How to send EventLog entries as SNMP Traps with MonitorWare Agent.
Article created 2008-03-06 by Andre Lorbach.
This article shows how to use MonitorWare Agent to generate SNMP Traps from
EventLog entries and send them to your SNMP management software. It requires
MonitorWare Agent 5.2 or higher and the custom ADISCON MIBs, which have been
included since MonitorWare Agent 5.2.
- You can download a preconfigured configuration from here, which you can
import on your target system. The configuration sample has comments for
better understanding. The MonitorWare Agent Client can import the XML/REG
configuration file by using the "Computer Menu".
- To obtain the most recent custom ADISCON MIB files, download these two
files and put them into the mibs directory of your MonitorWare Agent
installation.
ADISCON-MIB.txt
ADISCON-MONITORWARE-MIB.txt
1. Configuring MonitorWare Agent
1.1 Download and Install MonitorWare Agent
1.2 Set up an EventLog Monitor in MonitorWare Agent
2. Configuring the SNMP Trap
2.1 Create SNMP Trap Action
2.2 Filtering for EventLog severity (Optional)
2.3 Start sending SNMP Trap
If you haven't done so already, go to www.mwagent.com and download the latest
MonitorWare Agent version. It is always recommended to use the latest version
of MonitorWare Agent. Once the download is done, go ahead and install it. You
may have to restart after installation; this depends on your system.
Start the MonitorWare Agent Client and skip the wizard on startup.
Then add a new EventLog Monitor called "Main EventLog Monitor". I have set the
Sleep time to 5 seconds for testing purposes, but you can also set this value
to 5 seconds in production; it won't have much impact on the server's
performance.
You may also want to deselect EventLog Types you do not want to monitor; for
this article I will allow all EventLog Types.

Now add a new Rule called SendTrap under your Default RuleSet. Then add a Send
SNMPTrap Action. The default values already generate a generic
"monitorwaretrap", which is fine for most cases, but we are going to configure
our own trap properties.
As you will have noticed, the Trap OID and the variable OIDs are represented
numerically. Once you click on the Browser button, the Client automatically
loads and displays the installed MIBs. In the Client Options, you can configure
the Configuration Client to load the MIBs automatically on each startup.
As you can see, a few trap OIDs are available. In this article we will use the
eventmontrap OID, which is ".1.3.6.1.4.1.19406.1.2.3", or in human-readable
form "ADISCON-MONITORWARE-MIB::eventmontrap". You can specify the OID in either
form; both work, but the textual representation works only if you have the
ADISCON MIBs installed. The numeric representation is always the safer way to
configure the OIDs.
What you don't see in the MIB browser is the list of variables that are
connected with the SNMP Trap. For the eventmontrap, we need a few SNMP
variables:
genMsg,
genSource,
eventlogEventID,
eventlogEventType,
eventlogEventSource,
eventlogEventSeverity,
eventlogEventCategoryID,
eventlogEventCategoryName,
eventlogEventUser
Start by removing the default configured variable, then add our own (as in the
list above). Add a variable, and use the MIB Browser to select the suitable OID
and the correct variable value (see the screenshot for more).
With our current setup, you would send one SNMP Trap for each incoming Syslog
message. You may not want this, so you can optionally add some filters to
reduce the number of outgoing SNMP Traps.
For example, you can add a Syslog Severity (Priority) filter so that only
EventLog entries with error messages are sent as traps to your SNMP Manager.
Now you are ready to start the MonitorWare Agent. Note that you will probably
get a lot of SNMP Events during the first run.
To show you what the result looks like, here is the output of snmptrapd on a
Linux machine. There are many SNMP Manager utilities out there; you can even
receive SNMP Traps with MonitorWare Agent itself if you like.
2008-03-07 15:18:31 172.16.0.122 [UDP: [172.16.0.122]:1119]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (742090390) 85 days, 21:21:43.90
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.19406.1.2.1
SNMPv2-SMI::enterprises.19406.1.1.2.1 = STRING: "MWAgent: This is a Test no. 1"
SNMPv2-SMI::enterprises.19406.1.1.2.2 = INTEGER: 3
SNMPv2-SMI::enterprises.19406.1.1.2.3 = INTEGER: 16
When you receive the trap with MonitorWare Agent, the message output will look
like this:
MonitorWare: source="172.16.0.122" community="public" version="Ver2" variables:
snmp_var_1 = 'DISMAN-EVENT-MIB::sysUpTimeInstance: 'Timeticks: (741870389) 85 days, 20:45:03.89'' ,
snmp_var_2 = 'SNMPv2-MIB::snmpTrapOID.0: 'OID: ADISCON-MONITORWARE-MIB::syslogtrap'' ,
snmp_var_3 = 'ADISCON-MONITORWARE-MIB::syslogMsg: 'STRING: "MWAgent: This is a Test Error MEssage no. 1"'' ,
snmp_var_4 = 'ADISCON-MONITORWARE-MIB::syslogSeverity: 'INTEGER: error(3)'' ,
snmp_var_5 = 'ADISCON-MONITORWARE-MIB::syslogFacility: 'INTEGER: local0(16)''
As you can see eventlogEventCategoryID and eventlogEventCategoryName are
missing. Most EventLog entries do not have a Event Category assigned, so these
variables are not added into the SNMP Trap.
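For the receiving side, here is an added example (not part of the original article or of MonitorWare Agent) that parses an snmptrapd record like the one above into named variables when the ADISCON MIBs are not installed on the receiver, and applies the same "error or worse" check as the optional filter. The OID-to-name table is an assumption inferred by lining up the two outputs shown in this article; the function names are hypothetical.

```python
import re

# Assumption: OID names inferred by lining up the two outputs in this article
# (one printed numerically by snmptrapd, one by name by MonitorWare Agent).
ENT = "SNMPv2-SMI::enterprises.19406"
OID_NAMES = {
    ENT + ".1.2.1": "syslogtrap",
    ENT + ".1.2.3": "eventmontrap",
    ENT + ".1.1.2.1": "syslogMsg",
    ENT + ".1.1.2.2": "syslogSeverity",
    ENT + ".1.1.2.3": "syslogFacility",
}
HEADER = re.compile(r"(\S+ \S+) \S+ \[UDP: \[([\d.]+)\]:(\d+)\]:")
# A quoted STRING is consumed whole, so varbind-like text inside an event
# message cannot be mistaken for the start of the next variable.
VARBIND = re.compile(
    r'(\S+::\S+) = (\w+): ("(?:[^"\\]|\\.)*"|.*?)(?= \S+::\S+ = \w+: |$)')
ENUM_INT = re.compile(r"(?:\w+\()?(-?\d+)\)?")  # accepts "3" or "error(3)"

def parse_trap(record):
    """Parse one snmptrapd log record into sender address and named variables."""
    flat = " ".join(record.split())  # undo line wrapping
    head = HEADER.match(flat)
    if head is None:
        raise ValueError("not an snmptrapd UDP trap record")
    trap = {"time": head.group(1), "source": head.group(2), "vars": {}}
    for oid, kind, raw in VARBIND.findall(flat[head.end():]):
        value = raw.strip('"')
        if kind == "OID":
            value = OID_NAMES.get(value, value)
        elif kind == "INTEGER":
            num = ENUM_INT.fullmatch(value)
            value = int(num.group(1)) if num else value
        trap["vars"][OID_NAMES.get(oid, oid)] = value
    return trap

def is_error_or_worse(trap):
    """Syslog severity 3 (error) or lower; a trap without severity is not matched."""
    return trap["vars"].get("syslogSeverity", 7) <= 3

# Sample record: the snmptrapd output shown in this article.
SAMPLE = '''2008-03-07 15:18:31 172.16.0.122 [UDP: [172.16.0.122]:1119]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (742090390) 85 days,
21:21:43.90 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.19406.1.2.1
SNMPv2-SMI::enterprises.19406.1.1.2.1 = STRING: "MWAgent: This is a Test no. 1"
SNMPv2-SMI::enterprises.19406.1.1.2.2 = INTEGER: 3
SNMPv2-SMI::enterprises.19406.1.1.2.3 = INTEGER: 16'''

if __name__ == "__main__":
    print(parse_trap(SAMPLE), is_error_or_worse(parse_trap(SAMPLE)))
```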
I hope this article helps you solve your tasks or shows you the potential of
MonitorWare Agent and what you can achieve with it. Feel free to email me with
recommendations or questions. Of course, the outlined actions are only samples,
and you may do other things with them.