SNMP sensor for Windows Event IDs

I have used SNMP for account lockout alerts in the past, as well as various other event IDs that the client/company would consider "immediate notification" kind of things. I configured EvntWin as it should be, I created a custom SNMP sensor, entered the OID for the trap.

I think I did it wrong because the error is "No such object (SNMP error #222)", which from what I've read means it can't query SNMP? I switched SNMP from v2 to v1, gave a different error number, 2 I think, but it was pretty much the same.

I know there is a PowerShell extension, but I don't want PRTG to run scripts against domain controllers every 5 minutes to check for locked accounts. I would prefer that the server just send the trap, and the sensor just pick it up and send an email/alert/page/whatever.

Has anyone had success configuring Windows SNMP traps on Windows Event IDs to send data to PRTG for this kind of thing? SolarWinds can do it without issue, and I've used WhatsUP in the past as well, this is a first for me with PRTG. I like PRTG more than the others, I don't want to have to set up another tool just for this function. Please let me know if you need more information.

PRTG is running on Windows Server 2012 R2, DCs are the same.

4740 account-locked-out evntwin snmp

Created on Sep 23, 2016 9:55:47 PM by  p0wd3r (0) 1



8 Replies

Hello there,

In order to receive SNMP Traps you need to use the SNMP Trap Receiver Sensor and configure the include and error filters as needed.

There's also a video explaining the SNMP Trap Receiver Sensor.

Kind regards,

Erhard

Created on Sep 26, 2016 11:56:15 AM by  Erhard Mikulik [Paessler Support]



That sensor does indeed pick up the traps!

How do I tell PRTG to translate the message better (I imagine it will look "normal" when I fix the alert to send the email)? It seems to get the OID without issue, as well as all of the fields that I have defined for the trap on the Windows server. Do I need to follow a specific format? Or do I need to set up a translation document of some kind? I saw a mention of an MIB file, is this required?

Created on Sep 27, 2016 10:12:15 PM by  p0wd3r (0) 1



Yes, the MIB file is the relevant part for "translating" those traps. You can copy the Management Information Base (MIB) file for your traps into the \MIB subfolder of your PRTG installation to translate the OIDs for the traps into readable messages. Could you maybe post a screenshot of what trap messages you're receiving? Alternatively send us an email with the screenshot ([email protected]; subject: Case PAE763510).

Kind regards,

Erhard

Created on Sep 28, 2016 9:08:12 AM by  Erhard Mikulik [Paessler Support]



Here is a screenshot of the trap message from the PRTG web console.

http://p42.com/img/snmp-account-locked-ID4740.PNG

Here is the trap configuration from evntwin.

http://p42.com/img/EvntWin-account-locked-ID4740.PNG

The message gets the HTML formatting, you can see on the right, 3rd line, (A user account was locked out.<br, which would end up being formatted like this...

A user account was locked out.<br>
<br>
Subject:<br>
Security ID: S-1-5-18<br>
Account Name: NNNNNNNN$<br>
Account Domain: DDDDDDDDD<br>
Logon ID: 0x3e7<br>
<br>
Account That Was Locked Out:<br>
Security ID: S-1-5-21-XXXXXXXXXX<br>
Account Name: UUUUUUUUU<br>
<br>
Additional Information:<br>
Caller Computer Name: CCCCCCCCCC<br>

This tells me that the variables in the translator are correctly being sent, it just isn't getting arranged correctly in the console. I assume that I'll have to create the MIB data since PRTG doesn't seem to have it built in, is this correct? But that would only be if I cared to see it in the console (which I don't), and I know that if I email the message as is, the HTML data will get arranged correctly, but it'll just have some extra "stuff" that I can also filter.

What is the recommendation to send this specific event ID, 4740 Account Locked Out, via SNMP to email?

BTW, thank you for the help, this product just keeps getting better, and good support is a fantastic bonus. :)

Created on Sep 28, 2016 3:22:21 PM by  p0wd3r (0) 1

Last change on Sep 29, 2016 6:57:04 AM by  Luciano Lingnau [Paessler]
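
The message quoted in the post above carries two "Account Name" fields, so a filter that grabs the first one reports the machine account rather than the locked-out user. As an added example (not part of the original thread and not PRTG or Paessler code), this Python parser splits the `<br>`-formatted text by section and builds a plain-text alert line; the function names are hypothetical, and it assumes the event text arrives as a single string shaped like the one in the post.

```python
import html
import re

# Constructed sample: the event text as one <br>-separated string, using the
# placeholder values from the post above.
SAMPLE_TRAP_TEXT = (
    "A user account was locked out.<br><br>Subject:<br>"
    "Security ID: S-1-5-18<br>Account Name: NNNNNNNN$<br>"
    "Account Domain: DDDDDDDDD<br>Logon ID: 0x3e7<br><br>"
    "Account That Was Locked Out:<br>Security ID: S-1-5-21-XXXXXXXXXX<br>"
    "Account Name: UUUUUUUUU<br><br>Additional Information:<br>"
    "Caller Computer Name: CCCCCCCCCC<br>"
)

# Section headers as they appear in the message quoted in the post.
SECTIONS = {"Subject", "Account That Was Locked Out", "Additional Information"}
BR = re.compile(r"<br\s*/?>", re.IGNORECASE)


def parse_lockout_message(text):
    """Return (summary, {section: {field: value}}) for <br>-formatted text."""
    summary, sections, current = "", {}, None
    for part in BR.split(text):
        line = html.unescape(part).strip()
        if not line:
            continue
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep:
            summary = summary or line      # free-text first line
        elif key in SECTIONS and not value:
            current = sections.setdefault(key, {})
        elif current is not None:
            current[key] = value           # may be empty, e.g. blank caller
    return summary, sections


def lockout_alert(text):
    """Build a plain-text alert line, or None if this is not a lockout message."""
    summary, sections = parse_lockout_message(text)
    locked = sections.get("Account That Was Locked Out", {}).get("Account Name")
    if not locked:
        return None
    # The Subject section has its own Account Name (here a machine account,
    # NNNNNNNN$); only the locked-out section names the user.
    caller = sections.get("Additional Information", {}).get("Caller Computer Name")
    return f"{summary} Account: {locked}; caller computer: {caller or 'unknown'}"


if __name__ == "__main__":
    print(lockout_alert(SAMPLE_TRAP_TEXT))
```
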



Thank you for the flowers :)

Thinking about what you're trying to do, you could simply attach a task/action directly to the event in Event Viewer. I mean, what you're doing now is sending a trap for a specific event (ID 4740), which PRTG can indeed catch, which then requires limits or threshold triggers to be configured in order to trigger a notification. Instead, you could right-click on the event in Event Viewer and select to attach an action to it, like sending an email when this event occurs. Wouldn't that be easier in the end, in case you care especially about this specific event to get notified about?

Kind regards,

Erhard

Created on Sep 29, 2016 2:10:02 PM by  Erhard Mikulik [Paessler Support]



That would be easier, however I would have to permit the domain controllers (in this case 14 servers on 10 different subnets, and spread across 4 data centers) to send email through the internal relay. Under less strict conditions, this would be fine, however this network has certain industry security standards that it must abide by, one of them being limited SMTP email capabilities.

That said, is this type of instant alert via email from event IDs possible? And if it is, how do I tell PRTG to send an email when any message is received? I tried setting the object triggers to "When sensor state is DOWN for at least 0 seconds perform TEST", where TEST is a notification that currently has a single email under it for testing.

Created on Sep 29, 2016 3:02:41 PM by  p0wd3r (0) 1



Ok, I see. You need to configure limits then in each channel to receive notifications for traps in all categories/counters (messages/warnings/errors etc.). Click on one of the gauges showing the #/s value to enter its settings. At the bottom of the channel settings you can enable limits and set an upper error limit like 0.0001. Since traps are measured in traps per second, you ensure that you get notified whenever traps of the respective category were counted, because the sensor will enter error state for one interval when this limit is reached, which then triggers the notification you configured.

Kind regards,

Erhard

Created on Sep 30, 2016 7:55:54 AM by  Erhard Mikulik [Paessler Support]



That solved the issue for the alerts! Thank you for your help.

Created on Oct 6, 2016 6:36:56 PM by  p0wd3r (0) 1


