<

Free Windows Event log monitoring to SNMP traps or Syslog

Published on
22,738 Points
15,438 Views
8 Endorsements
Last Modified:
Approved
Community Pick
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs, with the result being that for each event of interests, an SNMP trap will be sent to your SNMP processor.


SNMP

The assumption is that you already have SNMP services (SNMP Service and SNMP Trap Service) configured. Installation is beyond the scope of this exercise, but if you research it at Microsoft or drop me a line you should be able to do this quite easily.
------------------------------------
WARNING: You should ALWAYS secure SNMP by retricting communities to READ-ONLY and allowing only authorized IP's to query SNMP on your deployed systems.
See the following for more details:
http://support.microsoft.com/kb/324261
http://technet.microsoft.com/en-us/library/cc959637.aspx
------------------------------------
This is not really rocket science, but here is high level approach to setting this up (these are the steps I've followed to set my own).

1

Ensure SNMP is installed and configured

2

Open Windows event log and filter events (application, security and system) with filters of your choice - Warning and Errors, Errors only, Failure audit, etc).

3

Locate the event you are interested to alert with an SNMP trap as soon as it occurs.

4

Start-up evntwin.exe from the system32 folder.

5

Use the CUSTOM and EDIT options, then FIND the source or description of the event of interest (as determined in step 3). Double click the event and Click OK - now the event is added to the translation list, so every time is logged in the event log, your trap processor will receive an SNMP trap.

6

Repeat until you have added all application, system and security events of interest. Click APPLY.
evntwin.jpg
BUT WAIT, THERE IS MORE!

7

Click the export button and select a file location and name (make a note of that)

8

Open a command prompt and change directory to the system32 folder.

9

Invoking the evntcmd.exe tool, you can NOW PUSH this configuration to ANY server that has Remote registry and SNMP enabled.

Example output of evtcmd.exe:
C:\WINDOWS\system32\evntcmd.exe /s host01.dsi.net.nz  -v10 C:\windows\system32\events.cnf
Microsoft (R) Event To Trap Translator; Configuration Tool v2.00
Copyright (c) Microsoft Corporation 1998.  All rights reserved.
[Wrn08] Verbose level set to 10.
[Wrn05] Command line parsed successfully.
[Wrn08] Successfully parsed Trap(ADD, eventlog, 2147489656, 1, 0).
[Wrn10] lexic [2:0]: hit EOF.
[Wrn05] Configuration file 'C:\windows\system32\events.cnf' parsed successfully.
[Wrn08] Connecting to 'host01.dsi.net.nz' registry ...
[Wrn05] Registry connected to 'host01.dsi.net.nz'.
[Wrn10] Configured new source 'eventlog'.
[Wrn08] Successfully set new event '2147489656'.
[Wrn05] Commands processed successfully.
[Wrn08] No need to restart the SNMP service..

Open in new window


Voila! If you can script to automate this in a batch, it's even easier.
The possibilities are endless. Combined with Microsoft's eventtriggers tool, this gives you maximum flexibility to integrate virtually any operational and monitoring aspects of your Windows-based systems and applications with your enterprise management tool.


For an MS-style application monitoring article, check out:
http://technet.microsoft.com/en-us/library/bb684482.aspx


SYSLOG

For the environments that have a Syslog server as an aggregation point only or in addition, read on.
I have failed to find a free and simple to use SNMP2Syslog forwarder, and am not even sure if there is such a tool/daemon. Instead, I have found a freeware program that installs as a service and forwards particular (or all) events to a Syslog server for further processing.
It can be acquired from http://sourceforge.net/projects/el2sl/ as an MSI, which means that you can quietly install it with your application deployment method of choice - AD, 3rd party, scripts. Once installed, run the el2slconf.exe from the installed directory (normally C:\Program Files\El2Sl) and configure the source and type of events you want forwarded (I have selected all the ERROR type events for example). Apply and restart the service and you should see them streaming at your Syslog console...
 el2sl.jpg

For mass deployment, I have exported the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\el2sl] to a .reg file - you can use your preferred method of applying this registry to a number of machines (GPO, scripts) - a quick restart of the deployed services will ensure the same configuration applies to them ...


Radu - DSI-Tech
8
Comment
Author:croitoru
3 Comments
 
LVL 73

Expert Comment

by:Qlemo
Interesting article. I'm with you in supposing this feature is commonly unknown, but useful.
Awarded Community Pick. And voted YES on "Helpful", of course.

Qlemo
Page Editor
0
 
LVL 38

Expert Comment

by:younghv
croitoru,
Good information for a wide variety of SysAdmins out here.
Thank you for putting it together.

"Yes" vote above.
0
 
LVL 28

Expert Comment

by:sunnyc7
Very good article. i am going to try this out.

Yes Vote
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Join & Write a Comment

When you have multiple client accounts to manage, it often feels like there aren’t enough hours in the day. With too many applications to juggle, you can’t focus on your clients, much less your growing to-do list. But that doesn’t have to be the cas…
Wrapper-1-Query. Use an Excel function to calculate a column for an Access query. Part 1. Shows a query in Access that has a calculated column with the results of an Excel worksheet function. See how to call a wrapper function from a query, and …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month