I want to create a Windows/Linux shutdown/restart use case. For Windows, if I use event ID 1074, I can see two events for each server.
1) process as explorer.exe and result code as 0x84040001
2) process as winlogon.exe and result code as 0x500ff
To create a proper Windows shutdown/restart rule, which event ID should I use? Is there anything else I can use to drill down into these situations?
Also, for Linux servers, which condition should I use to create such a rule?
Need your help.