doing now. I set up a component to look for ID 1074, and when 1074 is triggered, an e-mail will be sent containing the data in the event log entry. This works; the issue is that every reboot includes at least two instances of 1074, so it creates multiple entries, and as you stated, this particular event log may not be available on every server. So I could set up the last boot has changed as a separate alert, and now I would get between one and three alerts every time a node rebooted.

    So I would simply like to set up a node reboot alert: if the last boot data has changed, wait a few seconds, then attempt to collect the event log information, either from a component or from the actual event log for the specific ID. If that information is found, include it in the e-mail; if it is not found, send an e-mail anyway. It cannot be that hard to get information that is already in the system.

    For instance:

    Set up a component to look for 1074; if found, collect the information.

    Set up an alert if last boot has changed; if it has changed, send an e-mail and include any information from component 1074 that is not older than 5 minutes.
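
The flow described in the last reply, as an added PowerShell example that is not part of the original thread and is not SolarWinds code: it looks up event ID 1074 from the last 5 minutes, collapses repeated entries, and still returns a message when nothing is found. The function name `Get-RebootReason` and its parameters are hypothetical, and it assumes the repeated 1074 entries carry identical message text and that the caller has rights to read the System log on the target.

```powershell
# Added example. Get-RebootReason and its parameters are hypothetical names.
function Get-RebootReason {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackMinutes = 5
    )

    $filter = @{
        LogName   = 'System'
        Id        = 1074
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }

    # Get-WinEvent raises an error when no event matches the filter.
    # SilentlyContinue turns that into an empty result; note that it also
    # hides access or connectivity errors, which then read as "not found".
    $events = @(Get-WinEvent -ComputerName $ComputerName `
                             -FilterHashtable $filter `
                             -ErrorAction SilentlyContinue)

    if ($events.Count -eq 0) {
        # Fallback: the alert body is still produced without 1074 details.
        return "Node $ComputerName rebooted. No event ID 1074 found in the last $LookbackMinutes minutes."
    }

    # A single reboot can log 1074 more than once. Keep the earliest entry
    # for each distinct message text (assumes the duplicates are identical).
    $unique = $events |
        Sort-Object TimeCreated |
        Group-Object Message |
        ForEach-Object { $_.Group[0] }

    $lines = foreach ($e in $unique) {
        '[{0:u}] {1}' -f $e.TimeCreated, $e.Message
    }

    "Node $ComputerName rebooted. Event ID 1074 details:`n" + ($lines -join "`n")
}

# Run against the local machine with the 5-minute window from the thread.
Get-RebootReason -LookbackMinutes 5
```

The returned text is one string either way, so whatever sends the reboot e-mail gets a single body per reboot instead of one message per 1074 entry.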
