Use Microsoft Operations Management Suite Search to track shutdown events

Summary: Learn how to find and parse server shutdown events by using Microsoft Operations Management Suite.

Good morning everyone. Ed Wilson here. It is gorgeous outside this morning here in central Florida. It is a crisp 60 degrees, and the grass is damp with the morning dew. The air hangs heavy with humidity, and there are organic smells from fallen leaves and the hundreds of palm trees and other plants in the yard. The squirrels have awakened, and they are dashing about on the grass, leaving somewhat random tracks in the moisture on the ground.

Speaking of random tracks…

Today I want to examine the shutdown events of my servers. I will use the way cool MS OMS Search capability to peruse event logs from my servers.

Note This post is part of a seven part series about using MS OMS Search. The series includes:

Search for shutdown events

If I search for shutdown, a full text search across fields such as Description and Name returns. (I talk about this in Easy Microsoft Operations Management Suite Search queries.) This query returns over a thousand events, but it is more than I want for my purposes:

Image of menu

Track by event source

I happen to remember that the Shutdown Event Tracker feature, which was introduced in Windows XP and Windows Server 2003, generates events from a source of User32, and it writes to the System event log. So I decide to add an event type of filter for the System EventLog and with a source of User32. Here is my revised search query:

shutdown Type=Event EventLog=System Source=User32

Here is the query and the output from the search:

Image of menu

I see that I have 120 search results. I can scroll through them, or I can look at the left pane, which provides a quick view into the data. I scroll down a bit, and see that I have two event levels: 118 information events and 2 warnings.

Obviously, I am more interested in the warning messages, but I do not know anything about them. So I decide to group by EventLevelName:

shutdown Type=Event EventLog=System Source=User32 | measure count() by EventLevelName

The search string and the returned data are shown here:

Image of menu

If I click Warning in my search results, it changes the query to the following:

shutdown Type=Event EventLog=System Source=User32 EventLevelName=warning

When I open the first record, I see that it was the RANDS\Administrator that performed an unplanned shutdown:

Image of menu

That is all I have for you today. Join me tomorrow when I’ll talk about more cool OMS stuff.

I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.

Ed Wilson
Microsoft Operations Management Team