Collection rule for Windows restart events (restart from bug check)

Microsoft.Windows.Server.10.0.OperatingSystem.RebootFromBugCheck.Collection (Rule)

Collection rule for events indicating that Windows has restarted from a bug check

Knowledge Base article:

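Summary

This rule collects events that indicate the operating system has crashed.

Configuration

By default, the collection rule for Windows restart events (restart from bug check) is disabled. To enable it:

In the [Authoring] area, select [Rules], type "Collection rule for Windows restart events (restart from bug check)" in [Look for], and then click [Find Now].

Override the rule to set Enabled = "True".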

Element properties:

Target: Microsoft.Windows.Server.10.0.OperatingSystem
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True
Event Log: System

Member Modules:

ID         Module Type  TypeId                                                  RunAs
EventDS    DataSource   Microsoft.Windows.EventProvider                         Default
WriteToDB  WriteAction  Microsoft.SystemCenter.CollectEvent                     Default
WriteToDW  WriteAction  Microsoft.SystemCenter.DataWarehouse.PublishEventData   Default

Source Code:

<Rule ID="Microsoft.Windows.Server.10.0.OperatingSystem.RebootFromBugCheck.Collection" Enabled="true" Target="ServervNext!Microsoft.Windows.Server.10.0.OperatingSystem" ConfirmDelivery="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventSourceName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>BugCheck</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>1000</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>1001</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>
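
The DataSource filter above reduces to EventSourceName = BugCheck AND (EventDisplayNumber = 1000 OR EventDisplayNumber = 1001). The following is an added example, not part of the management pack: it walks the same And/Or/SimpleExpression tree over constructed events to show which ones the rule would collect. It assumes Equal is exact string equality and supports only the elements used in this rule; the helper names and sample events are hypothetical.

```python
import xml.etree.ElementTree as ET

def _simple(field, value):
    # One <SimpleExpression> comparing an event field to a literal with Equal.
    return ("<Expression><SimpleExpression>"
            f"<ValueExpression><XPathQuery>{field}</XPathQuery></ValueExpression>"
            "<Operator>Equal</Operator>"
            f"<ValueExpression><Value>{value}</Value></ValueExpression>"
            "</SimpleExpression></Expression>")

# Same tree as the rule's <Expression> element, written compactly.
RULE_FILTER = ET.fromstring(
    "<Expression><And>" + _simple("EventSourceName", "BugCheck")
    + "<Expression><Or>" + _simple("EventDisplayNumber", "1000")
    + _simple("EventDisplayNumber", "1001") + "</Or></Expression>"
    + "</And></Expression>")

def _operand(value_expr, event):
    item = value_expr[0]
    if item.tag == "XPathQuery":          # field looked up on the event
        return str(event.get(item.text, ""))
    return item.text                      # <Value> literal

def evaluate(expr, event):
    """Evaluate one <Expression> element against an event dict."""
    node = expr[0]
    if node.tag == "And":
        return all(evaluate(child, event) for child in node)
    if node.tag == "Or":
        return any(evaluate(child, event) for child in node)
    if node.tag == "SimpleExpression":
        left, operator, right = node
        if operator.text != "Equal":
            raise ValueError(f"unsupported operator: {operator.text}")
        # Assumption: Equal is treated as exact string equality.
        return _operand(left, event) == _operand(right, event)
    raise ValueError(f"unsupported element: {node.tag}")

# Constructed System-log events (illustrative, not captured data).
SAMPLE_EVENTS = [
    {"EventSourceName": "BugCheck", "EventDisplayNumber": 1001},
    {"EventSourceName": "BugCheck", "EventDisplayNumber": 1000},
    {"EventSourceName": "BugCheck", "EventDisplayNumber": 1005},
    {"EventSourceName": "OtherSource", "EventDisplayNumber": 1000},
    {"EventSourceName": "EventLog", "EventDisplayNumber": 6008},
]

def collected(events):
    return [e for e in events if evaluate(RULE_FILTER, e)]
```

Only the first two sample events pass: a matching event ID from another source, or the BugCheck source with a different ID, is not collected.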