Event to Trap Translator


If you currently use or have used an SNMP management application, the information in this section may be interesting because SMS 2.0 includes a means of collecting SNMP information. In this section, we will briefly review the concept behind SNMP management and then see how SMS 2.0 can add value to SNMP management.

SNMP and Systems Management Server 2.0

SNMP is actually part of the TCP/IP protocol suite. Contrary to popular thinking, TCP/IP consists of several protocol components that together provide connection mechanisms among computers and other devices. SNMP is used primarily for monitoring IP-addressable devices such as routers, gateways, hubs, switches, network printers, and mini and mainframe computers as well as Windows NT computers.

Agents running on these devices respond to requests for information or generate information based on events that occur at that device. The information is then forwarded to a configured SNMP management server, which organizes it in a reportable fashion, generating graphical maps of the network infrastructure, notifying administrators of events, and so on. Event-generated information of this kind is known as a trap. For example, when a computer is running low on disk space, or when a switch has experienced a port failure, a trap is generated and forwarded to an SNMP manager for action.

Microsoft does not itself offer an SNMP management application as part of its product line. However, it does provide SNMP services that can be installed on Windows NT computers to generate traps for other SNMP management applications and respond to requests for information from those applications. For example, Windows NT computers can report DHCP lease information or WINS name registrations and resolutions.

NOTE
The SNMP Service must be installed on a Windows NT computer to enable TCP/IP counters in Performance Monitor, even if the computer is not participating in an SNMP community.

So what does all this have to do with SMS 2.0? Plenty, actually. SMS 2.0 provides the Event to Trap Translator, which can translate any configured Windows NT event into an SNMP trap that can then be forwarded to an SNMP management server. Essentially, any Windows NT event recorded by the Windows NT event log can be translated by this utility into an SNMP trap. Because such events can contain large amounts of text, the Event to Trap Translator truncates the string-based trap to 4 KB to avoid using unnecessary bandwidth.

For the Event to Trap Translator to work, the following conditions must be met:

  • Your system must be running Windows NT 3.51 with Service Pack 4 or later or Windows NT 4.0 with Service Pack 3 or later.
  • Your system must be using TCP/IP as its network protocol.
  • The SNMP Service must be installed and configured for the SNMP community and manager it will communicate with.

CAUTION
As with any other Windows NT service, after you install the SNMP Service, be sure to reapply the Windows NT Service Pack before restarting your computer, since you added a service from the original Windows NT 4.0 CD. Remember that when you install a new component from the original Windows NT source files, one or more files that were upgraded by the service pack may get overwritten by old files. Also, verify that the SNMP Service is configured to start up automatically. Otherwise, you will have to manually start it each time you restart your system. Refer to the Windows NT 4.0 Administrator's Guide in the Readme file for Windows NT 4.0 for more information about the SNMP Service.

Because the Event to Trap Translator Client Agent (also sometimes referred to as the Event to Trap Translator Agent) is installed on SMS 2.0 clients by default, you need to perform an update configuration or repair installation operation on the client to initiate the client agent. This initiation process is discussed in detail in Chapter 8. For now, here's a brief overview of the procedure to perform on the SMS client:

  1. On the client computer, open the Control Panel and double-click on the Systems Management icon to display the Systems Management Properties window.
  2. On the Components tab, select NT Event To SNMP Trap Translator and click Repair Installation to initiate the client agent reinstallation.
  3. Click OK to close the Systems Management Properties window.

NOTE
In general, it is incumbent upon you as the SMS administrator to keep the site systems and clients up to date with the most current service packs and fixes appropriate to your particular SMS sites.

REAL WORLD  Is the Event to Trap Translator Installed on the Client?

If you have not deployed SMS 2.0 Service Pack 1, you may experience a failure in enabling the Event to Trap Translator on some SMS clients. In this case, the Systems Management application in the Control Panel will still show the Event to Trap Translator as uninstalled. The other way to confirm the problem is through the Windows NT registry. In the registry, navigate to the following key:

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents 

Look for the value SOFTWARE\Microsoft\SNMP_EVENTS\Eventlog, which represents the Event to Trap Translator utility. If this value does not appear, the client agent has not been installed. The first course of action in solving this problem is to perform a repair installation operation as described earlier or to shut down and restart the client to force a client component update.

If this doesn't work, you can enable the agent manually by executing the Stsinstl.exe program to run the SMS NT Event To SNMP Trap Translator Installation Wizard. This program is located in the SMS\Inboxes\Clicomp.src\Snmpelea\platform directory, where platform is either Alpha or i386. Running this simple wizard will ensure that the Event to Trap Translator will be installed on the SMS 2.0 client. If you recheck the registry entry and the Systems Management application in the Control Panel, you will see that the agent has been successfully installed.

Configuring the Event to Trap Translator

To avoid network traffic issues, no Windows NT or SMS events are converted to SNMP traps by default. It is entirely up to the SMS administrator to determine just what events should be configured, and how.

Events are configured on a per-computer basis. More specifically, only computers that have installed the SNMP Service can generate successful SNMP traps. To select these computers and configure trap translation on them through the SMS Administrator Console, follow these steps:

  1. Navigate to the Collections folder and select an appropriate collection, such as All Systems.
  2. Right-click on the name of the computer for which you want to configure the Event to Trap Translator, choose All Tasks from the context menu, and then choose Start Event to Trap Translator to display the Event To Trap Translator window, as shown in Figure 6-17.

    Figure 6-17. The Event To Trap Translator window.

  3. Select Custom and then click Edit to expand the window and add events, as shown in Figure 6-18.

    Figure 6-18. The expanded Event To Trap Translator window.

  4. The Event Sources section contains three folders related to the three Windows NT event logs: Application, Security, and System. Select Windows NT events to translate into SNMP traps by navigating through these folders, selecting the events you want from the Events list, and clicking Add. In Figure 6-18, Windows NT security event ID 529 (a logon failure due to unknown user name or bad password) has been selected and added to the list of events to be translated.
  5. When you add an event, that event's Properties window is displayed, as shown in Figure 6-19.

    Figure 6-19. The Event Properties window.

    This window includes the SNMP mapping for the event object known as the Enterprise OID, the log that the event is written to, the event and trap-specific IDs, and a description of the event. None of these settings can be configured.

  6. You can set a threshold before the event is translated, however. In the If Event Count Reaches text box, enter the number of this kind of event that must be generated. If you enable the Within Time Interval option, enter the number of seconds within which the specified number of events must occur before the event is translated into an SNMP trap. In this example, if three bad logon attempts occur within 3 minutes (180 seconds), the bad logon event will be translated into an SNMP trap.
  7. Click OK to save your changes. The Event To Trap Translator window will reflect the changes you made.
  8. In the Event To Trap Translator window, click Settings to display the Settings dialog box, shown in Figure 6-20.
  9. Here you can change the default string length limit of 4 KB (4096 bytes) and control how many traps are sent by modifying the Trap Throttle settings. Click OK to close this dialog box.

    Figure 6-20. The Settings dialog box.

  10. In the Event To Trap Translator window, click Export to display the Export Events dialog box, where you can export the translated events to a text file or to a Config Tool (.CNF) format file containing the Windows NT events that the Event to Trap Translator should translate into SNMP traps. You can use these export files for the SNMP manager if it requires configuration to receive and display these traps properly or to configure the Event to Trap Translator to trap the same events on other SNMP clients. Click Save to close the dialog box.
  11. Click OK to close the Event To Trap Translator window.
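The threshold and string-length settings from the steps above, modelled as an added Python example (not code from the book or from SMS) so you can see which events in a log would produce a trap. It assumes a sliding time window and a counter that resets after each trap, which the page does not specify; the class and function names and the sample events are constructed for illustration.

```python
from collections import deque

MAX_TRAP_TEXT = 4096  # default string length limit from the Settings dialog (4 KB)

class TrapRule:
    """One translated event with 'If Event Count Reaches' / 'Within Time Interval'.

    Assumption: the interval is a sliding window and the count resets once a
    trap is sent. The page does not say how the agent implements this.
    """
    def __init__(self, event_id, count, interval=None):
        self.event_id, self.count, self.interval = event_id, count, interval
        self.seen = deque()  # timestamps of matching events still inside the window

    def feed(self, ts, event_id, text):
        """Return the truncated trap text if this event triggers a trap, else None."""
        if event_id != self.event_id:
            return None
        self.seen.append(ts)
        if self.interval is not None:
            while ts - self.seen[0] > self.interval:
                self.seen.popleft()  # too old to count toward the threshold
        if len(self.seen) < self.count:
            return None
        self.seen.clear()
        return text.encode("utf-8")[:MAX_TRAP_TEXT]

def traps_sent(events, rule):
    """Replay (seconds, event_id, text) tuples; return [(seconds, trap_bytes)]."""
    sent = []
    for ts, event_id, text in events:
        trap = rule.feed(ts, event_id, text)
        if trap is not None:
            sent.append((ts, trap))
    return sent

# Constructed sample log: event 529 is the logon failure selected in Figure 6-18.
BURST = [
    (0, 529, "Logon Failure"), (100, 529, "Logon Failure"),
    (150, 528, "Successful Logon"),              # different event ID, never counted
    (250, 529, "Logon Failure"),                 # the failure at 0 s has aged out
    (270, 529, "Logon Failure: " + "A" * 5000),  # 3rd failure within 180 s
]
SLOW = [(t, 529, "Logon Failure") for t in (0, 200, 400, 600)]  # 200 s apart

if __name__ == "__main__":
    for ts, trap in traps_sent(BURST, TrapRule(529, 3, 180)):
        print(f"trap at {ts}s, {len(trap)} bytes")
    print("slow failures:", traps_sent(SLOW, TrapRule(529, 3, 180)))
```

Under these assumptions, failures spaced wider than the interval never produce a trap, so the count and interval you choose determine what the SNMP manager is able to see.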

Unlike SMS 1.2, SMS 2.0 does not provide an SNMP Trap Receiver, which means that you have no way to actually record the trapped event and view it through the SMS 2.0 database. The only way to be certain that the event was generated is to check through the SNMP manager for the trap or to use a traffic analysis tool such as Network Monitor to identify the creation and sending of an SNMP frame from the computer generating the trap to the SNMP manager.
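To confirm from a capture that a frame really is the expected trap, the UDP payload can be decoded by hand. The following is an added example, not part of the book or of SMS: it assumes the SNMPv1 Trap-PDU layout from RFC 1157 (the page does not state the SNMP version), and the sample bytes, the placeholder enterprise OID, the agent address and the use of 529 as the specific-trap value are all constructed.

```python
def tlv(buf, pos):
    """Read one BER element at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, sub = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of a sub-identifier
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def parse_trap(payload):
    """Decode the header fields of an SNMPv1 Trap-PDU from a UDP payload."""
    tag, msg, _ = tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)
    tag, pdu, _ = tlv(msg, p)
    if tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    vals, p = [], 0
    for i in range(5):  # enterprise, agent-addr, generic, specific, time-stamp
        _, v, p = tlv(pdu, p)
        vals.append(v)
    num = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": num(version), "community": community.decode("ascii"),
            "enterprise": oid(vals[0]), "agent_addr": ".".join(map(str, vals[1])),
            "generic_trap": num(vals[2]), "specific_trap": num(vals[3])}

# Constructed capture: placeholder enterprise OID, documentation address
# 192.0.2.10, and specific-trap 529 assumed to mirror the event ID.
SAMPLE = bytes.fromhex("302b 020100 0406 7075626c6963 a41e 0609 2b06010401868d1f01"
                       " 4004 c000020a 020106 02020211 43023039 3000")

if __name__ == "__main__":
    print(parse_trap(SAMPLE))
```

The same decode exposes the community string, which SNMPv1 sends unencrypted in every frame.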

REAL WORLD  Configuring Multiple Clients for SNMP Traps Remotely

The configuration process we've been looking at involves selecting individual clients through the Collections folder and launching the Event to Trap Translator. The Export feature in the Event To Trap Translator window, however, also produces a .CNF file, which can be used to advertise the same event to trap configuration to several clients using SMS advertisements.

To configure multiple clients for SNMP traps, first you need to create the .CNF file. Click the Export button in the Event To Trap Translator window, and save the file as a .CNF file. Next create an SMS package using this file and the Remote Configuration Tool (Eventcmt.exe). This command-line tool can be found in the SMS\Scripts\00000409\Eventcmt folder under the appropriate platform directory; it enables you to automatically configure many clients with the same configuration. The package would be created with the command Eventcmt.exe filename.cnf. Command-line options for Eventcmt.exe include the following:

  • /NOMIF Suppresses the creation of a status MIF for SMS
  • /NOLOG Suppresses the writing of an Eventcmt log for the client
  • /DEFAULT Directs Eventcmt to run only if the configuration file is not designated as Custom
  • /SETCUSTOM Changes the current configuration designation to Custom
  • /NOSTOPSTART Directs Eventcmt to not stop and restart the SNMP Service on the client when the configuration file is applied.

By default, the Remote Configuration Tool will generate a status MIF for SMS to indicate whether the events were configured successfully as well as write a more detailed log file (Eventcmt.log) in the System Root\MS\SMS\Logs folder on the SMS client.

The configuration files can also be created manually. As with other script-like files, creating them requires learning some additional script commands. If this prospect appeals to you, you can refer to the SMS online help for more information about creating your own configuration files.



Microsoft Systems Management Server 2.0 Administrator's Companion
ISBN: 0735608342
EAN: 2147483647
Year: 1999
Pages: 167
