Quick Win: SCOM Alert Rule to Detect Server Reboot / Shutdown

This is a Quick Win. It only takes a few minutes to create and it gives you an interesting result.

If you have a lot of servers, it’s hard to keep track of who is rebooting which server. With this SCOM rule, you will get a message in Operations Manager telling you who initiated the reboot/shutdown and for what reason. The only thing you have to do is make people aware that they should put a meaningful comment in the shutdown/restart comment field.
This can also be used to detect unexpected reboots, or you could start reporting on all reboots on a periodic basis.


  • System Center Operations Manager
  • The event ID for shutdown / restart (1074 for Win 2008 servers)
  • A log parser (I did this one for you; if you want more info, read it here)

Let’s start

Open your Operations Manager console and go to the Authoring pane. Start by making a new “NT Event Log” rule.

Name it and target it to “Windows Computers”.

The reboot event appears in the “System” log.

The next step is to create some sort of filtering. You can figure out which event parameters to filter on by using a log parser.
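One way to do this parameter discovery with PowerShell instead of a log parser (an added example, not from the original post; the function names are hypothetical, and the parameter order used in `Get-ShutdownSummary` is assumed to be that of the stock 1074 message, so confirm it against the listing from your own servers):

```powershell
# Added example. Function names are hypothetical; run on a server or pass -ComputerName.
function Get-ShutdownEventParameter {
    # Lists every positional parameter of recent 1074 events with the
    # matching SCOM alert-description token, so you can see what to filter on.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5)
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
            -FilterHashtable @{ LogName = 'System'; Id = 1074 } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches or the log is unreachable
        Write-Warning "No 1074 events read from ${ComputerName}: $($_.Exception.Message)"
        return
    }
    foreach ($evt in $events) {
        for ($i = 0; $i -lt $evt.Properties.Count; $i++) {
            [pscustomobject]@{
                RecordId    = $evt.RecordId
                TimeCreated = $evt.TimeCreated
                Parameter   = $i + 1
                ScomToken   = '$Data/Params/Param[{0}]$' -f ($i + 1)
                Value       = [string]$evt.Properties[$i].Value
            }
        }
    }
}

function Get-ShutdownSummary {
    # Assumption: parameter order of the stock 1074 message
    # (1 process, 3 reason, 5 shutdown type, 6 comment, 7 user).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 20)
    Get-ShutdownEventParameter -ComputerName $ComputerName -MaxEvents $MaxEvents |
        Group-Object RecordId | ForEach-Object {
            $p = @{}
            $_.Group | ForEach-Object { $p[$_.Parameter] = $_.Value }
            [pscustomobject]@{
                Time      = $_.Group[0].TimeCreated
                User      = $p[7]
                Process   = $p[1]
                Type      = $p[5]
                Reason    = $p[3]
                Comment   = $p[6]
                NoComment = [string]::IsNullOrWhiteSpace($p[6])
            }
        }
}

Get-ShutdownEventParameter | Format-Table -AutoSize
Get-ShutdownSummary | Where-Object NoComment | Format-Table Time, User, Type, Reason
```

The first table shows which parameter number holds which value; the second lists shutdowns where the comment field was left empty.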


To have a nice output in your alert, you can use this example.

Now if someone restarts a server and correctly fills in the comment field, you’ll get an output like this


9 Responses to Quick Win: SCOM Alert Rule to Detect Server Reboot / Shutdown

  1. I love it! Excellent posting. Thank you for documenting this!

  2. Pattie says:

    Outstanding post, I believe people should learn a lot from this website; it's really user pleasant. So much great info on here :D.

  3. Ravi says:

    When selecting the Management Pack, are you creating a new pack, or using a stock management pack? What is the best practice to go about selecting the pack?

  4. […] Original link page: https://dynamicdatacenter.wordpress.com/2012/10/09/quick-win-scom-alert-rule-to-detect-server-reboot-… […]

  5. rtate says:

    I have this working but I was wondering if there is a way to get the resolution state to change to “Closed”. Right now I have to close the alert manually and I would like that to happen when the server comes back up.

    • Samuel Dubrul says:

      Hi, this is a basic principle in Operations Manager. Rules are used to generate alerts or collect data. A rule does not affect the health state of an object (green/red); as such, a rule will not auto-close. What you could do is create a small PowerShell script that will close your alerts automatically.

  6. Jose@SPC says:

    Set up a Monitor instead of a Rule.

    Windows Events > Simple Event Detection > Windows Event Reset.
    Follow what he did except this time another event from the log can be used to Close/Make Healthy.

  7. Pradeep P says:

    Please let me know how to pull a report from SCOM to know when a server/system is rebooted.
