Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Evntwin and 4740 lockout events

When we were on Windows 2003 AD, we used a combination of "evntwin" on the domain controllers to fire off traps for 644 events (locked out user) and Orion Trap Viewer to send an email when one of these traps was received. The Trap Viewer was configured to trigger on the trap OID of "EVENT-LOG-TRAP-MIB:security.0.644". As most people know, in Windows 2008/2012 these are now 4740 events. I re-configured "evntwin" on 2012 to send the trap, but the problem is the trap OID is so long, Orion does not let you enter all the characters. The actual OID "EVENT-LOG-TRAP-MIB:eventLogMib.35.77.105.99.114.111.115.111.102.116.45.87.105.110.100.111.119.115.45" gets truncated at the last occurrence of 111.

Is this still a valid method for alerting on lockouts, and if so, how do I skirt the character limitation? All the event monitors don't really give you what your Help Desk people need and that is who is locked out and maybe from where. A count of the number of locked out users is not what I am after. The relevant data (who is locked out) is contained in the trap event variables and just needs to be sent along in the notification email. Is there something I am missing to shorten the OID?

Jim

Find more posts tagged with

Accepted answers

All comments

jbartlett

Well, I have found one way of doing it. The gargantuan OID appears again in the trap details. I entered a regex on the trap details tab that matches on the OID and cleared the "conditions" tab. This seems to be working. Not pretty mind you, as the email is just the trap details, but gives the Help Desk all they need.

A word of warning to others though....what you see displayed in the trap details is not necessarily what is actually received by Orion character for character. Orion adds/removes some spaces, hyphens and/or colons, so we had to play with the regex to compensate for this. Orion's alerts operate on the received content, not the displayed content, so an extra space or colon here or there will render your regex useless.

aLTeReGo

Is there any reason why you're using SNMP Traps and not the Windows Event Log Monitor? With the Windows Event Log Monitor you would get the full event message details in the alert notification and Orion web console as seen in the original Windows event.

jbartlett

Initially, I was going to use the event log monitor when we had 2003 domain controllers, but there was an article floating around on Thwack that mentioned using evntwin and traps was a "more reliable" way of dealing with it. If I recall, the event log monitor had some timing issues or something related to the sample interval.

However, if you see no reason NOT to use the event log monitor, I will just switch to that method since it is a little more visible in the Orion interface and easier to manage.

Jim

jbartlett

I found the article in question, find it at:

The event details are exactly what I need forwarded to the Help Desk (much cleaner than the trap details). Preferably via an email alert, but I could entertain other ideas as well. This article seems to indicate they could not get the event details to be included with the alert. Has this been fixed? What is the variable to use?

jbartlett

Found the variable, ${WindowsEventMessages}, will see if this works

aLTeReGo

See, you didn't need me after all. Glad you found what you were looking for. You should find SAM's Windows Event Log Monitor a far superior solution to managing Windows Events than doing so through SNMP Traps.