9 Replies Latest reply on Feb 2, 2017 10:30 AM by dodo123

    Sam reboot alert on windows servers that includes information from the event log

    jacob.johnson

      The default node rebooted alert uses the Last Boot has changed event to trigger the alert; this works and is reliable. However, I want more information, so I created a component that checks for event ID 1074 and then set up an alert on that. The issue is that the event log entry is generated twice for every reboot, so I get the alert twice. Also, it seems some versions of Windows do not use event ID 1074.

       

      So what I would like to do is something similar to the alert that brings in the top ten processes when the CPU is high: keep the last boot has changed alert and just add a process to it that would pull out event log 1074, if available, and include that information in the node reboot alert.

       

      Let me know if you have any suggestions on a way to do this.

        • Re: Sam reboot alert on windows servers that includes information from the event log
          aLTeReGo

          It's not easily possible to relate a Windows Event Log Monitor to a node in such a way that would make this generic enough to be applicable to any node. You could have a whole host of Windows Event Log Monitors associated with a Node, so it would be impossible to know which to associate with the node down alert. This could be done manually via SWQL, but it would need to be manually defined for each node you wanted to alert upon. Needless to say that doesn't scale very well.

           

          What I would recommend instead is using the EventID instead of SNMP to trigger the node reboot alert. By looking for a specific ID or IDs to trigger the alert upon you can then easily include the full message details of the Windows Event Log Message into the body of the Alert Action email notification.

            • Re: Sam reboot alert on windows servers that includes information from the event log
              jacob.johnson

              Like I said in the original post, this is what I am doing now. I set up a component to look for ID 1074, and when 1074 is triggered, an e-mail will be sent containing the data in the event log entry. This works; the issue is that every reboot includes at least two instances of 1074, so it creates multiple entries, and as you stated, this particular event log may not be available on every server. So I could set up the last boot has changed as a separate alert, and now I would get between one and three alerts every time a node rebooted.

               

              So I would simply like to set up a node reboot alert: if the last boot data has changed, wait a few seconds, then attempt to collect the event log information, either from a component or from the actual event log for the specific ID. If that information is found, include it in the e-mail; if it is not found, send an e-mail anyway. It cannot be that hard to get information that is already in the system.

               

              For instance:

              Set up a component to look for 1074; if found, collect the information.

              Set up an alert if last boot has changed; if it has changed, send an e-mail and include any information from component 1074 that is not older than 5 minutes.

            • Re: Sam reboot alert on windows servers that includes information from the event log
              muckman

              I too am also trying to pull Event 1074 info into our reboot node alerts so my team knows who is rebooting the server. I do not want to apply an application monitor to every Windows server in our network to simply gather a single value. Plus it doesn't work that well anyways for the same reasons you listed above. Is there any way to add a script as a variable to the alert message? Or perhaps build a new variable?

                • Re: Sam reboot alert on windows servers that includes information from the event log
                  aLTeReGo

                  You could write a script that queries this information and includes it in the "Notes" field of the alert using the Orion SDK. You would then want to delay the sending of the alert notification by a minute or two using alert escalation so the script has an opportunity to fully run and populate the notes field of the alert before sending the email notification. The "Notes" field is of course a variable which can be included as part of the alert message.

                    • Re: Sam reboot alert on windows servers that includes information from the event log
                      muckman

                      I gave up on trying to combine external scripting with native functionality and went with a single PowerShell script that does everything.

                        • Re: Sam reboot alert on windows servers that includes information from the event log
                          stephen.black

                          Could you share the PowerShell script that worked for you? I too am trying to accomplish a similar task here and would appreciate any info you can share.

                           

                          Thanks in advance

                            • Re: Sam reboot alert on windows servers that includes information from the event log
                              muckman

                              Below is the PowerShell script I run from the Node Reboot Alert Trigger Action. It works well for Windows servers but doesn't work at all for non-Windows systems.

                               


                              Add-PSSnapin SwisSnapin
                              # Connect to Orion; replace the <...> placeholders with your own values.
                              $swis = Connect-Swis -host "<OrionServer>" -username 'Admin' -password '<Password>'

                              # Collect information from AlertStatus
                              $ActiveObject = Get-SwisData $swis "SELECT ActiveObject FROM Orion.AlertStatus WHERE AlertDefID = '<Node Reboot Alert ID #>'"
                              $Node = Get-SwisData $swis "SELECT ObjectName FROM Orion.AlertStatus WHERE AlertDefID = '<Node Reboot Alert ID #>'"
                              $Time = Get-SwisData $swis "SELECT TriggerTimeStamp FROM Orion.AlertStatus WHERE AlertDefID = '<Node Reboot Alert ID #>'"
                              $Description = Get-SwisData $swis "SELECT Description FROM Orion.Nodes WHERE NodeID = '$ActiveObject'"
                              $IP = Get-SwisData $swis "SELECT IPAddress FROM Orion.Nodes WHERE NodeID = '$ActiveObject'"

                              # Collect Custom Properties of Node
                              $Environment = Get-SwisData $swis "SELECT NodeEnvironment FROM Orion.NodesCustomProperties WHERE NodeID = '$ActiveObject'"
                              $Location = Get-SwisData $swis "SELECT DeviceLocation FROM Orion.NodesCustomProperties WHERE NodeID = '$ActiveObject'"

                              # Get Event Log Info. Looks for Event ID 1074 in the past 5 minutes.
                              # -ErrorAction SilentlyContinue keeps "no events found" from raising an error,
                              # so the else branch below handles that case.
                              $EventInfo = Get-WinEvent -ComputerName $Node -FilterHashtable @{logname='System'; id=1074; StartTime=(Get-Date).AddMinutes(-5)} -MaxEvents 1 -ErrorAction SilentlyContinue

                              if ($EventInfo) {
                                  $EventInfo | ForEach-Object {
                                      $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
                                      $rv.Date = $_.TimeCreated
                                      $rv.User = $_.Properties[6].Value
                                      $rv.Process = $_.Properties[0].Value
                                      $rv.Action = $_.Properties[4].Value
                                      $rv.Reason = $_.Properties[2].Value
                                      $rv.ReasonCode = $_.Properties[3].Value
                                      $rv.Comment = $_.Properties[5].Value
                                      $rv
                                  }
                              }
                              else {
                                  # If it can't find a 1074 event in the past 5 minutes it will return an "Unknown" for the variable.
                                  $rv = New-Object PSObject | Select-Object Date, User, Action, Process, Reason, ReasonCode, Comment
                                  $rv.Date = $Time
                                  $rv.User = "Unknown"
                                  $rv.Process = "Unknown"
                                  $rv.Action = "Unknown"
                                  $rv.Reason = "Unknown"
                                  $rv.ReasonCode = "Unknown"
                                  $rv.Comment = "Unknown"
                                  $rv
                              }

                              # SMTP EMAIL SETTINGS
                              $From = ""
                              $To = ""
                              #$Cc = ""
                              $Subject = $Node + " has Rebooted"
                              # My Email body contains custom properties that will differ from your system.
                              $Body = "$Node has rebooted at $($rv.Date) by $($rv.User) `r`n`r`nOS: $Description `r`nIP Address: $IP `r`nEnvironment: $Environment `r`nLocation: $Location"
                              $SMTPServer = ""
                              $SMTPPort = "25"

                              # Send Email
                              Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort
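
The lookup this thread asks for (1074 entries from the last five minutes, the repeated entries per reboot collapsed, a placeholder record when none exist), as an added example that is not part of muckman's post or of the Orion SDK. The function names and the sample events are constructed for illustration; on a live node the `-Events` input would come from a `Get-WinEvent` call like the one in the script above.

```powershell
# Added example; function names are hypothetical and the sample events are constructed.
function ConvertTo-RebootRecord($Entry) {
    # Event 1074 insertion strings, same indexes as the script above:
    # 0=process, 2=reason, 3=reason code, 4=action, 5=comment, 6=user
    $p = $Entry.Properties
    [pscustomobject]@{
        Date = $Entry.TimeCreated; User = $p[6].Value; Process = $p[0].Value
        Action = $p[4].Value; Reason = $p[2].Value
        ReasonCode = $p[3].Value; Comment = $p[5].Value
    }
}

function Get-RebootSummary {
    param([object[]]$Events, [datetime]$AlertTime, [int]$WindowMinutes = 5)
    $cutoff = $AlertTime.AddMinutes(-$WindowMinutes)
    $recent = @($Events |
        Where-Object { $_.TimeCreated -ge $cutoff -and $_.TimeCreated -le $AlertTime } |
        ForEach-Object { ConvertTo-RebootRecord $_ })
    if ($recent.Count -eq 0) {
        # No 1074 entry in the window: still return one record so a mail is sent.
        return [pscustomobject]@{
            Date = $AlertTime; User = 'Unknown'; Process = 'Unknown'; Action = 'Unknown'
            Reason = 'Unknown'; ReasonCode = 'Unknown'; Comment = 'Unknown'
        }
    }
    # Repeated 1074 entries for one reboot share user, process and action:
    # keep only the earliest entry of each such group.
    $recent | Group-Object User, Process, Action | ForEach-Object {
        $_.Group | Sort-Object Date | Select-Object -First 1
    }
}

# Constructed events shaped like Get-WinEvent output (TimeCreated, Properties[n].Value).
function New-SampleEvent([datetime]$Time, [string]$User, [string]$Process) {
    $values = $Process, 'SRV01', 'Other (Planned)', '0x80000000', 'restart', '', $User
    [pscustomobject]@{
        TimeCreated = $Time
        Properties  = @($values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$alert  = [datetime]'2017-01-30 10:02:00'
$sample = @(
    (New-SampleEvent '2017-01-30 10:00:05' 'CONTOSO\jdoe' 'shutdown.exe'),
    (New-SampleEvent '2017-01-30 10:00:06' 'CONTOSO\jdoe' 'shutdown.exe'),  # repeated entry
    (New-SampleEvent '2017-01-29 23:00:00' 'CONTOSO\old'  'shutdown.exe')   # outside the window
)
Get-RebootSummary -Events $sample -AlertTime $alert | Format-List
Get-RebootSummary -Events @() -AlertTime $alert | Format-List
```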

                      • Re: Sam reboot alert on windows servers that includes information from the event log
                        dodo123

                        Hi,

                         

                        I'm struggling with this. Can someone break down which parts of this PowerShell I need to change for my environment, as the PowerShell is breaking my server?

                         

                        Thanks