Use Microsoft Operations Management Suite Search to track shutdown events
Summary: Learn how to find and parse server shutdown events by using Microsoft Operations Management Suite.
Good morning everyone. Ed Wilson here. It is gorgeous outside this morning here in central Florida. It is a crisp 60 degrees, and the grass is damp with the morning dew. The air hangs heavy with humidity, and there are organic smells from fallen leaves and the hundreds of palm trees and other plants in the yard. The squirrels have awakened, and they are dashing about on the grass, leaving somewhat random tracks in the moisture on the ground.
Speaking of random tracks…
Today I want to examine the shutdown events of my servers. I will use the way cool MS OMS Search capability to peruse event logs from my servers.
Note This post is part of a seven part series about using MS OMS Search. The series includes:
- Easy Microsoft Operations Management Suite Search queries
- Accessing different data types in Microsoft OMS Search
- Filter data returned by Microsoft Operations Management Search
- Filter more data with Microsoft Operations Management Suite Search
- Query event log data with Operations Management Suite Search
- Use Microsoft Operations Management Suite search to track shutdown events
- Using Microsoft Operations Management Suite Search Strings
Search for shutdown events
If I search for shutdown, a full text search across fields such as Description and Name returns. (I talk about this in Easy Microsoft Operations Management Suite Search queries.) This query returns over a thousand events, but it is more than I want for my purposes:
Track by event source
I happen to remember that the Shutdown Event Tracker feature, which was introduced in Windows XP and Windows Server 2003, generates events from a source of User32, and it writes to the System event log. So I decide to add an event type of filter for the System EventLog and with a source of User32. Here is my revised search query:
shutdown Type=Event EventLog=System Source=User32
Here is the query and the output from the search:
I see that I have 120 search results. I can scroll through them, or I can look at the left pane, which provides a quick view into the data. I scroll down a bit, and see that I have two event levels: 118 information events and 2 warnings.
Obviously, I am more interested in the warning messages, but I do not know anything about them. So I decide to group by EventLevelName:
shutdown Type=Event EventLog=System Source=User32 | measure count() by EventLevelName
The search string and the returned data are shown here:
If I click Warning in my search results, it changes the query to the following:
shutdown Type=Event EventLog=System Source=User32 EventLevelName=warning
When I open the first record, I see that it was the RANDS\Administrator that performed an unplanned shutdown:
That is all I have for you today. Join me tomorrow when I’ll talk about more cool OMS stuff.
I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at firstname.lastname@example.org. I wish you a wonderful day, and I’ll see you tomorrow.
Microsoft Operations Management Team