This is a Quick Win. It only takes a few minutes to create and it gives you an interesting result.
If you have a lot of servers, it’s hard to keep track of who is rebooting which server. With this SCOM rule, you will get a message in Operations Manager telling you who initiated the reboot/shutdown and for what reason. The only thing you have to do is make people aware that they should put a meaningful comment in the shutdown/restart comment field.
This can also be used to detect unexpected reboots, or you could start reporting on all reboots on a periodic basis.
- System Center Operations Manager
- The event ID for shutdown/restart (1074 for Win 2008 servers)
- A logparser (I did this one for you; if you want more info, read it here)
Open your Operations Manager console and go to the Authoring pane. Start by making a new “NT Event Log” rule.
Name it and target it to the “Windows Computers”.
The reboot event appears in the “System” log.
The next step is to create some sort of filtering. You can figure out the parameter stuff by using a logparser.
To have a nice output in your alert, you can use this example.
Now if someone restarts a server and correctly fills the comment field, you’ll get an output like this
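
To confirm which parameter position of event 1074 holds the user, reason and comment before building the filter and alert text, you can list recent events by position with PowerShell. This is an added example, not part of the original post; the field labels are my own and follow the standard 1074 message template, so check them against events from your own servers.

```powershell
# Added example: list recent shutdown/restart events (ID 1074) from the System
# log and show every event parameter by position (P1 = first parameter).
$names = @(          # labels are illustrative, taken from the 1074 message text
    'Process',       # parameter 1: process that initiated the shutdown
    'Computer',      # parameter 2: computer being shut down
    'Reason',        # parameter 3: reason text
    'ReasonCode',    # parameter 4: reason code
    'ShutdownType',  # parameter 5: restart / power off / shutdown
    'Comment',       # parameter 6: free-text comment field
    'User'           # parameter 7: account that requested it
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 1074 events found in the System log.'
    return
}

$rows = foreach ($e in $events) {
    $row = [ordered]@{ TimeCreated = $e.TimeCreated }
    for ($i = 0; $i -lt $e.Properties.Count; $i++) {
        # Keep unexpected extra positions visible instead of dropping them
        $label = if ($i -lt $names.Count) { $names[$i] } else { 'Unknown' }
        $row["P$($i + 1)_$label"] = [string]$e.Properties[$i].Value
    }
    [pscustomobject]$row
}

# Full view, one block per event, with the position in each property name
$rows | Format-List

# Reboots where nobody filled in the comment field
$rows | Where-Object { -not $_.P6_Comment } |
    Select-Object TimeCreated, P7_User, P5_ShutdownType
```

The second listing shows the reboots that were not documented, which is the gap the comment-field habit is meant to close.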