0

I've taken a look at this and it doesn't really help in my situation, although it does give some interesting background information. Basically, I logged into a Windows Server 2008R2 machine that I was using and left idle last night to find that the machine had unexpectedly rebooted (the reason I know this is because Windows asked me for a reason for the reboot).

I took a look at the Event Viewer log on the server, and from when MS SQL came back up (it logs a lot of activity to the application log when that happens) it looks like the reboot happened around 12:30AM. However, there's no 1074 event that accompanies it to help explain why the reboot occurred. As well, I don't see any errors reported.

For reference, no work was supposed to be occurring on the server last night. Server updates should not be occurring automatically, although I would expect that if they kicked off they would log something to the event viewer about how many updates were applied.

The roles on the server are Remote Server Administration tools (it functions as a RDP host) and IIS/File Services. SQL Server 2008 R2 and Visual Studio 2013 are both installed on this server as well.

The server is a VM living on an ESX server, but looking at vSphere client I don't see anything corresponding to that time.

What other logs could I look at to help determine the cause of the unexpected reboot?

Community
  • 1
Sean Long
  • 435
  • 1
  • 6
  • 18
  • Do you have any more detail to share? – ewwhite Jul 25 '14 at 12:50
  • I'm a little new to server administration so the above is all the research I've currently done. What other details would be pertinent? I can definitely pull more data that would be useful. – Sean Long Jul 25 '14 at 12:52
  • I added another paragraph with more details about the server itself and what is on it. – Sean Long Jul 25 '14 at 12:57

1 Answers1

3

I would first make sure that all logging is enabled. You should be able to find something in the event log referencing Kernel-Power. Under System, if the reboot was truly unexpected by the OS, event ID 41 should be logged. If this event is not present, try searching for ID 6006 (event logging service stopped). The items before or after that event, within your timeframe, should give a little more insight. I would also look for bug checks.

Didn't have enough rep to comment on this, I'm aware this may not answer your question.

bw.
  • 53
  • 3
  • No worries, that's still very useful information. I'm going to look into what other logging may be useful, as Kernel-Power events only really show me that things are coming back up. So more than likely this was only unexpected to me, rather than unexpected by the OS. – Sean Long Jul 25 '14 at 13:32