An event was collected indicating an unexpected service termination.
This rule generates an alert when a Windows® service unexpectedly terminates. In addition to the service termination event, a Windows Error Reporting event (Source: Dr Watson; ID: 4097) is often created and will be collected by Operations Manager. This additional event may prove helpful when attempting to resolve the service termination Alert.
When a service unexpectedly terminates the application, Dr. Watson detects that the application has generated a general protection fault (GPF). A GPF occurs when an application attempts to read or write to a memory location that it does not have access to. This often results in the termination of the program and the loss of unsaved data.
When a service unexpectedly terminates, you can select one of the following options to address the issue:
Look for related support information at the software vendor’s Web site.
Install any service pack or product updates for the relevant application.
Install any service packs or updates for any relevant subsystems that the application depends on.
If the service terminates unexpectedly with unusual frequency, and related support information is unavailable, you should contact the software vendor for support.
Sample Event:
This rule generates an alert whenever any of the following events occur in the System Event Log:
About to revert to the last known good configuration because the %1 service failed to start.
The %1 service terminated with the following error: %n%2
The %1 service terminated with service-specific error %2.
The %1 service terminated unexpectedly. It has done this %2 time(s). The following corrective action will be taken in %3 milliseconds: %5.
The Service Control Manager tried to take a corrective action (%2) after the unexpected termination of the %3 service, but this action failed with the following error: %n%4
The %1 service terminated unexpectedly. It has done this %2 time(s).
Source: Service Control Manager; 7021; About to revert to the last known good configuration because the %1 service failed to start.
Source: Service Control Manager; 7023; The %1 service terminated with the following error: %n%2
Source: Service Control Manager; 7024; The %1 service terminated with service-specific error %2.
Source: Service Control Manager; 7031; The %1 service terminated unexpectedly. It has done this %2 time(s). The following corrective action will be taken in %3 milliseconds: %5.
Source: Service Control Manager; 7032; The Service Control Manager tried to take a corrective action (%2) after the unexpected termination of the %3 service, but this action failed with the following error: %n%4
Source: Service Control Manager; 7033; The Service Control Manager did not initialize successfully. The security configuration server (scesrv.dll) failed to initialize with error %1. The system is restarting...
Source: Service Control Manager; 7034; The %1 service terminated unexpectedly. It has done this %2 time(s).
Target | Microsoft.Windows.Server.10.0.OperatingSystem | ||
Category | EventCollection | ||
Enabled | False | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | System |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.Server.10.0.OperatingSystem.ServiceTerminatedUnexpextedly.Alert" Enabled="false" Target="ServervNext!Microsoft.Windows.Server.10.0.OperatingSystem" ConfirmDelivery="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventSourceName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>Service Control Manager</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>7021</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>7024</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>7031</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>7032</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>7033</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>7034</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.10.0.OperatingSystem.ServiceTerminatedUnexpextedly.Alert.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>