Windows Server 2008 Event Log SNMP Traps

Windows Server SNMP Trap Event Log Monitoring Overview

Setting up SNMP traps is not a difficult process. SNMP Trap Watcher (http://www.bttsoftware.co.uk/snmptrap.html) is useful for examining SNMP traps on Windows. Event log SNMP traps fire when an event log entry that has been set up in evntwin.exe is written. The WhatsUp Event Log passive monitor uses WMI to poll the device, whereas SNMP traps fire as soon as the event occurs.

Setting up the SNMP Service and the SNMP Trap Service on the Windows Server you want to monitor was discussed in a previous post.

In Windows Server 2003/2008/2008 R2 a utility called evntwin.exe is used as an SNMP trap generator for the Windows Event Log. With this utility, examining Windows event log errors and creating an SNMP trap for each one is easy. If you right-click an event you have added and click Properties, you can view the OID, the event log text, and the major and minor numbers you will need. Add all of the events you want to trap, Ctrl-click each of them, and then click Export; the events to trap are written to a text file. That text file can be imported on another computer with the evntcmd.exe program: open a command prompt on the server where you want to add the SNMP event log traps and enter the command “evntcmd.exe ExportedFile.cnf”. If a monitoring system is set up to receive SNMP traps, and the SNMP Service on the server is configured to send traps to the monitoring server, the traps will be sent whenever the events that were set up in evntwin.exe occur. A useful command is “netstat -anop udp”; it can be used to check whether the SNMP ports are listening on the monitoring system.

The SNMP Trap service has to be running on each server whose event log traps you want to monitor, and it is a good idea to set this service to start automatically. If your monitoring system runs on Windows, the SNMP Trap service needs to be disabled on the monitoring server, because the monitoring software has its own SNMP trap listener. A good SNMP trap event to test with is the Windows logon event. You can temporarily set up the trap in your monitoring program and in evntwin.exe on the server you want to monitor, log on to that server, and then check your monitoring software for receipt of the trap. This verifies that traps are working as expected. Once you are confident after setting up several clients, you can skip the logon event test.

I have used the logon event to test SNMP traps. Set up evntwin.exe to generate a trap for the logon event. Set up monitoring for the logon event in your monitoring software, or use SNMP Trap Watcher. Log on to the server and examine your monitoring software to see if the trap was received. (Just make sure that you have the settings configured correctly for testing, and switch back to production settings when you are done.)

SNMP Trap Generic Types:

The SNMP standard provides a limited number of unsolicited messages (called traps) that are sent from a device to an SNMP application. These messages can be sent by the SNMP agent on the device to notify an SNMP application of a change in status. There are six standard traps (numbered 0 through 5) as well as vendor-provided traps (6):

Trap #  Trap                    Description
0       Cold start              The device is rebooting itself and may change its configuration or the SNMP agent’s configuration.
1       Warm start              The device is rebooting itself but neither the device’s nor the SNMP agent’s configuration will change.
2       Link down               One of the communication links for the device is down.
3       Link up                 One of the communication links for the device is back up.
4       Authorization failure   The device has received a protocol message that is not properly authenticated.
5       EGP neighbor loss       An EGP neighbor for which the device is an EGP peer is down and the peer relationship no longer exists.
6       Vendor-provided traps   The SNMP specification lets vendors define enterprise-specific traps, for example a trap that occurs on a particular vendor’s router.

Trap type 6 (enterprise-specific) is used for Windows event log traps.

Windows Server 2003/2008 Event Log SNMP Trap Instructions

Evntwin Program

  • Click on “Custom” radio button
  • Click on “Find” button
  • Navigate through the Event Sources and add all of the events that you want to monitor
  • Click on an event and then click on the Add button
  • When finished with events click on “Settings” button
Evntwin Settings

  • Click on “Apply Throttle”.
  • Change “Number of traps” to max desired number of traps within time frame.
  • Change “Interval of time (seconds)” to desired time interval to continue sending traps after max reached.
Event Properties

  • Right click on each event.
  • Click on “Properties”.
  • Copy the Enterprise OID value.
  • Paste the OID value into the trap monitor of your monitoring software.
  • Copy the Trap Specific ID, or copy a snippet of text from the event description.
  • Repeat the above steps for each event log trap you want to monitor.
  • When finished, click on the Export button and save the events you added in evntwin as a .cnf file.
  • The .cnf file can be imported on the next server you want to set up with evntwin.exe by running “evntcmd.exe filename.cnf” from the command prompt.
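To show what the trap monitor actually matches on, here is an added example (not code from the original post or from any of the tools it mentions) that decodes an SNMPv1 Trap-PDU into the fields evntwin displays in Event Properties: the Enterprise OID, the generic trap number from the table above, the Trap Specific ID (the “minor” number), and the event description carried as a varbind. The enterprise OID 1.3.6.1.4.1.99999.1, the agent address, the specific ID 1001 and the description text are all constructed sample values, not real evntwin output.

```python
# Generic-trap codes from RFC 1157; code 6 (enterpriseSpecific) is what Windows event log traps use.
GENERIC = ["coldStart", "warmStart", "linkDown", "linkUp",
           "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def _enc(tag, body):  # BER tag-length-value; long-form length once the body exceeds 127 bytes
    hdr = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + hdr + body

def _children(buf):  # split BER bytes into (tag, value) members, short or long length form
    items, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items

def _oid(b):  # OID bytes to dotted text: first byte packs two arcs, the rest are base-128 chunks
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def decode_trap(packet):
    """Return the fields a trap monitor matches on: enterprise OID, specific ID, description text."""
    version, community, pdu = _children(_children(packet)[0][1])
    if version[1] != b"\x00" or pdu[0] != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    enterprise, _agent, generic, specific, _ticks, varbinds = _children(pdu[1])
    gen = int.from_bytes(generic[1], "big")
    return {"community": community[1].decode("latin-1"),  # clear text on the wire, no authentication
            "enterprise": _oid(enterprise[1]),
            "generic_trap": GENERIC[gen] if gen < len(GENERIC) else gen,
            "specific_trap": int.from_bytes(specific[1], "big"),
            "varbinds": [(_oid(n), v.decode("latin-1", "replace")) for (_, n), (_, v) in
                         (_children(vb) for _, vb in _children(varbinds[1]))]}

# Constructed sample (every value made up): one enterprise-specific trap whose description is long
# enough that the OCTET STRING, the PDU and the message all need long-form lengths.
# Hand-encoded OID 1.3.6.1.4.1.99999.1: arcs 1.3 -> 0x2B, arc 99999 -> base-128 bytes 0x86 0x8D 0x1F.
ENTERPRISE = bytes.fromhex("2b06010401868d1f01")
DESCRIPTION = "Logon test trap: " + "x" * 120
SAMPLE = _enc(0x30, _enc(0x02, b"\x00") + _enc(0x04, b"public") + _enc(0xA4,
         _enc(0x06, ENTERPRISE) + _enc(0x40, bytes([10, 0, 0, 5])) + _enc(0x02, b"\x06")
         + _enc(0x02, (1001).to_bytes(2, "big")) + _enc(0x43, b"\x00")
         + _enc(0x30, _enc(0x30, _enc(0x06, ENTERPRISE + b"\x02") + _enc(0x04, DESCRIPTION.encode())))))
```

Running `decode_trap(SAMPLE)` yields the enterprise OID, `enterpriseSpecific`, specific ID 1001 and the description, which are exactly the values you paste into the trap monitor; note that the community string arrives in clear text, which is why trap type 4 (authentication failure) exists but provides no real protection for SNMPv1.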
Unexpected Shutdown Trap

  • Example of a WhatsUp SNMP Trap Passive Monitor set up with description matching turned on.
Physical Disk Failed Trap

  • Example of a WhatsUp SNMP Trap Passive Monitor with the “Trap Specific ID”/“Specific Type (Minor)” field filled out.
How to turn on the SNMP Trap Listener in WhatsUp Gold on the Monitoring Server

To enable the SNMP Trap listener:

1. In the WhatsUp Gold console, select Configure > Program Options. The Program Options dialog appears.

2. Select Passive Monitors Listeners.

3. Select SNMP Trap, then click Configure. The SNMP Trap Listener Configuration dialog opens.

4. Select Listen for messages on port and enter a port number to enable the SNMP Trap Listener (default port is 162).

5. To collect data on unsolicited events as well, select Accept Unsolicited SNMP Traps.

6. Click OK.

To disable the Microsoft Windows SNMP Trap Listener Service on the Monitoring server so that the WhatsUp Gold Listener works:

  1. Click Start and type services.msc in the search box. The Services console appears.
  2. Locate SNMP Trap Service in the list of services.
  3. Right-click SNMP Trap Service and select Properties from the menu.
  4. Verify that the service status is Stopped. If the service status is Started, click the Stop button.
  5. Verify that the Startup type is Manual or Disabled. If the startup type is set to another type, select Manual from the Startup type menu.
  6. Click OK to close the SNMP Trap Properties dialog.

Resources:

Windows Event Log SNMP Traps

http://serverfault.com/questions/22489/how-do-i-passively-monitor-the-windows-event-log

Common SNMP Traps

SNMP Trap Watcher

http://www.bttsoftware.co.uk/snmptrap.html

OpenNMS Windows Event Log Traps

http://www.opennms.org/wiki/Windows_Event_Log_Traps

http://www.loriotpro.com/ServiceAndSupport/How_to/ForwardWINEvent_EN.php

Monitoring Speech to text Services using SNMP traps

http://technet.microsoft.com/en-us/library/bb684482.aspx#_Using_ETT_to_Translate_Events_to_Tr

WhatsUp SNMP Traps Setup

http://support.ipswitch.com/kb/WP-20050901-DM01.htm

Evntcmd.exe Explanation

http://www.networkcircus.com/articles/20050715.html

Microsoft Event Log Search

http://eventid.net

WhatsUp SNMP Trap Listener

http://docs.ipswitch.com/NM/79_WhatsUp%20Gold%20v15/03_Help/index.htm?29821.htm?toc.htm
