Missing Event Detection monitor

  • Question

  • Hi,

    Using the Windows Event reset monitor (I am assuming that is the correct one) I want to see if a server has been restarted at least every 40 days. (i.e. if it is over 40 days since System Event 6005 has occurred, then pls alert).

    All looks good until I get to the part where I wish to put in 40 days. Comes back saying the max input is 28 days.

    Is there another way to do what I want, or a way to get around the 40 day limit?

    Thx,

    John Bradshaw


    Sunday, September 19, 2010 11:38 PM

Answers

  • John, here is a script that you'd set up as a timed script RULE, and it returns uptime in hours and writes it to the Application Log under event id 2, source WSH, event level Warning.  You could change what is written to the event log to something static like, "System Uptime is over 40 days", and then have an event rule look for that text in the description.

    strComputer = "."   ' local computer

    Set objShell = CreateObject("wscript.shell")
    Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery _
     ("Select * from Win32_OperatingSystem")

    ' Uptime in hours since the last boot
    For Each objOS in colOperatingSystems
     dtmBootup = objOS.LastBootUpTime
     dtmLastBootupTime = WMIDateStringToDate(dtmBootup)
     dtmSystemUptime = DateDiff("h", dtmLastBootUpTime, Now)
     'Wscript.Echo dtmSystemUptime
    Next

    ' Convert a WMI timestamp (yyyymmddHHMMSS...) to a VBScript date.
    ' DateSerial/TimeSerial are used so the result does not depend on
    ' the regional date format (CDate on "mm/dd/yyyy" text does).
    Function WMIDateStringToDate(dtmBootup)
     WMIDateStringToDate = DateSerial(Left(dtmBootup, 4), _
      Mid(dtmBootup, 5, 2), Mid(dtmBootup, 7, 2)) + _
       TimeSerial(Mid(dtmBootup, 9, 2), _
        Mid(dtmBootup, 11, 2), Mid(dtmBootup, 13, 2))
    End Function

    ' 960 hours = 40 days; LogEvent type 2 writes a Warning
    If dtmSystemUptime > 960 Then
     objShell.LogEvent 2, "System Uptime is " & dtmSystemUptime & " hours."
    End If
    
    I'm not great with VBScript, but I quickly tested this and it seemed to work. ;-)  Or you could rewrite it a bit to make it a monitor.
    Layne
    • Edited by LayneR Thursday, September 30, 2010 11:08 PM added info about monitor
    • Marked as answer by bradje Friday, October 1, 2010 1:12 AM
    Thursday, September 30, 2010 11:07 PM
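
The "make it a monitor" variant mentioned at the end of the answer, as an added example that is not code from the thread: instead of writing an event, the script returns a property bag through the Operations Manager script API so a two-state monitor can evaluate it. The property names Status and UptimeDays are hypothetical and must match whatever the monitor's health expressions test.

```vbscript
' Added example (not from the thread): uptime data source for a script monitor.
Option Explicit

Const THRESHOLD_DAYS = 40   ' limit from the original question

Dim objAPI, objBag, objWMI, objOS, objBoot, dblUptimeDays, blnFound

Set objAPI  = CreateObject("MOM.ScriptAPI")   ' Operations Manager script API
Set objBag  = objAPI.CreatePropertyBag()
Set objBoot = CreateObject("WbemScripting.SWbemDateTime")
Set objWMI  = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

blnFound = False
For Each objOS In objWMI.ExecQuery("Select LastBootUpTime From Win32_OperatingSystem")
    ' SWbemDateTime parses the WMI timestamp independently of the regional date format
    objBoot.Value = objOS.LastBootUpTime
    ' Minutes since boot (local time on both sides), converted to fractional days
    dblUptimeDays = DateDiff("n", objBoot.GetVarDate(True), Now) / 1440
    blnFound = True
Next

If Not blnFound Then
    ' No WMI result: report it explicitly so the server does not look healthy by default
    objBag.AddValue "Status", "Unknown"          ' hypothetical property name/value
ElseIf dblUptimeDays > THRESHOLD_DAYS Then
    objBag.AddValue "Status", "OverThreshold"
    objBag.AddValue "UptimeDays", Int(dblUptimeDays)
Else
    objBag.AddValue "Status", "OK"
    objBag.AddValue "UptimeDays", Int(dblUptimeDays)
End If

' Hand the property bag back to the monitoring workflow
Call objAPI.Return(objBag)
```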

All replies

  • Why don't you look at the uptime reports, or just pick up this event and create your own custom (monthly) report?


    Rob Korving
    http://jama00.wordpress.com/
    • Proposed as answer by Nicholas Li Monday, September 27, 2010 2:49 AM
    Monday, September 20, 2010 3:32 PM
  • Hi Rob,

    I cannot make head nor tail of the availability reports. They certainly do not only reflect when a server is offline or when it has rebooted. What they show I am not exactly sure.

    How would u create a custom report that looks at the number of times an Event has occurred and when it occurred?

    Thx,

    John Bradshaw


    Monday, September 20, 2010 8:24 PM
  • Hey John 

    The availability report shows the length of time a server is in a warning or critical state.

    In terms of how to report on a specific event you should have a look at Kevin's useful SQL queries.

    http://blogs.technet.com/b/kevinholman/archive/2007/10/18/useful-operations-manager-2007-sql-queries.aspx

     

    and then how to create custom reports 

    http://technet.microsoft.com/en-us/library/cc179609.aspx

     


    Paul Keely
    Thursday, September 30, 2010 6:56 AM
  • Thx Paul,

    The queries were great for other problems I was having!

    Just wondering how you could use some to achieve the original goal of seeing if an Event has occurred in at least a 40 day interval?

    Thx,

    John Bradshaw


    Thursday, September 30, 2010 8:49 AM
  • Hi.  Perhaps you could run a timed script that queries win32_operatingsystem and evaluates if LastBootUpTime is > 40?
    Layne
    Thursday, September 30, 2010 3:04 PM
  • Thx Layne.....I found some scripts, and I could use Task Scheduler to run the scripts. How could I modify the 1st script to, say, create an Event 100, if the return is >40 (or I guess 40x24 = 960 hours) ?

     

    strComputer = "." ' Local computer

    Set objWMIDateTime = CreateObject("WbemScripting.SWbemDateTime")
    Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colOS = objWMI.InstancesOf("Win32_OperatingSystem")
    For Each objOS In colOS
     objWMIDateTime.Value = objOS.LastBootUpTime
     Wscript.Echo "Last Boot Up Time: " & objWMIDateTime.GetVarDate & vbCrLf & _
      "System Up Time: " & TimeSpan(objWMIDateTime.GetVarDate, Now) & _
      " (hh:mm:ss)"
    Next

    Function TimeSpan(dt1, dt2)
     ' Function to display the difference between
     ' 2 dates in hh:mm:ss format
     If (IsDate(dt1) And IsDate(dt2)) = False Then
      TimeSpan = "00:00:00"
      Exit Function
     End If

     seconds = Abs(DateDiff("S", dt1, dt2))
     minutes = seconds \ 60
     hours = minutes \ 60
     minutes = minutes Mod 60
     seconds = seconds Mod 60

     If Len(hours) = 1 Then hours = "0" & hours

     TimeSpan = hours & ":" & _
      Right("00" & minutes, 2) & ":" & _
      Right("00" & seconds, 2)
    End Function

     

    ========================================================

     

    SET WshShell = WScript.CREATEOBJECT("WScript.Shell")
    
    strCommand = "eventcreate /T Error /ID 100 /L Scripts /D " & _
      CHR(34) & "Test event." & CHR(34)
    WshShell.Run strcommand

    Cheers,

    JB


    • Edited by bradje Thursday, September 30, 2010 11:11 PM
    Thursday, September 30, 2010 10:47 PM
  • Looking good...Thx Layne...Shall give it a try now.

     

    JB


    Thursday, September 30, 2010 11:13 PM
  • Yep works great. Just changed the 1st line to:

    strComputer = "."

    Thx Layne

    Cheers,

    JB


    Friday, October 1, 2010 1:12 AM
  • FWIW, a colleague (who I did not know wrote VB code) also came up with the following:

    -----------------------------------------------------------------------------------------------------

    ' Looks at local computer
    strComputer = "."

    Set objShell = CreateObject("wscript.shell")

    ' Interrogate WMI for system uptime
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery _
     ("Select * From Win32_PerfFormattedData_PerfOS_System")

    For Each objOS in colOperatingSystems
     ' Converts uptime from seconds to whole days
     intSystemUptime = Int(objOS.SystemUpTime / 60 / 60 / 24)
     Wscript.Echo intSystemUptime & " days"
    Next

    ' Checks if it is above 40 days
    If intSystemUptime >= 40 Then
     Wscript.Echo "The system has been up for longer than 40 days - Please ensure it is receiving its WSUS updates"
     ' LogEvent type 2 writes a Warning; the value is in days, not hours
     objShell.LogEvent 2, "System Uptime is " & intSystemUptime & " days."
    Else
     Wscript.Echo "The system has been rebooted within expected thresholds"
    End If

    Thursday, November 4, 2010 8:49 PM