
SAM reboot alert on Windows servers that includes information from the event log

The default node rebooted alert uses the Last Boot has changed event to trigger the alert; this works and is reliable. However, I want more information. So I created a component that checks for event ID 1074, then set up an alert on that. The issue is that the event log entry is generated twice for every reboot, so I get the alert twice. Also, it seems some versions of Windows do not use event ID 1074.

So what I would like to do is something similar to the alert that brings in the top ten processes when the CPU is high. So keep the last boot has changed alert and just add a process to it that would pull out event log 1074 if available and include that information in the node reboot alert.

Let me know if you have any suggestions on a way to do this.

  • I too am also trying to pull Event 1074 info into our reboot node alerts so my team knows who is rebooting the server. I do not want to apply an application monitor to every Windows server in our network to simply gather a single value. Plus it doesn't work that well anyways for the same reasons you listed above. Is there any way to add a script as a variable to the alert message? Or perhaps build a new variable?

  • You could write a script that queries this information and includes it in the "Notes" field of the alert using the Orion SDK. You would then want to delay the sending of the alert notification by a minute or two using alert escalation so the script has an opportunity to fully run and populate the notes field of the alert before sending the email notification. The "Notes" field is of course a variable which can be included as part of the alert message.

  • I gave up on trying to combine external scripting with native functionality and went with a single PowerShell script that does everything.

  • Could you share the PowerShell script that worked for you? I too am trying to accomplish a similar task here and would appreciate any info you can share.

    Thanks in advance

  • Below is the PowerShell script I run from the Node Reboot Alert Trigger Action. It works well for Windows servers but doesn't work at all for non-Windows systems.

    Add-PSSnapin SwisSnapin

    # Connect to the Orion Information Service (replace the placeholders)
    $swis = Connect-Swis -Hostname "<OrionServer>" -UserName 'Admin' -Password '<Password>'

    # Collect information from AlertStatus
    # (these queries assume only one object is currently triggering this alert definition)
    $ActiveObject = Get-SwisData $swis "SELECT ActiveObject FROM Orion.AlertStatus WHERE AlertDefID = '<Node Reboot Alert ID #>'"
    $Node = Get-SwisData $swis "SELECT ObjectName FROM Orion.AlertStatus WHERE AlertDefID = '<Node Reboot Alert ID #>'"
    $Time = Get-SwisData $swis "SELECT TriggerTimeStamp FROM Orion.AlertStatus WHERE AlertDefID = '<Node Reboot Alert ID #>'"
    $Description = Get-SwisData $swis "SELECT Description FROM Orion.Nodes WHERE NodeID = '$ActiveObject'"
    $IP = Get-SwisData $swis "SELECT IPAddress FROM Orion.Nodes WHERE NodeID = '$ActiveObject'"

    # Collect Custom Properties of Node
    $Environment = Get-SwisData $swis "SELECT NodeEnvironment FROM Orion.NodesCustomProperties WHERE NodeID = '$ActiveObject'"
    $Location = Get-SwisData $swis "SELECT DeviceLocation FROM Orion.NodesCustomProperties WHERE NodeID = '$ActiveObject'"

    # Get Event Log Info. Looks for Event ID 1074 in the past 5 minutes.
    # Get-WinEvent reports an error when nothing matches, so the error is silenced
    # and the empty result is handled by the else branch below.
    $EventInfo = Get-WinEvent -ComputerName $Node -FilterHashtable @{LogName='System'; Id=1074; StartTime=(Get-Date).AddMinutes(-5)} -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($EventInfo) {
        $EventInfo | ForEach-Object {
            $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
            $rv.Date = $_.TimeCreated
            $rv.User = $_.Properties[6].Value
            $rv.Process = $_.Properties[0].Value
            $rv.Action = $_.Properties[4].Value
            $rv.Reason = $_.Properties[2].Value
            $rv.ReasonCode = $_.Properties[3].Value
            $rv.Comment = $_.Properties[5].Value
            $rv
        }
    }
    else {
        # If it can't find a 1074 event in the past 5 minutes it will return an "Unknown" for the variable.
        $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
        $rv.Date = $Time
        $rv.User = "Unknown"
        $rv.Process = "Unknown"
        $rv.Action = "Unknown"
        $rv.Reason = "Unknown"
        $rv.ReasonCode = "Unknown"
        $rv.Comment = "Unknown"
        $rv
    }

    # SMTP EMAIL SETTINGS
    $From = ""
    $To = ""
    #$Cc = ""
    $Subject = $Node + " has Rebooted"

    # My Email body contains custom properties that will differ from your system.
    $Body = "$Node has rebooted at $($rv.Date) by $($rv.User) `r`n`r`nOS: $Description `r`nIP Address: $IP `r`nEnvironment: $Environment `r`nLocation: $Location"
    $SMTPServer = ""
    $SMTPPort = "25"

    # Send Email
    Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort
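
Added example, not part of the original thread or of any poster's code: the opening post notes that event 1074 is logged twice per reboot, so this sketch collapses duplicate 1074 records into one initiator record before it is used in a notification. `Select-RebootInitiator` and `New-SampleEvent` are hypothetical names, the 15-minute lookback and 60-second duplicate window are assumptions, and the sample events are constructed so the block runs without a live server.

```powershell
# Added example. Function names and the time windows are assumptions.
function Select-RebootInitiator {
    param(
        [Parameter(Mandatory)] [object[]] $Events,    # shaped like Get-WinEvent output
        [Parameter(Mandatory)] [datetime] $BootTime,  # e.g. the alert trigger time
        [int] $LookbackMinutes = 15,
        [int] $DuplicateSeconds = 60
    )
    $windowStart = $BootTime.AddMinutes(-$LookbackMinutes)
    $candidates = $Events |
        Where-Object { $_.Id -eq 1074 -and $_.TimeCreated -ge $windowStart -and $_.TimeCreated -le $BootTime } |
        Sort-Object TimeCreated
    $kept = @()
    foreach ($e in $candidates) {
        # Same property indexes as the script posted above
        $rec = [pscustomobject]@{
            Date    = $e.TimeCreated
            Process = $e.Properties[0].Value
            Reason  = $e.Properties[2].Value
            Action  = $e.Properties[4].Value
            Comment = $e.Properties[5].Value
            User    = $e.Properties[6].Value
        }
        # A record repeating the previous user and process within the window is a duplicate
        $last = $kept | Select-Object -Last 1
        $isDuplicate = $last -and $last.User -eq $rec.User -and $last.Process -eq $rec.Process -and
            ($rec.Date - $last.Date).TotalSeconds -le $DuplicateSeconds
        if (-not $isDuplicate) { $kept += $rec }
    }
    # Return the distinct request closest to the boot; $null maps to "Unknown".
    $kept | Select-Object -Last 1
}

# Constructed sample data: one reboot that logged event 1074 twice, 2 seconds apart.
function New-SampleEvent([datetime] $When, [string] $User) {
    $values = 'C:\Windows\system32\shutdown.exe (SRV01)', 'SRV01', 'Other (Planned)',
              '0x80000000', 'restart', 'monthly patching', $User
    [pscustomobject]@{
        Id          = 1074
        TimeCreated = $When
        Properties  = @($values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$boot   = [datetime] '2024-01-15T03:10:00'
$sample = @((New-SampleEvent ($boot.AddMinutes(-3)) 'CONTOSO\jdoe'),
            (New-SampleEvent ($boot.AddMinutes(-3).AddSeconds(2)) 'CONTOSO\jdoe'))
Select-RebootInitiator -Events $sample -BootTime $boot | Format-List
```

Against a real server, the `-Events` argument would be the output of `Get-WinEvent -ComputerName $Node -FilterHashtable @{LogName='System'; Id=1074} -ErrorAction SilentlyContinue`.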

  • Sorry to sound dumb, but this looks like it's exactly what I am after, but could you flag the parts that need adjusting?

    I assume this does '<Node Reboot Alert ID #>', but where do I get that information?

    Thanks