How can we monitor for EventID 6008 entries?

Article:HOWTO10238  |  Created: 2009-06-04  |  Updated: 2009-06-04  |  Article URL http://www.symantec.com/docs/HOWTO10238
Article Type
How To



Question

Servers are configured to automatically write to the event logs when a situation occurs that forces them to reboot unexpectedly. Such events have an Event ID of 6008.

How can this be monitored?

Answer
Because Monitor Solution only captures live data for NTLog metrics, it is not feasible to use it here: the monitor agent itself will most likely not yet be running when the event is created.

WQL (WMI Query Language) doesn't allow more than one WMI class to be included in a WQL statement, so a Monitor Solution WMI metric or a CustInv WMI scan isn't possible. However, VBS can do this and can also create an NSI file.

The attached VBS file extracts the EventID 6008 entry, which is created after boot up, and places it into an NSI file. The VBS file checks whether the machine is a 32-bit or 64-bit system and then places the NSI into the correct “.\Altiris\eXpress\Inventory\” directory, so that AeXNSInvCollector.exe can create an NSE file and send it to the NS for processing.

In the attached Solution.rar file, you will find the VBS file as well as an NSI file it created on one of your test machines. I have placed this NSI file onto one of my machines and have had the collector do its thing, and can confirm that the Inv_AeX_OS_EventID_6008 data class is created and populated.
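
The following VBScript is an added example, not the attached EventID6008.vbs. It shows how a script can combine several WMI classes, which a single WQL statement cannot, to list the EventID 6008 entries logged since the last boot. It assumes the entries are in the System log, reads the Win32_NTLogEvent properties that match the report columns used later in this article, and prints the result instead of writing an NSI file.

```vbscript
' Added example (not the attached script): list EventID 6008 entries
' written to the System log since the last boot, using three WMI classes.
Option Explicit

Dim wmi, os, cpu, evt, events, bootTime, bits, found

Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Class 1: Win32_OperatingSystem gives the last boot time as a DMTF string.
For Each os In wmi.ExecQuery("SELECT LastBootUpTime FROM Win32_OperatingSystem")
    bootTime = os.LastBootUpTime
Next

' Class 2: Win32_Processor.AddressWidth is 32 or 64, matching the OS bitness.
For Each cpu In wmi.ExecQuery("SELECT AddressWidth FROM Win32_Processor")
    bits = cpu.AddressWidth
Next

' Class 3: Win32_NTLogEvent, filtered to 6008 entries generated after boot.
' Assumption: the entry written at startup has TimeGenerated >= boot time.
Set events = wmi.ExecQuery( _
    "SELECT SourceName, Logfile, Type, Message, TimeGenerated " & _
    "FROM Win32_NTLogEvent " & _
    "WHERE Logfile = 'System' AND EventCode = 6008 " & _
    "AND TimeGenerated >= '" & bootTime & "'")

WScript.Echo "OS: " & bits & "-bit, last boot: " & ToLocal(bootTime)

found = 0
For Each evt In events
    found = found + 1
    ' Message may span lines; flatten it so each event is one tab-separated row.
    WScript.Echo Join(Array(evt.SourceName, evt.Logfile, evt.Type, _
        ToLocal(evt.TimeGenerated), Replace(evt.Message & "", vbCrLf, " ")), vbTab)
Next

If found = 0 Then WScript.Echo "No EventID 6008 entry since last boot."

' A non-zero exit code lets a wrapper or scheduled task detect the condition.
If found > 0 Then WScript.Quit 1

' Convert a WMI DMTF datetime string to a local date/time string.
Function ToLocal(dmtf)
    Dim dt
    Set dt = CreateObject("WbemScripting.SWbemDateTime")
    dt.Value = dmtf
    ToLocal = CStr(dt.GetVarDate(True))
End Function
```

Run it with cscript.exe from an elevated prompt on the server to confirm that an entry exists before checking whether the collector has sent it to the NS.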

Implementation:
1. Place the EventID6008.ini and EventID6008.vbs files into the “.\X86\Inventory Solution\” folder on the NS.
2. Update the Inventory Client Agent packages distribution point.
3. Create a new program for that package so that it uses the following command line:  AeXInvSoln.exe /hidden /s EventID6008.ini
4. Create a new task that uses that program and schedule it to run At System Startup.

Whenever one of your servers has problems, reboots itself and then records an EventID 6008, the NS will receive an NSE from that server. To be made aware of this situation, you can create a report that uses the following query and have it run once a day to send you an email of its contents:

SELECT i.[Name] AS [Server],e.SourceName,e.Logfile,e.Type,e.Message,e.TimeGenerated
FROM Item i JOIN Inv_AeX_OS_EventID_6008 e ON i.Guid = e._ResourceGuid
ORDER BY e.TimeGenerated,i.[Name] ASC


Attachments

Solution.rar (2 kBytes)

Legacy ID

47486

