What caused the reboot on Windows

2AM in the morning, server is down

When one of the servers was temporarilly offline at 2 in the morning, we started investigating the reason for it through the Windows Event viewer. After some googling, it looks like the best eventIDs we can use to filter the logs are : 1074,6006,6008 and 41.

Event ID 1074 is logged when an application forces the computer to shut down or restart, or when a user initiates a manual shutdown or restart2 Event ID 6006 is logged when the Event Log system has been stopped during a good shutdown. Event ID 6008 is logged when the previous system shutdown was unexpected.

These event IDs can be used as filters to find information related to shutdown and restart events in the Windows event log. However, there are other event IDs that can also be useful, such as Event ID 41, which is logged when the system has rebooted without cleanly shutting down first