
How to alert when a Windows Service is restarted

I would like to configure an alert that triggers when any Windows service on a monitored server is restarted. I'm not talking about executing an alert action to restart a service (though this alert would fire when that happens), but I need to know when and hopefully who restarts a Windows service. Would this be done as an Audit Event alert, or as an application alert based on a Windows event log monitor? What variable would be queried in the Trigger?

Thanks in advance for your help.

Product Manager

I guess you have Server & Application Monitor installed on your Orion Platform, as you mention an "application alert based on a Windows event log monitor". In the normal course of monitoring services you are on the right track. The challenge I see with your use case is that services do not restart, but rather Stop and then Start, which generates two distinct event log entries. This use case of correlation is more aligned with the features of Security Event Manager. A possible alternative may be Server Configuration Monitor, which in addition to being able to track who makes server changes can also alert when the output of a PowerShell script changes. I'm thinking you could use something similar to this: Last restart/start time of a windows service - Server Fault

In a similar context, I have previously used Get-Services which are set to auto start and are stopped.ps1
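The stop-then-start correlation described in the reply above, sketched as an added example that is not part of the original thread or any SolarWinds product. The function name `Find-ServiceRestart`, the 120-second window and the sample records are assumptions; the commented live feed assumes an English-language host that logs Service Control Manager event 7036, which records the state change but not the account that caused it.

```powershell
# Added example: pair "stopped" and "running" records for the same service
# to infer a restart. Input objects need TimeCreated, Service and State.
function Find-ServiceRestart {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 120   # assumed threshold, tune per environment
    )
    $lastStop = @{}   # service name -> time of the most recent unmatched stop
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.State) {
            'stopped' { $lastStop[$e.Service] = $e.TimeCreated }
            'running' {
                if ($lastStop.ContainsKey($e.Service)) {
                    $gap = ($e.TimeCreated - $lastStop[$e.Service]).TotalSeconds
                    if ($gap -le $WindowSeconds) {
                        [pscustomobject]@{
                            Service    = $e.Service
                            StoppedAt  = $lastStop[$e.Service]
                            StartedAt  = $e.TimeCreated
                            GapSeconds = [math]::Round($gap, 1)
                        }
                    }
                    $lastStop.Remove($e.Service)   # a stop is matched at most once
                }
            }
        }
    }
}

# Constructed sample records (not real log data).
$t0 = [datetime]'2024-01-15T10:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                Service = 'Print Spooler';  State = 'stopped' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(4);  Service = 'Print Spooler';  State = 'running' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30); Service = 'Windows Update'; State = 'stopped' }  # stop only
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20); Service = 'Windows Time';   State = 'running' }  # start only
)
Find-ServiceRestart -Events $sample   # emits one record, for Print Spooler

# Live input (assumption: English host that logs event 7036 in the System log):
# $live = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Service Control Manager'; Id=7036 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated
#         Service = $_.Properties[0].Value; State = $_.Properties[1].Value } }
# Find-ServiceRestart -Events $live
```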


Good question. I don't see an obvious way, but I am digging in the database to see if SW keeps track of the process lifetime on the PID.

What's your use case on the service restart?


We just want to know when it happens either manually or by alert action.


I'll let others weigh in on detecting the service restart, I didn't find anything.

You can track alert actions by viewing alert history. Here is a dashboard I use (sorry, I don't remember the post to give proper credit to the creator):

-- Number of 'Triggered' alert-history events per alert name
-- over the last 24 hours, 7 days and 30 days.
SELECT DISTINCT
  ahv.Name 'Alert Name'
  ,last24.Qty 'Last 24 Hrs'
  ,lastseven.Qty 'Last 7 Days'
  ,lastthirty.Qty 'Last 30 Days'
FROM AlertHistoryView ahv
LEFT OUTER JOIN
  (SELECT Name, COUNT(1) 'Qty'
  FROM AlertHistoryView
  WHERE
  TimeStamp > (GETDATE()-1)
  AND EventTypeWord = 'Triggered'
  GROUP BY Name) last24 ON ahv.Name = last24.Name
LEFT OUTER JOIN
  (SELECT Name, COUNT(1) 'Qty'
  FROM AlertHistoryView
  WHERE
  TimeStamp > (GETDATE()-7)
  AND EventTypeWord = 'Triggered'
  GROUP BY Name) lastseven ON ahv.Name = lastseven.Name
-- Inner join: only alerts triggered at least once in the last 30 days are listed.
JOIN
  (SELECT Name, COUNT(1) 'Qty'
  FROM AlertHistoryView
  WHERE
  TimeStamp > (GETDATE()-30)
  AND EventTypeWord = 'Triggered'
  GROUP BY Name) lastthirty ON ahv.Name = lastthirty.Name
ORDER BY lastthirty.Qty DESC
