• State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 19 subscribers
  • Views 864 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

How to alert when a Windows Services is restarted

patriot

I would like to configure an alert that triggers when any Windows service on a monitored server is restarted. I'm not talking about executing an alert action to restart a service (though this alert would fire when that happens), but I need to know when and hopefully who restarts a Windows service. Would this be done as an Audit Event alert, or as an application alert based on a Windows event log monitor? What variable would be queried in the Trigger?

Thanks in advance for your help.

  • 0

    Good question.  I don't see an obvious way but I am digging in database to see if SW keeps tracks of the process lifetime on the PID.

    Whats your use case on the service restart?

  • 0 in reply to monitoringlife

    We just want to know when it happens either manually or by alert action.

  • 0 in reply to patriot

    I'll let others weigh in on detecting the service restart, I didn't find anything.

    You can track alert actions by viewing alert history.  Here is dashboard I use (sorry I don't remember the post to give proper credit to the creator):

    SELECT DISTINCT 
      ahv.Name 'Alert Name' 
      ,last24.Qty 'Last 24 Hrs'
      ,lastseven.Qty 'Last 7 Days' 
      ,lastthirty.Qty 'Last 30 Days' 
    FROM AlertHistoryView ahv 
    Left outer JOIN 
      (SELECT Name, COUNT(1) 'Qty' 
      FROM AlertHistoryView 
      WHERE
      TimeStamp > (GetDate()-1) 
      AND EventTypeWord = 'Triggered' 
      GROUP BY Name) last24 ON ahv.Name = last24.Name 
    Left outer JOIN 
      (SELECT Name, COUNT(1) 'Qty' 
      FROM AlertHistoryView 
      WHERE
      TimeStamp > (GetDate()-7) 
      AND EventTypeWord = 'Triggered' 
      GROUP BY Name) lastseven ON ahv.Name = lastseven.Name 
    JOIN 
      (SELECT Name, COUNT(1) 'Qty' 
      FROM AlertHistoryView 
      WHERE
      TimeStamp > (GetDate()-30) 
      AND EventTypeWord = 'Triggered' 
      GROUP BY Name) lastthirty ON ahv.Name = lastthirty.Name 
      ORDER BY lastthirty.Qty  desc

         pastedImage_8.png

  • 0

    I guess you have Server & Application Monitor installed on your Orion Platform as you mention an "application alert based on a Windows event log monitor ", in the normal course of monitoring services you are on the right track. The challenge I see with your use case is that services do not restart, but rather Stop and then Start which generates two distinct event log entries. This use case of correlation is more aligned with the features of Security Event Manager.  A possible alternative may be Server Configuration Monitor which in addition to being able to track who makes server changes​ can also alert when the output of a power shell script changes. I'm thinking you could use something similar to this Last restart/start time of a windows service - Server Fault

    In a similar context, I have previously used Get-Services which are set to auto start and are stopped.ps1

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.