I am trying to build an IDP Policy to detect when a server has been reset, but I am having a few issues.
I am currently looking for Event IDs:
6005 - Event Log Service Started
6006 - Event Log Stopped
6008 - Unexpected Shutdown
512 - Windows is starting up
I believe that the issue is that the events are being logged either before CSP has started, or after CSP has been closed. I was expecting CSP to look at the Event Log once the CSP Agent has started. I assumed that it would flag any events which were logged before the CSP Agent was started. Is this incorrect?
Is there a better way to identify a machine which has been shut down, reset, or unexpectedly powered down? I am open to anything which has been proven to work!