We are attempting to forward Windows event log events to Orion NPM/APM using the Microsoft Event-to-Trap-Translator (ETT) as described here:
We are doing this because the built-in Orion APM event log monitor is incompatible with Windows 2000 Server and uses WMI. See:
We wrote our own Windows script monitor that overcomes the limitations, but it still uses WMI. It works properly on W2K servers, but on some of them, WMI spikes the CPU for an unacceptable length of time, and so we have turned it off.
Using the Orion SysLog Forwarder is not an option because of the impact of the installation prerequisites across ~3000 servers. It also doesn't have an easy way to configure all the servers from a central location. SNMP is already installed on the servers, so we'd prefer to use its built-in ETT capability instead.
So we are now trying to forward the Windows event logs via SNMP using ETT. The traps are configured, and we can trigger them and see in the Orion Trap Viewer that they reach the main APM/NPM poller, but they are coming through garbled. We can also use the Trap Viewer to send an E-mail that contains the trap contents.
Example E-mail (where IP address, hostname, community string, domain, security ID, and Orion service account have been replaced - see X's):
Timestamp: 12/17/2009 2:38 PM
Message Type: EVNTAGENT-MIB:security.0.636
Message: SNMP Trap
Received Time:12/17/2009 2:38:04 PM
sysUpTime:= 1 hour 12 minutes 12.77 seconds (433277)
snmpTrapOID:= EVNTAGENT-MIB:security.0.636 (188.8.131.52.4.1.3184.108.40.206.220.127.116.11.18.104.22.168.121.0.636)
snmpTrapEnterprise:= EVNTAGENT-MIB:security (22.214.171.124.4.1.3126.96.36.199.188.8.131.52.184.108.40.206.121)
This trap is an ETT version of a Windows Security event log (ID: 636) that is created whenever an account is added to the local administrators account. As you can see above, the eventText field is completely unreadable. What are we doing wrong, and how can we fix it?
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.