My application required that I monitor event log errors. I wanted to use Zabbix, but didn't want to use any non-Microsoft components on the Windows machine, thus the Zabbix_agent was out of the question. I discovered that there are tools for configuring Windows event log entries to be sent as SNMP traps. The tools are apparently included with the SNMP service package when it is installed on Windows. The tools are called evntwin.exe and evntcmd.exe.
Use evntwin.exe to build a list of events to be sent as traps. Export the list for use in the next step. See
http://www.microsoft.com/resources/d....mspx?mfr=true for details.
Use evntcmd.exe to import the trap configuration into the Windows registry.
See http://www.microsoft.com/resources/d....mspx?mfr=true for details.
Open the Management Console on the Windows computer, and click on the Services item. Scroll down to the SNMP Service, and double-click to edit its properties, tab by tab:
- GENERAL TAB : Startup should be automatic.
- LOG ON TAB : Local System account should be selected
- RECOVERY TAB : Defaults are OK, change if desired
- AGENT TAB : Put something meaningful in the Name and Location fields. Select as many services as you want to monitor.
- TRAPS TAB : Enter the desired community name, and click the Add to List button. Click the bottom Add button, and enter the hostname or IP address of the zabbix machine that will catch your sent traps.
- SECURITY TAB : This should match your network policies for security. I recommend adding a READ ONLY community name for traps.
- DEPENDENCIES TAB : Nothing to configure here.
Now restart the SNMP Service. Your selected events should now be going out as SNMP traps.
======= ON TO ZABBIX! =======
Zabbix must be compiled with net-snmp (or ucd-snmp) support.
Catching traps requires external support tools:
- snmptrapd, part of the net-snmp toolset.
- snmptrap.sh, a shell script included with zabbix. Use it as a basis for your own script.
- zabbix_sender, also included with zabbix. This is what relays the trap info to zabbix_server.
snmptrapd uses a configuration file, snmptrapd.conf. It must be set up to direct the traps
received to a 'handler' script, snmptrap.sh in this case. Refer to
http://www.net-snmp.org/docs/man/snmptrapd.conf.html for details.
For my application, the /etc/snmptrapd.conf file reads
######
outputOption efnQs
traphandle default /bin/bash /path/to/zabbix/bin/snmptrap.sh
######
The outputOption flags match my needs; your mileage may vary.
Insert the correct path to zabbix on your system.
Kill snmptrapd if it is running, and restart it with the command
"snmptrapd -C -c /etc/snmptrapd.conf -Lf /var/log/net-snmptrapd.log"
to make certain your configuration is being used (-C tells snmptrapd to ignore its default configuration files and read only the one given with -c; -Lf writes its log to the named file). You can now check the log file for traps that may be received.
Now edit /path/to/zabbix/bin/snmptrap.sh. If not found, check the zabbix source tree, and
copy it to the zabbix/bin directory. For my application the following lines work great:
####### Begin snmptrap.sh #########
#!/bin/bash
## GENERAL CONFIGURATION
ZABBIX_SERVER="zabbix-host"                        # hostname of zabbix server
ZABBIX_PORT="nnnn"                                 # nnnn=same as 'Listen Port' in zabbix_server.conf
ZABBIX_SENDER="/path/to/zabbix/bin/zabbix_sender"  # insert your path
## END OF GENERAL CONFIGURATION
# According to the snmptrapd.conf man page, snmptrapd passes these
# fields to the handler on stdin, one per line, in the following order:
read -r hostname
read -r ip
read -r uptime
read -r trapoid
read -r payload
# there may be several more payload fields, but one is all I need.
# read more if it suits you.
hostname=$(echo "$hostname" | cut -f1 -d'.')   # trim off the domain part
trapoid=$(echo "$trapoid" | cut -f3 -d' ')     # keep only the value of "OID = value"
# I don't need uptime or ip right now ...
payload=$(echo "$payload" | cut -f3- -d' ')    # ditto: everything after the "="
### This section records all traps under a 'dummy' host in zabbix, for debugging
### Delete if you don't need to do this.
### I use it to verify the OID of traps before using them as keys on specific hosts
# create a string to send to zabbix.
str="HOST=$hostname TRAP OID=$trapoid PAYLOAD=$payload"
# now set the key and host name for zabbix
KEY="alltraps"
HOST="trapperjohn"
# now call the zabbix_sender program with all parameters.
"$ZABBIX_SENDER" "$ZABBIX_SERVER" "$ZABBIX_PORT" "$HOST" "$KEY" "$str"
### End dummy host section
### This section records traps for specific hosts.
### Edit as needed for your situation.
KEY="$trapoid"
HOST="$hostname"
str="$payload"
"$ZABBIX_SENDER" "$ZABBIX_SERVER" "$ZABBIX_PORT" "$HOST" "$KEY" "$str"
######### End snmptrap.sh ###########
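As an added example, not part of the original howto, here is the same parsing done as a function that can be tested offline: it reads the lines snmptrapd hands the traphandle on stdin (hostname, IP, then one "OID = value" varbind per line, as outputOption efnQs formats them), keeps every payload varbind rather than only the first, accepts only a plain numeric trap OID as the Zabbix key because the trap content arrives unauthenticated from the network, and prints the host/key/value triples instead of invoking zabbix_sender. The hostname, IP and enterprise OIDs in the sample are constructed placeholders.

```shell
#!/bin/bash
# parse_trap: read one trap in snmptrapd's traphandle layout from stdin and
# print, one per line, the "host<TAB>key<TAB>value" triples that the howto's
# snmptrap.sh would hand to zabbix_sender (dummy host first, real host second).
parse_trap() {
    local hostname ip line value n=0 trapoid="" payload=""
    IFS= read -r hostname || return 1
    IFS= read -r ip || return 1
    hostname=${hostname%%.*}                   # trim off the domain part

    # Remaining lines are varbinds as "OID = value": sysUpTime first,
    # snmpTrapOID second, then the trap's own payload varbinds.
    while IFS= read -r line; do
        value=${line#* = }
        n=$((n + 1))
        case $n in
            1) ;;                              # sysUpTime, not needed here
            2) trapoid=$value ;;               # becomes the Zabbix item key
            *) payload="${payload:+$payload }$value" ;;
        esac
    done

    # The trap came off the network unauthenticated: use it as an item key
    # only if it is a plain numeric OID (dots and digits, nothing else).
    case $trapoid in
        ""|*[!0-9.]*) printf 'rejected trap OID from %s\n' "$ip" >&2; return 2 ;;
    esac

    printf '%s\t%s\t%s\n' trapperjohn alltraps \
        "HOST=$hostname TRAP OID=$trapoid PAYLOAD=$payload"
    printf '%s\t%s\t%s\n' "$hostname" "$trapoid" "$payload"
}

# Constructed sample trap (placeholder host, IP and enterprise OIDs), laid
# out as snmptrapd passes it to the handler with outputOption efnQs.
SAMPLE_TRAP='winbox.example.test
192.0.2.10
.1.3.6.1.2.1.1.3.0 = 123456
.1.3.6.1.6.3.1.1.4.1.0 = .1.3.6.1.4.1.99999.1.1
.1.3.6.1.4.1.99999.1.1.1 = Service failed to start
.1.3.6.1.4.1.99999.1.1.2 = Application'

# Run the sample through the parser; a real handler would read stdin directly.
trap_lines() { printf '%s\n' "$SAMPLE_TRAP" | parse_trap; }

trap_lines
```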
Reference for original SuSE configuration:
Now, browse to the Zabbix web page, log in with an administrative account, and configure a
new host. For this example, a 'dummy' host is created. It doesn't need to have an address, as
it is not a real host, just a place for ALL the received traps to land.
Now configure a new item on the new host. It should be of type 'ZABBIX trapper', and for now
the type of information should be 'Text'. This will show the entire contents of the string sent above, and allow you to verify the OID used for each trap.
Save the new item, and watch for the trapped events to appear!
Now repeat the process for the individual hosts you wish to monitor. Create the items as type zabbix trapper, with a data type of character (this will ease the creation of triggers), and use the trap OID as the key.
***** notes *****
I had to increase the items.key_ field size from 64 to 128 to accommodate long OIDs as keys. This is on Zabbix 1.1.
**** end notes ****
Creating Triggers:
Create a new trigger on the trap item, using an expression like:
({HOSTNAME:some.long.oid.str(sometext)}=1) & ({HOSTNAME:some.long.oid.nodata(60)}=0)
This will look for (sometext) in the string sent for the item with key some.long.oid. The nodata(60)=0 part is what lets the trigger go back to false once no new trap has arrived within 60 seconds; change the 60 to however many seconds you wish.