Sending SNMP Traps of Windows Events

Furthering my build-out for a monitoring solution which includes Observium as the primary SNMP polling system, I am writing an application to handle SNMP traps from my Windows servers.

Most of my servers are Windows Server 2008 R2 or 2012 R2, so I can use evntwin.exe on each of them to set up traps for specific event log entries and send those traps to my receiver, which will classify them and alert or notify. Both evntwin.exe and evntcmd.exe ship with the SNMP Service feature, so that feature has to be installed on the server first.

There are a few steps involved in the overall process here.

Create a Custom Event Log Source

Before I translate a specific event log entry, I create an event log source called DevTrap and use Event ID 1000 for my test event. This step is optional: as the next step shows, you can go straight to filtering any existing event log source. Note that eventcreate only accepts IDs 1 through 1000, and the description must be quoted because it contains spaces.

C:\> eventcreate /T success /id 1000 /l application /d "Test event to be trapped." /so DevTrap

[Screenshot: eventcreate output]

Translate Events to Traps

In evntwin.exe, I select Custom and then click Edit >>.

[Screenshot: evntwin.exe with Custom selected]

From here I can navigate the event log tree in the left pane and find the DevTrap source under the Application log.

[Screenshot: DevTrap source under the Application log]

Double-clicking the row shows the event's properties and lets me set when to generate the trap, based on the number of events within a given time period. I left the defaults, since I'll be testing manually and this source won't generate hundreds of traps. For a noisy source you would raise the count or widen the interval here, otherwise a burst of events becomes a burst of traps at the receiver.

[Screenshot: event properties dialog]

Now the event is listed in the Events to be translated to traps box. I need to Apply and then Export the trap translations. If I wanted to add more events, I could keep going before clicking Apply and Export.

[Screenshot: Events to be translated to traps]

The Export dialog asks where to save the translation configuration file. Choose a location that makes sense. After saving, close evntwin.exe.

[Screenshot: Export dialog]

A Look at events.cnf

The events.cnf file exported in the previous step contains the commands that evntcmd.exe will process to apply the translations. Here is what my file contains so far.

[Screenshot: exported events.cnf]

The format of the #pragma add line is:

#pragma add <LogName> <SourceName> <EventID> <EventCount> <TimeInterval>

The trap is generated once <EventCount> matching events have been logged within <TimeInterval> seconds, the same threshold the properties dialog in evntwin.exe sets.

I also need a trap destination and community in this file. The community string travels in cleartext with every SNMPv1 trap, so on a real network use something other than public and restrict UDP/162 at the receiver to the hosts you expect traps from:

#pragma ADD_TRAP_DEST public 10.147.204.88

I add the line and save, and the file now looks like this.

[Screenshot: events.cnf with the trap destination added]

Here is a useful table if you want to build the file manually, including the trap destination. Microsoft's TechNet article on evntcmd.exe has more detail.

ADD               Specifies that you want to add an event-to-trap configuration.
DELETE            Specifies that you want to remove an event-to-trap configuration.
DELETE_TRAP_DEST  Specifies that you do not want trap messages to be sent to the specified host within a community.
ADD_TRAP_DEST     Specifies that you want trap messages to be sent to the specified host within a community.
CommunityName     Specifies, by name, the community in which trap messages are sent.
HostID            Specifies, by name or IP address, the host to which you want trap messages to be sent.
EventLogFile      Specifies the event log in which the event is recorded (for example Application or System).
EventSource       Specifies the application that generates the event.
EventID           Specifies the unique number that identifies each event.
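As an added example (not part of the original post and not Microsoft's tooling), here is a small Python parser and generator for the events.cnf #pragma syntax in the table above. It follows the verbs and argument order listed there; the defaults of 1 event in 0 seconds for an ADD line that omits the count and period, and the use of double quotes around a source name that contains spaces, are my assumptions, and SAMPLE_CNF is a constructed file that reuses the post's DevTrap source and 10.147.204.88 destination. It also flags the well-known communities public and private, since with SNMPv1 the community string is all that stands between anyone on the network and your trap receiver.

```python
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass
class EventTrap:
    log: str          # EventLogFile, e.g. Application or System
    source: str       # EventSource, e.g. DevTrap
    event_id: int
    count: int        # generate the trap after this many matching events...
    period: int       # ...within this many seconds (0 = trap every event)


@dataclass
class TrapDest:
    community: str
    host: str         # HostID: IP address or host name


def parse_events_cnf(text):
    """Parse an events.cnf body; return (traps, destinations, warnings)."""
    traps, dests, warnings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("#pragma"):
            continue                                 # blank or unrelated line
        # shlex keeps "#pragma" as a token (comment handling is off by
        # default) and joins a double-quoted source name into one argument.
        parts = shlex.split(line)
        if len(parts) < 2:
            warnings.append(f"line {lineno}: bare #pragma")
            continue
        verb, args = parts[1].upper(), parts[2:]
        if verb in ("ADD", "DELETE"):
            if len(args) < 3 or not all(a.isdigit() for a in args[2:5]):
                warnings.append(f"line {lineno}: {verb} needs log, source and a "
                                "numeric event id [count [period]]")
                continue
            event_id = int(args[2])
            count = int(args[3]) if len(args) > 3 else 1    # assumed defaults
            period = int(args[4]) if len(args) > 4 else 0   # when omitted
            if verb == "ADD":
                traps.append(EventTrap(args[0], args[1], event_id, count, period))
        elif verb in ("ADD_TRAP_DEST", "DELETE_TRAP_DEST"):
            if len(args) != 2:
                warnings.append(f"line {lineno}: {verb} needs community and host")
                continue
            community, host = args
            try:
                ipaddress.ip_address(host)          # a host name is allowed too
            except ValueError:
                if not host.replace("-", "").replace(".", "").isalnum():
                    warnings.append(f"line {lineno}: odd host id {host!r}")
            if community.lower() in ("public", "private"):
                warnings.append(f"line {lineno}: community {community!r} is a "
                                "well-known default sent in cleartext; change it")
            if verb == "ADD_TRAP_DEST":
                dests.append(TrapDest(community, host))
        else:
            warnings.append(f"line {lineno}: unknown pragma {verb}")
    return traps, dests, warnings


def _q(name):
    return f'"{name}"' if " " in name else name     # quoting is an assumption


def build_events_cnf(traps, dests):
    """Emit an events.cnf body in the form shown above."""
    lines = [f"#pragma ADD {_q(t.log)} {_q(t.source)} {t.event_id} {t.count} {t.period}"
             for t in traps]
    lines += [f"#pragma ADD_TRAP_DEST {d.community} {d.host}" for d in dests]
    return "\n".join(lines) + "\n"


# Constructed sample file: the post's DevTrap translation, a second
# illustrative System-log entry, and the post's trap destination.
SAMPLE_CNF = """\
#pragma add Application DevTrap 1000 1 0
#pragma add System "Service Control Manager" 7036 5 60
#pragma ADD_TRAP_DEST public 10.147.204.88
"""
```

Running parse_events_cnf(SAMPLE_CNF) returns the two translations and the destination, plus one warning about the public community; feeding the result back through build_events_cnf reproduces an equivalent file, which is handy for generating a consistent events.cnf for many servers from one list instead of clicking through evntwin.exe on each.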

Using evntcmd.exe

With the configuration file in place, I use evntcmd.exe to apply the trap translations and trap destinations. Run it from an elevated command prompt. evntcmd.exe is part of the SNMP service and stores the configuration in that service's registry settings; the destination also shows up on the Traps tab of the SNMP service properties.

evntcmd.exe events.cnf

Here is what the output looks like after running the command.

[Screenshot: evntcmd.exe output]

At this point, any event logged to the Application log with source DevTrap and ID 1000 sends a trap to my manager at 10.147.204.88. I can test this by generating an event and watching the trap manager to confirm it arrives.

C:\> eventcreate /T success /id 1000 /l application /d "Test event to be trapped." /so DevTrap
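The receiving side, as an added example that is not the application the post describes: a minimal SNMPv1 trap decoder in Python. The Windows SNMP service emits SNMPv1 Trap-PDUs (RFC 1157), so a small BER walker is enough to see the enterprise OID, agent address and varbinds that the translation above produces. SAMPLE_TRAP is a constructed packet, not a capture from the author's server; the agent address 10.147.204.80, the Microsoft enterprise OID 1.3.6.1.4.1.311 and the varbind OID under it are illustrative assumptions. The decoder refuses traps whose community does not match the expected one, which is the only authentication SNMPv1 offers.

```python
from dataclasses import dataclass, field

# ASN.1 BER tags used in an SNMPv1 message (RFC 1155 / RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, COUNTER, GAUGE, TIMETICKS = 0x40, 0x41, 0x42, 0x43
TRAP_PDU = 0xA4                     # [4] IMPLICIT SEQUENCE (context, constructed)


@dataclass
class Trap:
    community: str
    enterprise: str
    agent_addr: str
    generic_trap: int               # 6 = enterpriseSpecific
    specific_trap: int
    timestamp: int                  # TimeTicks since the agent started
    varbinds: list = field(default_factory=list)


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[pos:end], end


def _oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:              # base-128 arcs, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _value(tag, b):
    if tag == INTEGER:
        return int.from_bytes(b, "big", signed=True)
    if tag in (COUNTER, GAUGE, TIMETICKS):
        return int.from_bytes(b, "big")
    if tag == OCTET_STRING:
        return b.decode("utf-8", "replace")
    if tag == OID:
        return _oid(b)
    if tag == IPADDRESS:
        return ".".join(map(str, b))
    return None if tag == NULL else b   # unknown type: keep the raw bytes


def parse_v1_trap(packet, expected_community=None):
    """Decode one SNMPv1 trap; raise on malformed input or wrong community."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _tlv(msg, 0)
    if tag != INTEGER or _value(tag, ver) != 0:
        raise ValueError("not SNMPv1")
    _, comm, pos = _tlv(msg, pos)
    community = comm.decode("latin-1")
    # The community string is all the authentication SNMPv1 has; check it
    # before trusting anything else in the packet.
    if expected_community is not None and community != expected_community:
        raise PermissionError(f"unexpected community {community!r}")
    tag, pdu, _ = _tlv(msg, pos)
    if tag != TRAP_PDU:
        raise ValueError(f"not a Trap-PDU (tag 0x{tag:02x})")
    vals, pos = [], 0
    for _ in range(6):              # enterprise ... variable-bindings
        _, v, pos = _tlv(pdu, pos)
        vals.append(v)
    ent, addr, gen, spec, ts, vbl = vals
    varbinds, pos = [], 0
    while pos < len(vbl):           # SEQUENCE OF VarBind { name, value }
        _, vb, pos = _tlv(vbl, pos)
        _, name, p = _tlv(vb, 0)
        vtag, value, _ = _tlv(vb, p)
        varbinds.append((_oid(name), _value(vtag, value)))
    return Trap(community, _oid(ent), _value(IPADDRESS, addr),
                _value(INTEGER, gen), _value(INTEGER, spec),
                _value(TIMETICKS, ts), varbinds)


def _enc(tag, body):                # short-form length is enough for the sample
    return bytes([tag, len(body)]) + body


# Constructed sample (not a capture): community public, Microsoft enterprise
# OID 1.3.6.1.4.1.311, agent 10.147.204.80, enterpriseSpecific(6) / 1000, and
# one OCTET STRING varbind carrying the test event's text.
_MS = bytes([0x2B, 6, 1, 4, 1, 0x82, 0x37])                  # 1.3.6.1.4.1.311
SAMPLE_TRAP = _enc(SEQUENCE,
    _enc(INTEGER, b"\x00") + _enc(OCTET_STRING, b"public")
    + _enc(TRAP_PDU,
        _enc(OID, _MS)
        + _enc(IPADDRESS, bytes([10, 147, 204, 80]))
        + _enc(INTEGER, b"\x06") + _enc(INTEGER, b"\x03\xe8")   # 6, 1000
        + _enc(TIMETICKS, b"\x30\x39")                          # 12345
        + _enc(SEQUENCE, _enc(SEQUENCE,
            _enc(OID, _MS + bytes([1, 13, 1]))
            + _enc(OCTET_STRING, b"Test event to be trapped.")))))
```

To use it as a receiver, bind a UDP socket to port 162, pass each datagram to parse_v1_trap with the community you configured in events.cnf, and log the source address together with any ValueError or PermissionError rather than silently dropping the packet; a stream of rejected traps from an unexpected host is itself worth an alert.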

Monitor ESXi Free using SNMP

Enable SNMP on ESXi 4.1 and 5.0

SSH to the host and edit the snmp.xml file:

vi /etc/vmware/snmp.xml

Make the following changes, where 192.168.1.100 is the trap receiver and public is only a placeholder community that you should change:

<config>
  <snmpSettings>
    <enable>true</enable>
    <communities>public</communities>
    <targets>192.168.1.100@public</targets>
  </snmpSettings>
</config>

Restart management agents with the following command:

/etc/init.d/hostd restart

Enable SNMP on ESXi 5.1 and 5.5

SSH to the host and run the following command:

esxcli system snmp set --communities=public --enable=true --targets=192.168.1.100@162/public

The target is written as host@port/community. The same cleartext-community caveat applies here: change public, and on ESXi 5.1 and later consider SNMPv3 targets, which authenticate the sender instead of relying on a shared string.

Send a test SNMP trap

vicfg-snmp --server <ESXiServerIP> --username root --password <Password> --test

Reviewing the SNMP configuration

Showing the SNMP configuration is a read-only operation, so it works through vCLI even against the free license. With vicfg-snmp -s I see the following.

vi-admin@vma:~> vicfg-snmp --server <ESXiServerIP> --username root --password <Password> -s

Current SNMP agent settings:
Enabled : 1
UDP port : 161

Communities :
public

Notification targets :
192.168.1.100@162/public

Options :
EnvEventSource=indications