Goal of this How To
The Evntwin program from Microsoft (the Event to Trap Translator) provides
a way to forward any event visible in the Windows Event Viewer as an
SNMP trap to LoriotPro.
You can use this graphical tool to easily create a configuration
file and then apply that file with evntcmd at the command prompt to
quickly configure the same traps on multiple computers.
The list of events to forward as traps is applied, by either
Evntwin or Evntcmd, to the SNMP Event Agent of the Windows SNMP service.

Preliminary Tasks
The event-to-trap forwarder only works if the Windows SNMP agent is
installed and configured to send traps. Read the How
to install and configure Windows (2000 -XP) SNMP agent first.
Windows Event Configuration
The first step consists of choosing the events to forward. Events within
Microsoft Windows are displayed in the local Event Viewer window. Not all
events are recorded by default, but any event that appears in one of
the event logs can be forwarded as a trap.
There are three types of event logs:
System log
Tracks miscellaneous system events, e.g. events during system
startup and hardware and controller failures.
Application log
Tracks application-related events, e.g. an application failing to
load a DLL writes an entry to this log.
Security log
Tracks events such as logon, logoff, changes to access rights, and
system startup and shutdown. NOTE: by default no audit policy is
enabled, so the Security log stays empty.
To receive security events in the Event Viewer, an audit policy must
therefore be enabled.
To set Audit, open the Control Panel, select
and 
If auditing of system events is enabled and somebody clears the Security
event log, the Event Viewer displays the following event.

Each event has an ID, which we will use in the next step to select the
events to forward. Before starting the Evntwin program, make sure you know
the log the event is written to (Application, Security or System) and
its ID number.
Configure the Event to Trap forwarder (evntwin.exe)
Evntwin configures the translation of events to traps, the trap
destinations, or both, and can export the result as a configuration file.
Start the evntwin program from the Start > Run menu option.
The job consists of finding the event that you want to forward
as a trap to LoriotPro.

First select the Custom radio button, then click the Edit button. The
editing window shown above appears.
In the lower-left pane, select the event source. Sources are grouped by
the log the event is written to: Application event log, Security
event log or System event log.
In our example we want to forward a Security event, so we choose
Security.
The lower-right pane then lists the available events, ordered
by ID number.
We choose 517, the ID of the event logged when the Security
log is cleared.
Click the Add button; the upper pane "Events to be translated
to traps" now contains our event.
Repeat this for each event you want to add to the trap
list.
When done, click the Apply button.
After you have defined the traps you want, click Export to create
a file suitable for use with evntcmd, which lets you apply the same
configuration to other computers from the command prompt.
In our example, each time the Security event log is cleared, LoriotPro
receives the following trap:

A trap received by LoriotPro can trigger actions (refer to the
Event and trap filter chapter in the LoriotPro documentation).
Evntwin.exe advanced configuration
Advanced configuration is possible for each forwarded event.
Click on the Settings button.

It is possible to limit the length of the trap sent. When this
limit is enabled, you choose what to keep when the message is
truncated: the strings or the message.
The trap throttle prevents excessive SNMP trap messages from flooding
the network.
By default, if more than 500 traps are sent within less than 300 seconds,
the agent stops sending traps.
The Properties button gives you access to more settings for the
current event.

We can see the enterprise OID of the trap and the specific trap
ID, which is simply the event ID.
By default, a trap is generated each time the event occurs. You
can set a count threshold that specifies the number of occurrences of
the event needed before a trap is generated.
The time interval specifies the maximum time, in seconds, within which
this number of occurrences must happen.
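The following added example (not part of this how-to and not Microsoft's SNMP Event Agent code) models the count threshold, time interval and trap throttle described above, so that you can see what they do to a stream of events. Two assumptions are made, since the page does not describe the agent's internals: Count/Period is treated as a sliding window over the last Period seconds, and a tripped throttle stays off until reset. The rules used are the two events on this page, 517 in the Security log and the Eventlog 2147489653 example from the evntcmd section with Count 2 and Period 180.

```python
"""Model of the Count/Period threshold and the trap throttle of the
Event to Trap Translator. Added example, not the agent's real code.
Assumptions: sliding-window threshold; a tripped throttle stays off."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class TrapRule:
    """One '#pragma ADD' entry: log, source, 32-bit event ID, Count, Period (s)."""
    log: str
    source: str
    event_id: int
    count: int = 1      # occurrences needed before a trap is sent
    period: int = 0     # seconds within which they must occur; 0 = no limit


class EventToTrapTranslator:
    def __init__(self, rules, throttle_traps=500, throttle_seconds=300):
        self.rules = {(r.log, r.source, r.event_id): r for r in rules}
        self.seen = {key: deque() for key in self.rules}  # event timestamps per rule
        self.sent = deque()                               # timestamps of traps sent
        self.throttle_traps = throttle_traps
        self.throttle_seconds = throttle_seconds
        self.throttled = False

    def on_event(self, ts, log, source, event_id):
        """Feed one event-log record; return True if a trap goes out for it."""
        key = (log, source, event_id)
        rule = self.rules.get(key)
        if rule is None:                            # not configured: no trap
            return False
        window = self.seen[key]
        window.append(ts)
        if rule.period:
            while ts - window[0] > rule.period:     # drop occurrences older than Period
                window.popleft()
        if len(window) < rule.count:
            return False
        window.clear()                              # Count reached: counting starts over
        return self._send(ts)

    def _send(self, ts):
        """Apply the default throttle: more than 500 traps in 300 s stops sending."""
        if self.throttled:
            return False
        self.sent.append(ts)
        while ts - self.sent[0] >= self.throttle_seconds:
            self.sent.popleft()
        if len(self.sent) > self.throttle_traps:    # the 501st trap inside 300 s trips it
            self.throttled = True
            return False
        return True


if __name__ == "__main__":
    rules = [TrapRule("Security", "Security", 517),               # audit log cleared
             TrapRule("System", "Eventlog", 2147489653, 2, 180)]  # example from the text
    agent = EventToTrapTranslator(rules)
    print(agent.on_event(0, "Security", "Security", 517))         # True
    print(agent.on_event(10, "System", "Eventlog", 2147489653))   # False: 1 of 2
    print(agent.on_event(200, "System", "Eventlog", 2147489653))  # False: first one aged out
    print(agent.on_event(250, "System", "Eventlog", 2147489653))  # True: 2 within 180 s
    # Constructed burst: 600 log clears in 60 s trip the throttle after 500 traps.
    noise = [agent.on_event(1000 + i / 10, "Security", "Security", 517) for i in range(600)]
    print(sum(noise), agent.throttled)                            # 500 True
    print(agent.on_event(2000, "Security", "Security", 517))      # False: throttled
```

The last line of the demonstration is the point a practitioner should keep in mind: once the throttle has tripped, a later 517 (audit log cleared) is not forwarded either, so a burst of noisy events silences the very trap you configured this for. Raise the throttle limit on hosts where that matters, and treat an unexpected silence from a host as something to investigate.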
Command Line Interface (Evntcmd - Microsoft TM)
You can also use the evntcmd command (command line interface) to
configure SNMP traps based on events recorded in the event logs, and
to specify where trap messages are sent within an SNMP community.
Syntax
evntcmd [/s ComputerName] [/v VerbosityLevel] [/n] FileName
Parameters
/s ComputerName
Specifies, by name, the computer on which you want to configure
the translation of events to traps, trap destinations, or both.
If you do not specify a computer, the configuration occurs on the
local computer.
/v VerbosityLevel
Specifies which types of status messages appear as traps and trap
destinations are configured. This parameter must be an integer between
0 and 10. If you specify 10, all types of messages appear, including
tracing messages and warnings about whether trap configuration was
successful. If you specify 0, no messages appear.
/n
Specifies that the SNMP service should not be restarted if this
computer receives trap configuration changes.
FileName
Specifies, by name, the configuration file that contains information
about the translation of events to traps and trap destinations you
want to configure.
/?
Displays help at the command prompt.
Remarks
If you want to configure traps but not trap destinations, you can
create a valid configuration file by using Event to Trap Translator,
which is a graphical utility. If you have the SNMP service installed,
you can start Event to Trap Translator by typing evntwin at a command
prompt. After you have defined the traps you want, click Export
to create a file suitable for use with evntcmd, as shown in the
previous section.
The syntax for configuring event forwarding directly in the .cnf file
is as follows (one entry per line):
#pragma ADD EventLogFile EventSource EventID [Count [Period]]
#pragma DELETE EventLogFile EventSource EventID
#pragma ADD_TRAP_DEST CommunityName HostID
#pragma DELETE_TRAP_DEST CommunityName HostID
Here is our example .cnf file, with event 517, as generated by the
Evntwin program:
The text #pragma must appear at the beginning of every entry in
the file.
ADD
Specifies that you want to add an event-to-trap configuration.
DELETE
Specifies that you want to remove an event-to-trap configuration.
DELETE_TRAP_DEST
Specifies that you do not want trap messages to be sent to a specified
host within a community.
ADD_TRAP_DEST
Specifies that you want trap messages to be sent to a specified host
within a community.
CommunityName
Specifies, by name, the community in which trap messages are sent.
HostID
Specifies, by name or IP address, the host to which you want trap
messages to be sent.
EventLogFile
Specifies the log in which the event is recorded (Application,
Security or System).
EventSource
Specifies the application or component that generates the event.
EventID
Specifies the unique number that identifies each event.
To find out what values correspond to particular events, start
Event to Trap Translator by typing evntwin at a command prompt.
Click Custom, and then click Edit. Under Event Sources, browse the
folders until you locate the event you want to configure, click
it, and then click Add. Information about the event source, the
event log file, and the event ID appears under Source, Log, and Trap
specific ID, respectively.
Examples:
The following examples illustrate entries in the configuration file
for the evntcmd command. They are not designed to be typed at a
command prompt.
To send a trap message if the Event Log service is restarted, type:
#pragma ADD System "Eventlog" 2147489653
Note that 2147489653 is the full 32-bit event identifier (0x80001775);
Event Viewer displays only its low 16 bits, 0x1775 = 6005. Use the
value Evntwin shows under Trap specific ID, which for events like this
one is not the number displayed in Event Viewer.
To send a trap message if the Event Log service is restarted twice
in three minutes, type:
#pragma ADD System "Eventlog" 2147489653 2 180
To stop sending a trap message whenever the Event Log service is
restarted, type:
#pragma DELETE System "Eventlog" 2147489653
To send trap messages within the community named Public to the host
with the IP address 192.168.100.100, type:
#pragma ADD_TRAP_DEST public 192.168.100.100
To send trap messages within the community named Private to the
host named Host1, type:
#pragma ADD_TRAP_DEST private Host1
To stop sending trap messages within the community named Private
to the same computer on which you are configuring trap destinations,
type:
#pragma DELETE_TRAP_DEST private localhost
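The following added example (not part of this how-to and not the file Evntwin exports) puts the .cnf syntax above to work: it writes a file that forwards the page's two events and adds a trap destination, parses such a file back and rejects entries evntcmd would not accept, decodes the 32-bit event identifier into the number Event Viewer shows, and builds the evntcmd command lines that push the file to several computers. Assumptions not stated on the page: the Security-log entry for event 517 uses the EventSource "Security" (what Evntwin lists for it), and the host names, community and destination address are constructed for the example.

```python
"""Build, check and deploy an evntcmd .cnf file. Added example, not the
page's own exported file. Assumption: EventSource of event 517 is "Security"."""
import re
import shlex

_PRAGMA = re.compile(r"^#pragma\s+(ADD|DELETE|ADD_TRAP_DEST|DELETE_TRAP_DEST)\s+(.+)$")


def add_event(log, source, event_id, count=None, period=None):
    """One '#pragma ADD' entry; Count and Period are optional, Period needs Count."""
    if period is not None and count is None:
        raise ValueError("Period cannot be given without Count")
    line = f'#pragma ADD {log} "{source}" {event_id}'    # quoted: sources may contain spaces
    for value in (count, period):
        if value is not None:
            line += f" {value}"
    return line


def add_trap_dest(community, host):
    """One '#pragma ADD_TRAP_DEST CommunityName HostID' entry."""
    return f"#pragma ADD_TRAP_DEST {community} {host}"


def build_cnf(events, destinations):
    """events: (log, source, id[, count[, period]]) tuples; destinations: (community, host)."""
    lines = [add_event(*e) for e in events] + [add_trap_dest(*d) for d in destinations]
    return "\r\n".join(lines) + "\r\n"                   # CRLF: the file is read on Windows


def parse_cnf(text):
    """Parse entries back into tuples and reject lines evntcmd would not accept."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _PRAGMA.match(line)
        if not match:
            raise ValueError(f"line {number}: every entry must start with #pragma")
        verb, rest = match.groups()
        args = shlex.split(rest)                         # honours the quoted EventSource
        if verb.endswith("_TRAP_DEST"):
            if len(args) != 2:
                raise ValueError(f"line {number}: {verb} takes CommunityName HostID")
            entries.append((verb, args[0], args[1]))
            continue
        limit = 5 if verb == "ADD" else 3                # only ADD takes Count and Period
        if not 3 <= len(args) <= limit:
            raise ValueError(f"line {number}: wrong number of arguments for {verb}")
        log, source, *numbers = args
        entries.append((verb, log, source, *(int(n) for n in numbers)))
    return entries


def viewer_event_id(cnf_id):
    """Event Viewer shows only the low 16 bits of the 32-bit ID used in the .cnf."""
    return cnf_id & 0xFFFF


def evntcmd_commands(hosts, cnf_path, verbosity=10):
    """argv for 'evntcmd /s Host /v 10 File', one per host; run them with subprocess."""
    return [["evntcmd", "/s", host, "/v", str(verbosity), cnf_path] for host in hosts]


if __name__ == "__main__":
    cnf = build_cnf(
        [("Security", "Security", 517),                # audit log cleared
         ("System", "Eventlog", 2147489653, 2, 180)],  # Event Log service restarted twice in 3 min
        [("public", "192.168.100.100")],               # constructed trap destination (LoriotPro)
    )
    print(cnf)
    for entry in parse_cnf(cnf):
        print(entry)
    print(viewer_event_id(2147489653))                 # 6005
    with open("traps.cnf", "w", newline="") as f:      # newline="" keeps the CRLF line ends
        f.write(cnf)
    for argv in evntcmd_commands(["HOST1", "HOST2"], "traps.cnf"):
        print(" ".join(argv))
```

Run the generated commands from an administrative command prompt on a computer that can reach the target hosts; add /n if the SNMP service must not be restarted on them. Keep in mind that the community name in the ADD_TRAP_DEST entry travels in clear text with every SNMPv1 trap, so the trap path to LoriotPro belongs on a management network.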