Microsoft Systems Management Server 2.0 Training Kit

Converting Windows NT/2000 events into SNMP traps involves the Event to Trap Translator Client Agent, the SNMP service, and the Event to Trap Translator application. Together, these programs convert Windows NT/2000 events into SNMP traps, which can then be forwarded to an NMS such as HP OpenView or Sun's Net Manager.

NOTE

The Windows NT Server Resource Kit contains a tool called SNMPUTIL, which can be used to monitor for traps. This simple tool is used in a later exercise to verify that events are being translated into traps on Computer 2 and that they are being sent to Computer 1.


After this lesson, you will be able to

Estimated Completion Time: 40 minutes

Overview and Requirements

The SMS Event to Trap Translator translates selected Windows NT/2000 events to SNMP traps, which are then sent to an NMS. Any Windows NT/2000 event captured by the Event Logging Service and sent to the Event Viewer application's system, application, and security logs can be translated; however, no events are translated by default. Events are not translated by default in order to prevent flooding the network with Windows NT/2000 events.

Events are sent to the Event to Trap Translator as strings of data. Because some Windows NT/2000 events include a lot of text, the Event to Trap Translator allows traps to be trimmed. The default is 1024 bytes. Traps that are too large are often dropped by routers.

Event-to-trap translation is supported on Windows NT/2000 client computers in the site. The Event to Trap Translator Client Agent has the following requirements to function properly:

Computer 2 should have been configured to meet all these requirements. In Exercise 43, you will install the Event to Trap Translator Client Agent on Computer 2.

The SNMP Event to Trap Translator Client Agent is enabled from the Client Agents node in the SMS Administrator console, as shown in Figure 7-19. Select the Client Agents node (labeled 1 in Figure 7-19). From the details pane, select the Event to Trap Translator Client Agent (2). From the Action menu, choose Properties (3) and the Event to Trap Translator Client Agent Properties dialog box appears (4). Select the 'Enable event to trap translation on clients' checkbox (5) so that the Event to Trap Translator Client Agent is installed on all Windows NT/2000 client computers in the site.

Figure 7-19. Enabling the SNMP Event to Trap Translator Client Agent.

If the SNMP service is installed on the client computer after the Event to Trap Translator Client Agent is installed, you must run the Client Configuration Manager. The Client Configuration Manager enables the Event to Trap Translator Client Agent once the SNMP service is installed and configured. This can be forced by clicking the Update Configuration button in the Control Panel — Systems Management application.

If the Event to Trap Translator Client Agent is installed on the client computer after the SNMP service is installed, the SNMP service must be stopped and restarted before event-to-trap translation can occur. You can either stop and start the SNMP service, or simply restart the client computer.

Configuring the SNMP Event To Trap Translator

Once the client computers are configured for SNMP event-to-trap translation, you decide which events should be translated into SNMP traps and then use the SMS Administrator console to configure these events (Figure 7-20).

To configure events for translation, select a Windows NT/2000 client computer from a collection (labeled 2 in Figure 7-20).

NOTE

The selected client computer must be running the SNMP service or the Event to Trap Translator will not start.

From the Action menu, select All Tasks. Then choose Start Event to Trap Translator (3). The SNMP Event to Trap Translator application starts (4). While the application is starting, it finds the client computer running the SNMP service and reads the registry in order to load all translatable events. Administrator equivalence to the client computer is necessary to complete this procedure.

Figure 7-20. Configuring the Event to Trap Translator in the SMS Administrator console.

Editing the List of Translated Events

In the Event to Trap Translator window, all events that are to be translated into SNMP traps are displayed. By default, no events are translated, so the list is empty. If events have already been added to the list, they can be reconfigured by clicking Properties.

New events are added by clicking Edit to expand the Event to Trap Translator window, as shown in Figure 7-21. The built-in events that can be translated appear in the bottom pane.

Figure 7-21. The expanded Event to Trap Translator window.

Events that appear in the Windows NT Event Viewer's application, security, or system logs can be translated into SNMP traps by selecting the appropriate event log source and then choosing the specific event to be translated. When you click Add, the Properties dialog box for the specific event appears, allowing you to configure when the event is converted into a trap. For example, you can configure the number of times an event must occur in a specific period of time before a trap is created.
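The event-count threshold and trap trimming described in this lesson can be modelled as follows. This is an added example, not code from the training kit or from SMS; the TrapRule fields, the 60-second window, the restart of counting after a trap fires, and the sample events are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

DEFAULT_TRAP_LIMIT = 1024  # bytes; the default trim length given in this lesson


@dataclass
class TrapRule:
    """One entry in the translated-events list (field names are hypothetical)."""
    source: str
    event_id: int
    count: int = 1       # models the "If Event Count Reaches" box
    window_s: int = 0    # period in seconds; 0 means no time limit (assumption)
    _seen: deque = field(default_factory=deque, repr=False)

    def observe(self, ts):
        """Record one occurrence; return True when the threshold is met."""
        self._seen.append(ts)
        if self.window_s:
            # Forget occurrences that fall outside the configured period.
            while ts - self._seen[0] > self.window_s:
                self._seen.popleft()
        if len(self._seen) >= self.count:
            self._seen.clear()  # assumption: counting restarts after a trap
            return True
        return False


def translate(events, rules, limit=DEFAULT_TRAP_LIMIT):
    """Return one trap per rule threshold reached; unlisted events are ignored."""
    index = {(r.source, r.event_id): r for r in rules}
    traps = []
    for ts, source, event_id, text in events:
        rule = index.get((source, event_id))
        if rule is not None and rule.observe(ts):
            payload = text.encode("utf-8")[:limit]  # trim oversized event text
            traps.append({"specific_trap": event_id, "time": ts,
                          "payload": payload})
    return traps


# Constructed sample: (seconds, log source, event ID, event text)
SAMPLE_EVENTS = [
    (0, "Security", 529, "Logon Failure: USER1"),
    (5, "Security", 528, "Successful Logon: ADMINISTRATOR"),
    (200, "Security", 529, "Logon Failure: USER1"),
    (230, "Security", 529, "Logon Failure: USER1 " + "x" * 2000),
]


def demo():
    rules = [TrapRule("Security", 529, count=2, window_s=60)]
    return translate(SAMPLE_EVENTS, rules)
```

With these sample events, the failures at 0 and 200 seconds are too far apart to count together, so only the pair at 200 and 230 seconds produces a trap, and its oversized text is cut to 1024 bytes.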

Configuration Considerations

Event-to-trap translation requires configuration to maximize the effectiveness of this feature. Use the following functions in the Event to Trap Translator window to configure trap translation:

Exercise 43: Installing and Configuring Event-to-Trap Translation

In this exercise, you will configure the Event to Trap Translator Client Agent and the Event to Trap Translator to convert a Windows NT event into a trap. It is not expected that you have an NMS available to test event-to-trap translation. Instead, the SNMPUTIL Windows NT Server Resource Kit utility will be used to verify that events are being converted to traps.

If the SMS Administrator console is not running, start it now.

  1. Select the Client Agents node from the SMS console tree.
  2. The details pane appears.

  3. Select the Event to Trap Translator Client Agent from the details pane.
  4. From the Action menu, choose Properties.
  5. The Event to Trap Translator Client Agent Properties dialog box appears.

  6. Select the 'Enable event to trap translation on clients' checkbox and then click OK.
  7. The SMS Administrator Console appears.

In the following steps, you will verify that the Event to Trap Client Agent has been installed on Computer 2. Complete these steps from Computer 2.

  1. Open the Systems Management application in Control Panel.
  2. The Systems Management Properties dialog box appears.

  3. Select the Components tab.
  4. The installed client components appear.

  5. Verify that the NT Event to SNMP Trap Translator appears in the list and that its status is Installed.
  6. If the NT Event to SNMP Trap Translator does not appear in the list, select the Sites tab and click Update Configuration. If the NT Event to SNMP Trap Translator does appear in the list but the status is Not Available, return to Exercise 41 to install and configure the SNMP service.
  7. Once the NT Event to SNMP Trap Translator is properly installed, close the Systems Management Properties dialog box.

In the following steps you will configure the Event to Trap Translator application in the SMS Administrator console. Complete these steps from Computer 1 in the SMS Administrator console.

  1. Select the All Systems node under the Collections node.
  2. The details pane appears showing all client computers in the site.

  3. Select COMPUTER2 from the details pane.
  4. From the Action menu, select All Tasks. Then choose Start Event to Trap Translator.
  5. The Loading Trap Configuration progress box appears briefly followed by the Event to Trap Translator - SMS - [Default Settings] window.

  6. Select the 'Custom' radio button and then click the Edit button.
  7. The Event to Trap Translator - SMS - [Custom Settings] window appears with a top and bottom pane. Under 'Event Sources,' notice the addition of the Application, Security, and System folders. These correspond to the Windows NT Event Viewer logs of the same name.

  8. From the 'Event Sources' box, select Security\Security.
  9. Under 'Events,' a set of events for the Security log appears.

  10. From the 'Event ID' column, select 529 and then click Add.
  11. The Properties dialog box appears, displaying all the properties of Security event 529. Notice the values present, including the trap specific ID of 529.

  12. In the 'If Event Count Reaches' box, type 2 and then click OK.
  13. The Event to Trap Translator - SMS - [Custom Settings] window displays security event 529 as an event that will be translated into an SNMP trap.

  14. Click OK.
  15. A Saving Trap Configuration progress box appears while the event-to-trap translator information is saved. After the configuration is saved, the SMS Administrator console appears.

In the following steps, you enable auditing on Computer 2. Unless Computer 2 audits and generates events for logon failures, the operating system will not create security events for translation into SNMP traps. Complete these steps from Computer 1.

  1. Open User Manager for Domains.
  2. From the Policies menu, select Audit.
  3. The Audit Policy dialog box appears.

  4. Select the 'Audit These Events' radio button. Then after 'Logon and Logoff,' select the 'Failure' checkbox.
  5. Click OK.
  6. Close User Manager for Domains.
  7. Open a command prompt.
  8. Create a directory on Computer 1 called TRAP.
  9. Copy all of the files in the CHAPT07\EXFILES\EX43 directory to the TRAP directory.
  10. Change to the TRAP directory and type SNMPUTIL trap (the "trap" option is case sensitive).
  11. The command prompt displays:

    snmputil: listening for traps...

  12. Computer 1 is now ready to monitor for event-to-trap translation from Computer 2.

In the following steps, you will generate a security event, verify that it is appearing in the security log, and then monitor event-to-trap translation from Computer 2 to Computer 1. Complete these steps on Computer 2.

  1. Log off.
  2. The Begin Logon dialog box appears.

  3. Attempt to log on as USER1 with no password.
  4. A Logon Message appears, indicating logon was unsuccessful due to an unknown user account or bad password. Before completing the next step, make sure that you can see the command prompt running the SNMPUTIL command on Computer 1.

  5. Attempt to log on as USER1 again with no password.
  6. A Logon Message appears, indicating logon was unsuccessful due to an unknown user account or bad password. Attempting to log on twice with a bad password should generate a security event and that security event generates an SNMP trap from the Security log.

  7. Log on as ADMINISTRATOR, open Event Viewer on Computer 2, and change to the Security log to verify that bad logon attempts were logged.
  8. Check Computer 1 to verify that SNMPUTIL received the trap from Computer 2. The command prompt window running SNMPUTIL should display a string of data that lists the contents of the trapped event.
