SNMP Trap monitoring with SCOM 2012 R2




Comments (108)

  1. MWeterings says:

    Please remove/ignore the previous post, I hope this is more readable;

    Hi Kevin,

    Great article! I do have a question though, despite your very clear description.

    Let’s say I want to create an alert based on multiple snmpVarBind conditions. I was hoping to achieve this by separating my expressions by inserting AND in between, but that’s probably not how it should work. SCOM also refuses to import the modified MP. Any ideas?

    This is what I tried;

    [code]

    EventData/DataItem/SnmpVarBinds/SnmpVarBind[7]/Value

    Equal

    99

    AND

    EventData/DataItem/SnmpVarBinds/SnmpVarBind[8]/Value

    Equal

    99

    AND

    EventData/DataItem/SnmpVarBinds/SnmpVarBind[9]/Value

    Equal

    99

    [/code]

  2. Kevin Holman says:

    Are you receiving V1 or V2 traps from the device? What do the traps look like? Does agent-addr contain the same IP address as the discovered device? Have you tested with traps from a Linux box like the article shows?

  3. Kevin Holman says:

    SNMP on the OS should have ZERO bearing on any of this – SCOM does not use the SNMP service on the OS. To accept V1 traps, the rule taking action needs to have the tag removed from the XML, and you need to ensure the community string is the same as the discovered community string. If they are different, add that community string in your list of available community strings, or hard code the string for that rule.

  4. Kapil Dham says:

    Astonishing but true, I see the value under Simple Network Management Protocol in Wireshark for the traps that were received called snmp.community: SNMP_trap but the device has the Read community string totally different. Maybe that seems to be the issue. I added the community string within SCOM and distributed it to the resource pool but still no cigar. Suggestions?

  5. MWeterings says:

    Ah, of course, that makes sense. Better yet, SCOM imports the management pack now without any errors, Thanks Kevin!

  6. Kapil Dham says:

    So finally made it work!!! Took an out of the box approach and changed the community string of the device in question to match the SNMP community string returned by traps as per Wireshark and it piped straight into SCOM console. I had to rediscover the device with new community string, make change to the Alert rule by removing SNMP version dependency as per Kevin’s suggestion by editing the xml file for the MP and worked just fine. Now the device is discovered as an SNMP v2 device, SCOM is able to receive traps as V1 and right into SCOM console.

    Thanks Kevin for a great write-up.

    Regards,

    Kapil Dham

  7. Kevin Holman says:

    Did you make sure you disabled/aren’t running the SNMP TRAP service?
    Is there a chance that you discovered the device using a specific community string – but the trap is sent using a different community string? Look at the community in wireshark.

  8. Kevin Holman says:

    @Martijn –

    Yes, you just need to use the correct expression syntax for an AND statement in XML. There are many examples of this, you could make one just by making an event rule with two event IDs to see an example of the XML. Here is a sample.

    https://msdn.microsoft.com/en-us/library/ee692979.aspx
     
     
     
    <Expression>
      <And>
        <Expression>
          <SimpleExpression>
             <ValueExpression>
               <XPathQuery Type="String">EventData/DataItem/SnmpVarBinds/SnmpVarBind[3]/Value</XPathQuery>
             </ValueExpression>
             <Operator>Equal</Operator>
             <ValueExpression>
               <Value Type="String">12345</Value>
             </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
             <ValueExpression>
               <XPathQuery Type="String">EventData/DataItem/SnmpVarBinds/SnmpVarBind[4]/Value</XPathQuery>
             </ValueExpression>
             <Operator>Equal</Operator>
             <ValueExpression>
               <Value Type="String">foo</Value>
             </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </Expression>
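
Added example (not part of the original thread and not SCOM code): a Python sketch that evaluates a nested And expression like the sample above against a trap data item, so criteria can be checked offline before a management pack is re-imported. The data item layout, the sample OIDs and values, and the rule that a missing varbind never matches are assumptions made for illustration.

```python
"""Offline check of a SCOM-style <Expression> against a sample SNMP trap item.

Added illustration. The DataItem layout is constructed to fit the XPath used
in the thread; real trap items may carry more fields.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The sample expression from the comment above: two conditions inside <And>.
AND_EXPRESSION = """
<Expression>
  <And>
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">EventData/DataItem/SnmpVarBinds/SnmpVarBind[3]/Value</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">12345</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">EventData/DataItem/SnmpVarBinds/SnmpVarBind[4]/Value</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">foo</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </And>
</Expression>
"""


def make_trap(values):
    """Build a constructed trap item with one varbind per value (hypothetical OIDs)."""
    binds = "".join(
        f"<SnmpVarBind><OID>.1.3.6.1.4.1.99999.1.{i}</OID>"
        f"<Value>{escape(str(v))}</Value></SnmpVarBind>"
        for i, v in enumerate(values, start=1)
    )
    return ET.fromstring(
        f"<DataItem><EventData><DataItem><SnmpVarBinds>{binds}"
        "</SnmpVarBinds></DataItem></EventData></DataItem>"
    )


def _resolve(value_expr, item):
    """Return the text a <ValueExpression> refers to, or None if the XPath finds nothing."""
    query = value_expr.find("XPathQuery")
    if query is not None:
        hit = item.find(query.text.strip())
        return None if hit is None else (hit.text or "")
    return value_expr.findtext("Value", "")


def _simple(node, item):
    """Evaluate one <SimpleExpression>; the Type attributes are ignored in this sketch."""
    left, right = (_resolve(v, item) for v in node.findall("ValueExpression"))
    operator = node.findtext("Operator", "").strip()
    if left is None or right is None:
        return False  # assumption: a varbind that is absent never matches
    if operator == "Equal":
        return left == right
    if operator == "NotEqual":
        return left != right
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(expr, item):
    """Evaluate an <Expression> element: And, Or, Not or SimpleExpression."""
    children = list(expr)
    if len(children) != 1:
        raise ValueError("<Expression> must wrap exactly one element")
    node = children[0]
    if node.tag == "And":
        return all(evaluate(e, item) for e in node.findall("Expression"))
    if node.tag == "Or":
        return any(evaluate(e, item) for e in node.findall("Expression"))
    if node.tag == "Not":
        return not evaluate(node.find("Expression"), item)
    if node.tag == "SimpleExpression":
        return _simple(node, item)
    raise ValueError(f"unsupported element <{node.tag}>")


def matches(expression_xml, item):
    """Parse the expression XML and test it against a trap item."""
    return evaluate(ET.fromstring(expression_xml), item)


if __name__ == "__main__":
    print(matches(AND_EXPRESSION, make_trap(["100", "x", "12345", "foo"])))
    print(matches(AND_EXPRESSION, make_trap(["100", "x", "12345", "bar"])))
```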
     
     

  9. Kevin Holman says:

    @SajMo –

    That’s good – with wireshark we know we are receiving the trap. Couple things to check:

    1. If multiple management servers – did you lock down the network monitoring pool to a single MS and that is where traps are going?
    2. Are you receiving traps from a discovered device, that shows up as ICMPSNMP access mode?
    3. Did you strip out the line of code for in the rule to make sure that if we are getting a V1 trap we will still log it?

  10. Kevin Holman says:

    Should work fine. It has to be some data in the trap that is root cause…. most of the time it came down to version (fixed by removing this from the rule) or IP address (agent-addr in trap must match discovered device IP)

  11. Tero Ilenius says:

    Great article! Thanks!

    -Tero

  12. Yeah, thanks Mihai! I was more than confused reading your initial post in my feed reader and was asking myself "man, how did I make that work so often?" 🙂

  13. SajMo says:

    Excellent article. Not worked for me. Wireshark shows SNMP traps but SCOM 2012 still not picking them up even though catch all trap rule set.

  14. SajoMo says:

    Only got one MS, but went ahead and created the resource pool anyway. Yes device discovered as ICMPSNMP. Yes to Q.3.

  15. SajMo says:

    SNMP Service and SNMP Trap are both disabled. Community name is the same as per discovery and what appears in Wireshark.

  16. SajMo says:

    V1 traps are being received in Wireshark. Agent-addr ip has now been added as network device, still no traps showing in SCOM. I am trying to get SCOM to monitor EMC RPA’s which use linux Net-SNMP agent 5.1.

  17. Kapil Dham says:

    Hello Kevin, I have a similar case like SajMo. The traps are getting received by SCOM 2012 R2 instance we have for few devices that are discovered as network device. Alerting is working fine too. The issue is that we discovered a new device that got discovered as SNMP v2. It sends trap using SNMP v1. I forced the discovery to be as a v1 device and it got discovered successfully.

    The issue is that the device is sending traps to one MS in our NMPool and I confirmed the same using WireShark. But not getting into SCOM. Created empty UID alert rule, collection rule and they capture all other traps from other devices but not from this one. One interesting thing you wrote is that to ensure the community string that the device is using should be same as one used to discover device. I can see the trap in wireshark but no reference to the community string within it. Any idea where I can find that info in a sample trap? Will be a big help.
    Thanks. Just to let you know, you are considered a rockstar within my support team!!! Keep up giving back to the community.
    Regards,
    Kapil Dham

  18. SajMo says:

    SCOM discovers my EMC RPA cluster as snmp v2. I know the traps come in as v.1 only as set like that by storage guy. No option for v.2 only v1 and v.3. Is there a way I can configure SNMP on OS to look for v.1 only traps ? SNMP service now running.

  19. Frank says:

    Hi Kevin,

    Several months ago I published how to receive snmp traps from a MS windows based vCenter server on SCOM 2012 R2. Maybe this is worth a try:

    http://www.fricnet.de/scom2012r2-trapreceiver/scom2012r2-trapreceiver.html

    regards,

    Frank

  20. Roy Beard says:

    Thanks so much for this post Kevin! Great job as usual.

  21. Sean Tompkins says:

    Troubleshooting steps –
    1. Is the trap making it to the SCOM server?
    2. Is the originating IP in the "network" discovered section?
    3. Is your rule/monitor targeting "Node"?
    4. Is the SNMP trap received a different version than the device you discovered? (V1, V2) — see editing out the version filter above
    5. Is SCOM listening on the standard SNMP trap port? (If the SNMP service or Trap service is running, likely THEY are grabbing the trap)
    6. Is the originating IP a Windows machine? SNMP will be dropped from any Windows machine.
    7. This one needs tested… but my experience was that once I had installed the SNMP service, even if it was disabled, I still needed to update the Traps and Security sections of the SNMP service properties – I *think* the security section there was blocking some SNMP traffic.

  22. Martijn Weterings says:

    Hi Kevin,

    Great article! I do have a question though, despite your very clear description.

    Let’s say I want to create an alert based on multiple snmpVarBind conditions. I was hoping to achieve this by separating my expressions by inserting AND in between, but that’s probably not how it should work. SCOM also refuses to import the modified MP. Any ideas?

    This is what I tried;

    EventData/DataItem/SnmpVarBinds/SnmpVarBind[7]/Value

    Equal

    2

    AND

    EventData/DataItem/SnmpVarBinds/SnmpVarBind[8]/Value

    Equal

    99

    AND

    EventData/DataItem/SnmpVarBinds/SnmpVarBind[9]/Value

    Equal

    1

    Thanks,
    Martijn

  23. Ben Lambert says:

    THANK YOU! I can’t tell you how many hours I spent trying to get this to work using the various methods found on the internet. I stumbled across this today and had it working in less than an hour.

    If you feel like revising, if you could put in something about HOW to export and import the management pack, that threw me for a little bit (but I found it finally, duh).

  24. Any Linux agent for SNMP to work says:

    Hi Kevin, May we know if there is a need to install any SCOM agent to a linux server for SNMP to work and be discovered in SCOM? The network devices are found in the network devices in SCOM already.

  25. Niki4 says:

    any third party tool to convert MIBs into a MP?

  26. Niki4 says:

    Perfect i will look into that product.

  27. SV says:

    Kelvin, I have 300 Servers to be monitored from SCOM 2012 R2 all are Win2012 R2 and pls can you tell me will it be possible to install the SNMP Services on all the Server and generate the alerts using SNMP, the main reason for this is that the client want to integrate this with BMC Remedy and they want to configure this using SNMP Trap only..

  28. Kevin Holman says:

    @SV –

    My name is Kevin, not Kelvin. This is important in a dialogue. 🙂

    For some reason – the product group decided not to allow SNMP monitoring or traps from another Windows Computer object. These are filtered out. I have heard this is hackable – and you could change this, but I don’t have the info handy.

  29. Andrew says:

    I need to raise SNMP Trap alerts on 100+ OIDs all with ".1.3.6.1.4.1.3167.99.1.1.xxxx"

    Is it possible to create only one rule to capture all the traps to raise alerts?

  30. SV says:

    Dear Kevin, Apologize for the typo error in your name.. Extremely Sorry for that.. 🙂 🙂 Thanks a lot for your immediate response on my post… 🙂 🙂

  31. Kevin Holman says:

    @Andrew – yes – see the "catch all traps" rule – see if the OID is sent as a varbind – then create an expression.

    @SV – no worries. 🙂

  32. Vinayak_Giri says:

    Hi Kevin,

    Another great article. Your blogs always help me. Thank you.

    I have a situation. On one of my gateway servers SNMP service is used by another application. So I have to keep it running.

    I have noticed the event id 12300 –
    Log Name: Operations Manager
    Source: Health Service Modules
    Date: 8/19/2015 7:43:56 PM
    Event ID: 12300
    Task Category: Health Service Module
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: *********
    Description:
    Error: The SNMP Trap port is already in use by another program. Please uninstall or disable other SNMP services.

    One or more workflows were affected by this.

    And then custom rules are failing…
    Is this SNMP service used by another application causing this?

  33. Pacman says:

    Hi Kevin, do you know if these steps can be used to receive SNMP traps from another/different monitoring system running on Windows server since we won’t be able to discover it as a network device?

    Regards,
    MA

  34. Vinayak_Giri says:

    @Pacman,

    Kevin already answered it — "For some reason – the product group decided not to allow SNMP monitoring or traps from another Windows Computer object. These are filtered out."

  35. Marlon says:

    Hi All –

    I am going to monitor a UPS device (Eaton 93E UPS), there’s already an available management pack and it was successfully imported in SCOM. The UPS device was discovered with SNMP v1. Windows SNMP service was uninstalled and SNMP Trap service was already disabled. We have set up the device to send traps and verified that it was also sending SNMP Trap under v1 but unfortunately SCOM did not receive any traps. We are using network monitor to trace the trap and found that it was received by the MS but did not see it on SCOM.

    Am I missing anything here?

    Thanks!

    Marlon

  36. Please ignore my post above because I have found the root cause of the problem. The protocol that the device used to communicate back to the management server is port 162 and we have manually assigned it with port 161.

    Thanks Kevin for this very helpful blog! More power!

  37. CyrAz says:

    Hi Kevin,

    I’ve added two new MS to my management group, added them to my "network monitoring" resource pool but they don’t seem to enable their "snmp trap receiver" feature…
    I can see using wireshark that they receive snmp traps, but their answer is "port unreachable".
    "Netstat -na | findstr 162" shows that they are not listening on port 162.

    Am I missing something here? For now, the traps are still received by the old MS but I’ll have to take it offline sooner or later, so I need my new MS to be able to receive traps as well.

    Any idea?

    Thanks!

  38. Kevin Holman says:

    @Cyraz –

    Try changing your network device discovery to be run by a new MS. I believe only the MS that discovers the SNMP device will listen for traps.

  39. CyrAz says:

    Done that in the first place as it was part of my "migration process", and re-ran the discovery rule.
    I just did it again and I do have events showing that this has been taken into account such as 12121/12127/12003/12004 (topology cleared/proceeding to discover/probing/probing completed), but it’s still not listening on udp 162…

  40. CyrAz says:

    (thanks for this incredibly fast answer, though!)

  41. Dan_IT says:

    Hi Kevin,
    Nice work with this custom SNMP Alerting, exactly what I needed 🙂

    I followed to the letter what you did and it worked like a charm, I’d like to push this further, and I am wondering if you could help.
    We are trying to monitor Tripp Lite batteries, and it works well, i.e.:
    Trap filtered to the OID of the batteries, limiting the "spam" on the trap, which is perfect.
    Made an alert like you explained and when we unplug the battery we get an alert
    $Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[5]/Value$ >> it Reports "On Battery", meaning the power is off, which is great

    Now I have noticed there is an Alert Suppression button on the Alerting page, so my question is this.
    How can I have this alert resolve automatically when I plug back the power… It reports "On Utility power" with the same varbind.
    I dunno much about xml programming unfortunately, so I don’t know how to capture in a variable and pass it in the expression to suppress the alert, or the steps required, if any, to modify the MP for it to work.

    Thanks

  42. justin says:

    What about the HP Storage, Proliant and Blade MP?
    In my environment they all throw out SNMP and require snmp config of the trap service. How do you set those up now?

  43. sam says:

    Excellent Article. It worked for me. One doubt, when the alert triggered, within 1 minute it is moving to closed state. What is the reason for that?

  44. Anonymous says:

    I previously wrote about using the network device monitoring in SCOM here:
    http://blogs.technet.com/b

  45. Harun Akboga says:

    If the Device is not discoverable (like DELL TPAM), it does not allow incoming PING or SNMP, how to manually add the device anyway? Even if they are not discoverable.
    Harun Akboga

  46. Md Nur Hossain says:

    Thanks. Nice Article.

  47. Cloud-Ras says:

    Kevin, i’m a fan of your blogs 🙂

  48. Bob Compono says:

    This is a really old entry and my question is a little off topic, but what if you have SNMP trap messages being sent from an application running on another server, in my case AIX and Linux? Is there no way to simply set up SCOM to listen for traps from a particular address? The server doesn’t run SNMP as it’s not needed just to send trap messages, so it can’t be discovered by SCOM.

  49. Kevin Holman says:

    @ Bob Compono –

    SCOM unfortunately must discover an object in order to receive traps from it. I dislike this requirement, and if I ever find time, I think we can add network devices on our own via script based discovery. I was planning on showing an example of that, using scripts to read a CSV file, and discover network objects for just this very purpose, bypassing the interrogation method that is built into SCOM.

  50. Hi,

    I want to send SNMP trap from SCOM 2012 R2 to Nagios, how can I do that? I think the above code is for receiving trap to SCOM.
    Can anybody tell me how to send snmp trap from SCOM to Nagios, please?
    Thank You.

  51. Ash says:

    Great article but I have a few questions if anyone can help answer these that would be great.

    1. Will this work with systems using SNMP V3 ?

    2. How is this setup where the devices to be monitored are behind a firewall and the management servers are located in different DMZ ? Can gateway be used ?

    1. Kevin Holman says:

      @ Ash –

      Great article but I have a few questions if anyone can help answer these that would be great.

      1. Will this work with systems using SNMP V3 ?

      SNMP V3 devices are supported.

      2. How is this setup where the devices to be monitored are behind a firewall and the management servers are located in different DMZ ? Can gateway be used ?

      Yes, in a firewall scenario where a management server does not have SNMP access to a device, we support using Gateways in network monitoring resource pools to manage firewalled devices.

      1. Henrik Andersen says:

        When you say V3 devices are supported. Does that apply to V3 traps? Can only find articles that say it does not. Will V1/V2 traps work with devices discovered with snmp V3?

        1. Mace says:

          Hi Henrik,
          SCOM 2012 does not and even SCOM 2016 does not (MS Request No.117021415314872). You can discover and monitor v3 devices, but you cannot catch their (v1/v2/v3) traps with SCOM 201x. Maybe we should vote that up to make it happen one day:
          https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback/suggestions/12332553-support-for-snmp-v3-traps

  52. Woodall77 says:

    To potentially save some poor fellow an hour or two, if you can’t reimport your MP after making the Condition changes, check your references to ensure that the “System” Alias is present against the System Library. I was saving my test Rules to general use, full of crap, Management Pack, which had that MP in already as a reference, but with a different Alias

  53. Sumi says:

    Hi Kevin,
    Thanks for this article,
    I couldn’t find the class “node” when creating the rules for the SNMP event trap.
    Instead i could see the below in the rule target when search for Node.

    Dell Sled Server Node
    Dell Sled Server Node with Operating system
    Dell sled Server Node without Operating system
    Dell Windows Sled Server Node

    1. Sumi says:

      Please ignore my previous post. I could find it.
      I searched in view common target instead of view all targets.
      Thanks.

  54. lchua says:

    Is there any link that shows how to insert expression for SCOM 2007R2 same as SCOM 2012 in the SNMP rule?

  55. lchua says:

    I have force discovered windows based server as v1 to receive traps from vcenter.. I receive traps from both vcenter but only 1 of them is published into SCOM. Both are using the same rule and the traffic is captured via wireshark. Anywhere I need to check??

  56. Mark Derouen says:

    Ever needed to create a report on all the SNMP events you collect? I need to and can’t seem to display any data. Trying to run a report on all traps received for a specific node. Tried from inside the console running a report on events where I target the object node and limit it to the specific device I want to report on.. “No go”, so then I search on the trap receiver server for an event log named SNMPEvent, and that doesn’t exist, so I search all the common logs for event ID 1501, and you guessed it, nada. Kind of stumped here.

  57. SergIT says:

    Hello, Kevin!

    I don’t understand this step:
    – Now increment the XML version of the MP in the Manifest section, and re-import the MP. This will limit confusion and SNMP version issues down the road.

    Could you explain?

    1) Export MP to XML
    2) Delete /
    3) Re-import MP – on this step error, that MP already present in system.

    1. SergIT says:

      Fuf it works! After few days and install test ubuntu 🙂

      In my questions:
      1) go administration-> management pack -> export created MP
      2) delete “version” as in article
      3) change “version” in manifest 1.0.0.0 -> to 1.0.0.1
      4) Import xml to SCOM

      Thanks Kevin! Good job!

  58. Dexter says:

    Hi Kevin, Is it possible for using SNMP trap to calculate HP storage capacity? If yes, could you please help with the procedure?

  59. Vance says:

    Fantastic article 🙂

    One issue I did run into was the listener didn’t start quickly on port 162. I left it over night and it started, also found a reboot will start it if you cannot wait.

  60. Vance says:

    Hi Kevin, I’ve been trying to setup a trap based monitor to capture if an appliance’s services are down or not (has 3 services that run). I have it working as a rule without any issues but when I try and recreate it via a monitor I have no success at all.

    Below is a trap captured in SCOM using your method in this post.

    Object Identifier                   Syntax     Value
    .1.3.6.1.2.1.1.3.0                  Timeticks  1167094645
    .1.3.6.1.6.3.1.1.4.1.0              Oid        .1.3.6.1.4.1.23365.10000.0.1051
    .1.3.6.1.4.1.23365.10000.7.1.1.1    Integer    1

    I’m trying to set up the monitor using the expression below while having the “First SnmpTrapProvider” blank.

    SnmpVarBinds/SnmpVarBind[OID=”.1.3.6.1.4.1.23365.10000.7.1.1.1”]/Value

    Any insight as to why this isn’t working?

    1. Kevin Holman says:

      If you are using the UI – to create the monitor – there is a bug:

      https://social.technet.microsoft.com/Forums/systemcenter/en-US/282b61e6-69d9-4bd4-ba14-a9d43a40d093/snmp-integer-value-convert?forum=operationsmanagergeneral

      It defaults to string – and you cannot use an integer based expression with string – so you have to do some XML edits (see link above)

      1. Vance says:

        Thanks for your reply Kevin.

        I did try changing it but it still doesn’t trigger with the OID.

        SnmpVarBinds/SnmpVarBind[OID=”.1.3.6.1.4.1.23365.10000.7.1.1.1”]/Value

        Equal

        1

        SnmpVarBinds/SnmpVarBind[OID=”.1.3.6.1.4.1.23365.10000.7.1.1.1”]/Value

        Equal

        0

        I did get it working by using “SnmpVarBinds/SnmpVarBind[3]/Value” but this doesn’t allow me to monitor all 3 services individually.

  61. Mark Derouen says:

    I have had SCOM as a trap receiver for a while now. We introduced some re-provisioned switches which were monitored from another system, and that system was trying to connect to these switches after we changed the community name on the switches. Over 1 million failed auth traps. We have fixed the other system to quit trying to authenticate to the switches and now I would like to clear out all the 1 million + traps. Any idea on how to do this since the health service is the trap receiver? I can’t find anywhere these traps are stored. Clearing the health service state folder didn’t work. Any ideas?

    1. Kevin Holman says:

      Not sure I understand.

      Where is the “problem”? What do you want to delete?

      1. Mark Derouen says:

        I had over 1 million traps sitting in my view for All SNMP Traps. I corrected this by tuning the days to keep events in Administration\Settings\Database Grooming.

      2. Jesty says:

        Hi Kevin,

        We have SNMP monitoring configured and we would like to exclude a few alerts triggered with a few keywords. Is this achievable?

  62. Jesty says:

    We have created a SNMP rule to monitor autosys jobs based on OID’s. We want to exclude few jobs from alerting from these rules. Is there an option to exclude few job failures from alerting?

    1. Kevin Holman says:

      Yes – you would simply add criteria where varbind (n) doesn’t contain or doesn’t equal “foo” in your rule.

      1. Jesty says:

        Thanks Kevin 🙂

  63. Erik says:

    Hi Kevin,

    Thank you for your clear step-by-step guide. I followed every step in detail, including testing from an ubuntu box. Small recap:
    – Ubuntu box is discovered as an snmp device, using snmp version 2c.
    – Wireshark shows incoming version 2c traps on the management server
    – Even though both traps and discovery are using the same version I filtered out the version requirement using the suggested export/edit/import method
    – I verified the snmp trap service is disabled on the management server
    – ‘netstat -ano’ shows UDP port 162 and a process ID, ‘get-process’ shows the corresponding process is monitoringhost
    However, the traps don’t appear in the console. To me it seems like the rule doesn’t process the incoming traps.

    What to do now?

    1. alexander says:

      Exactly the same problem. The port listens to the process, but there are no events.
      What to do?

      1. hnnycs says:

        Same problem here, any idea Guys?

  64. Adrien says:

    Thanks for the article very helpful.
    I succeeded to receive SNMP traps on my SCOM console. Those traps are generated by a third party application on a Linux system. The application is configured to send SNMP traps to 1 of my management servers. But what will happen if this management server falls down? I’ve got two others in the same resource pool but they don’t receive the SNMP traps…

    Any idea how I can manage the failover?

    Thanks in advance for your help.

    Adrien

    1. Kevin Holman says:

      In order to have high availability – you must send traps to all IP addresses of all servers in the resource pool.

      1. Adrien says:

        Hi Kevin,

        Thanks for your quick reply. Yes it’s what I thought, we will try this.

        Adrien

      2. Adrien says:

        Hi Kevin,

        After some tests it seems that SCOM only catches SNMP traps from the MS which discovered the device. I’ve got three management servers in the same “Network resource pool” with the community string distributed on each one. But only one received the traps…

        Any idea ?

        Thanks in advance !

        1. Kevin Holman says:

          I already commented on this above.

          It is NOT the MS that discovers the device. It is the MS that HOSTS the device. If you have three MS in a pool hosting network devices, you must send the traps to ALL THREE Management servers, because of load balancing the network device object could be hosted on any of the management servers at any given time.

  65. Jonathan DeLong says:

    Hi Kevin, wondering if you can give me some help on an SNMP trap issue.

    I’ve done these steps I believe, but I also followed your other guide on setting up a Windows Server as an SNMP device.

    I did those steps, and I have my VEEAMONE server setup as an SNMP node in SCOM 2012 R2. I have several other SNMP devices as well. Confirming through Wireshark, I am getting the traps sent to my SCOM management server, but I am not getting the alerts showing up in my event view, but I am with the other SNMP traps I send.

    Help!! SCOM is not in production, but we are probably migrating towards it soon and need to be able to get these alerts sent from VEEAM ONE

  66. Hsanchez says:

    Hi! Need an example that SCOM2012 Sends Traps to another system…. Is it Possible?

  67. John Sandman says:

    Hello,

    will this work with SCOM 2016 on Windows server 2016?

    Thanks

  68. hnnycs says:

    Hello,

    Will This Work on Windows Server 2016 (SCOM2016 as well)?

    Thanks

  69. Thomas Frimo says:

    I have tried this, but it does not work. I even tried your MP. I can see in NETMONITOR that the traps go with the same community string, but the rule does not show any of them. 🙁

    1. Kevin Holman says:

      Did you place ONLY a single management server in the resource pool used for network monitoring?

      1. Thomas Frimo says:

        Yes, I did, but doesn’t work. I have two MGMT, but only one in resource pool. 🙁

      2. hnnycs says:

        I got it, problem was with local firewall. Now it’s working perfectly!!
        Thanks

        1. Hi –

          May I know what firewall settings did you check for this? We are also experiencing same issue in SCOM 1807.

          Thanks!

        2. Hi –

          Is this the local firewall you have modified?

          Operations Manager SNMP Response (disabled in our MS)

          Thanks!

  70. Breezer says:

    Has this been tested in SCOM2016 UR3? I’m trying to get SNMPv1 traps from a windows machine where commvault sends traps.

    I already enabled windows device discovery as network devices. So the device is discovered as a network device (SNMPv2). I have captured traffic with wireshark and confirms that the traps arrive at the ManagementServer. I followed the procedure of creating a view for all events and then removing the to be able to catch SNMPv1. But I can’t display it in events view.

    I have also imported the MP “demo – SNMP monitoring” to see if I messed up somewhere. But there I cannot see the events either. When I look at the events that are actually displayed it are all SNMPv2 events. But not the SNMP traps I’m looking for. The Wireshark displays the traps as SNMPv1 traps. So I think there should be the issue. I checked the MP XML again for version tags, but they are all removed. Any suggestions on where to look to get the SNMPv1 traps from a windows machine in my console?

    1. Kevin Holman says:

      Make sure in your network resource pool you only place ONE of your management servers while testing. If you have more than one MS, you don’t know which MS is hosting your network device. That is the MS which must receive the traps, otherwise you must send your traps to ALL management servers in the network devices resource pool.

  71. Miguel says:

    For processing vast amounts of SNMP traps an efficient solution is to have a Linux machine receiving the traps. This server is monitored by SCOM and then we use the SCOM agent to send the resulting SNMP alerts to the SCOM itself… More details at https://scomart.blogspot.pt/2017/10/using-linux-machine-for-receiving-snmp.html

  72. Nikolay Hristozov says:

    Hi Kevin,

    Any idea why I don’t have the Node monitoring target, when I try to create the rule? I am running SCOM 2012 R2.

  73. Mr2urbo says:

    Hi Kevin,

    First thank you for the great article. I was wondering if you can help. I have SCOM 2016 environment with 2 mgmt servers in a pool. I imported your MP and tested test trap, which worked for v2. But for snmp devices that are discovered with snmp version 1, I’m not able to receive any alerts or traps. I ran wireshark and I can see the traps going through. I ran a test using this article (https://michelkamp.wordpress.com/2012/07/02/how-to-check-if-a-snmp-trap-is-received/) and I was able to verify the scom server is receiving the traps. I have tried it with 1 mgmt server in my snmp pool and still not registering in All SNMP Traps and All SNMP Alerts. I have tried creating a new one receive all event trap with specific OID and nothing coming through All SNMP Traps and All SNMP Alerts. I verified the MP you have didn’t have the version tag, which is good. I verified no firewall on windows or any type of appliance firewall between the snmp device and scom mgmt server. Anything else to try?

    1. Mr2urbo says:

      I fixed my own issue. Just thought I’d share. After reading this article https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2014/02/14/opsmgr-customizing-the-snmp-trap-collection-rule-for-all-snmp-version-traps/
      which I believe I found here while reading someone else’s post. The line/note below.
      “Note: The field requires an input value in order to complete the rule creation. However, a dummy input value can be entered first and removed later by modifying the rule configuration in the Operations Console.”

      So what I did, just out of curiosity: I edited Kevin’s rule “Collect all traps” and entered a dummy OID, then waited for a min or 2. Then I removed the dummy OID and sent another test trap that has SNMP v1, and I was immediately receiving the traps!
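Several comments in this thread come down to checking whether a received trap is SNMPv1 or v2c, which community string it carries, and whether agent-addr matches the discovered device. The added example below (not part of any comment or of the article's management pack) decodes those fields from a raw trap datagram with a small BER reader; the sample datagrams, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import ipaddress

VERSIONS = {0: "v1", 1: "v2c"}
PDUS = {0xA4: "Trap-PDU", 0xA6: "InformRequest-PDU", 0xA7: "SNMPv2-Trap-PDU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def trap_header(datagram):
    """Decode version, community, PDU type and (v1 only) agent-addr."""
    tag, msg, _ = read_tlv(datagram, 0)
    vtag, ver, pos = read_tlv(msg, 0)
    ctag, community, pos = read_tlv(msg, pos)
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    info = {"version": VERSIONS.get(int.from_bytes(ver, "big"), "unknown"),
            "community": community.decode("latin-1"),
            "pdu": PDUS.get(pdu_tag, hex(pdu_tag)), "agent_addr": None}
    if pdu_tag == 0xA4:  # v1 Trap-PDU starts with enterprise OID, then agent-addr
        _, _, p = read_tlv(pdu, 0)
        atag, addr, _ = read_tlv(pdu, p)
        if atag == 0x40 and len(addr) == 4:
            info["agent_addr"] = str(ipaddress.IPv4Address(addr))
    return info

def findings(info, device_ip, communities):
    """Compare a decoded trap with what the receiver was configured to expect."""
    checks = [(info["community"] not in communities, "community not in configured list"),
              (info["agent_addr"] not in (None, device_ip), "agent-addr != discovered IP")]
    return [text for failed, text in checks if failed]

# Constructed sample datagrams (not captures from the thread).
V1_TRAP = bytes.fromhex("30280201000409") + b"SNMP_trap" + bytes.fromhex(
    "a41806052b060104014004c000020a0201060201014301003000")
V2C_TRAP = bytes.fromhex("30180201010406") + b"public" + bytes.fromhex("a70b0201010201000201003000")
```

Pass it the UDP payload exported from a packet capture. SNMPv3 messages are rejected because they carry no community string.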

  74. Hi Kevin,

    Is it possible, using a SNMP probe monitor, to set a minimum amount of time the data source must be in breach condition to generate an alert?

    We have configured IP SLA in our Cisco routers, and this feature gives me an OID with a specific value. The monitor has been created, however I need to find a way to generate alerts only after 3 consecutive reads above defined SLA, which is not working. The monitor runs every 2 minutes, so using my logic an alert should be generated only after 6 minutes out of defined threshold, but I did not find any option for this.

    Do you know how I can implement this on this monitor?

  75. mm79 says:

    Hi Kevin

    I managed to get SCOM to alert on SNMP traps generated by hardware issues on HP Gen 10 servers. Is there a limit to the number of traps that can be received by a 3 server resource pool before it would start having an impact on ‘normal’ monitoring?

    Thanks

    1. Kevin Holman says:

      I doubt anyone knows the answer to that question. I would expect the amount of traps capable to be inspected to be incredibly high. The number of traps converted into alerts per second would also be very high, just as if this were an agent generating alerts…. but if a single rule generates more than 50 alerts in 60 seconds it will be temporarily disabled by SCOM.

  76. Hi Kevin –

    Thanks a lot for this blog, it helps us customize SNMP monitoring in SCOM.

    We are already in the stage of upgrading SCOM 2012 R2 to SCOM 1807. Upon our testing of management packs, we cannot get SNMP trap monitoring to work in SCOM 1807.

    We used the MS Network Monitor tool and confirmed that the trap was successfully sent to the SCOM server, however it is not reflected in the SCOM console.

    Your help is highly appreciated.

    Thanks.

    Marlon

    1. Hi Kevin –

      I have tried enabling the firewall settings below and SCOM 1807 is now receiving SNMP Traps.

      netsh advfirewall firewall set rule name="Operations Manager SNMP Response" new enable=yes
      netsh advfirewall firewall set rule name="Operations Manager SNMP Trap Listener" new enable=yes

      Will consult this with our Server Team.

      Thank you all!
