Microsoft Systems Management Server 2.0 Training Kit
Converting Windows NT/2000 events into SNMP traps involves the Event to Trap Translator Client Agent, the SNMP service, and the Event to Trap Translator application. These programs support the conversion of Windows NT/2000 events into SNMP traps, which can then be forwarded to an NMS such as HP Openview or Sun's Net Manager.
NOTE
The Windows NT Server Resource Kit contains a tool called SNMPUTIL, which can be used to monitor for traps. This simple tool is used in a later exercise to verify that events are being translated into traps on Computer 2 and that they are being sent to Computer 1.
After this lesson, you will be able to
- Describe the purpose of the Event to Trap Translator Client Agent.
- Install and Configure the SMS 2.0 Event to Trap Translator.
Overview and Requirements
The SMS Event to Trap Translator translates selected Windows NT/2000 events to SNMP traps, which are then sent to an NMS. Any Windows NT/2000 event captured by the Event Logging Service and sent to the Event Viewer application's system, application, and security logs can be translated; however, no events are translated by default. Events are not translated by default in order to prevent flooding the network with Windows NT/2000 events.
Events are sent to the Event to Trap Translator as strings of data. Since some Windows NT/2000 events include a lot of text, the Event to Trap Translator allows traps to be trimmed. The default is 1024 bytes. If traps are too large they are often dropped by routers.
Event-to-trap translation is supported on Windows NT/2000 client computers in the site. The Event to Trap Translator Client Agent has the following requirements to function properly:
- Windows NT version 3.51 running SP 4 or later or Windows NT version 4.0 or later
- The TCP/IP protocol installed on all computers involved in SNMP event-to-trap translation
- SNMP service installed and configured on the client computers with appropriate community names and trap destinations specified
Computer 2 should have been configured to meet all these requirements. In Exercise 43, you will install the Event to Trap Translator Client Agent on Computer 2.
The SNMP Event to Trap Translator Client Agent is enabled from the Client Agents node in the SMS Administrator console, as shown in Figure 7-19. Select the Client Agents node (labeled 1 in Figure 7-19). From the details pane, select the Event to Trap Translator Client Agent (2). From the Action menu, choose Properties (3) and the Event to Trap Translator Client Agent Properties dialog box appears (4). Select the `Enable event to trap translation on clients' checkbox (5) so that the Event to Trap Translator Client Agent is installed on all Windows NT/2000 client computers in the site.
Figure 7-19. Enabling the SNMP Event to Trap Translator Client Agent.
If the SNMP service is installed on the client computer after the Event to Trap Translator Client Agent is installed, you must run the Client Configuration Manager. The Client Configuration Manager enables the Event to Trap Translator Client Agent once the SNMP service is installed and configured. This can be forced by clicking the Update Configuration button in the Control Panel — Systems Management application.
If the Event to Trap Translator Client Agent is installed on the client computer after the SNMP service is installed, the SNMP service must be stopped and restarted before event-to-trap translation can occur. You can either stop and start the SNMP service, or simply restart the client computer.
Configuring the SNMP Event To Trap Translator
Once the client computers are configured for SNMP event-to-trap translation, you decide which events should be translated into SNMP traps and then use the SMS Administrator console to configure these events (Figure 7-20).
To configure events for translation, select a Windows NT/2000 client computer from a collection (labeled 2 in Figure 7-20).
NOTE
The selected client computer must be running the SNMP service or the Event to Trap Translator will not start.
From the Action menu, select All Tasks. Then choose Start Event to Trap Translator (3). The SNMP Event to Trap Translator application starts (4). While the application is starting, it finds the client computer running the SNMP service and reads the registry in order to load all translatable events. Administrator equivalence to the client computer is necessary to complete this procedure.
Figure 7-20. Configuring the Event to Trap Translator in the SMS Administrator console.
