How to Generate SNMP traps from Windows Events

Background

Microsoft provides an extension to the Windows event system that converts Windows events into SNMP traps, which can then be sent to an external fault management system. The generated traps have some nasty aspects, but the approach allows management with no change to your code.

Procedure

Reference:

Start -> Control Panel -> Add Remove Programs

Start -> Control Panel -> Administration Tools -> Services

Start -> Run. Then evntwin

SNMP trap identification

The Enterprise OID is under a Microsoft naming branch.

enterprises.microsoft(311).software(1).eventlog(13).evntagent(1).<len>.<application...>

  * <len> is the length of the registered application name, e.g. 18
  * <application...> are the ASCII values of the characters of the application name

e.g. 1.3.6.1.4.1.311.1.13.1.18.83.80.69.32.69.110.103.105.110.101.32.77.97.110.97.103.101.114

OID component      Meaning
---------------    --------------------
1.3.6.1.4.1.311    Microsoft
.1.13.1.           evntwin?
18                 length
83                 S
80                 P
69                 E
32                 [sp]
69                 E
110                n
103                g
105                i
110                n
101                e
32                 [sp]
77                 M
97                 a
110                n
97                 a
103                g
101                e
114                r

The specific trap number combines the Windows 16-bit event number (e.g. 1) with some high bits that depend on whether it is a system event and that also incorporate the severity, e.g. 1073872897 = 0x40020001. The top 2 bits are encoded -:

The trap arguments are

  1. eventText (Full description text as it appears in event viewer)
  2. eventUserId (user name (minus the domain))
  3. eventSystem (PC hostname (minus domain))
  4. eventType (severity, which seems to correctly reflect the event compared to the trap number bit munging) http://msdn.microsoft.com/library/en-us/debug/base/event_types.asp
  5. eventCategory http://msdn.microsoft.com/library/en-us/debug/base/event_categories.asp
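As an added example (not code from the original page), the following Python encodes an application name into the evntagent enterprise OID described above, parses a snmptrapd "Trap OID" line back into the application name and specific trap number, and splits the specific trap number into its event ID and high bits. The severity names assume the standard Windows message-ID layout (winerror.h); the page does not state that mapping.

```python
# Added example: encode/decode the evntagent trap OID layout and the specific trap number.
# enterprises.microsoft(311).software(1).eventlog(13).evntagent(1)
EVNTAGENT_PREFIX = (1, 3, 6, 1, 4, 1, 311, 1, 13, 1)


def app_name_to_oid(name):
    """Enterprise OID for a registered event source: prefix, name length, then ASCII codes."""
    codes = tuple(ord(c) for c in name)
    return ".".join(str(n) for n in EVNTAGENT_PREFIX + (len(name),) + codes)


def decode_trap_oid(trap_oid):
    """Parse a snmptrapd 'Trap OID' value into (application name, specific trap number).

    Accepts the numeric form or the SNMPv2-SMI::enterprises.311... form seen in the debug trace.
    The SNMPv2 trap OID is <enterprise OID>.0.<specific trap>.
    """
    body = trap_oid.split("::")[-1].replace("enterprises", "1.3.6.1.4.1")
    parts = [int(p) for p in body.strip(".").split(".")]
    if tuple(parts[: len(EVNTAGENT_PREFIX)]) != EVNTAGENT_PREFIX:
        raise ValueError("not an evntagent trap OID")
    rest = parts[len(EVNTAGENT_PREFIX):]
    length, rest = rest[0], rest[1:]
    if len(rest) != length + 2 or rest[length] != 0:
        raise ValueError("unexpected layout after the application name")
    name = "".join(chr(c) for c in rest[:length])
    return name, rest[length + 1]


def decode_specific_trap(value):
    """Split the specific trap number: low 16 bits = event ID, top 2 bits = severity.

    Severity names follow the standard Windows message-ID layout (winerror.h); that this is
    what the translator puts in the high bits is an assumption, not stated on the page.
    """
    severity = ("Success", "Informational", "Warning", "Error")[(value >> 30) & 0x3]
    return {
        "event_id": value & 0xFFFF,
        "facility": (value >> 16) & 0x0FFF,
        "customer": bool((value >> 29) & 1),
        "severity": severity,
    }
```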

SNMP Manager to display received traps

The Windows SNMP Trap service receives SNMP traps and provides an API through which aware applications register to be passed them. It has no UI, however.

The snmptrapd utility from Net-SNMP on Unix/Linux is a text-based manager that displays received traps. See http://net-snmp.sourceforge.net/

For the trap above, the snmptrapd debug trace shows:

snmptrapd: Trap OID: SNMPv2-SMI::enterprises.311.1.13.1.18.83.80.69.32.69.110.103.105.110.101.32.77.97.110.97.103.101.114.0.1073872897
 
dumpv_recv:            ObjID: SNMPv2-SMI::enterprises.311.1.13.1.9999.1.0
:
dumpv_recv:            String:  Application program C:\\cygwin\\home\\dsm\\SPEC\\spec\\out\\spec\\out\\send_receive.exe 
run by user dhorton on host DHORTON-PC called the Security Protection Engine.
 
INIT FILE not available
GUID not available
.\\module\\engine\\spe_manager.c line:2385
Security descriptor out of range : 10019