Thursday, July 31, 2014

Who Shut Down Your Exchange Servers

Hi folks,

Let me share with you a small script that helps identify when and by whom Exchange servers were restarted. Because it queries the Event Log, it can be used on any other server as well, no matter what role it is running.

The script checks the System log of your Windows box for event 1074, and then you can output the details you need to a CSV file.

In my case I'm running this script against Exchange servers that are part of an AD domain (which excludes Edge Transport servers). You can run it locally on Edge servers, in which case the script text changes slightly (there is no need to create the variable that holds all Exchange servers).

Therefore my script looks like this:

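# All Exchange servers except Edge Transport
$ExServers = Get-ExchangeServer | Where-Object {$_.ServerRole -ne "Edge"}

# Read event 1074 from each server's System log and export the selected fields to CSV
$ExServers | ForEach-Object {Get-EventLog -ComputerName $_.Name -LogName System | Where-Object {$_.EventID -eq 1074}} | Select-Object EventID,MachineName,Message,TimeGenerated,TimeWritten,UserName | Export-Csv D:\Software\Event-1074.csv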
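
A variant of the same check, added here as an example and not part of the original script: it filters for event 1074 on the server side with Get-WinEvent, splits the initiating user, process and reason into their own CSV columns, and keeps going when a server is unreachable or has no matching events. The function name Get-ShutdownInitiator and the output path are hypothetical, and the field order assumes the usual User32 layout of event 1074.

```powershell
# Added example: report who initiated each restart/shutdown (System log, event 1074).
function Get-ShutdownInitiator {
    [CmdletBinding()]
    param(
        # Servers to query; defaults to the local machine (e.g. run locally on an Edge server).
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Optional lower bound on the event time.
        [datetime]$After
    )
    process {
        foreach ($server in $ComputerName) {
            # Filter on the queried server instead of pulling the whole System log.
            $filter = @{ LogName = 'System'; Id = 1074 }
            if ($PSBoundParameters.ContainsKey('After')) { $filter.StartTime = $After }
            try {
                $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop
            }
            catch {
                # "No events found" is a normal result, not a failure.
                if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
                Write-Warning "Could not query ${server}: $($_.Exception.Message)"
                continue
            }
            foreach ($e in $events) {
                # Assumption: User32 event 1074 insertion strings are ordered
                # process, computer, reason, reason code, shutdown type, comment, user.
                $p = $e.Properties
                [pscustomobject]@{
                    Server       = $server
                    TimeCreated  = $e.TimeCreated
                    User         = $p[6].Value
                    Process      = $p[0].Value
                    ShutdownType = $p[4].Value
                    Reason       = $p[2].Value
                    ReasonCode   = $p[3].Value
                    Comment      = $p[5].Value
                }
            }
        }
    }
}

# Local run; for domain-joined Exchange servers pass -ComputerName $ExServers.Name instead.
Get-ShutdownInitiator | Sort-Object TimeCreated -Descending |
    Export-Csv -Path .\Event-1074.csv -NoTypeInformation
```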

Enjoy, hope it helps you as it did help me.