Leveraging JumpCloud Alerting to monitor Windows event logs for service crashes
02-19-2025 03:14 AM
Hello community!
With the new command-execution alert rules, it's easy to set up alerts that monitor the Windows event logs for specific events. Here is how you could create a monitoring rule that triggers an alert whenever a service crash occurs. Even though Windows automatically restarts many services, recurring crashes indicate underlying problems that need addressing.
You can easily change this to get alerted on any other Windows event log entries of interest.
Step 1: Create a PowerShell Command
Create a new PowerShell command that checks the Windows Event Log. In this example we monitor Event ID 7031, which the Service Control Manager writes to the System log when a service terminates unexpectedly and a recovery action is configured for it. (Event ID 7034 records the same kind of crash for services that have no recovery action configured; add it to the filter if you want those reported as well.)
# PowerShell script to monitor for service crashes (Event ID 7031) in the last 24 hours
$StartTime = (Get-Date).AddHours(-24)
$EndTime   = Get-Date

# Define parameters for event search
$EventParams = @{
    LogName   = 'System'   # Service crash events are in the System log
    StartTime = $StartTime
    EndTime   = $EndTime
    ID        = 7031
}

try {
    # Get matching events. -ErrorAction Stop means a failure to read the log (for
    # example insufficient rights) reaches the outer catch and exits 2, instead of
    # being silently reported as "no crashes". Get-WinEvent also throws when nothing
    # matches, so that case is turned into an empty result here.
    try {
        $Events = @(Get-WinEvent -FilterHashtable $EventParams -ErrorAction Stop)
    } catch {
        if ($_.Exception.Message -like 'No events were found*') { $Events = @() } else { throw }
    }

    # If events found, extract details and exit with status 1 (will trigger alert)
    if ($Events.Count -gt 0) {
        # Extract service names and crash counts
        $serviceCrashes = @{}
        foreach ($Event in $Events) {
            # Extract service name from message using regex
            if ($Event.Message -match "The (.*) service terminated unexpectedly") {
                $serviceName = $Matches[1]
                if ($serviceCrashes.ContainsKey($serviceName)) {
                    $serviceCrashes[$serviceName]++
                } else {
                    $serviceCrashes[$serviceName] = 1
                }
            }
        }

        # Build detailed report
        $crashReport  = "ALERT: Detected $($Events.Count) service crash event(s) in the last 24 hours on $(hostname).`n"
        $crashReport += "----------------------------------------`n"
        foreach ($service in $serviceCrashes.Keys) {
            $crashReport += "- $service crashed $($serviceCrashes[$service]) time(s)`n"
        }

        # Most recent crash details
        $mostRecent = $Events | Sort-Object TimeCreated -Descending | Select-Object -First 1
        $crashReport += "`nMost recent crash: $($mostRecent.TimeCreated)`n"
        $crashReport += "Message: $($mostRecent.Message)`n"

        # Return details to JumpCloud
        Write-Host $crashReport
        exit 1
    } else {
        # No events found, exit with status 0 (success)
        Write-Host "No service crashes (Event ID 7031) detected in the last 24 hours."
        exit 0
    }
} catch {
    # Handle any errors in script execution
    Write-Host "Error checking for service crash events: $_"
    exit 2
}
Schedule this command to run daily, or at a frequency of your choice. Keep the script's 24-hour lookback window aligned with that schedule: running it more often than the window covers reports the same crash more than once, running it less often can miss crashes entirely.
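As an added example (not part of the original post), here is a generalised version of the Step 1 check that watches several System-log event IDs at once, takes the lookback window as a parameter so it can be matched to the command schedule, and reads the service name from the event's structured properties instead of matching the localised Message text with a regex. It assumes JumpCloud runs the command as a script, so the param block applies; the default of 24 hours, the labels in the $WatchedEvents table and the 7034 addition are choices made for this example.

```powershell
# Added example: multi-event variant of the service-crash check. Not the original
# post's script; the lookback default and the watched-event table are assumptions.

param(
    # Hours to look back. Set this to the interval at which JumpCloud runs the
    # command so each event is reported exactly once (assumed default: 24).
    [int]$LookbackHours = 24
)

# System-log event IDs to watch, with a label for the report. 7031 and 7034 are both
# "service terminated unexpectedly"; 7034 is the variant logged when the service has
# no recovery action configured. Further System-log IDs can be added to this table.
$WatchedEvents = @{
    7031 = 'Service terminated unexpectedly (recovery action scheduled)'
    7034 = 'Service terminated unexpectedly (no recovery action)'
}

$Filter = @{
    LogName   = 'System'
    ID        = [int[]]$WatchedEvents.Keys
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

try {
    # -ErrorAction Stop turns a failure to read the log into an exception, so a
    # permissions problem produces exit 2 rather than a false "no crashes" result.
    $Events = @(Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop)
} catch {
    # Get-WinEvent reports an empty result as an error; that one is not a failure.
    if ($_.Exception.Message -like 'No events were found*') {
        $Events = @()
    } else {
        Write-Host "Error reading the System log: $($_.Exception.Message)"
        exit 2
    }
}

if ($Events.Count -eq 0) {
    Write-Host "No watched events ($($WatchedEvents.Keys -join ', ')) in the last $LookbackHours hours."
    exit 0
}

# Count crashes per service. For 7031 and 7034 the first replacement string
# (Properties[0]) is the service display name, whatever the OS display language.
$CrashesByService = @{}
foreach ($Event in $Events) {
    $ServiceName = $Event.Properties[0].Value
    if (-not $ServiceName) { $ServiceName = '<unknown>' }
    $CrashesByService[$ServiceName] = 1 + [int]$CrashesByService[$ServiceName]
}

$Report = "ALERT: $($Events.Count) service crash event(s) on $env:COMPUTERNAME in the last $LookbackHours hours`n"
$Report += "----------------------------------------`n"
foreach ($Entry in ($CrashesByService.GetEnumerator() | Sort-Object Value -Descending)) {
    $Report += "- $($Entry.Key): $($Entry.Value) crash(es)`n"
}

$Newest = $Events | Sort-Object TimeCreated -Descending | Select-Object -First 1
$Report += "`nMost recent: $($Newest.TimeCreated) [Event $($Newest.Id): $($WatchedEvents[$Newest.Id])]`n"
$Report += "Message: $($Newest.Message)`n"

Write-Host $Report
exit 1   # a non-zero exit code is what the Command Execution Failure rule alerts on
```

Reading the service name from Properties[0] rather than from the message text matters on non-English installs, where the "The X service terminated unexpectedly" wording does not appear and the regex version would count nothing while still raising the alert.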
Step 2: Create the Alert Rule
This is where the magic happens with the alerting features! Create a command execution alert rule with these settings:
- Go to Alerts → Alert Rules → + Create Rule
- Select the Command Execution Failure rule type
- The most important field to configure is Conditions: select the PowerShell command created above
- Configure the name, description and priority to your liking
Now, whenever the script runs and finds service crashes (exit code 1), it triggers an alert. Note that a script error (exit code 2) raises the same alert, since the rule fires on any non-zero exit code; the output tells the two apart.
Clicking on the alert brings up the details, including the exit code and the script output, which names the failing service.
Thanks for reading and happy monitoring!