Securing Windows Server 2016 — Question 120

You implement Log Analytics in Microsoft Operations Management Suite (OMS) on all servers that run Windows Server 2016.
You need to generate a daily report that identifies which servers restarted during the last 24 hours.
Which query should you use?

Answer options

• A. EventLog:Application EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
• B. EventLog:System EventId:6009 Type:Event TimeGenerated>NOW+24HOURS
• C. EventLog:System EventId:6009 Type:Event TimeGenerated>NOW-24HOURS
• D. EventLog:Application EventId:6009 Type:Event TimeGenerated>NOW+24HOURS

Correct answer: C

Explanation

The correct answer is C because it queries the System event log for EventId 6009, which indicates a system restart, and it filters for events generated in the last 24 hours. Options A and D incorrectly query the Application event log, which is not where restart events are found, and option B uses an incorrect time filter by looking for events in the future instead of the past.