Editing the List of Translated Events
In the Event to Trap Translator window, all events that are to be translated into SNMP traps are displayed. By default, no events are translated, so the list is empty. If events have already been added to the list, they can be reconfigured by clicking Properties.
New events are added by clicking Edit to expand the Event to Trap Translator window, as shown in Figure 7-21. From the bottom pane, the built-in events that can be translated appear.
Figure 7-21. The expanded Event to Trap Translator window.
Events that appear in the Windows NT Event Viewer's application, security, or system logs can be translated into SNMP traps by selecting the appropriate event log source, and then choosing the specific event to be translated. When you click Add, the Properties dialog box for the specific event appears, allowing you to configure when the event is converted into a trap. For example, you can configure the number of occurrences of an event that must occur in a specific period of time before a trap is created.
Configuration Considerations
Event-to-trap translation requires configuration to maximize the effectiveness of this feature. Use the following functions in the Event to Trap Translator window to configure trap translation:
- The Settings function
- The Export function
- The Properties function
The Settings dialog box is accessed from the Settings button (see Figure 7-21 for the location of this button). From the Settings dialog box, you can trim the traps to a byte length that will not be discarded by some networking hardware, such as routers. Most Windows NT/2000 events include descriptive messages. Some of these messages could be translated into traps that are larger than can be accommodated by network hardware. For example, SNMP-enabled routers may contain size limits for SNMP data. If the data exceeds this limit, the router discards it and the NMS will never receive the trap.
The settings function is also used to set SNMP trap throttling. After a client computer has reached a number of traps specified here, SNMP trap translation will stop. SNMP trap throttling can also be reset from here.
This Export dialog box is accessed from the Export button (see Figure 7-21 for the location of this button; the button is gray in the figure). If your SNMP management software requires configuration to receive and display the SMS-generated traps properly, you need to use Export to export the translated events into a file that can be imported and processed at the NMS. The exported file becomes either a Text (*.TXT) or a Config Tool (*.CNF) format. The *.TXT format is typically used to import configuration data to an NMS.
This exported configuration data can also be used to specify the events to be translated into traps on all Windows NT/2000 client computers in the site. The Remote Configuration Tool (EVENTCMT.EXE) reads the exported *.CNF file to automatically configure event-to-trap translation on client computers. To automate event-to-trap translation, first create a package and a program using the exported configuration file and EVENTCMT.EXE. Second, target a Windows NT collection through an advertisement that uses the Remote Configuration Tool and the exported configuration data. For more information, read the "Remotely Modify the Client Configuration for SNMP" document, which is located in the Systems Management Server Administrator Help file.
Once you have configured which events are to be translated into SNMP trap messages, the behavior of the individual traps are modified by clicking the Properties button (see Figure 7-21 for the location of the button; the button is gray in the figure). From the Properties dialog box, trap translation thresholds are configured. Events generated on client computers are translated into SNMP trap messages if a specific event exceeds a configurable threshold, either based on count or based on count and time. For example, you may want the NMS to be sent a trap when a client computer's pagefile has increased to its maximum capacity more than five times in one week. This may indicate that the pagefile must be increased in size, additional pagefiles must be added, or the client computer requires more RAM.
Exercise 43: Installing and Configuring Event-to-Trap Translation
In this exercise, you will configure the Event to Trap Translator Client Agent and the Event to Trap Translator to convert a Windows NT event into a trap. It is not expected that you have an NMS available to test event-to-trap translation. Instead, the SNMPUTIL Windows NT Server Resource Kit utility will be used to verify that events are being converted to traps.
If the SMS Administrator console is not running, start it now.
- Select the Client Agents node from the SMS console tree.
- Select the Event to Trap Translator Client Agent from the details pane.
- From the Action menu, choose Properties.
- Select the `Enable event to trap translation on clients' checkbox and then click OK.
The details pane appears.
The Event to Trap Translator Client Agent Properties dialog box appears.
The SMS Administrator Console appears.
