Wondering how to identify event tracking in EC2 Windows? We can help you.

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps followed by our Support Techs to help our customers.

Event tracking in EC2 Windows

We can stop, reboot, or terminate instance through AWS using the AWS Management Console, the AWS CLI, AWS PowerShell, AWS APIs or an AWS SDK.

If the event occurred in the last 90 days, then you can get more information about the event using AWS CloudTrail logs.

To view the event on CloudTrail, follow these steps:

1. Firstly, open the CloudTrail console.
2. Then in the navigation pane, choose Event history.
3. Next in the Lookup attributes dropdown menu, select Event name.
4. For Enter an event name, enter StopInstances if your instance was stopped.
Enter RebootInstances if your instance was reboot. Enter TerminateInstances if your instance was terminate.
5. To see more information about an event, choose the event name.
On the StopInstances, RebootInstances, or TerminateInstances event details page, you can see the user name of the AWS Identity and Access Management (IAM) user that initiated the event.

If the instance was stopped or rebooted within the Windows OS

If the instance wasn’t stopped or rebooted through AWS, then the event was likely initiated within the Windows OS.

To find more information about this event within the Windows OS, follow these steps while logged in to the instance:

1. Firstly, open Event Viewer.
2. Then, on the navigation pane, expand Windows Logs and then choose System.
3. On the Actions pane, choose Filter Current Log.
4. Next, in the All Event IDs field, enter 1074 or 1076.
5. The event log indicates which user initiated the event in the Source field.

[Need help with more AWS queries? We’d be happy to assist]

Conclusion

In short, today we discussed the steps followed by our Support Engineers  to identify Event tracking in EC2 Windows.