In this article, we will learn how to check shutdown/reboot logs on Windows 2012, 2016 and 2019 VPS servers.
Let's look at some of the most common codes associated with the start and shutdown of the server.
41: Indicates that your server has rebooted but not shut down completely.
6005: Indicates that the event log service has been started.
1074: This event indicates when the application is forcibly shutting down or restarting your VPS server. Thanks to this, you can find out when you, or someone else, restarted or shut down the server from the Start menu or via CTRL+ALT+DEL.
6008: This event occurs if your computer has been shut down or rebooted through the blue screen of death.
6006: This event indicates when the server has shut down gracefully.
How to view event data?
Press Win + R and type eventvwr
On the left side of the panel, open "Windows Logs => System"
In the Event ID column, we will see a list of events that occurred while Windows was running. The event log can be sorted by event ID.
In order to sort the events we need, on the right side, select "Filter the current log"
Now enter the events we need, separated by commas, 41, 1074, 6006, 6008, 6006 and click OK.
Now we can observe the event log with the shutdown of our VPS server.
We can also view the server uptime event log. This corresponds to the identifier 6013.
Viewing Server Shutdown and Restart Log Using PowerShell
If we need to quickly view the shutdown/reboot logs of the server, we can use the Get-EventLog command in the PowerShell shell.
To filter the last 1000 entries in the log, and display only those events that we need, (41, 1074, 6006, 6008, 6006) run this command in PowerShell:
Get-EventLog System -Newest 1000 | ` Where EventId -in 41,1074,6006,6008 | ` Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrapNow you can independently check for what reason your server was rebooted.