0 Replies Latest reply on Apr 4, 2012 8:26 AM by texnet

    Windows event log traps - OID event source and ID translation

    texnet

      Windows has the built-in ability to send traps for the event log with the Evntcmd and the Evntwin utilities. It sends much of the information from the event in the trap details, but it does not send the event ID or the event source in a text format. However, it does encode the source name and event ID in the trap OID itself. Microsoft has a KB article of the format here - How to translate event log messages to SNMP OIDs

       

      Here is an example of a trap from the DB of our solarwinds server-

       

      event-1.jpg

       

      The trap was generated from a test event using the DOS command "eventcreate /L Application /T Information /SO "Solarwinds" /ID 100 /D "Solarwinds Test Event"". If you look at the trap snmpTrapEnterprise value it is 1.3.6.1.4.1.311.1.13.1.10.83.111.108.97.114.119.105.110.100.115. Translating that from the MS KB article you have the following -


      1.3.6.1.4.1.311.1.13.1.10.83.111.108.97.114.119.105.110.100.115   <--- Full OID
      1.3.6.1.4.1.311.1.13.1                                            <--- EVNTAGENT-MIB:evntagent
                            .10.                                        <--- 10 Characters in source name
                                83.111.108.97.114.119.105.110.100.115   <--- Source name in ASCII
                                S  o   l   a  r   w   i   n   d   s     <--- Source name in Text

      The value snmpTrapOID takes this a step further and adds a 0 and the event ID (.0.100) to the OID.


      Can a feature be added into SNMP Trap Viewer that can process the Microsoft trap format into the event source and ID then have that value called as a variable in an alert action?
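
The OID layout described in the post above can be decoded mechanically. The following is an added example, not part of the original post and not SolarWinds or Microsoft code; the function name decode_event_trap_oid and the printable-ASCII restriction on the source name are assumptions of this example.

```python
# Added example: decode the Microsoft event-log trap OID layout described in the post.
EVNTAGENT_PREFIX = (1, 3, 6, 1, 4, 1, 311, 1, 13, 1)  # EVNTAGENT-MIB:evntagent, from the post


def decode_event_trap_oid(oid):
    """Return (source_name, event_id); event_id is None for snmpTrapEnterprise.

    Raises ValueError on anything that does not match the layout, so a
    malformed or spoofed trap is rejected instead of being half-parsed.
    """
    try:
        arcs = tuple(int(part) for part in oid.strip().strip(".").split("."))
    except ValueError:
        raise ValueError("OID contains a non-numeric component") from None
    n = len(EVNTAGENT_PREFIX)
    if arcs[:n] != EVNTAGENT_PREFIX or len(arcs) == n:
        raise ValueError("not an evntagent event-log trap OID")
    length = arcs[n]  # component after the prefix = number of characters in the source
    name_arcs = arcs[n + 1:n + 1 + length]
    if len(name_arcs) != length:
        raise ValueError("length prefix exceeds the remaining OID")
    # Assumption of this example: accept printable ASCII only. The name usually
    # ends up in alert text and logs, where control characters could forge or
    # split entries.
    if any(not 32 <= a <= 126 for a in name_arcs):
        raise ValueError("source name contains non-printable characters")
    source = "".join(chr(a) for a in name_arcs)
    tail = arcs[n + 1 + length:]
    if not tail:
        return source, None            # snmpTrapEnterprise form
    if len(tail) == 2 and tail[0] == 0:
        return source, tail[1]         # snmpTrapOID form: ".0.<event ID>"
    raise ValueError("unexpected components after the source name")


if __name__ == "__main__":
    # OID values taken from the post's test event.
    enterprise = "1.3.6.1.4.1.311.1.13.1.10.83.111.108.97.114.119.105.110.100.115"
    print(decode_event_trap_oid(enterprise))             # ('Solarwinds', None)
    print(decode_event_trap_oid(enterprise + ".0.100"))  # ('Solarwinds', 100)
```

Rejecting OIDs whose length prefix, character range or trailing components do not match keeps a crafted trap from placing arbitrary text into an alert variable.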