Event Log Time for Windows VM Shutdown and Reboot Information

Question

Is it possible to collect information about whether a Windows VM with AMA and DCR installed was rebooted or shut down? Specifically, does AMA have sufficient time to forward the shutdown event to Log Analytics before the system shuts down, or is this information sent only when the system is next powered on?

Answer 1

Hi @Bombbe ,

Welcome to Microsoft Q&A Forum, thank you for posting your query here!

While AMA and DCR are designed to collect and forward various system events to Log Analytics, the specific behavior during a VM shutdown can vary depending on the exact timing of the shutdown process, network conditions, and the configuration of the agent.

Detailed Explanation:

1. Event Collection:
   • AMA continuously collects system events, including those related to system shutdown and startup.
   • DCR defines the specific events to be collected and forwarded to Log Analytics.  
2. Event Forwarding:
   • AMA periodically sends collected events to Log Analytics.  
   • The frequency of these transmissions can be configured.
3. Shutdown Process:

• When a VM is shut down, the OS initiates a sequence of events, including closing applications, flushing system buffers, and powering off hardware.
• During this process, AMA might have limited time to capture and forward the shutdown event. Potential Outcomes:
  1. Event Captured and Forwarded: If AMA has sufficient time and network connectivity, the shutdown event can be captured and forwarded to Log Analytics.
  2. Event Captured but Not Forwarded: The event might be captured locally by AMA but not sent to Log Analytics due to network issues or insufficient time.
  3. Event Not Captured: If the shutdown process is too rapid or the agent is not active, the event might not be captured at all.
     Best Practices to Improve Event Capture:
  4. Optimize AMA Configuration:
     Optimize AMA Configuration: Configure AMA to collect events frequently and transmit them promptly. Ensure the agent is running and has necessary permissions. Leverage Azure Automation DSC: Use DSC to automate the configuration of AMA agents, ensuring consistency and reliability. Consider Custom Scripting: Implement custom scripts to log additional details about the shutdown process, such as the reason and timestamp. Analyze Log Analytics Data: Use Log Analytics queries to identify patterns and trends in shutdown events, even if they were not captured in real-time. Key Event IDs for Server Shutdown:
  • 6006: Indicates a clean shutdown. This is the most common event ID for a normal shutdown.  
  • 6008: Indicates an unexpected or dirty shutdown. This could be due to a crash, power outage, or forced shutdown.  
  • 1074: Logged when an application or service initiates a system restart or shutdown.  
  • 41: Indicates a system reboot without a clean shutdown, often caused by a crash or unexpected power loss.
  Refer below MS document for more information: https://learn.microsoft.com/en-us/azure/azure-monitor/data-sources
  https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-data-collection

---

Please let me know if you need any help.
Thankyou

Answer 2

Hi Bomble,

Azure VM reboot and shutdown status will be captured in the Active logs and I assuming you are sending the Activity logs to Log Analytics workspace. If so you can run a query in the workspace to get the reboot and shutdown status. Below is the sample query,

AzureActivity | where CategoryValue == 'ResourceHealth' | where ActivityStatusValue <> "Resolved" | where ResourceProviderValue == 'MICROSOFT.COMPUTE' | extend p = parse_json(Properties) | evaluate bag_unpack(p, 'Properties_') | extend ep = parse_json(Properties_eventProperties) | evaluate bag_unpack(ep, 'EventProperties_' )