SNMP-MS Windows
Preface
You are probably wondering why I am going to write about SNMP on an MS Windows server, as it is not an open source product.
To be fair, many people are still using this OS and its related applications, so I think it can be useful for some IT engineers to know about this possibility.
SNMP is an open protocol and can be used on any platform, which makes it a really great tool for passive and active monitoring.
The greatest benefit of using SNMP on an MS Windows server is that you do not need to install any additional application, as the SNMP agent is delivered with the OS.
SNMP daemon
Start SNMP daemon
Please follow these steps to enable and start the SNMP daemon:
MS Win 7 Enterprise
To enable the SNMP daemon:
- Open this: "Start" -> "Control Panel" -> "Programs and Features" -> "Turn Windows Features on or off"
- Search and mark (use checkbox): "Simple Network Management Protocol (SNMP)"
- Search and mark (use checkbox): "WMI SNMP Provider"
- Click on "OK"
To start the SNMP daemon:
- Open this: "Start"
- Write in to "Search programs and files" the word "Services"
- Press "Enter"
- Search for "SNMP Service"
- Right click on it and go to "Properties"
- Configure:
- - "General" (tab) -> "Startup type" -> to -> "Automatic" # This will start the SNMP Agent after boot
- - "Agent" (tab) -> "Contact:" -> "Provide mail for admin of this system" # It is not mandatory but nice to have this information
- - "Agent" (tab) -> "Location:" -> "Provide location of system" # It is not mandatory but nice to have this information
- - "Agent" (tab) -> "Service" -> "It is possible to choose the services that are interesting for us"
# To send SNMP Traps:
- - "Traps" (tab) -> "Community name" -> "Provide community name for sending SNMP Traps" -> Click on "Add to list" -> "Trap destination" -> Click on "Add" -> "Provide IP where to send SNMP Traps" -> Click "Add"
# To handle SNMP requests:
- - "Security" (tab) -> "Accepted community names" -> Click on "Add" -> Select "Community rights" -> Paste secret "Community Name" # Configure Community String
- - - Click on "Add" # To confirm configuration
- - - Either select "Accept SNMP packets from any host" # !!!!! I do not recommend it !!!!!
- - - or select "Accept SNMP packets from these hosts" # This is recommended, as only the defined IPs can request SNMP data
- - - Click on "Add" -> Provide "IP/FQDN" # This will define who can request SNMP data
- - - Click on "Add" # To confirm configuration
- - Click on "OK" # To save changes
- Right click on "SNMP Service" -> Click on "Stop" # After the restart the SNMP service will use the new configuration
- Right click on "SNMP Service" -> Click on "Start"
MS Win 2008 R2 Enterprise
To enable the SNMP daemon (screenshots are shown in the “MS Win 7 Enterprise” section; I will not duplicate them here):
- Open this: "Start" -> "Control Panel" -> ("Programs and Features" ->) "Turn Windows Features on or off" -> "Features" -> "Add Features"
- Search and mark (use checkbox): "SNMP Services" # You will need to mark this
- Search and mark (use checkbox): "SNMP Service" # Only check that it is marked as well
- Search and mark (use checkbox): "SNMP WMI Provider" # Only check that it is marked as well
- Click on "Next"
- Click on "Install" # You shall see "Installation succeeded"
- Click on "Close"
To start the SNMP daemon:
- Open this: "Start"
- Write in to "Search programs and files" the word "Services"
- Press "Enter"
- Search for "SNMP Service"
- Right click on it and go to "Properties"
- Configure:
- - "General" (tab) -> "Startup type" -> to -> "Automatic" # So that the daemon will start after boot
- - "Agent" (tab) -> "Contact:" -> "Provide mail for admin of this system" # It is not mandatory but nice to have this information
- - "Agent" (tab) -> "Location:" -> "Provide location of system" # It is not mandatory but nice to have this information
- - "Agent" (tab) -> "Service" -> "It is possible to choose the services that are interesting for us"
# To send SNMP Traps:
- - "Traps" (tab) -> "Community name" -> "Provide community name for sending SNMP Traps" -> Click on "Add to list" -> "Trap destination" -> Click on "Add" -> "Provide IP where to send SNMP Traps" -> Click "Add"
# To handle SNMP requests:
- - "Security" (tab) -> "Accepted community names" -> Click on "Add" -> Select "Community rights" -> Paste secret "Community Name" # Configure Community String
- - - Click on "Add" # To confirm configuration
- - - Either select "Accept SNMP packets from any host" # !!!!! I do not recommend it !!!!!
- - - or select "Accept SNMP packets from these hosts" # This is recommended, as only the defined IPs can request SNMP data
- - - Click on "Add" -> Provide "IP/FQDN" # This will define who can request SNMP data
- - - Click on "Add" # To confirm configuration
- - Click on "OK" # To save changes
- Right click on "SNMP Service" -> Click on "Stop" # After the restart the SNMP service will use the new configuration
- Right click on "SNMP Service" -> Click on "Start"
SNMP traps
In some cases we are not allowed to install additional software on a server for which we need to provide failure monitoring.
The SNMP agent is delivered with the MS Windows server OS installation, so it is possible to use SNMP for active as well as passive monitoring of the server.
Active monitoring of an MS Windows server can be done with SNMP in the same way as for other platforms. The MS Windows server must be configured to accept SNMP requests from the SNMP manager server, as described in the previous part of this document.
Passive monitoring of an MS Windows server can also be done with SNMP, using SNMP traps. In this case the MS Windows server sends an SNMP trap to the SNMP master server based on the configuration of the SNMP agent. In general, every event that appears in Event Viewer on the MS Windows server can be forwarded as an SNMP trap to the remote SNMP master server.
Identify Interesting Event
As a first step we need to identify the interesting events that are present in the MS Windows Event Viewer.
So when you are investigating a new issue, it is good practice to look in Event Viewer for related messages, so that you can extend your monitoring with additional events.
After identifying the interesting events it is possible to configure SNMP trap forwarding for these alarms. In many cases this kind of integration will save your time, and it can help you provide a better service to your customers.
- Open this: "Start"
- Write in to "Search programs and files" the word "Event Viewer"
- Press "Enter"
- Search for "Interesting event log" # I know that it's probably too easy to say "search for the interesting event log". # On the other hand, as a system admin you shall know what you are looking for.
Please remember this information (as we will need it later on):
- Log Name: (This is the category of the event log type)
- Source: (Name of the application related to the log)
- Event ID: (Unique log ID for the mentioned event)
Based on this information we will be able to identify this interesting event with the help of the evntwin application and forward it as an SNMP trap to the SNMP trap destination.
SNMP trap for Interesting Event Only
In many cases you will prefer to have your own definition of the SNMP Traps that you would like to handle, as:
- In this way you can prevent flooding of your SNMP trap receiver server with uninteresting SNMP traps.
- It is possible to customize the correlation of duplicate events directly on your MS Windows server.
- …
In general it is pointless to send all events as SNMP traps to your SNMP trap receiving server, as:
- Until your SNMP trap receiver knows how to handle a particular SNMP trap, it will probably be discarded or, in the better case, only logged to a log file.
- In this way you are spending your resources on uninteresting SNMP traps, and you can run out of resources really soon.
- In some cases you can overflow the queue of the SNMP trap receiver server and lose interesting SNMP traps.
- …
Given these points, it is really important to know what we are doing when we configure SNMP traps. This can save us resources and help us provide a better service. I would propose starting with just a handful of events that you forward to the SNMP trap receiver. It will still be possible to extend this list when you see an interesting event (for example during the investigation of some issue). In this way your MS Windows server and your SNMP trap receiver can be configured to handle the same list of SNMP traps.
GUI SNMP Trap Configuration ("evntwin")
When you are testing some new traps, it is always handy to know how to temporarily enable forwarding of a particular SNMP Trap on your MS Windows server.
If you are maintaining several (2 or more) MS Windows servers, I would prefer the “CLI SNMP Trap Configuration”, as it will save your time and give you the possibility of centralized configuration deployment for your servers.
- Open this: "Start"
- Write in to "Search programs and files" the word "evntwin"
- Press "Enter" # This will start the configuration GUI
- Choose "Custom" # In this way you can customize the list of interesting events that will be handled as SNMP Traps
- Click on "Edit" # Now you can select your Interesting Events from the provided list of Events
- Go to “Event Source” and select the “Log Name” (in our case “System”) of our Interesting Event
- - You will see a list of applications ordered under “Event Source”
- Select the application according to the “Source” (in our case “SNMP”) of our Interesting Event
- - This will provide a list of all known “Events” related to the selected application
- Select the “Event” with the “Event ID” (in our case “1001”) of our Interesting Event
# Customize SNMP trap
- Double click on the Event # This will open a new window with Event configuration options
- - Enterprise OID: # Definition of the SNMP Trap OID that you can use at your SNMP Trap receiver server
- - Trap Specific ID: # Enterprise Specific Trap ID
- - Generate trap # In this section it is possible to configure time- and recurrence-based correlation for our event
- - - If event count reaches # Number of occurrences of the event that must be reached before the SNMP Trap is sent (in most cases 1 is enough)
- - - within time interval # After this time interval (in seconds) the counter for the “if event count reaches” parameter is set back to “0”
- - Description # Message text that will be sent to the SNMP Trap receiver.
- Click OK # You will see that the event was added to the list of “Events to be translated to traps”
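As an added example (not code from the original page or from Microsoft), the following Python models the “If event count reaches” / “within time interval” correlation described above, with the semantics the page gives: the counter is set back to 0 once the interval has elapsed. The exact boundary behaviour of the Windows implementation is an assumption here, and the occurrence times are constructed.

```python
class TrapCorrelator:
    """Models evntwin's 'Generate trap: if event count reaches N within time interval T'.

    Assumption (from the page's description): the interval starts with the first counted
    occurrence; once T seconds have elapsed the counter is set back to 0. T == 0 means
    'no time limit', and N == 1 sends a trap for every single occurrence.
    """

    def __init__(self, count=1, period=0):
        self.count, self.period = count, period
        self.window_start, self.seen = None, 0

    def occurred(self, ts):
        """Register one occurrence at time ts (seconds). Return True when a trap should be sent."""
        if self.period and self.window_start is not None and ts - self.window_start >= self.period:
            self.window_start, self.seen = None, 0   # interval elapsed: counter back to 0
        if self.window_start is None:
            self.window_start = ts                   # first occurrence opens a new interval
        self.seen += 1
        if self.seen >= self.count:
            self.window_start, self.seen = None, 0   # trap sent: start counting afresh
            return True
        return False


def trap_times(timestamps, count, period):
    """Run a list of event timestamps through the correlator and return the times traps fire."""
    c = TrapCorrelator(count, period)
    return [t for t in timestamps if c.occurred(t)]


# Constructed occurrence times (seconds) of one Interesting Event, e.g. System/SNMP/1001.
EVENT_TIMES = [0, 10, 20, 100, 170, 180, 190]
```

With the page's default "count 1, interval 0" every occurrence becomes a trap; with "3 within 60" only the third occurrence inside a minute does, so a burst at 0/10/20 s fires once at 20 s.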
CLI SNMP Trap Configuration ("evntcmd")
If you are maintaining more than one MS Windows server, it is better to use some kind of automation to save your time. On MS Windows it is also possible to use a CLI tool to maintain the SNMP Trap configuration.
In this way it is possible to standardize your configuration across all MS Windows servers:
- Configure and test this configuration on one of your MS Windows servers.
- Export this configuration into a config file.
- Update the exported config file.
- Upload the actual config file to a shared drive (for example on a SAMBA server).
- Write a script:
- - to log in to all of your MS Windows servers from a central server (with the help of “winexe” it is possible to do this from Linux as well)
- - to update the local MS Windows server configuration based on the config file from the shared drive.
It is a nice scenario for integration, but our topic is limited to SNMP Trap configuration, so I will focus on the configuration of SNMP Traps on the MS Windows server. As I have mentioned, the integration is pretty easy and I will describe it later in another document (anyway, I have mentioned all the important tools that will be used).
Export existing config:
If you are using one MS Windows server for testing and developing your SNMP Trap configuration, it is possible to export this configuration into a config file that can be modified or deployed on another MS Windows server.
- Open this: "Start"
- Write in to "Search programs and files" the word "evntwin"
- Press "Enter" # This will start the configuration GUI
- Click on "Export" # Now you will be asked for the destination path to store the exported config on your HDD
If you would like to modify the exported “events.cnf” file, it is possible to use a standard editor (vi/vim/notepad/…) to edit this config:
events.cnf:
#pragma add "System" "SNMP" 1090454505 1 0 # You shall see this in the case that you have exported the same event as me
evntcmd / events.cnf
The MS Windows command “evntcmd” is used for maintaining the SNMP Trap configuration. It is possible to store the whole SNMP Trap configuration in a config file, usually called “events.cnf” (but it is not mandatory to use this name).
Syntax: evntcmd [/s sysname] [/v number] [/n] FileName
Usage: evntcmd [options] filename [options]
options:
-?,-h usage help;
-s sysname target 'sysname' for configuration;
-v number verbose level: 0(silent)-10(detailed);
-n don't restart SNMP service on trap changes;
Syntax: events.cnf (file)
#pragma ADD|DELETE EventLogFile EventSource EventID [Count [Period]] # To configure forwarding of an Interesting event to the SNMP Trap destination
or
#pragma ADD_TRAP_DEST|DELETE_TRAP_DEST CommunityName HostID # To configure the SNMP Trap destination
ADD # specifies that you want to add an event to the trap configuration
DELETE # specifies that you want to remove an event from the trap configuration
EventLogFile # specifies the file in which the event is recorded
EventSource # specifies the application that generates the event
EventID # specifies the unique number that identifies each event
Count # specifies how many times the event must occur before a trap is sent (the "If event count reaches" value of evntwin; 1 means every occurrence)
Period # specifies the time interval in seconds within which Count occurrences must happen (the "within time interval" value of evntwin; 0 means no time limit)
DELETE_TRAP_DEST # specifies that you do not want trap messages to be sent to a specified host within a community
ADD_TRAP_DEST # specifies that you want trap messages to be sent to a specified host within a community
CommunityName # specifies, by name, the community in which trap messages are sent
HostID # specifies, by name or IP address, the host to which you want trap messages to be sent
Example of “events.cnf”:
#pragma delete_trap_dest aaaa 10.0.0.1 # This will delete the old SNMP Trap destination
#pragma add_trap_dest private 10.0.0.2 # This will configure the new SNMP Trap destination
#pragma delete "System" "SNMP" 1090454505 1 0 # This will remove the configuration of an already configured Interesting event
#pragma add "System" "SNMP" 1090454505 1 0 # This will add a new Interesting event to our list of events that will be forwarded to the SNMP trap destination
CLI Configuration Import/Update:
c:\> evntcmd events.cnf # This will import/update the list of SNMP trap destinations and the list of Interesting events handled as SNMP Traps
Test
To test my configuration I will customize the list of my Interesting Events to include this event:
“Event Source”/“Log Name”: “System”
“Source”: “SNMP”
“Event ID”: “1001”
After restarting the “SNMP Service” on the MS Windows server we shall see:
Iptables rules
At first we can test whether we have received the SNMP trap using iptables rules. Note the order: because both rules are inserted with -I, the LOG rule added second ends up above the ACCEPT rule, so the packet is logged before it is accepted (the listing in the next step shows this order).
[root@SNMP-Server ~]# iptables -I INPUT -p UDP --dport 162 -j ACCEPT # This is accepting all SNMP Traps
[root@SNMP-Server ~]# iptables -I INPUT -p UDP --dport 162 -j LOG # This rule will log the header of all SNMP Trap packets into "/var/log/messages" or into another file based on the syslog configuration
Iptables: check captured packets
To check whether some packet has matched our iptables rules:
[root@SNMP-Server ~]# iptables -L -v -n # To check if we have received some SNMP traps
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    2   322 LOG    udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 LOG flags 0 level 4 # We have received/logged 2 SNMP traps
    2   322 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 # We have accepted 2 SNMP Traps
Iptables Log "/var/log/messages"
To check the information logged by the iptables rules:
[root@SNMP-Server ~]# grep "kernel" /var/log/messages
Apr 13 21:08:41 SNMP-Server kernel: IN=eth0 OUT= MAC=08:00:27:2a:d1:3c:08:00:27:a5:bd:75:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=72 TOS=0x00 PREC=0x00 TTL=128 ID=285 PROTO=UDP SPT=60615 DPT=162 LEN=52
Apr 13 21:08:41 SNMP-Server kernel: IN=eth0 OUT= MAC=08:00:27:2a:d1:3c:08:00:27:a5:bd:75:08:00 SRC=10.0.0.2 DST=10.0.0.1 LEN=250 TOS=0x00 PREC=0x00 TTL=128 ID=287 DF PROTO=UDP SPT=60615 DPT=162 LEN=230
TCPDUMP:
If we can see the incoming SNMP Traps with iptables, it is not really required to check tcpdump as well, as we will see the same information (iptables works at a lower level than tcpdump). On the other hand, in some cases we cannot modify the iptables rules and we will need to use tcpdump.
[root@SNMP-Server ~]# tcpdump udp port 162 -vvv -nnn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:51:10.147846 IP (tos 0x0, ttl 128, id 160, offset 0, flags [none], proto UDP (17), length 72)
    10.0.12.120.50475 > 10.0.12.119.162: [udp sum ok] { SNMPv1 C=aaaa { Trap(31) .1.3.6.1.4.1.311.1.1.3.1.2 10.0.12.120 coldStart 0 } }
SNMPTRAPD LOG configuration "/etc/snmp/snmptrapd.conf":
logoption f /var/log/snmptrapd.log # Log file destination !!! Enable this option only during investigation !!!
outputoption n # Format of OIDs, in this case numerical
Note that newer net-snmp versions also require an authCommunity directive (for example "authCommunity log aaaa") before snmptrapd will process traps for that community; without it the traps are silently dropped.
SNMPTRAPD LOG "/var/log/snmptrapd.log":
2014-04-13 18:02:27 10.0.0.2(via UDP: [10.0.0.2]:50478->[10.0.0.1]) TRAP, SNMP v1, community aaaa
    .1.3.6.1.4.1.311.1.13.1.4.83.78.77.80 Enterprise Specific Trap (1090454505) Uptime: 0:00:02.62 # OID of the trap
    .1.3.6.1.4.1.311.1.13.1.9999.1.0 = STRING: "The SNMP Service has started successfully." # Condition OID with message text
    .1.3.6.1.4.1.311.1.13.1.9999.2.0 = STRING: "Unknown" # Additional condition OIDs
    .1.3.6.1.4.1.311.1.13.1.9999.3.0 = STRING: "MS Win"
    .1.3.6.1.4.1.311.1.13.1.9999.4.0 = STRING: "4"
    .1.3.6.1.4.1.311.1.13.1.9999.5.0 = STRING: "0"
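As an added example (not part of the original page, and not Microsoft's or net-snmp's code), this Python ties the evntcmd section to the snmptrapd log above: it reads the ADD pragmas of an events.cnf, decodes the enterprise OID of each logged trap back into the Event Source name (the page's .1.3.6.1.4.1.311.1.13.1.4.83.78.77.80 is a length of 4 followed by the ASCII codes of “SNMP”) and the 32-bit Enterprise Specific Trap id back into the Event Viewer id (1090454505 -> 1001), and flags any trap that is not in the configured list. The events.cnf and the log excerpt are constructed; the second trap (source “MyApp”, id 3221225477) is invented.

```python
import re
MS_PREFIX = "1.3.6.1.4.1.311.1.13.1"  # Microsoft event-to-trap enterprise prefix seen in the page's log

# Constructed events.cnf in the #pragma syntax of the evntcmd section.
EVENTS_CNF = """\
#pragma add_trap_dest aaaa 10.0.0.1
#pragma add "System" "SNMP" 1090454505 1 0
"""
# Constructed snmptrapd.log excerpt: a header line per trap, then tab-indented enterprise and
# varbind lines (outputoption n). The second trap ("MyApp", event 3221225477) is invented.
SNMPTRAPD_LOG = """\
2014-04-13 18:02:27 10.0.0.2(via UDP: [10.0.0.2]:50478->[10.0.0.1]) TRAP, SNMP v1, community aaaa
\t.1.3.6.1.4.1.311.1.13.1.4.83.78.77.80 Enterprise Specific Trap (1090454505) Uptime: 0:00:02.62
\t.1.3.6.1.4.1.311.1.13.1.9999.1.0 = STRING: "The SNMP Service has started successfully."
2014-04-13 18:05:10 10.0.0.2(via UDP: [10.0.0.2]:50475->[10.0.0.1]) TRAP, SNMP v1, community aaaa
\t.1.3.6.1.4.1.311.1.13.1.5.77.121.65.112.112 Enterprise Specific Trap (3221225477) Uptime: 0:03:01.00
"""
PRAGMA_ADD = re.compile(r'^#pragma\s+add\s+"([^"]*)"\s+"([^"]*)"\s+(\d+)(?:\s+(\d+))?(?:\s+(\d+))?$', re.I)
HEADER = re.compile(r'^(\S+ \S+) ([\d.]+)\(via .*?\) TRAP, SNMP v1, community (\S+)$')
ENTERPRISE = re.compile(r'^\s+\.?([\d.]+) Enterprise Specific Trap \((\d+)\)')

def parse_events_cnf(text):
    """Map (EventSource, full EventID) -> (EventLogFile, Count, Period) for every ADD pragma."""
    rules = {}
    for line in text.splitlines():
        if m := PRAGMA_ADD.match(line.strip()):
            log, source, eid, count, period = m.groups()
            rules[(source, int(eid))] = (log, int(count or 1), int(period or 0))
    return rules

def short_event_id(full_id):
    """Event Viewer shows only the low 16 bits of the 32-bit id: 1090454505 (0x40FF03E9) -> 1001."""
    return full_id & 0xFFFF

def source_from_oid(oid):
    """evntwin appends <len>.<ASCII codes of the Event Source> to MS_PREFIX; decode it, else None."""
    oid = oid.strip(".")
    if not oid.startswith(MS_PREFIX + "."):
        return None
    parts = [int(p) for p in oid[len(MS_PREFIX) + 1:].split(".")]
    return "".join(chr(c) for c in parts[1:]) if len(parts) - 1 == parts[0] else None

def parse_snmptrapd_log(text):
    """Group log lines into trap records: time, agent, community, decoded source, full event id."""
    traps, cur = [], None
    for line in text.splitlines():
        if h := HEADER.match(line):
            cur = {"time": h.group(1), "agent": h.group(2), "community": h.group(3)}
            traps.append(cur)
        elif cur is not None and (e := ENTERPRISE.match(line)):
            cur["source"], cur["event_id"] = source_from_oid(e.group(1)), int(e.group(2))
    return traps

def classify(traps, rules):
    """Tag each trap 'interesting' if events.cnf lists it, else 'unexpected' (noise or a misconfigured agent)."""
    out = []
    for t in traps:
        src, eid = t.get("source"), t.get("event_id")
        status = "interesting" if (src, eid) in rules else "unexpected"
        out.append((t["agent"], src, None if eid is None else short_event_id(eid), status))
    return out
```

Running classify() over the receiver's log with the same events.cnf that was deployed to the servers gives a quick check that the Windows side and the trap receiver agree on the list of traps, as the page recommends.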
MIB files
In some cases you will need to import MIB files related to your MS Windows server or to an application running on that server. The most used MIB files are delivered with your system; other MIB files you will need to search for. In general MS uses the “1.3.6.1.4.1.311” address space defined in the MSFT.MIB file. Anyway, sometimes you will need more specific OIDs related to your application or OS.
The standard location of all available MIB files on an MS Windows server is “%systemroot%\system32”:
c:\> cd %systemroot%\system32 # Here are stored the MIB files delivered with the OS
C:\Windows\System32> dir | findstr \.mib # List of available MIB files on my Server
06/10/2009 11:00 PM 14,032 accserv.mib
06/10/2009 11:00 PM 15,032 authserv.mib
06/10/2009 11:00 PM 4,597 dhcp.mib
06/10/2009 11:00 PM 6,179 ftp.mib
06/10/2009 11:00 PM 48,593 hostmib.mib
06/10/2009 11:00 PM 21,271 http.mib
06/10/2009 11:00 PM 698 inetsrv.mib
06/10/2009 11:00 PM 15,799 ipforwd.mib
06/10/2009 11:00 PM 26,100 lmmib2.mib
06/10/2009 11:00 PM 30,448 mcastmib.mib
06/10/2009 11:00 PM 107,882 mib_ii.mib
06/10/2009 11:00 PM 581 msft.mib
06/10/2009 11:00 PM 13,767 msipbtp.mib
06/10/2009 11:00 PM 34,317 msiprip2.mib
06/10/2009 11:00 PM 22,462 rfc2571.mib
06/10/2009 11:00 PM 4,411 smi.mib
06/10/2009 11:00 PM 26,236 wins.mib
MIB related URLs
http://www.mibdepot.com/cgi-bin/vendor_index.cgi?r=microsoft
http://www.oidview.com/mibs/311/md-311-1.html
http://support.microsoft.com/kb/237295
URLs
www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/evntcmd.mspx?mfr=true
http://technet.microsoft.com/en-us/library/ff963094.aspx
http://www.chapelhill.homeip.net/horton/publications/HowToGenerateSNMPtrapsFromWindowsEvents.html
http://www.loriotpro.com/ServiceAndSupport/How_to/ForwardWINEvent_EN.php
http://www.adminxp.com/windowsxp/index.php?aid=16
http://www.opennms.org/wiki/Windows_Event_Log_Traps