In the following steps, you will verify that the Event to Trap Client Agent has been installed on Computer 2. Complete these steps from Computer 2.
- Open the Systems Management application in Control Panel.
- Select the Components tab.
- Verify that the NT Event to SNMP Trap Translator appears in the list and that its status is Installed.
- If the NT Event to SNMP Trap Translator does not appear in the list, select the Sites tab and click Update Configuration. If the NT Event to SNMP Trap Translator does appear in the list but the status is Not Available, return to Exercise 41 to install and configure the SNMP service.
- Once the NT Event to SNMP Trap Translator is properly installed, close the Systems Management Properties dialog box.
The Systems Management Properties dialog box appears.
The installed client components appear.
In the following steps you will configure the Event to Trap Translator application in the SMS Administrator console. Complete these steps from Computer 1 in the SMS Administrator console.
- Select the All Systems node under the Collections node.
- Select COMPUTER2 from the details pane.
- From the Action menu, select All Tasks. Then choose Start Event to Trap Translator.
- Select the `Custom' radio button and then click the Edit button.
- From the 'Event Sources' box, select Security\Security.
- From the 'Event ID' column, select 529 and then click Add.
- In the `If Event Count Reaches' box, type 2 and then click OK.
- Click OK.
The details pane appears showing all client computers in the site.
The Loading Trap Configuration progress box appears briefly followed by the Event to Trap Translator - SMS - [Default Settings] window.
The Event to Trap Translator — SMS - [Custom Settings] window appears with a top and bottom pane. Under `Event Sources,' notice the addition of the Application, Security, and System folders. These correspond to Windows NT Event Viewer logs by the same name.
Under 'Events,' a set of events for the Security log appears.
The Properties dialog box appears, displaying all the properties of Security event 529. Notice the values present, including the trap specific ID of 529.
The Event to Trap Translator — SMS - [Custom Settings] windows displays security event 529 as an event that will be translated into an SNMP trap.
A Saving Trap Configuration progress box appears while the event-to-trap translator information is saved. After the configuration is saved, the SMS Administrator console appears.
In the following steps, you enable auditing on Computer 2. Unless Computer 2 audits and generates events for logon failures, the operating system will not create security events for translation into SNMP traps. Complete these steps from Computer 1.
- Open User Manager for Domains.
- From the Policies menu, select Audit.
- Select the 'Audit These Events' radio button. Then after `Logon and Logoff,' select the `Failure' checkbox.
- Click OK.
- Close User Manager for Domains.
- Open a command prompt.
- Create a directory on Computer 1 called TRAP.
- Copy all of the files in the CHAPT07\EXFILES\EX43 directory to the TRAP directory.
- Change to the TRAP directory and type SNMPUTIL trap (the "trap" option is case sensitive).
- Computer 1 is now ready to monitor for event-to-trap translation from Computer 2.
The Audit Policy dialog box appears.
The command prompt displays:
snmputil: listening for traps... |
In the following steps, you will generate a security event, verify that it is appearing in the security log, and then monitor event-to-trap translation from Computer 2 to Computer 1. Complete these steps on Computer 2.
- Log off.
- Attempt to log on as USER1 with no password.
- Attempt to log on as USER1 again with no password.
- Log on as ADMINISTRATOR, open Event Viewer on Computer 2, and change to the Security log to verify that bad logon attempts were logged.
- Check Computer 1 to verify that SNMPUTIL received the trap from Computer 2. The command prompt window running SNMPUTIL should display a string of data that lists the contents of the trapped event.
The Begin Logon dialog box appears.
A Logon Message appears, indicating logon was unsuccessful due to an unknown user account or bad password. Before completing the next step, make sure that you can see the command prompt running the SNMPUTIL command on Computer 1.
A Logon Message appears, indicating logon was unsuccessful due to an unknown user account or bad password. Attempting to log on twice with a bad password should generate a security event and that security event generates an SNMP trap from the Security log.
Категории