Service Failure alert

I'd like to set up an email alert in InTrust when a service on one of my servers fails. Any idea how this is achieved?

  • Hi mlevock,

    Sorry for the delay, it looks like the notification about your request did not come due to the upgrade of this community site.

    Well, the answer highly depends on the event that we choose as a trigger. If you have that specific event, please share it with us.

    Meanwhile I will suggest a general solution and you can try it.

    The service failure events in the System log come from the Service Control Manager source; you may review them here: http://eventopedia.cloudapp.net/Events/?/Operating+System/Microsoft+Windows/Built-in+logs/Windows+2000-2003/System+Log/Source+Service+Control+Manager. I will take the first 4 and demonstrate how to create an alert in InTrust.

    1. Open Quest InTrust Manager - Real-Time Monitoring - Rules
    2. Right click on Windows/AD Security, New Rule - Single Event - Windows System Log - Custom Filter for System Log
    3. Check the "Event ID" checkbox - Edit - Remove the existing range - Add ranges 7000-7000, 7023-7023, 7031-7031, 7034-7034
    4. Give a descriptive name, e.g. "Service failed to start or terminated rule", and finish the rule wizard
    5. Open the rule properties. Check "Enabled" on the General tab, change severity on the Alert tab, e.g. to Major, add email notification on the Notification tab with default settings, click Apply and OK
    6. Create a Real-Time Monitoring policy. Give the same name "Service failed to start or terminated policy", assign a Site, e.g. "All Workstations", pick the rule "Service failed to start or terminated rule", add a Notification operator, e.g. the default one if it contains your email address, check the "Activate" checkbox and finish the policy wizard.
    7. Commit the new configuration and test if the email comes to your inbox when events 7000, 7023, 7031 or 7034 occur.

    I am attaching the resulting rule and policy; you can import them from Quest InTrust Manager. Right click on the "Windows/AD Security" rule group and "Import..." the rule xml, then right click on "Real-Time Monitoring - Policies" and "Import..." the policy xml. Of course this is only a draft, you can change anything during the creation process or later: the rule location, Site, Operator, Email template, and any of the rule properties.


    20190926_External_ServiceFailedAlert.zip

  • Hi Igor. Thanks for the reply. I'm a bit unclear as to what those ranges mean, or how it would inform me of a specific event. Essentially, I have an application (Stream PDF) that allows users to print from a terminal session to pdf. Sometimes that service fails, and needs to be restarted in the Windows Services module. I can certainly set it to restart upon failure, but would like some sort of email when that failure occurs, preferably before users start calling. I'm sure this isn't a novel idea.

    Do you have any further suggestions? I'd appreciate it. Or would you still suggest using the Event log as a trigger?

    Mike

  • InTrust is mainly about events. We collect events, react to events with response actions and send notifications about events. The 7000, 7023, 7031 and 7034 events are Windows System log events about service failures and terminations. If that Stream PDF service fails, these events should occur. If they do not, what do you suggest to use as a trigger? What happens with the service, does it crash or hang? We have an option to create a script rule that will run on schedule and check if the service is stopped. But if it hangs, it might be difficult to catch such a failure. So, please add more information on how exactly the service fails and what signs of failure we have in the system.

  • Thanks. It looks like the last time it failed was during server startup. "The service did not start or control request in a timely fashion." The Event ID is listed as 7000. Would that be enough to set up a trigger?

  • Yes, this fits into the suggested approach. Please try the rule attached to my first reply. The only thing you should add is a filter by service name. In the rule properties on the Matching tab edit the Event Filter: check the IS#1 checkbox and type the service name of the Stream PDF service as it appears in the Windows event 7000. This will guarantee that you receive alerts only about the Stream PDF service. Feel free to ask any questions if something is unclear.
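
Added example, not part of the thread and not InTrust's own tooling: a PowerShell check, run on the monitored server, that lists the Service Control Manager events 7000, 7023, 7031 and 7034 and shows their first insertion string, so the exact service name to type into the IS#1 filter can be read from real events. The name `Stream PDF`, the 30-day window and the function name `Get-ServiceFailureEvent` are assumptions made for this illustration.

```powershell
# Illustrative helper (hypothetical name): list service failure events from the
# System log and expose the first insertion string, which holds the service name.
function Get-ServiceFailureEvent {
    param(
        # Assumed placeholder; use the name as it appears in your own event 7000.
        [string]$ServiceName = 'Stream PDF',
        [int[]]$EventId = @(7000, 7023, 7031, 7034),
        [int]$Days = 30
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = $EventId
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events |
        Where-Object { $_.Properties.Count -gt 0 } |
        ForEach-Object {
            $first = [string]$_.Properties[0].Value
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                Id               = $_.Id
                InsertionString1 = $first
                # True when the rule's service-name filter would be expected to match.
                MatchesService   = $first -like "*$ServiceName*"
                Message          = $_.Message
            }
        } |
        Sort-Object TimeCreated
}

# Show every failure event, flagging those that belong to the service of interest.
Get-ServiceFailureEvent | Format-Table TimeCreated, Id, InsertionString1, MatchesService -AutoSize
```

If no row has `MatchesService` set to True, the service has not logged any of these four events in the window, and the alert rule would not have fired for it.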