How to monitor Windows Service using SNMP (Part 1)

When a Windows service starts, stops or, for that matter, crashes, an entry is made in the Windows Event Log. You can try this by stopping a Windows service, then opening Run (Windows+R), typing eventvwr and checking Event Viewer -> Windows Logs -> System: an entry will be there indicating that the service has entered the stopped state. Similar entries are made for other service-related actions.

Now, Windows provides a utility called "Evntwin", also known as the "Event to Trap Translator", that uses these Event Viewer messages to generate SNMP traps. We can then use the Windows SNMP service running on the same system to send these traps to any SNMP management system, where they can be logged.

There are two ways in which we can configure this:

Option 1) By adding events manually.

This option involves manually adding each event. Although it is a lengthier method than option 2 discussed later, it can come in handy if option 2 fails. The following are the steps to achieve this:

1. Start the evntwin utility from Start -> Run by typing evntwin and clicking OK. In the window that comes up, click the "Custom" radio button under Configuration type. Then click the Edit >> button to expand the list of event sources. The window will now look like this:



2. In the Event Sources section above (bottom left), expand the System folder and select the "Service Control Manager" folder. The Events section above (bottom right) will show a list of events with fields such as Event ID, Severity etc.

Select the item with Event ID 7034. The Add button will become active. Press the Add button. The following Properties window will appear.


Click the OK button.

Notice the Trap specific ID here: 3221232506. We will use this in Option 2, where a script configures these events.

In the snapshot below, our event has been added to the "Events to be translated to traps" section. Now click the Apply button to save the changes.



Repeat the above steps for Event IDs 7000, 7001, 7009, 7011, 7016, 7022, 7023, 7024, 7031, 7032, 7035 and 7036.

Our Event to Trap Translator will look like:



Click OK to close the above window.


Option 2) By using a script to add events.

As mentioned in the previous option, we can use the Trap specific ID to create a script that configures these events. For example, for Event ID 7034 we have Trap specific ID 3221232506, so the following command is used in the script to configure this event:

#pragma add "System" "Service Control Manager" 3221232506 1 0

Similarly, collect the IDs for the other events and create a file called "events.cnf".


The content of "events.cnf" will look like:

#pragma add "System" "Service Control Manager" 3221232472 1 0
#pragma add "System" "Service Control Manager" 3221232473 1 0
#pragma add "System" "Service Control Manager" 3221232481 1 0
#pragma add "System" "Service Control Manager" 3221232483 1 0
#pragma add "System" "Service Control Manager" 3221232488 1 0
#pragma add "System" "Service Control Manager" 3221232494 1 0
#pragma add "System" "Service Control Manager" 3221232495 1 0
#pragma add "System" "Service Control Manager" 3221232496 1 0
#pragma add "System" "Service Control Manager" 3221232503 1 0
#pragma add "System" "Service Control Manager" 3221232504 1 0
#pragma add "System" "Service Control Manager" 3221232506 1 0
#pragma add "System" "Service Control Manager" 1073748859 1 0
#pragma add "System" "Service Control Manager" 1073748860 1 0
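The Trap specific IDs above can be generated rather than collected one by one from the evntwin dialog. The script below is an added example, not part of the original post. It assumes (this is my reading, consistent with the post's own pair 7034 -> 3221232506 = 0xC0001B7A) that the Trap specific ID is the full 32-bit event identifier stored in the event log: the 16-bit Event ID in the low bits plus the severity in the top two bits (0xC0000000 = error, 0x40000000 = informational). It builds the events.cnf content for the Service Control Manager events listed in the post and decodes existing IDs back to Event IDs, which is a handy check before running evntcmd. The count/period fields are taken from the post's "1 0" form.

```python
"""Generate and check evntcmd '#pragma add' lines for Service Control Manager events.

Added example, not from the original post. Assumption: the Trap specific ID is
the 32-bit event identifier = severity bits | 16-bit Event ID (see lead-in).
"""
import shlex

# Severity encoding in the top two bits of a Windows event identifier.
SEVERITY = {"informational": 0x40000000, "warning": 0x80000000, "error": 0xC0000000}

# Event IDs named in the post, grouped by the severity their trap IDs encode.
SCM_ERROR_EVENTS = [7000, 7001, 7009, 7011, 7016, 7022, 7023, 7024, 7031, 7032, 7034]
SCM_INFO_EVENTS = [7035, 7036]  # service control sent / service entered a state


def trap_specific_id(event_id, severity):
    """Compose the value evntwin displays as 'Trap specific ID'."""
    if not 0 <= event_id <= 0xFFFF:
        raise ValueError("event ID must fit in 16 bits")
    return SEVERITY[severity] | event_id


def decode_trap_id(trap_id):
    """Split a trap-specific ID into (severity name, event ID)."""
    names = {v: k for k, v in SEVERITY.items()}
    return names.get(trap_id & 0xC0000000, "success"), trap_id & 0xFFFF


def pragma_line(log, source, trap_id, count=1, period=0):
    """One evntcmd directive. count/period = 1/0 mirrors the post: a trap on every occurrence."""
    return f'#pragma add "{log}" "{source}" {trap_id} {count} {period}'


def build_events_cnf():
    """Return the events.cnf content for all SCM events named in the post."""
    lines = [pragma_line("System", "Service Control Manager", trap_specific_id(e, "error"))
             for e in SCM_ERROR_EVENTS]
    lines += [pragma_line("System", "Service Control Manager", trap_specific_id(e, "informational"))
              for e in SCM_INFO_EVENTS]
    return "\n".join(lines) + "\n"


def parse_events_cnf(text):
    """Parse '#pragma add' lines into (log, source, trap_id, count, period) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#pragma add"):
            continue  # skip blank lines and other directives
        log, source, trap_id, count, period = shlex.split(line[len("#pragma add"):])
        entries.append((log, source, int(trap_id), int(count), int(period)))
    return entries


if __name__ == "__main__":
    cnf = build_events_cnf()
    print(cnf)
    # Sanity check: decode every ID back to its severity and Event ID.
    for _, _, tid, _, _ in parse_events_cnf(cnf):
        print(tid, decode_trap_id(tid))
```

Running the script prints the same thirteen lines as the events.cnf shown above; redirecting its output to events.cnf gives a file evntcmd accepts in the same way.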


Copy the events.cnf file into a directory, for example C:\Documents and Settings\Administrator.

To load the events listed in events.cnf into the Event to Trap Translator, open a command prompt, change to that directory and type:

evntcmd events.cnf

If we see the following screen, we have successfully configured our events.

Now restart the Windows SNMP service so that this configuration is picked up. The event monitoring subsystem will then wait for the configured events to occur and send the corresponding SNMP trap to the destinations configured in the SNMP service.

In the next post we will discuss how to use an SNMP manager tool, SNMPc from Castle Rock, to capture these traps, and the corresponding MIB configuration.
