Critical System Protection

  • 1.  IDP Cannot Detect Windows Startup Events

    Posted Aug 05, 2013 11:47 AM

    I am trying to build an IDP Policy to detect when a server has been reset, but I am having a few issues.

    I am currently looking for Event ID:

    6005 - Event Log Service Started

    6006 - Event Log Stopped

    6008 - Unexpected Shutdown

    512 - Windows is starting up

    I believe that the issue is that the events are being logged either before CSP has started, or after CSP has been closed. I was expecting CSP to look at the Event Log once the CSP Agent has started. I assumed that it would flag any events which were logged before the CSP Agent was started. Is this incorrect?

    Is there a better way to identify a machine which has been shut down, reset, or unexpectedly powered down? I am open to anything which has been proven to work!



  • 2.  RE: IDP Cannot Detect Windows Startup Events

    Posted Aug 05, 2013 12:29 PM

    You are better off reporting on the Agent Health. Then the agent will report if it gets restarted, rather than relying on Event logs. Let the agent report on itself!



  • 3.  RE: IDP Cannot Detect Windows Startup Events

    Posted Aug 16, 2013 04:16 PM

    Is it possible to force the Agent to start before the Windows Event Log? I have a few machines on which the agents constantly restart, and I cannot think of any other way to detect a restart.
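
The thread's underlying problem is that the startup and shutdown events are written while no monitor is running. The following is an added example, not part of any post above and not CSP policy code: it classifies restarts after the fact from events already in the log, using the three System-log IDs listed in the question. The function name, the `-Since` parameter and the sample records are assumptions made for illustration.

```powershell
# Added example (not from the thread). Classifies restarts from events that are
# already in the log, so it does not matter whether a monitor was running when
# they were written. Event IDs are the System-log ones listed in the question.

function Get-RestartSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # need TimeCreated and Id
        [datetime] $Since = [datetime]::MinValue            # time of the previous check
    )
    $prev = $null
    $ordered = $Events | Where-Object { $_.Id -in 6005, 6006, 6008 } | Sort-Object TimeCreated
    foreach ($e in $ordered) {
        $kind = $null
        if ($e.Id -eq 6008) {
            $kind = 'UnexpectedShutdown'
        } elseif ($e.Id -eq 6005) {
            # A start directly preceded by a stop is a clean restart.
            if ($prev -and $prev.Id -eq 6006) { $kind = 'CleanRestart' }
            else { $kind = 'StartWithoutRecordedStop' }
        }
        # Track every event, including ones before $Since, so that a stop/start
        # pair straddling the previous check is still paired correctly.
        $prev = $e
        if ($kind -and $e.TimeCreated -gt $Since) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Kind = $kind }
        }
    }
}

# Constructed sample records standing in for Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2013-08-05 09:00:00'; Id = 6006 }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-08-05 09:01:30'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-08-05 14:20:10'; Id = 6005 }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-08-05 14:20:11'; Id = 6008 }
)
Get-RestartSummary -Events $sample -Since ([datetime]'2013-08-05 08:00:00')

# Live use (assumes PowerShell 3+ with Get-WinEvent available):
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005, 6006, 6008 } `
#           -ErrorAction SilentlyContinue
# Get-RestartSummary -Events $ev -Since $lastCheck   # $lastCheck: hypothetical saved timestamp
```

Run on a schedule or at startup with the previous run's timestamp as `-Since`, this reports restarts that happened while nothing was watching the log.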