We are attempting to forward Windows event log events to Orion NPM/APM using the Microsoft Event-to-Trap-Translator (ETT) as described here:
http://www.eric-a-hall.com/articles/20050715.html
and
http://technet.microsoft.com/en-us/library/bb684482.aspx#EDAA
We are doing this because the built-in Orion APM event log monitor is incompatible with Windows 2000 Server and uses WMI. See:
We wrote our own Windows script monitor that overcomes the limitations, but it still uses WMI. It works properly on W2K servers, but on some of them, WMI spikes the CPU for an unacceptable length of time, and so we have turned it off.
Using the Orion SysLog Forwarder is not an option because of the impact of the installation prerequisites across ~3000 servers. It also doesn't have an easy way to configure all the servers from a central location. SNMP is already installed on the servers, so we'd prefer to use its built-in ETT capability instead.
So we are now trying to forward the Windows event logs via SNMP using ETT. The traps are configured, and we can trigger them and see in the Orion Trap Viewer that they reach the main APM/NPM poller, but they are coming through garbled. We can also use the Trap Viewer to send an E-mail that contains the trap contents.
Example E-mail (where IP address, hostname, community string, domain, security ID, and Orion service account have been replaced - see X's):
Timestamp: 12/17/2009 2:38 PM
Message Type: EVNTAGENT-MIB:security.0.636
Message: SNMP Trap
Received Time: 12/17/2009 2:38:04 PM
Source: XIP.XIP.XIP.XIP (XXHostnameXX)
Community: XXCommunityStringXX
Variable Bindings
sysUpTime:= 1 hour 12 minutes 12.77 seconds (433277)
snmpTrapOID:= EVNTAGENT-MIB:security.0.636 (1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121.0.636)
eventText:= U2VjdXJpdHkgRW5hYmxlZCBMb2NhbCBHcm91cCBNZW1iZXIgQWRkZWQ6DQoNCglNZW1iZXIgTmFtZToJLQ0KDQoJTWVtYmVyIElEOgkle1MtMS01LTIxLTE5MzQyMzc3OC0zNTUzNDQ0ODMtMTU5NzA3MzMyOC0xNTU3NzJ9DQoNCglUYXJnZXQgQWNjb3VudCBOYW1lOglBZG1pbmlzdHJhdG9ycw0KDQoJVGFyZ2V0IERvbWFpbjoJQnVpbHRpbg0KDQoJVGFyZ2V0IEFjY291bnQgSUQ6CSV7Uy0xLTUtMzItNTQ0fQ0KDQoJQ2FsbGVyIFVzZXIgTmFtZToJU1ZDX0VUU19Pcmlvbg0KDQoJQ2FsbGVyIERvbWFpbjoJS0hDDQoNCglDYWxsZXIgTG9nb24gSUQ6CSgweDAsMHg1OTNBMUZGKQ0KDQoJUHJpdmlsZWdlczoJLQ0KDQo=
eventUserId:= XXOrionServiceAccountXX
eventSystem:= XXHostnameXX
eventType:= 8
eventCategory:= 7
eventVar1:= -
eventVar2:= %{XXLongSecurityIDXX}
eventVar3:= Administrators
eventVar4:= Builtin
eventVar5:= %{S-1-5-32-544}
eventVar6:= XXOrionServiceAccountXX
eventVar7:= XXDomainNameXX
eventVar8:= (0x0,0x593A1FF)
eventVar9:= -
experimental.1057.1:= XIP.XIP.XIP.XIP
snmpTrapEnterprise:= EVNTAGENT-MIB:security (1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121)
This trap is an ETT version of a Windows Security event log (ID: 636) that is created whenever an account is added to the local administrators account. As you can see above, the eventText field is completely unreadable. What are we doing wrong, and how can we fix it?
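What the trap carries in eventText is not corruption: it is the SNMP OCTET STRING holding the event's message text, and it is printed Base64-encoded (why the Trap Viewer falls back to Base64 is an assumption, but the text it decodes to contains CR/LF and tab characters, which a plain-text viewer cannot print as-is). The block below is an added example, not code from the original post or from SolarWinds: it takes the eventText and snmpTrapOID values exactly as printed above, Base64-decodes the message, splits it into its "Key: Value" fields, recovers the log name and event ID from the trap OID (the OID encodes the log name as a length-prefixed run of ASCII codes, 8.83.101.99.117.114.105.116.121 being "Security", followed by 0.636 in the usual SNMPv1-to-v2 specific-trap mapping), and flags membership changes to BUILTIN\Administrators (S-1-5-32-544), which is what this monitor exists to catch. The message is decoded as ASCII; the code page ETT actually uses is not established by the post. One caveat for anyone pasting such traps into a forum: the Base64 form is an encoding, not a redaction, and decoding it recovers the caller and domain values that were replaced with X's in the varbinds further down.

```python
import base64
from typing import Optional

# Constructed sample: the eventText varbind exactly as printed in the post above
# (Base64 of an OCTET STRING), split across lines only for readability.
EVENT_TEXT_B64 = (
    "U2VjdXJpdHkgRW5hYmxlZCBMb2NhbCBHcm91cCBNZW1iZXIgQWRkZWQ6DQoNCglNZW1iZXIgTmFtZToJLQ0KDQoJ"
    "TWVtYmVyIElEOgkle1MtMS01LTIxLTE5MzQyMzc3OC0zNTUzNDQ0ODMtMTU5NzA3MzMyOC0xNTU3NzJ9DQoNCgl"
    "UYXJnZXQgQWNjb3VudCBOYW1lOglBZG1pbmlzdHJhdG9ycw0KDQoJVGFyZ2V0IERvbWFpbjoJQnVpbHRpbg0KDQoJ"
    "VGFyZ2V0IEFjY291bnQgSUQ6CSV7Uy0xLTUtMzItNTQ0fQ0KDQoJQ2FsbGVyIFVzZXIgTmFtZToJU1ZDX0VUU19Pcmlvbg0KDQoJ"
    "Q2FsbGVyIERvbWFpbjoJS0hDDQoNCglDYWxsZXIgTG9nb24gSUQ6CSgweDAsMHg1OTNBMUZGKQ0KDQoJUHJpdmlsZWdlczoJLQ0KDQo="
)

# Constructed sample: the snmpTrapOID from the same trap, as printed in the post.
TRAP_OID = "1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121.0.636"

# EVNTAGENT-MIB branch that precedes the encoded log name in the trap OID.
ETT_PREFIX = "1.3.6.1.4.1.311.1.13.1"

# Well-known SID of the local BUILTIN\Administrators group.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"


def decode_event_text(b64: str) -> str:
    """Base64-decode the eventText varbind into the event's message text.

    The decoded bytes contain CR/LF and tab characters, which is why a viewer
    cannot print the OCTET STRING raw. Decoding as ASCII is an assumption; the
    agent's real code page is not established by the post.
    """
    return base64.b64decode(b64, validate=True).decode("ascii", errors="replace")


def parse_event_text(text: str) -> tuple:
    """Split the message into (title, {key: value}).

    The message layout is '<title>:\\r\\n\\r\\n\\t<Key>:\\t<Value>\\r\\n...'.
    Blank lines are dropped; a line without the ':\\t' separator is ignored.
    """
    lines = [ln.strip("\t") for ln in text.split("\r\n") if ln.strip()]
    title = lines[0].rstrip(":")
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":\t")
        if sep:
            fields[key.strip()] = value.strip()
    return title, fields


def parse_trap_oid(oid: str) -> tuple:
    """Recover (log name, event ID) from an ETT snmpTrapOID.

    After ETT_PREFIX the arcs are <length>.<ASCII code>... for the log name,
    then 0.<event ID> (the SNMPv1 specific-trap number mapped to a v2 OID).
    """
    if not oid.startswith(ETT_PREFIX + "."):
        raise ValueError("not an EVNTAGENT-MIB trap OID: " + oid)
    arcs = [int(a) for a in oid[len(ETT_PREFIX) + 1:].split(".")]
    length, rest = arcs[0], arcs[1:]
    if len(rest) != length + 2 or rest[length] != 0:
        raise ValueError("unexpected ETT OID layout: " + oid)
    log_name = "".join(chr(c) for c in rest[:length])
    return log_name, rest[length + 1]


def sid(value: str) -> str:
    """Strip the %{...} wrapper ETT puts around SIDs in the message text."""
    return value.strip("%{}")


def admin_group_change(oid: str, b64: str) -> Optional[dict]:
    """Return a normalized alert when a Security-log trap targets BUILTIN\\Administrators.

    Anything else (other logs, other groups, unparseable text) yields None.
    """
    log_name, event_id = parse_trap_oid(oid)
    title, fields = parse_event_text(decode_event_text(b64))
    if log_name != "Security" or sid(fields.get("Target Account ID", "")) != BUILTIN_ADMINISTRATORS:
        return None
    return {
        "event_id": event_id,
        "action": title,
        "group": fields.get("Target Domain", "") + "\\" + fields.get("Target Account Name", ""),
        "member_sid": sid(fields.get("Member ID", "")),
        "caller": fields.get("Caller Domain", "") + "\\" + fields.get("Caller User Name", ""),
        "logon_id": fields.get("Caller Logon ID", ""),
    }


if __name__ == "__main__":
    print(decode_event_text(EVENT_TEXT_B64))
    print(admin_group_change(TRAP_OID, EVENT_TEXT_B64))
```

Run it to see the decoded message and the alert dictionary; the same functions can be pointed at the other ETT traps by changing which OID and eventText are passed in, since the log-name and event-ID parsing is not specific to event 636.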
So why aren't you using our Windows Events Forwarded utility? It can be found in your customer portal under additional components.
Also, if you own APM, see this regarding the next release here
Because of its installation prerequisites (e.g., .NET upgrades). Apparently, there is an older version that doesn't use .NET that we might be able to use.
Did you look in the additional components section of the customer portal?