SCOM Alert Rule to Detect Server Reboot / Shutdown

Hi,

I'm trying to set a rule to send a message when a server is rebooted or turned off. I followed the steps on this page: http://dynamicdatacenter.wordpress.com/2012/10/09/quick-win-scom-alert-rule-to-detect-server-reboot-shutdown/, but I'm still unable to see the alerts when a server is rebooted. The rule is enabled by default and I'm using Event ID 1074 to create the alert.

I would appreciate any suggestion to get this working.

Thanks

January 2nd, 2013 6:47pm

Hi Graham,

Thanks for your reply. I think using event ID 1074 works very well for what I want, which is to create an alert when a server admin reboots or turns off a server.

So the alert will tell us who did it and the reason or comment for that.

Event IDs 6008 and 6009 are for unexpected events and that doesn't work for the kind of alert that I want.

Regards.

January 2nd, 2013 8:41pm

Hi

Check you have specified the correct log - the 600x events are in the system log.

If you have applied the filters from the blog article then I would remove 2 of them and just start by looking for event 1074. Make sure that works. And then add on the filters one by one.

Also check that you have targeted Windows Computer.

Cheers

Graham

January 2nd, 2013 8:50pm

Thanks, I'll try your suggestion. Also, when I look at the events view of the server under Monitoring --> Windows Computers --> servername --> right click --> Open --> Event View, I don't see the events 1074, 6008, 6009. I wonder if this could also be a reason for the alert not working.

January 2nd, 2013 9:08pm

Yep - that would be the first thing.

You do have events 6005 and 6006 - are you shutting the server down and starting it again? Or restarting? They might well log different event IDs:

http://support.microsoft.com/kb/196452

January 2nd, 2013 10:00pm

I'm doing a restart. In the Event Viewer on the server that I'm using to test the alert I can see event ID 1074 coming first (see my screenshot in my first reply), then I see event 6006, then 6009 and 6005, but the SCOM console is not showing all the event IDs. I wonder if this is the cause of why we are not getting the alerts.

 

January 2nd, 2013 10:13pm

About monitoring server reboot or shutdown, please refer to the following threads:

Is there a monitor that detects a Reboot? 

http://social.technet.microsoft.com/Forums/en-us/operationsmanagergeneral/thread/8087a713-a294-4b8d-bb7b-bd68d11a91da

PC shutdown/restart notification 

http://social.technet.microsoft.com/Forums/en/operationsmanagergeneral/thread/ff8ce5e9-a534-4224-b9e6-57a757b1e37a

Thanks.
January 3rd, 2013 4:44am

Hi Carlos

SCOM doesn't collect all events by default, so don't look in SCOM for the events. Look in the event log on the actual server itself. This does not affect the alerting. SCOM event collection and SCOM alerts are 2 separate types of rules and are not related at all.

Can you put up screenshots of your rule?

1) Make sure you get the event on the target server by running eventvwr.exe and connecting to the remote server and checking the log.

2) Make sure that the management pack that contains the monitoring is running on the target server (health service state\Management Packs folder within Program files \ Microsoft System Center)

3) Double check that when you are creating your rule you are creating an NT Alerting rule based upon the system event log.

Cheers

Graham

January 3rd, 2013 8:05am

Hi Graham,

Thanks for the clarification, here are the screenshots:

  • Edited by Carlos GC Thursday, January 03, 2013 1:18 PM add screenshots
January 3rd, 2013 1:15pm

January 3rd, 2013 1:18pm

What is on the Configuration, Data Source Tabs? You should have a logname and expression tab there.

Also on the responses, make sure that you have selected to generate an alert.

Cheers

Graham

January 3rd, 2013 1:19pm

On the expression tab, can you remove the Parameter1 and Event Source entries?

Let's just try to alert on event id 1074 to see if that works and then look to add other parameters ..

Can you also check that the server you are rebooting:

- has a SCOM agent installed

- is generating event 1074 in the system log

- has the Windows Server - overrides management pack downloaded to its local Management Packs folder (Program files\System Center Operations Manager\Agent\Health Service State\Management Packs)

-- if you have multiple copies of the management pack in the folder then delete them all from there and restart the System Center Management Service (the SCOM agent) so it will just download the latest copy.

Cheers

Graham

January 3rd, 2013 1:25pm

I checked as you suggested and the agent is installed, the server is generating event 1074 in the system log, and the Windows Server - overrides MP is downloaded on the server; there was also just one copy of it.

Testing with just event ID 1074 I got 2 very similar alerts because the server creates two 1074 events. Now I'll try adding the other parameters.

January 3rd, 2013 1:52pm

Ideally just add one and then test again ... chances are one of them will cause the alert to stop occurring.

Cheers

Graham

January 3rd, 2013 1:54pm

Graham,

My mistake was using "explorer.exe" instead of "Explorer.EXE" for Parameter 1.

Thank you very much for your time and patience to help me with this!!

January 3rd, 2013 2:36pm
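
Added example (not part of the original thread): a PowerShell check that reads event 1074 from the System log of the server under test and prints Parameter 1 exactly as it was logged, so the value typed into the rule's expression can be compared with it including case. The `$Candidate` value and the output column names are assumptions made for this illustration; the parameter positions follow the standard 1074 message layout (1 = process, 3 = reason, 5 = shutdown type, 6 = comment, 7 = user).

```powershell
# Added example: show event 1074 parameters as logged and compare
# Parameter 1 with the value intended for the SCOM rule expression.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # server being rebooted in the test
    [string]$Candidate    = 'explorer.exe'       # value typed into the rule (assumption)
)

# Read the most recent 1074 events from the System log of the target server.
$events = Get-WinEvent -ComputerName $ComputerName -MaxEvents 20 -FilterHashtable @{
    LogName = 'System'
    Id      = 1074
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No event 1074 found in the System log on $ComputerName."
    return
}

$events | ForEach-Object {
    $p = $_.Properties
    # Skip records that do not carry the expected seven parameters.
    if ($p.Count -lt 7) { return }

    $process = [string]$p[0].Value
    [pscustomobject]@{
        TimeCreated      = $_.TimeCreated
        EventSource      = $_.ProviderName
        Param1_Process   = $process
        Param5_Type      = $p[4].Value
        Param7_User      = $p[6].Value
        Param3_Reason    = $p[2].Value
        Param6_Comment   = $p[5].Value
        # -ceq is case-sensitive, -ieq is case-insensitive.
        ExactMatch       = $process -ceq $Candidate
        CaseOnlyMismatch = ($process -ieq $Candidate) -and -not ($process -ceq $Candidate)
    }
} | Format-List
```

A row with `CaseOnlyMismatch : True` is the situation described in the post above: the event is logged, but the filter value differs from Parameter 1 only in case.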

Graham

Can you tell me how I can add the PC name / workstation name to the alert description, showing from which workstation / PC the system was rebooted or shut down? It is very urgent for me.

Regards,

Tauseef

January 10th, 2013 11:25am

Hi, in the Alert Description click the button on the right... then you can, for example, choose Data -> LoggingComputer

$Data/LoggingComputer$

January 10th, 2013 12:51pm

Is it possible to pass the server name into the "Alert name" field so it appears in an SMS message?
June 23rd, 2015 7:14pm

This topic is archived. No further replies will be accepted.
