Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Any way to count number of traps per hour and alert on source IP inside the varbinds?

We have a need to monitor SMTP denials at the firewall where we get at least 25 hits within an hour's time from a single source.

I have the SMTP denied SNMP TRAPS coming in from the firewall which contain varbinds with Source and Destination. I forward these into Event Viewer Application log.

I then use APM EVENT LOG MONITOR to see these traps. I can then filter on their Event ID and Source (SolarWinds Trap Service). I can even filter using the (INCLUDE) on the 'src' IP address. I then can alert on these per polling minutes but I can't figure out how to do it based on a count. Does anyone have any ideas how to approach that? Thanks.

Find more posts tagged with

Accepted answers

RogerWong

In APM 3.1 you can use the Windows Event Log Monitor to count how many Event 3003s have been sent to the Application log in the past 60 minutes. Then, you can make the application go to warning if 1 or more are found, and to critical status if 25 or more are found.

The Windows Event Log monitor looks backwards in time depending on the polling frequency. You have to specify theumber of past polling intervals to search for events.

So if you want to scan the past hour of log entries, and your polling frequency is 5 minutes (300 seconds), you need to set the 'past polling intervals' to 12. (12 x 5 = 60 minutes).

1. APM Settings > Create New Application Template

2. Make these changes:

Template Name: Count Event 3003 in Application Log

Polling Frequency: 300 seconds

3. Click Add Component Monitor, and then add a Windows Event Log Monitor.

4. Make these changes:

Credential for Monitoring: (windows admin credential)

Log to Monitor: Application

Match Definition: Custom

Event Id: 3003

Event Type: Any event

Number of past polling intervals to search for events: 12

If a match is found in a polling period, component is: Up

Statistic Warning Threshold: greater than or equal to 1

Statistic Critical Threshold: greater than or equal to 25

5. Assign it to your node.

All comments

lchance

UPDATE

I did find an older APM MONITOR (circa v2) which is named Windows Event Log Count it has a vbscript to do this but I can't get it to work.

Do I need to open a support case on this?

RogerWong

Lchance, I don't think that's going to do the trick. The Windows Event Log Monitor (and its older sibling, the Windows Event Log Count script) uses pattern matching to look into a Windows event log and count the occurrences of a particular event in a given time frame, then report that number as a statistic.

So...

we can alert you regarding 25 SMTP denial messages in an event log found in the past hour.

we can't alert you about 25 SMTP denials from any single arbitrary IP address. That arbitrary IP address is a problem. We don't currently have that kind of logic in any of the monitors.

lchance

Roger:

I've assigned this (vbscript) APM monitor to that node where the Event ID 3003 is coming into the Application event log.

And I don't really understand what I'm doing with it - but I altered the arguments this way, is this correct?

-computer localhost -area Application -id 3003 -timespan 60

...so my question is this - should this trigger in 60 minutes if my Statistic Critical Threshold is at 25?

	-computer localhost -area Application -id 3003 -timespan 5

	-computer localhost -area Application -id 3003 -timespan 5

RogerWong

No, what that would do is scan the past 60 minutes of the application log for event id 3003, and return that number as the statistic. If you have the statistic critical set to greater than 25, 26 event 3003s in the past hour will trigger the monitor to go to Critical status.

Do you have APM 3.1? If you do, I can show you the actual event log monitor we added in 3.1 so you don't have to mess around with the script and its command line switches.

RogerWong

Do you have APM 3.1? If you do, I can show you the actual event log monitor we added in 3.1 so you don't have to mess around with the script and its command line switches.

lchance

Yes - I have APM 3.1