When monitoring Windows Servers you have one monitoring tool that every System Administrator should master. This is of course is Windows Event Viewer. From personal experience this tool has been useful for monitoring outages when you are not hosting the hardware on site. In this article I shall share the particular steps I use in doing this.
Boot up Event Viewer by hitting start and simply searching for it (I have this app pinned to Start for easy access).
Navigate to the following directory to find the System events you want to be filtering through:
Event Viewer (Local) > Windows Logs > System
Once within here, under “Actions” on the right hand pane hit “Filter Current Log…”. For this exercise we simply want to view all the useful logs that may show more information on system restarts and shutdowns. To narrow down this filter, we add the Event IDs we want to look at in the Event ID field. The particular Event IDs we want to be looking for are as follows:
Event ID: 41
The kernel power event ID 41 error occurs when the computer is shut down, or it restarts unexpectedly. Useful for identifying if a machine has uncleanly rebooted/shut down.
Event ID: 1074
Indicates that an application or a user initiated a restart or shutdown. Useful for identifying a rogue service causing these events.
Event ID: 1076
A really useful one as this one records your notes when the system has restored after an unexpected restart/shutdown. Usually I put in a resolution not here to record what I identified the cause to be.
Event ID: 6008
Records that the system started after it was not shut down properly. May identify other things that may have been missed.
With these selected, the setup should be as follows (nothing else needs amending):
Using this filter will show you all the events that were captured during unscheduled restarts and shutdowns. For me this is extremely useful as when this happens it’s vital in knowing what caused it.
To import this filter into your own Event Viewer you can download this already preset here: