It was tedious task for my NOC team to login to the rebooted server every time and check the reason for reboot. I tried thwacking to get a solution for finding out the reboot reason and couldn't find any templates. So I have created this template which will list out the windows reboot event logs and alert with event log messages whenever a server is rebooted. Please make sure to import & enable the alert attached.
After deploying these templates My NOC team has saved lots of time manually logging in each rebooted server and finding the reason for reboot. In a day at least they get 30-50 server reboot alerts.
- Import the Windows Reboot Events.apm-template and Node+Reboot+Informational+Alert.xml
- Deploy the Windows Reboot Events.apm-template on windows server
- Modify the alert recipients,SMTP Server, etc.. as required in. Node+Reboot+Informational+Alert.xml
Kindly provide feedback/comments to back this template better or share your ideas.
Below will be the alert message.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Team,
Server TESTSERVER has rebooted
Alert Message:
Server TESTSERVER has rebooted
Windows Event Log Information:--- Event 1 of 2:
Log Name: System
Source: USER32
Logged: 09/29/2016 08:27:23
Event ID: 1074
Level: Information
User: Domain\testuser
Computer: SERVERFQDN.local
The process C:\Windows\system32\winlogon.exe (NOCOMI) has initiated the restart of computer TESTSERVER on behalf of user Domain\testuser for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: restart
Comment:
--- Event 2 of 2:
Log Name: System
Source: USER32
Logged: 09/29/2016 08:27:22
Event ID: 1074
Level: Information
User:LAB.TEST
Computer: SERVERFQDN.local
The process Explorer.EXE has initiated the restart of computer TESTSERVER on behalf of user Domain\testuser for the following reason: Other (Planned)
Reason Code: 0x85000000
Shutdown Type: restart
Comment: Solarwinds Reboot Alert Tesing-Amarnath Rajendran