
NPM Alert to include user who restarted Server

We have an alert that is set up to notify us when a Windows Server gets rebooted. The reason behind this is that some virtual servers can restart in less than the polling time, so we never knew they restarted.

What I'd like to do is include the username of the person who restarted the server in the alert. We utilize the "Last Boot Has Changed" item in our trigger condition.

Does anyone know what event or variable I can use?


mikesky me likey!!!


I use this alert trigger action for the Node Reboot alert (below) to show me who was the last logged in user before the reboot.

capture3.PNG

This is a nice idea.  But, I would be careful with this. The last logged in user field comes from asset inventory polling which only happens once a day by default. So, that leaves lots of room for other users to log in and/or reboot the server.  I think a more accurate way to do this, if you own the Server and Application Monitor (SAM) module, would be to set up an application monitor that looks in the event logs for a reboot event.  Then alert on that application monitor and have the email include the event details which would include the user that initiated the reboot.

I was thinking the same thing. We sometimes have engineers working on servers and they may not always lock the server or log off, and then another engineer will hit the same console and sometimes perform the reboot. See this in our virtual environment frequently. So, if the lastloggedinuser is only inventoried once or so, you would be getting inaccurate information. We actually countered this by using our SIEM product (non-SolarWinds) to send out alerts anytime a server is rebooted, as the event log information is processed by the SIEM, so we actually get the accurate details of who did it, when, and why.


Nice one. Thanks for sharing... will add this to my one as well. I can see now how last logged in user can be misleading. I would say if SolarWinds extracts last logged on user and pushes it into inventory already, then the same approach can be taken to do the same for last rebooted user. My take on it - it is a great feature request to consider asking the SolarWinds product team to implement.


I used last login in the alert message, and that worked, but sometimes if an automated process reboots a server, then it appears to be the last logged in user who did it, which can be a little misleading.


I believe that this information will not be readily available in SolarWinds (unless, maybe, when a user initiates a reboot via SolarWinds itself). You would probably need to track the Event Log for reboot events (Windows); not sure how to deal with other OSes.


I'd like this information sent out to me in the Alert so I know who the engineer is who I need to contact to find out why they have rebooted the server.


Not to say that it is impossible, but rather it might be quite complex to set up. The logic would probably go like - fire up an action in the Reboot alert to run a script, which will in turn access server logs and extract the last event that has this information. Then pass it back to the alert and inject this info into the email body...

I always say that SolarWinds IS NOT a troubleshooting tool, it is a MONITORING platform. Its main purpose is to notify you about certain things happening. Troubleshooting happens outside of it. Yes, I agree, you can make it easier for engineers by embedding a lot of useful info and stats into alerts, but... to an extent really. If your critical servers are being randomly rebooted without you knowing and without any records of a ticket/change for it - then my guess is you have a bigger problem. ITIL is your best place to start with this.

If, however, you have an odd unauthorized reboot of a device once in a while - from what I can feel it is not worth investing time trying to automate these extra checks across multiple different platforms when it takes just a few minutes to check logs locally, providing your alert includes IP and hostname, which it does I am sure.

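Added example, not posted by anyone in this thread: a PowerShell sketch of the event-log lookup several replies describe, reading Windows event ID 1074 (System log, provider User32), which records the account and process that requested a restart. The function name `Get-RebootInitiator`, its parameters and the output format are assumptions for illustration; how the result is passed back into the alert email is not covered here.

```powershell
# Added example (not from the thread). Function and parameter names are assumptions.
# Event ID 1074 (provider User32, System log) is written when a user or process
# requests a restart or shutdown; its payload names the requesting account.
function Get-RebootInitiator {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackHours = 24
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -MaxEvents 5 -ErrorAction Stop
    } catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # No 1074 in the window: typical of a crash, power loss or hypervisor
            # reset, none of which record a requesting user.
            return
        }
        throw   # log unreachable or access denied: surface it, do not guess
    }
    foreach ($e in $events) {
        # Property order of event 1074: 0 process, 1 computer, 2 reason,
        # 3 reason code, 4 shutdown type, 5 comment, 6 user.
        $p = $e.Properties
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $p[6].Value
            Process = $p[0].Value
            Type    = $p[4].Value
            Reason  = $p[2].Value
            Comment = $p[5].Value
        }
    }
}

# One line per event, newest first, suitable for pasting into an alert body.
$rows = @(Get-RebootInitiator -ComputerName $env:COMPUTERNAME)
if ($rows.Count -eq 0) {
    'No user-initiated restart (event 1074) found in the lookback window.'
} else {
    $rows | ForEach-Object {
        '{0:u} {1} by {2} via {3}: {4}' -f $_.Time, $_.Type, $_.User, $_.Process, $_.Reason
    }
}
```

The Process column is what separates an engineer's restart from an automated one: a patching or installer process running as NT AUTHORITY\SYSTEM shows up there instead of being attributed to whoever logged in last.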