win eventlog snmp monitoring (was: ev2T -> snmptrapd -> Nagios )

Dezider Góra gora at wittmann.sk
Thu Mar 18 09:34:58 CET 2004


Hi all,

after a 3-day battle I'm glad to report success on this :-)
So here comes the story (if anyone's interested)...

Needed stuff:
  ev2T, http://www.ncomtech.com/download.htm
  net-snmp package, http://www.net-snmp.org
  obviously nagios, libmcrypt, nsca
Docs:
  http://nagios.sourceforge.net/docs/1_0/int-snmptrap.html

Install ev2T on the windows machine and configure it. There's one small bug
in ev2T, so read the info on the download page.
Configure it: set the snmp server to send the traps to, and set it to use
snmp v2c. It's useful to set a filter on the event source, otherwise it will
raise a trap every time a new record appears in the win eventlog. Also uncheck
unneeded fields in the sent trap (like event description, event type, etc.).
Copy the mib file to the mibs directory on the target server and restart snmp.
Configure the snmp traphandle to catch the trap from the win station. Well, this
was my biggest problem. I'm a total newbie in snmp, so it was a
trial-and-error procedure.... The only way I got it to work was to use the
"number representation" of the ::eventLogGeneralTrap OID.
So my snmptrapd.conf looks like this (one line):
traphandle .1.3.6.1.4.1.2854.6.1.2.1.0.1 /usr/local/nagios/libexec/eventhandlers/handle-eventlog-trap 2
Then comes the easy part. Create a shell script that handles the passed snmp
trap info and runs the submit_check_result script as described at
http://nagios.sourceforge.net/docs/1_0/int-snmptrap.html
Passed information structure:
#!/bin/sh
# handle-eventlog-trap: run by snmptrapd for the ev2T trap; $1 is the return
# code given on the traphandle line (2 = CRITICAL). snmptrapd hands the trap
# to the script one item per line on standard input, in this order:
# First line passed from snmptrapd is IP address of host that sent the trap
read -r ip
# Second line passed from snmptrapd is FQDN of host that sent the trap
read -r host
# Third line is the SysUpTime, nothing to care about too much
# SNMPv2-MIB::sysUpTime.0 6:23:11:26.00
read -r sysup
# Next is OID that raised the trap
# SNMPv2-MIB::snmpTrapOID.0 EVENT-LOG-TRAP-MIB::eventLogTrapDef.0.1
read -r snmptrap
# Now comes interesting stuff
# EVENT-LOG-TRAP-MIB::eventNumber 104
read -r eventnum
# Type of the event
# EVENT-LOG-TRAP-MIB::eventType 0
read -r eventtype
# Event source - name of the service
# EVENT-LOG-TRAP-MIB::eventSource "WUSyncService"
read -r eventsource
# ev2T provides more information, but it is not needed for the nagios
# send_nsca check:
# Computername of the source event ( netbios name )
# EVENT-LOG-TRAP-MIB::eventComputerName "XXXXX"
# read -r eventcompname
# User specified in event
# EVENT-LOG-TRAP-MIB::eventUser "Not Specified"
# read -r eventuser
# Event category
# EVENT-LOG-TRAP-MIB::eventCategory 0
# read -r eventcat
# Finally hand the result to nagios. "EventLog" is a placeholder for the
# service_description defined in the nagios config; the trap fields are
# passed only as quoted arguments, never spliced into a command string.
/usr/local/nagios/libexec/eventhandlers/submit_check_result "$host" "EventLog" "$1" "$eventsource: $eventnum"
Finally run the submit_check_result script to pass the check result to nagios.
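As an added example (not the poster's handle-eventlog-trap script), the following POSIX shell script parses the same snmptrapd input described above and builds the tab-separated line that send_nsca consumes, so the whole chain from trap to passive check result can be tried offline with a constructed trap. The service description "EventLog" is a placeholder, the return code is taken from $1 exactly as the poster's traphandle line passes it, and the sample trap lines are constructed from the varbinds shown in the post:

```shell
#!/bin/sh
# Added example, not the poster's script. It reads the lines snmptrapd hands a
# traphandle on stdin (same order as in the post) and prints the line send_nsca
# expects:  <host>\t<service description>\t<return code>\t<plugin output>
# Assumed: the service is defined in nagios as "EventLog" (placeholder) and
# the return code arrives as $1 from the traphandle line, as in the post:
#   traphandle .1.3.6.1.4.1.2854.6.1.2.1.0.1 /path/to/handle-eventlog-trap 2

SERVICE_DESC="EventLog"   # placeholder: must match service_description in nagios

# Extract the value from one "OID value" varbind line and strip the quotes
# net-snmp puts around string values.
varbind_value() {
    v=${1#* }              # drop the OID token and the space after it
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Read one trap from stdin and print one send_nsca line. $1 is the Nagios
# return code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN); defaults to 2.
handle_eventlog_trap() {
    state=${1:-2}
    read -r ip           # line 1: IP address of the sender
    read -r host         # line 2: FQDN of the sender
    read -r sysup        # line 3: SNMPv2-MIB::sysUpTime.0 <uptime>
    read -r snmptrap     # line 4: SNMPv2-MIB::snmpTrapOID.0 <trap OID>
    read -r l_eventnum   # EVENT-LOG-TRAP-MIB::eventNumber <n>
    read -r l_eventtype  # EVENT-LOG-TRAP-MIB::eventType <n>
    read -r l_eventsrc   # EVENT-LOG-TRAP-MIB::eventSource "<name>"

    # Only act on the ev2T trap this handler is registered for (symbolic or
    # numeric form), so a stray trap does not become a check result.
    case $snmptrap in
        *EVENT-LOG-TRAP-MIB::*|*.1.3.6.1.4.1.2854.*) ;;
        *) return 1 ;;
    esac

    eventnum=$(varbind_value "$l_eventnum")
    eventtype=$(varbind_value "$l_eventtype")
    eventsource=$(varbind_value "$l_eventsrc")

    # Everything read above came over the network from whoever holds the
    # community string: pass it on only as quoted arguments, never eval it or
    # splice it into a command line.
    printf '%s\t%s\t%s\t%s\n' "$host" "$SERVICE_DESC" "$state" \
        "event $eventnum type $eventtype from $eventsource"
}

# Constructed sample of what snmptrapd passes for the trap shown in the post.
sample_trap() {
    printf '%s\n' \
        '192.0.2.10' \
        'winbox.example.test' \
        'SNMPv2-MIB::sysUpTime.0 6:23:11:26.00' \
        'SNMPv2-MIB::snmpTrapOID.0 EVENT-LOG-TRAP-MIB::eventLogTrapDef.0.1' \
        'EVENT-LOG-TRAP-MIB::eventNumber 104' \
        'EVENT-LOG-TRAP-MIB::eventType 0' \
        'EVENT-LOG-TRAP-MIB::eventSource "WUSyncService"'
}

# In production the output line would be piped into send_nsca; here it is
# just printed so the script can be tried without a nagios server.
sample_trap | handle_eventlog_trap 2
```

Running it prints `winbox.example.test<TAB>EventLog<TAB>2<TAB>event 104 type 0 from WUSyncService`, which is the line send_nsca forwards to nagios. If the symbolic trap name is to be used on the traphandle line instead of the numeric OID, the mapping can be checked on the trap server with net-snmp's `snmptranslate -On EVENT-LOG-TRAP-MIB::eventLogGeneralTrap` once the mib file is in the mibs directory: if that does not print the numeric OID, snmptrapd will not resolve the symbolic name either.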

This is how it works for me. I don't know why, but it works. I don't
understand snmp or mibs, so if anyone can improve this and "shed a little
light" for me, I'll be glad.

Hope this helps.
regards,
    Dezider.




Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users