dayley replied on Thu, Dec 17 2009 3:13 PM

rated by 0 users

We are attempting to forward Windows event log events to Orion NPM/APM using the Microsoft Event-to-Trap-Translator (ETT) as described here:

http://www.eric-a-hall.com/articles/20050715.html

and

http://technet.microsoft.com/en-us/library/bb684482.aspx#EDAA

We are doing this because the built-in Orion APM event log monitor is incompatible with Windows 2000 Server and uses WMI.  See:

http://thwack.com/forums/p/15079/75073.aspx

We wrote our own Windows script monitor that overcomes the limitations, but it still uses WMI.  It works properly on W2K servers, but on some of them, WMI spikes the CPU for an unacceptable length of time, and so we have turned it off.

Using the Orion SysLog Forwarder is not an option because of the impact of the installation prerequisites across ~3000 servers.  It also doesn't have an easy way to configure all the servers from a central location.  SNMP is already installed on the servers, so we'd prefer to use its built-in ETT capability instead.

So we are now trying to forward the Windows event logs via SNMP using ETT.  The traps are configured, and we can trigger them and see in the Orion Trap Viewer that they reach the main APM/NPM poller, but they are coming through garbled.  We can also use the Trap Viewer to send an E-mail that contains the trap contents.

Example E-mail (where IP address, hostname, community string, domain, security ID, and Orion service account have been replaced - see X's):

 Timestamp:  12/17/2009 2:38 PM

Message Type:  EVNTAGENT-MIB:security.0.636 

Message:  SNMP Trap
     Received Time:12/17/2009 2:38:04 PM
     Source:XIP.XIP.XIP.XIP(XXHostnameXX)
     Community:XXCommunityStringXX
     Variable Bindings
          sysUpTime:= 1 hour 12 minutes 12.77 seconds (433277)
          snmpTrapOID:= EVNTAGENT-MIB:security.0.636 (1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121.0.636)
          eventText:= U2VjdXJpdHkgRW5hYmxlZCBMb2NhbCBHcm91cCBNZW1iZXIgQWRkZWQ6DQoNCglNZW1iZXIgTmFtZToJLQ0KDQoJTWVtYmVyIElEOgkle1MtMS01LTIxLTE5MzQyMzc3OC0zNTUzNDQ0ODMtMTU5NzA3MzMyOC0xNTU3NzJ9DQoNCglUYXJnZXQgQWNjb3VudCBOYW1lOglBZG1pbmlzdHJhdG9ycw0KDQoJVGFyZ2V0IERvbWFpbjoJQnVpbHRpbg0KDQoJVGFyZ2V0IEFjY291bnQgSUQ6CSV7Uy0xLTUtMzItNTQ0fQ0KDQoJQ2FsbGVyIFVzZXIgTmFtZToJU1ZDX0VUU19Pcmlvbg0KDQoJQ2FsbGVyIERvbWFpbjoJS0hDDQoNCglDYWxsZXIgTG9nb24gSUQ6CSgweDAsMHg1OTNBMUZGKQ0KDQoJUHJpdmlsZWdlczoJLQ0KDQo=
          eventUserId:= XXOrionServiceAccountXX
          eventSystem:= XXHostnameXX
          eventType:= 8
          eventCategory:= 7
          eventVar1:= -
          eventVar2:= %{XXLongSecurityIDXX}
          eventVar3:= Administrators
          eventVar4:= Builtin
          eventVar5:= %{S-1-5-32-544}
          eventVar6:= XXOrionServiceAccountXX
          eventVar7:= XXDomainNameXX
          eventVar8:= (0x0,0x593A1FF)
          eventVar9:= -
          experimental.1057.1:= XIP.XIP.XIP.XIP
          snmpTrapEnterprise:= EVNTAGENT-MIB:security (1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121)

This trap is an ETT version of a Windows Security event log (ID: 636) that is created whenever an account is added to the local administrators account.  As you can see above, the eventText field is completely unreadable.  What are we doing wrong, and how can we fix it?