Detecting Windows Server Shutdown Events

Question: “How can i detect Windows Servers shutting down in ArcSight. Are there any specific process shutdown events that i can use to create a rule for windows shutdown”

Answer: You need to be gathering the System Event Logs from the hosts in question.

Have a look if you can see eventID 1074 in your logs prior to a graceful shutdown (see below). you should see that event prior to the host going down,

However, keep in mind it wont be there for an unplanned shutdown and if you have a busy Windows Connector (ArcSight WUC / WINC) there is a chance that the server will reboot before the connector cycles back round to the next batch of logs from that host – so in that instance you will only get the events when it has rebooted. Snare agents should manage to send the event before a reboot.

Use this in combination with critical device monitoring as a backup – i.e. critical device has not sent events in XX minutes may indicate a shutdown or other failure that needs investigation

Source: Source: User32 Event ID: 1074 (Windows Operating System 5.2) – Technet Events And Errors Message Center: Message Details

Other Event ID’s that are required to monitor the shutdown/restart status:

• 6005: Windows start-up

• 6006: Windows shutdown (properly)

• 6008: Windows shutdown (unexpectedly)

• 1074: Type of shutdown.

Here’s the description for the same:

• Event 6005 is logged at boot time noting that the Event Log service was started. It gives the message “The Event log service was started”.
• Event 6006 is logged as a clean shutdown. It gives the message “The Event log service was stopped”.
• Event 6008 is logged as a dirty shutdown. It gives the message “The previous system shutdown at time on date was unexpected”.
• Event 1074 is generated when an application causes the system to restart, or when the user initiates a restart or shutdown

More info: http://arnavsharma.net/windows-clients/track-windows-shutdown-using-event-logs