Furthering my build-out for a monitoring solution which includes Observium as the primary SNMP polling system, I am writing an application to handle SNMP traps from my Windows servers.
Most of my servers are Windows 2008 R2 or Windows 2012 R2. With that being said, I can use evntwin.exe on the servers to set up traps for specific event log entries and send them to my trap receiver for further classification and alerting/notification.
There are a few steps involved in the overall process here.
Create a Custom Event Log Source
Before I can translate a specific event log entry, I create an event log source named DevTrap and use an Event ID of 1000. This is optional; as you’ll see in the next step, you can dig right in and start filtering traps from any existing Event Log source.
C:\>eventcreate /T success /id 1000 /l application /d "Test event to be trapped." /so DevTrap
Translate Events to Traps
Using evntwin.exe, I click on Custom and then Edit >>
From here, I can navigate the event log tree in the left pane and find my DevTrap source in the Application log.
Double-clicking the row shows the properties for the event and lets me control when a trap is generated, based on the number of events within a specific time period. I left this at the default since I’ll be testing manually and won’t be generating hundreds of traps.
Now the event is listed in the Events to be translated to traps box. I need to Apply and then Export the trap translations. If I wanted to add more, I could simply keep going before clicking Apply and Export.
When the Export dialog box opens, it asks where to save the configuration for the translations. Choose a location that makes sense. After saving, you can close the evntwin.exe program.
A Look at events.cnf
The events.cnf file exported in the previous step contains the #pragma commands that evntcmd.exe reads to actually apply the translations. Here is what my file contains thus far.
The format of the #pragma add line is:
#pragma add <LogName> <SourceName> <EventID> <EventCount> <TimeInterval>
I need to add a trap destination and community to this file:
#pragma ADD_TRAP_DEST public 10.147.204.88
I add the line and save my changes and the file looks as follows.
Here is a useful table if you want to build the file manually and include the trap destination. Find more information on the use of evntcmd.exe at Microsoft’s TechNet article.
Parameter | Description
ADD | specifies that you want to add an event-to-trap configuration entry.
DELETE | specifies that you want to remove an event-to-trap configuration entry.
DELETE_TRAP_DEST | specifies that you do not want trap messages to be sent to a specified host within a community.
ADD_TRAP_DEST | specifies that you want trap messages to be sent to a specified host within a community.
CommunityName | specifies, by name, the community in which trap messages are sent.
HostID | specifies, by name or IP address, the host to which you want trap messages to be sent.
EventLogFile | specifies the event log in which the event is recorded.
EventSource | specifies the application that generates the event.
EventID | specifies the unique number that identifies each event.
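To check an events.cnf before handing it to evntcmd.exe, here is a small validator for the #pragma directives described above. It is an added example, not code from the original post or from Microsoft's tooling; the sample file content is constructed, and it assumes keywords are case-insensitive and that source names containing spaces are double-quoted. It also flags a well-known default community name, which is the one setting in this file worth a second look.

```python
import ipaddress
import shlex

# Constructed sample in the layout described above: Log Source EventID Count Interval, then destination.
SAMPLE_CNF = ("#pragma add Application DevTrap 1000 1 0\n"
              "#pragma ADD_TRAP_DEST public 10.147.204.88\n")

ARG_COUNTS = {"ADD": 5, "DELETE": 3, "ADD_TRAP_DEST": 2, "DELETE_TRAP_DEST": 2}
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults worth flagging


# Assumptions: keywords are case-insensitive (the post mixes 'add' and
# 'ADD_TRAP_DEST'); source names containing spaces are double-quoted.
def parse_events_cnf(text):
    """Return (translations, destinations, problems) for an events.cnf body."""
    translations, destinations, problems = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)  # honours "quoted names"
        if len(parts) < 2 or parts[0] != "#pragma":
            problems.append(f"line {lineno}: not a #pragma directive")
            continue
        verb, args = parts[1].upper(), parts[2:]
        expected = ARG_COUNTS.get(verb)
        if expected is None:
            problems.append(f"line {lineno}: unknown keyword {parts[1]}")
        elif len(args) != expected:
            problems.append(f"line {lineno}: {verb} expects {expected} fields, got {len(args)}")
        elif verb in ("ADD", "DELETE"):
            if not all(a.isdigit() for a in args[2:]):  # EventID, EventCount, TimeInterval
                problems.append(f"line {lineno}: {verb} numeric fields must be integers")
                continue
            rec = {"op": verb, "log": args[0], "source": args[1], "event_id": int(args[2])}
            if verb == "ADD":
                rec.update(count=int(args[3]), interval=int(args[4]))
            translations.append(rec)
        else:
            community, host = args
            try:
                ipaddress.ip_address(host)
            except ValueError:  # not an IP: accept a plain hostname only
                if not host.replace("-", "").replace(".", "").isalnum():
                    problems.append(f"line {lineno}: '{host}' is not an IP address or hostname")
                    continue
            if community.lower() in DEFAULT_COMMUNITIES:
                problems.append(f"line {lineno}: community '{community}' is a well-known default")
            destinations.append({"op": verb, "community": community, "host": host})
    return translations, destinations, problems
```

Run it over the exported file before the evntcmd.exe step; an empty problems list means every directive has the right shape for the table above.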
Using evntcmd.exe
Now that I have the configuration file as needed, I use evntcmd.exe to configure the trap translations and trap destinations. Run the command from an elevated command prompt.
evntcmd.exe events.cnf
Here is what the output looks like after running the command.
At this point, any event logged to the Application log with source DevTrap and event ID 1000 will send a trap to my manager at 10.147.204.88. I can test this by generating an event and watching my trap manager server to make sure I see it come across.
C:\>eventcreate /T success /id 1000 /l application /d "Test event to be trapped." /so DevTrap