Monitoring of event logs is not working correctly

I’m trying to adjust the monitoring of system events. I want to catch the moment when a PC was unexpectedly shut down. First, I set up monitoring by Event ID 41, and I got alerts about event occurrences with code 41. But those alerts are not about the power being switched off. There are other event sources with Event ID 41. I saw in the Event Viewer that the event’s source is “Kernel-Power”, and I added the condition “Source = Kernel-Power”. But no more alerts appeared, although I know that the PC often switches off unexpectedly. After a few days I found that the right event source name is “Microsoft-Windows-Kernel-Power”, and I modified the condition to the right one. But I still don’t get alerts about the power being switched off. How can I catch the PC power-off event? What should I specify in the condition as the event source?

Hello @Viktor_Zinkevich
May we request from you a screenshot of the Event Viewer window showing the specific event that you are trying to monitor/catch? Please do make sure to highlight the line of the specific event so that the ‘General’ tab will display details of the highlighted event.

Here are the screenshots of the Event Viewer (Russian interface).

Is it possible to use a wildcard in the event source field?

Yes, I’ve tried to use ‘Custom Script’ for other purposes. Now I’ve set only one condition: Event Source == Microsoft-Windows-Kernel-Power. And alert messages about the power supply began to be delivered. It seems that when I use both conditions, Event ID and Event Source, the monitoring no longer works. Now I am testing a case where Event Source and Event Level are set simultaneously.

Hello @Viktor_Zinkevich

Thank you for letting us know.
We will complete this request and we will update you via email.


Hi @Viktor_Zinkevich,

Please refer to this script to generate an alert if the Microsoft Windows Kernel Power application has crashed in your system.…s-been-crashed

Please do let us know your feedback. Thanks.
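
An added example, not part of the thread and not the script linked above: a PowerShell check that can be run locally on the affected PC to see which providers write Event ID 41 and to pull only the Kernel-Power records by provider name and ID together. The 7-day window and the choice of the System and Application logs are assumptions.

```powershell
# Added example. Assumptions: 7-day look-back; System and Application logs.
$since = (Get-Date).AddDays(-7)

# 1) Which providers logged Event ID 41? An ID is only unique per provider,
#    so a monitor that filters on the ID alone will also fire on these.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    Id        = 41
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Group-Object ProviderName |
    Select-Object Name, Count

# 2) Filter on provider AND ID. ProviderName must be the full registered name;
#    Event Viewer shows the short form "Kernel-Power" in its Source column.
#    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Id           = 41
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Kernel-Power 41 events in the selected window.'
}

foreach ($e in $events) {
    # Read the named EventData fields from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        TimeCreated          = $e.TimeCreated
        Provider             = $e.ProviderName
        Level                = $e.Level            # 1 = Critical
        BugcheckCode         = $data['BugcheckCode']
        SleepInProgress      = $data['SleepInProgress']
        PowerButtonTimestamp = $data['PowerButtonTimestamp']
    }
}
```

If step 2 returns records locally while the monitoring condition with both Event ID and Event Source stays silent, the events exist and the mismatch is in how the monitor evaluates the combined condition.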