How to Generate SNMP traps from Windows Events

Background

Microsoft have an extension capability to the Windows events system that allows conversion of windows events to SNMP traps which can be sent to an external fault management system. There are some nasty aspects to the SNMP trap generated, but it does allow management with no change to your code.

Procedure

Reference:

• http://www.ehsco.com/reading/20050715.html
  
• http://www.microsoft.com/technet/prodtechnol/speech/support/ snmp/default.mspx#_Using_ETT_to_Translate_Events_to_Tr
  
• http://support.microsoft.com/kb/160969/en-us
  

Start -> Control Panel -> Add Remove Programs

• Add/Remove Windows Components
• Select Management and Monitoring Tools, and ensure Simple Network Management Protocol is enabled.

Start -> Control Panel -> Administration Tools -> Services

• Select SNMP Service and properties
• Select the Traps panel
• set community name to public (if not already done).
• Add and enter the hostname or IP of the SNMP manager system. (The box running OpenView, NetView, or one of the other brand of NMS applications).

Start -> Run. Then evntwin

• Select Custom Configuration type, and Edit >>
• In the Event sources, select the Application. e.g. SPE Engine Manager and click Add.
• Take note of
  • Enterprise OID
  • Trap specific ID
• Click OK, Apply, OK.

SNMP trap identification

The Enterprise OID is under a Microsoft naming branch.

enterprises.microsoft(311).software(1).eventlog(13).evntagent(1).<len>.<application...> * Where <len> is the length of the registered application name e.g. 18 * <application...> are the ascii values for the characters of the application name.

e.g. 1.3.6.1.4.1.311.1.13.1.18.83.80.69.32.69.110.103.105.110.101. 32.77.97.110.97.103.101.114

The specific trap number is a combination of the windows 16 bit event number (e.g. 1) plus some high bits depending on whether a system event, and also incorporates the severity. e.g. 1073872897 = 0x40020001. The top 2 bits are encoded -:

• 00 - Success 01 - Informational 10 - Warning 11 - Error

The trap arguments are

1. eventText (Full description text as it appears in event viewer)
2. eventUserId (user name (minus the domain))
3. eventSystem (PC hostname (minus domain))
4. eventType (severity, which seems to correctly reflect the event compared to the trap number bit munging) http://msdn.microsoft.com/library/en-us/debug/base/event_types.asp
   • 1 = Error
   • 2 = Warning
   • 4 = Informational
   • 8 = Success Audit
   • 16 = Failure Audit
5. eventCategory http://msdn.microsoft.com/library/en-us/debug/base/event_categories.asp

SNMP Manager to display received traps

The windows SNMP trap service receives SNMP traps and provides an API for aware applications to register and be passed these. It doesn't have a UI however.

The snmptrapd utility from NETSNMP on Unix/Linux is a text based manager that will display received traps. See http://net-snmp.sourceforge.net/

For the above we see (in the debug trace)