
Monitor multiple events on a remote system when you cannot use the ipMonitor Event Log Monitor

Updated October 1, 2018

Overview

When you configure ipMonitor to monitor event log files on a remote server, there may be instances when you cannot use the Event Log Monitor. For example:

  • You cannot use a credential that represents the administrator account.
  • RPC connectivity is not working properly.
  • RPC connectivity is not allowed.
  • The IP address of the system targeted by the Event Log Monitor is NATed (hidden).

On these occasions, use the Evntwin.exe Windows utility and the SNMP Trap Monitor to monitor for specific events in Event Log files.

There are a number of advantages to this setup:

  • The SNMP Trap Monitor is easy to configure.
  • This setup will work on a stand-alone system, as well as across non-trusted domains provided that SNMP connectivity exists between both systems.
  • This setup results in a non-intrusive, low network overhead monitoring process.

How the Process Works

The SNMP Trap Monitor listens for incoming traps sent from remote systems and network devices. When a trap is received, it is analyzed to determine if an Information Alert should be sent. If the incoming trap matches the pre-configured trap filtering settings, an Information Alert is sent as configured in a related Profile.

The following diagram illustrates this process:
event_to_trap_diagram.gif

In this illustration, the Evntwin.exe process detects the set condition in the Event Log and sends a trap to the ipMonitor installation. When the trap is received, ipMonitor sends an information alert.

For more information regarding the SNMP Trap Monitor, see Monitors in the ipMonitor context-sensitive help system, and then select Monitor Types > QA Trap. You can access the help by clicking the Help link in the ipMonitor Administration web interface.

Details

Configure the remote system

Before you create an SNMP Trap Monitor to implement the example outlined in this article, ensure that the Windows SNMP Service is configured and enabled on the remote system. When you are finished, configure the SNMP Service on the remote system to send traps to the ipMonitor installation.

  1. Verify that the SNMP service is installed on the remote system.
    If the service is installed, go to step 2.
    If the service is not installed, perform the following steps:
    1. Click Start / Control Panel / Add or Remove Programs / Add/Remove Windows Components.
    2. In Components, click Management and Monitoring Tools and then click Details.
    3. Select the Simple Network Management Protocol check box, and then click OK.
    4. Click Next, and then Finish.
  2. Configure the SNMP Service.
    1. Click Start / Control Panel / Administrative Tools.
    2. Double-click the Services MMC Snap-in.
    3. Right-click SNMP Service and select Properties.
    4. Click the General tab.
    5. Ensure that the Startup Type is set to Automatic.
    6. Click the Traps tab.
    7. In the tab window, enter the Community Name to use.
    8. In the Trap destinations box, add the IP Address of the ipMonitor installation.
    9. Click OK.

Configure the ipMonitor host

Disable the SNMP Trap Service on the ipMonitor host machine. Otherwise, it will interfere with the SNMP Trap Monitor.

If the SNMP component was not installed on the ipMonitor host, the SNMP Trap Service will not be listed. In that case, proceed to the next section.

  1. Click Start / Control Panel / Administrative Tools.
  2. Double-click Services MMC Snap-in.
  3. Select the SNMP Trap Service.
  4. Click the Action drop-down menu and select Properties.
  5. Stop the service (if running).
  6. Set the Startup Type to Disabled.
  7. Click Apply, and then click OK.
  8. Close the Services window.

Verify that ipMonitor is configured to listen to incoming traps

  1. Click Start / Program Files / SolarWinds ipMonitor.
  2. Double-click Configure ipMonitor.
  3. Select Communications > Web Server Ports.
  4. Configure the SNMP Trap Listener settings.
    1. In the SNMP Trap Listener box, enter the SNMP listening IP address.
      Entering 0.0.0.0 will have the ipMonitor installation listen for incoming traps on all IP Addresses bound to the system.
    2. In the Port (UDP) field, enter the listening port.
      The default SNMP Listening Port number is 162.
    3. Check the Enabled checkbox.

Configure the Evntwin.exe Windows Utility on the remote server

Beginning with Windows 2000, Windows operating systems include the Evntwin.exe utility. This utility allows you to configure the remote system to forward specific events to another system using an SNMP trap. Because Evntwin.exe is a graphical tool that connects to the Event Viewer, it is easy to select which events should be forwarded to ipMonitor.

This section describes how you can use the Evntwin.exe utility to monitor specific security events on a remote system. This section will refer to the following events:

  • Event ID: 529 | Type: Failure | Audit Description: Logon Failure | Reason: Unknown user name or bad password
  • Event ID: 533 | Type: Failure | Audit Description: Logon Failure | Reason: User not allowed to logon at this computer

Evntwin.exe can only send traps for security events that are visible in the system's Security log. To log security events, the Audit policy must be activated on the system:

  1. Open a Run box and execute:
    evntwin.exe
  2. In the Configuration type box, select Custom.
  3. Click Edit.
  4. In the Event sources pane, expand Security and select the Security folder.
  5. In the Events pane, select the Event ID you want to monitor, and then click Add.
  6. Click Settings.
  7. View and configure the general settings for the traps to be sent.
    For example, you may choose to control the maximum number of traps to be sent within a specific period of time.
  8. When you are finished, click OK.
  9. Click Properties.
  10. In the Event ID Properties screen, configure the settings in the Generate trap box.
    For example, with Event ID 529, you may want to avoid sending a trap when a password is mistyped once. However, if the password is mistyped more than five times over the course of three minutes, this may indicate a potential intrusion attempt that requires a notification sent to you.
  11. When you are finished, click OK.

The resulting process will parse the Security Event Log file and send a trap when the specified Event IDs are detected. Because evntwin.exe has now been configured, it runs by default when the server is rebooted, without requiring you to be logged in. Below are sample monitor settings:

    Monitor Name: SNMP Trap :: Event trap
    Monitor Type: SNMP Trap
    Community: public
    Allowed IP Address Range (start): 10.0.0.0
    Allowed IP Address Range (end): 10.255.255.255
    Generic Type: Any
    Enterprise OID: 1.3.6.1.4.1.311.1.13.1.*
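The Generate trap setting in the Event ID Properties step is a count-within-a-window threshold. The following added example (not Evntwin.exe or ipMonitor code) models that behaviour for Event ID 529 so you can see why a single mistyped password stays quiet while a burst of six failures inside three minutes produces exactly one trap. The event timestamps are constructed sample values.

```python
"""Model the 'Generate trap' threshold: fire when more than `count` events of
one Event ID occur within `window` seconds (added example, not vendor code)."""
from collections import deque


class TrapThreshold:
    def __init__(self, count=5, window=180):
        self.count, self.window = count, window
        self.times = deque()  # timestamps (seconds) of events still inside the window

    def observe(self, t):
        """Record one event at time t; return True if this event triggers a trap."""
        self.times.append(t)
        while self.times and t - self.times[0] >= self.window:
            self.times.popleft()  # drop events that have aged out of the window
        if len(self.times) > self.count:
            self.times.clear()  # one trap per burst, then start counting again
            return True
        return False


def traps_for(event_times, count=5, window=180):
    """Return the timestamps at which a trap would be sent for a run of events."""
    threshold = TrapThreshold(count, window)
    return [t for t in event_times if threshold.observe(t)]


# Constructed: one typo at t=0, then six logon failures within 40 s starting at t=600.
SAMPLE_529 = [0, 600, 605, 612, 620, 631, 640]

if __name__ == "__main__":
    print(traps_for(SAMPLE_529))  # [640]: the lone typo is ignored, the burst fires once
```

The article's "more than five times over three minutes" maps to `count=5, window=180`; tightening either value trades fewer missed bursts for more noise.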

Verify the monitor settings

The imported Monitor is initially disabled. This allows you to make changes to the default settings before the monitor is enabled to go live in a production environment. After you import the monitor, verify the following monitor settings and adjust if required:

  • Community
  • Allowed IP Address Range (start)
  • Allowed IP Address Range (end)

Configure the SNMP Trap Monitor

This article addresses the pre-configured monitor included in the XML resource download. Alternatively, you can create a new monitor.

  1. Click Monitors and then click Add a Monitor.
  2. Under Multi-Transaction / QA, select SNMP Trap Monitor.
  3. In the Identification window, enter a unique name for the monitor in the Name field.
  4. Click the Add to Group drop-down menu and add the new monitor to a specific group.
  5. Select the Enabled checkbox.

Configure trap filtering

  1. In the Trap Filtering window, enter the SNMP community string that incoming traps must carry for ipMonitor to accept them.
  2. In the Allowed IP Address Range section in the Range Start field, enter the first allowed IP address. This is the start of the range of IP Addresses used to determine which SNMP Traps will be accepted.
  3. In the Range End field, enter the last allowed IP address. This is the last IP address in the address range used to determine which SNMP traps will be accepted.
  4. If you want ipMonitor to validate the allowed IP address range against the agent address carried inside the trap packet (rather than the packet's source address), select the checkbox under the Range End field. Otherwise, leave this checkbox blank.
  5. Click the Generic Type drop-down menu and select the generic type. The incoming generic trap must be one of the predefined SNMPv1 trap types. Any indicates that any of the trap types listed below will be accepted.
    • coldStart(0) signifies that the sending protocol entity is reinitializing itself such that the agent's configuration or the protocol entity implementation may be altered.
    • warmStart(1) signifies that the sending protocol entity is reinitializing itself such that neither the agent configuration nor the protocol entity implementation is altered.
    • linkDown(2) signifies that the sending protocol entity recognizes a failure in one of the communication links represented in the agent's configuration.
    • linkUp(3) signifies that the sending protocol entity recognizes that one of the communication links represented in the agent's configuration has come up.
    • authenticationFailure(4) signifies that the sending protocol entity is the addressee of a protocol message that is not properly authenticated.
    • egpNeighborLoss(5) signifies that an EGP neighbor for whom the sending protocol entity was an EGP peer has been marked down and the peer relationship no longer exists.
    • enterpriseSpecific(6) signifies that the sending protocol entity recognizes that some enterprise-specific event has occurred. The specific-trap field identifies the particular trap which occurred.
  6. In the Enterprise OID field, enter the Enterprise object identifier (OID) that identifies the network management subsystem that generated the SNMP Trap.
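The four Trap Filtering fields above (community, allowed IP range, generic type, Enterprise OID), together with the sample monitor settings shown earlier, fully determine whether a received trap produces an Information Alert. The following added example is not ipMonitor code: it builds an SNMPv1 trap with a minimal BER encoder, decodes it, and applies those filters, including the trailing `*` wildcard on `1.3.6.1.4.1.311.1.13.1.*` and the step 4 choice between the UDP source address and the agent address inside the packet. The sub-arc appended under the Microsoft OID, the specific-trap value 529 and every IP address are constructed sample values.

```python
"""Decode an SNMPv1 trap and apply ipMonitor-style trap filtering (added example,
not ipMonitor code). OID sub-arcs, specific-trap values and IP addresses below are
constructed sample values; only 1.3.6.1.4.1.311.1.13.1.* comes from the article."""
import ipaddress

def _length(n):  # BER definite length
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body
def _int(v):  # non-negative only; the extra byte keeps the sign bit clear
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:  # base-128, high bit set on all but the last byte
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def build_trap(community, enterprise, agent_addr, generic, specific):
    """Encode an SNMPv1 Trap-PDU (RFC 1157) with an empty variable-bindings list."""
    pdu = (_oid(enterprise)
           + _tlv(0x40, ipaddress.IPv4Address(agent_addr).packed)  # IpAddress
           + _int(generic) + _int(specific)
           + _tlv(0x43, b"\x00")  # TimeTicks 0
           + _tlv(0x30, b""))  # no variable bindings
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))

def _read(buf, pos):  # -> (tag, body, next_pos) for the TLV starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_trap(packet):
    """Decode version, community and the Trap-PDU header fields the filter needs."""
    tag, msg, _ = _read(packet, 0)
    _, version, pos = _read(msg, 0)
    _, community, pos = _read(msg, pos)
    ptag, pdu, _ = _read(msg, pos)
    if tag != 0x30 or version != b"\x00" or ptag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, pos = [], 0
    for _ in range(4):  # enterprise, agent-addr, generic-trap, specific-trap
        _, body, pos = _read(pdu, pos)
        fields.append(body)
    ent, addr, gen, spec = fields
    return {"community": community.decode("latin-1"), "enterprise": _decode_oid(ent),
            "agent_addr": str(ipaddress.IPv4Address(addr)),
            "generic": int.from_bytes(gen, "big"), "specific": int.from_bytes(spec, "big")}

GENERIC_TYPES = {"Any": None, "coldStart": 0, "warmStart": 1, "linkDown": 2, "linkUp": 3,
                 "authenticationFailure": 4, "egpNeighborLoss": 5, "enterpriseSpecific": 6}

def oid_matches(pattern, oid):
    """'1.3.6.1.4.1.311.1.13.1.*' accepts that prefix followed by one or more arcs."""
    want, got = pattern.split("."), oid.split(".")
    if want[-1] == "*":
        want = want[:-1]
        return got[:len(want)] == want and len(got) > len(want)
    return want == got

def trap_accepted(trap, source_ip, community, range_start, range_end,
                  generic="Any", enterprise_oid="*", use_agent_addr=False):
    """Apply the monitor's Trap Filtering settings to one decoded trap."""
    if trap["community"] != community:
        return False
    # agent-addr is written by the sender and is not authenticated; the UDP source
    # address is the safer default unless NAT makes it useless (the step 4 checkbox).
    ip = ipaddress.IPv4Address(trap["agent_addr"] if use_agent_addr else source_ip)
    if not ipaddress.IPv4Address(range_start) <= ip <= ipaddress.IPv4Address(range_end):
        return False
    want = GENERIC_TYPES[generic]
    if want is not None and trap["generic"] != want:
        return False
    return oid_matches(enterprise_oid, trap["enterprise"])

# Constructed traps: a Windows host inside 10/8, and an unrelated device outside it.
FILTER = dict(community="public", range_start="10.0.0.0", range_end="10.255.255.255",
              generic="Any", enterprise_oid="1.3.6.1.4.1.311.1.13.1.*")
WINDOWS_TRAP = build_trap("public", "1.3.6.1.4.1.311.1.13.1.1", "10.0.0.25", 6, 529)
OTHER_TRAP = build_trap("private", "1.3.6.1.4.1.9999.1", "192.168.1.5", 6, 1)

if __name__ == "__main__":
    print(parse_trap(WINDOWS_TRAP), trap_accepted(parse_trap(WINDOWS_TRAP), "10.0.0.25", **FILTER),
          trap_accepted(parse_trap(OTHER_TRAP), "192.168.1.5", **FILTER))  # ... True False
```

Two points the code makes explicit: the community string travels in cleartext and, together with the address range, is the only gate on which traps are accepted, so replace the sample value `public` with a site-specific string and keep the range as narrow as your senders allow; and validating against the in-packet agent address (step 4) only makes sense when NAT hides the real source, because that field is whatever the sender chose to put there.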

Configure the Analysis of Test Results window

For this setup, it is not necessary to analyze and filter the incoming traps based on their bindings.

Configure the Notification Control window

The SNMP Trap Monitor uses Information Alerts to notify you that a trap was received. The Information Alert can use the Default Content Generator, or you can create a Custom Content Generator to include the content of the received trap in the Information Alert being sent.

For more information regarding Information Alerts and Content Generators, see Information Alerts in the ipMonitor context-sensitive help. You can access the context-sensitive help by clicking the Help link located in the ipMonitor Administrator web interface.

Monitor additional events

To monitor additional events, see the list of suggested Event IDs below. This list is not a comprehensive list of all available events you can monitor.

  • Event ID 529 : Unknown user name or bad password
  • Event ID 530 : Logon time restriction violation
  • Event ID 531 : Account disabled
  • Event ID 532 : Account expired
  • Event ID 533 : Workstation restriction - not allowed to logon at this computer
  • Event ID 534 : Inadequate rights - as in user account attempting console login to server
  • Event ID 535 : Password expired
  • Event ID 536 : Net Logon service down
  • Event ID 539 : Logon Failure: Account locked out
  • Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
  • Event ID 644 : User account Locked out
  • Event ID 675 : Pre-authentication failed