How to forward Windows Events as Traps to LoriotPro

Goal of this How to
Preliminary Tasks
Windows Event Configuration
Configure the Event to Trap forwarder (Evntwin.exe)
Evntwin.exe advanced configuration
Command Line Interface (EvntCMD)

Goal of this How To

The Evntwin program from Microsoft (the Event to Trap Translator) provides a way to forward any event visible in the Windows Event Viewer as an SNMP trap to LoriotPro.

You can use this graphical tool to create a configuration file easily, then use that file with evntcmd at the command prompt to configure the same traps on multiple computers quickly.

The list of events to forward as traps is applied by either Evntcmd or Evntwin to the SNMP Event Agent, the event-to-trap extension of the Windows SNMP service.

Preliminary Tasks

The event-to-trap forwarder only works if the Windows SNMP agent is installed and configured to send traps, i.e. with at least one trap community and the LoriotPro host as a trap destination. Read the how-to "Install and configure the Windows (2000 - XP) SNMP agent" first.
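Before touching Evntwin it is worth confirming that the prerequisite above is actually met. The following PowerShell script is an added example, not part of the LoriotPro how-to: it checks that the SNMP service exists and is running, then reads the trap destinations the Windows SNMP service stores in the registry (one subkey per community, with numbered values holding the destination hosts). The LoriotPro address used at the end is an assumption for the example.

```powershell
# Added example (not from the LoriotPro how-to): verify the Windows SNMP
# service is installed, running, and has at least one trap destination.
# Registry layout is the one used by the Windows SNMP service:
#   HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\<community>
# with values named "1", "2", ... whose data is a destination host.

$snmp = Get-Service -Name SNMP -ErrorAction SilentlyContinue
if (-not $snmp) {
    throw "SNMP service is not installed; install and configure it before using Evntwin/Evntcmd."
}
"SNMP service status: $($snmp.Status)"
if ($snmp.Status -ne 'Running') {
    Write-Warning "SNMP service is not running; no traps (event-based or otherwise) will leave this host."
}

$trapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration'
$communities = @(Get-ChildItem -Path $trapKey -ErrorAction SilentlyContinue)
if ($communities.Count -eq 0) {
    Write-Warning "No trap community configured: the Event to Trap Translator has nowhere to send traps."
}

# Collect every configured destination, grouped by community.
$destinations = @()
foreach ($c in $communities) {
    $hosts = (Get-ItemProperty -Path $c.PSPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |      # only the numbered host entries
        ForEach-Object { $_.Value }
    "Community '$($c.PSChildName)' sends traps to: $($hosts -join ', ')"
    $destinations += $hosts
}

# Assumption for this example: the LoriotPro server address.
$loriotHost = '192.168.100.100'
if ($destinations -notcontains $loriotHost) {
    Write-Warning "$loriotHost (LoriotPro) is not a trap destination; add it in the SNMP service properties or with an evntcmd ADD_TRAP_DEST entry."
}
```

Run it in an elevated prompt on the machine whose events you intend to forward; if the community or the LoriotPro host is missing, fix the SNMP agent first, otherwise Evntwin will appear to work while no trap ever reaches LoriotPro.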

Windows Event Configuration

The first step is to make sure the event you want is actually being logged. Windows events are displayed in the local Event Viewer. Not every event is recorded by default (security auditing in particular must be enabled), but any event that appears in one of the event logs can be forwarded as a trap.

There are three event logs:

System log
Tracks miscellaneous system events, e.g. events during system startup, and hardware and controller failures.

Application log
Tracks application-related events, e.g. an application failing to load a DLL will appear in this log.

Security log
Tracks events such as logon, logoff, changes to access rights, and system startup and shutdown. NOTE: by default nothing is written to the security log, because auditing is turned off.

To receive security events in the Event Viewer, an audit policy must therefore be enabled.

To set Audit, open the Control Panel, select and

 

If we audit system events and somebody clears the Security event log, the Event Viewer displays the following event.

Each event has an ID, which we will use in the next step to select the events to forward. Before starting Evntwin, note the log the event is written to (Application, Security or System), its event source and its ID number.
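The Source, Log and ID can also be read off with PowerShell instead of clicking through the Event Viewer. The script below is an added example, not part of the LoriotPro how-to. It matters for the next steps that Windows events carry two identifiers: Get-EventLog exposes EventID, the number the Event Viewer shows (the low 16 bits of the message ID), and InstanceId, the full 32-bit message ID, which is the value Evntwin displays as "Trap specific ID" and the value written into an evntcmd configuration file. The log name, the number of entries listed and the 1102 alternative (the ID Windows Vista and later use for the cleared-log event that is 517 on 2000/XP) are assumptions of the example; reading the Security log requires administrative rights.

```powershell
# Added example (not from the LoriotPro how-to): list recent events with both
# identifiers and decode a full 32-bit message ID into the Event Viewer number.

function Split-EventInstanceId {
    # Splits a 32-bit event/message ID: the low 16 bits are the Event ID shown
    # by Event Viewer, the high 16 bits carry the message-compiler
    # severity/facility flags that make the full value differ from it.
    param([Parameter(Mandatory = $true)][uint32]$InstanceId)
    [pscustomobject]@{
        InstanceId = $InstanceId
        EventId    = $InstanceId -band 0xFFFF
        HighBits   = '0x{0:X4}' -f [int][math]::Floor($InstanceId / 65536)
    }
}

# 2147489653 is the ID the evntcmd documentation uses for "Event Log service
# started": it decodes to Event ID 6005 with high bits 0x8000.
Split-EventInstanceId -InstanceId 2147489653

# Assumption for this example: which log to inspect and how many entries.
$logName = 'Security'
Get-EventLog -LogName $logName -Newest 20 |
    Select-Object -Property TimeGenerated, EntryType, Source, EventID, InstanceId |
    Format-Table -AutoSize

# Locate the "audit log cleared" event used in this how-to and show the exact
# Source and InstanceId to enter in Evntwin or the .cnf file.
$clearedIds = 517, 1102        # 517 on Windows 2000/XP, 1102 on Vista and later
Get-EventLog -LogName 'Security' |
    Where-Object { $clearedIds -contains $_.EventID } |
    Select-Object -First 5 -Property TimeGenerated, Source, EventID, InstanceId
```

When the two identifiers differ for the event you care about, use the InstanceId (the Evntwin "Trap specific ID") in the configuration file, not the number printed in the Event Viewer.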

Configure the Event to Trap forwarder (evntwin.exe)

Evntwin configures the translation of events to traps, trap destinations, or both, and can export that configuration to a file.

Start evntwin from the Start menu, Run option.

The job consists of locating the event you want to forward as a trap to LoriotPro.

First select the Custom radio button, then click Edit. The window shown above appears.

In the lower-left pane, select the event source. Sources are grouped under the log they write to: Application, Security or System.

In our example we want to forward a security event, so we choose Security.
The lower-right pane then lists the available events, ordered by ID number.

We choose 517, the ID of the event logged when the Security log is cleared on Windows 2000/XP (Windows Vista and later log the same event as ID 1102).

Press Add; the upper pane "Events to be translated to traps" now contains our event.

Repeat the process for each event you want to add to the trap list.

When done, click Apply.

After you have defined the traps you want, click Export to create a configuration file suitable for use with evntcmd, so the same configuration can be applied to other computers from the command prompt.

In our example, each time the Security event log is cleared, LoriotPro receives the following trap:

A trap received by LoriotPro can trigger actions (refer to the Event and Trap filter chapter of the LoriotPro documentation).

Evntwin.exe advanced configuration

Advanced settings are available for each forwarded event.

Click the Settings button.

It is possible to limit the length of the trap sent. When this limit is enabled, you choose which part is trimmed first if the message has to be truncated: the insertion strings or the formatted message text.

The trap throttle prevents excessive SNMP trap messages from flooding the network.
By default, if more than 500 traps are sent in less than 300 seconds, the program stops sending traps.

The Properties button gives access to more settings for the current event.

Here we can see the enterprise OID of the trap and the specific trap ID, which is the event's full message ID. For sources whose message IDs carry severity or facility bits this is a 32-bit value (for instance 2147489653 in the evntcmd examples below, whose low 16 bits are the Event Viewer ID 6005); for the Security event 517 it is simply 517.

By default a trap is generated each time the event occurs. You can set a count threshold, the number of occurrences needed before a trap is generated,
and a time interval, the maximum period (in seconds) within which that count must be reached.

Command Line Interface (Evntcmd - Microsoft TM)

You can also use the evntcmd command-line tool to configure SNMP traps based on events recorded in the event logs. The same command configures where trap messages are sent within an SNMP community.


Syntax

evntcmd [/s ComputerName] [/v VerbosityLevel] [/n] FileName

Parameters

/s ComputerName

Specifies, by name, the computer on which you want to configure the translation of events to traps, trap destinations, or both. If you do not specify a computer, the configuration occurs on the local computer.

/v VerbosityLevel

Specifies which types of status messages appear as traps and trap destinations are configured. This parameter must be an integer between 0 and 10. If you specify 10, all types of messages appear, including tracing messages and warnings about whether trap configuration was successful. If you specify 0, no messages appear.

/n

Specifies that the SNMP service should not be restarted if this computer receives trap configuration changes.


FileName

Specifies, by name, the configuration file that contains information about the translation of events to traps and trap destinations you want to configure.

/?

Displays help at the command prompt.

Remarks
If you want to configure traps but not trap destinations, you can create a valid configuration file by using Event to Trap Translator, which is a graphical utility. If you have the SNMP service installed, you can start Event to Trap Translator by typing evntwin at a command prompt. After you have defined the traps you want, click Export to create a file suitable for use with evntcmd. You can use Event to Trap Translator to easily create a configuration file and then use the configuration file with evntcmd at the command prompt to quickly configure traps on multiple computers.


The syntax for configuring event forwarding and trap destinations directly in the .cnf file is as follows:

#pragma ADD|DELETE EventLogFile EventSource EventID [Count [Period]]
#pragma ADD_TRAP_DEST|DELETE_TRAP_DEST CommunityName HostID

Here is our example of a .cnf file with event 517, as generated by Evntwin:

The text #pragma must appear at the beginning of every entry in the file.

ADD specifies that you want to add an event-to-trap configuration.
DELETE specifies that you want to remove an event-to-trap configuration.
DELETE_TRAP_DEST specifies that you no longer want trap messages to be sent to a specified host within a community.
ADD_TRAP_DEST specifies that you want trap messages to be sent to a specified host within a community.
CommunityName specifies, by name, the community in which trap messages are sent.
HostID specifies, by name or IP address, the host to which you want trap messages to be sent.
EventLogFile specifies the log in which the event is recorded (Application, Security or System).
EventSource specifies the application or component that generates the event.
EventID specifies the unique number that identifies each event (the value shown by Evntwin as Trap specific ID).
Count (optional) specifies how many times the event must occur before a trap is sent.
Period (optional, requires Count) specifies the number of seconds within which that count must be reached.

To find out what values correspond to particular events, start Event to Trap Translator by typing evntwin at a command prompt. Click Custom, and then click Edit. Under Event Sources, browse the folders until you locate the event you want to configure, click it, and then click Add. Information about the event source, the event log file, and the event ID appear under Source, Log, and Trap specific ID, respectively.


Examples:

The following examples illustrate entries in the configuration file for the evntcmd command. They are not designed to be typed at a command prompt.

To send a trap message if the Event Log service is restarted, type:
#pragma ADD System "Eventlog" 2147489653

To send a trap message if the Event Log service is restarted twice in three minutes, type:
#pragma ADD System "Eventlog" 2147489653 2 180

To stop sending a trap message whenever the Event Log service is restarted, type:
#pragma DELETE System "Eventlog" 2147489653

To send trap messages within the community named Public to the host with the IP address 192.168.100.100, type:
#pragma ADD_TRAP_DEST public 192.168.100.100

To send trap messages within the community named Private to the host named Host1, type:
#pragma ADD_TRAP_DEST private Host1

To stop sending trap messages within the community named Private to the same computer on which you are configuring trap destinations, type:
#pragma DELETE_TRAP_DEST private localhost
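The #pragma format above is simple enough to generate rather than export by hand, which is what makes the "configure traps on multiple computers" workflow practical. The following PowerShell script is an added example, not part of the LoriotPro how-to or of Microsoft's evntcmd documentation. It builds a .cnf file from a list of events (including the Count/Period threshold described in the advanced configuration section) and trap destinations, then runs evntcmd against several hosts with /s. The computer names, the public community, the LoriotPro address, the output path and the "Security"/517 source line (on Windows Vista and later the cleared-log event is 1102) are assumptions; copy the Source, Log and Trap specific ID that Evntwin shows for your own events.

```powershell
# Added example (not from the LoriotPro how-to): generate an evntcmd .cnf file
# and apply it to several computers. All hosts, communities and paths below
# are assumptions for the example.

# Events to forward. Threshold/PeriodSeconds are optional and map to the
# "Count [Period]" fields of a #pragma ADD entry.
$events = @(
    @{ Log = 'Security'; Source = 'Security'; Id = 517 }                     # audit log cleared (2000/XP)
    @{ Log = 'System';   Source = 'Eventlog'; Id = 2147489653; Threshold = 2; PeriodSeconds = 180 }  # Event Log service started twice in 3 min
)
# Where the SNMP service should send traps: the LoriotPro server (assumed address).
$trapDestinations = @(
    @{ Community = 'public'; Host = '192.168.100.100' }
)

function New-EvntcmdConfig {
    # Returns the lines of an evntcmd configuration file for the given
    # events and trap destinations, following the #pragma syntax documented above.
    param([array]$Events, [array]$TrapDestinations)
    $lines = @(foreach ($e in $Events) {
        $entry = '#pragma ADD {0} "{1}" {2}' -f $e.Log, $e.Source, $e.Id
        if ($e.Threshold) {
            $entry += " $($e.Threshold)"
            if ($e.PeriodSeconds) { $entry += " $($e.PeriodSeconds)" }   # Period is only valid after Count
        }
        $entry
    })
    $lines += @(foreach ($d in $TrapDestinations) {
        '#pragma ADD_TRAP_DEST {0} {1}' -f $d.Community, $d.Host
    })
    $lines
}

$cnfPath = Join-Path $env:TEMP 'loriotpro-traps.cnf'     # assumed output location
New-EvntcmdConfig -Events $events -TrapDestinations $trapDestinations |
    Set-Content -Path $cnfPath -Encoding Ascii
Get-Content -Path $cnfPath     # review the generated file before pushing it

# Apply the file to each target. evntcmd restarts the SNMP service on the
# target unless /n is given; /v 10 prints every status message so a failed
# configuration is visible in the output.
$computers = @('SRV-DC01', 'SRV-FILE01')    # assumed names; requires admin rights on each
foreach ($computer in $computers) {
    & evntcmd /s $computer /v 10 $cnfPath
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "evntcmd reported exit code $LASTEXITCODE on $computer"
    }
}
```

Generating the file makes the configuration reviewable and repeatable: the same script, with DELETE and DELETE_TRAP_DEST entries, removes a forwarding rule or a destination from every host. Keep in mind that each run restarts the SNMP service on the target unless /n is used, so schedule it accordingly on production systems.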