How to generate readable alerts based on SNMP traps in MOM 2005

This article describes how to configure a Microsoft Operations Manager 2005 Management Server or a MOM 2005 Agent to generate a readable alert when an SNMP trap is received. This allows you to monitor SNMP-enabled devices and applications by configuring them to send traps to MOM. The article does not cover sending SNMP traps from MOM 2005 to a third-party ticketing system as an alert response.

MOM 2000 documentation describes how to generate a MOF file from a MIB using smi2smir.exe, compile the MOF, and use the SNMP WMI Provider to translate received traps into alerts. This process is unreliable and unnecessary. smi2smir.exe is a Windows 2000 utility that is no longer supported, and it doesn't work with most newer MIB files because the standard has been updated since smi2smir.exe was developed.

This article contains a VBScript that will parse a trap received by the SNMP WMI Provider. You can use the script as a response in a MOM 2005 rule. The script will generate an event with a numbered list of every parameter in the trap.

Once you know the event parameters, you can modify the rule to generate an alert with the desired parameters in the Alert Source, Alert Description and Custom Fields.

To use the script, install the SNMP Service and WMI SNMP Provider on the management server or agent that will act as the trap catcher. To do this on Windows Server 2003, open Add or Remove Programs, click Add/Remove Windows Components and select the Simple Network Management Protocol and WMI SNMP Provider components from the Management and Monitoring Tools category. To do this on Windows Server 2008, open Server Manager, click Add Features and select SNMP Service and SNMP WMI Provider in the Add Features Wizard.

The next step is to configure the service to receive traps from the SNMP device(s). To do this, open the Services snap-in, double-click the SNMP Service, click the Security tab and add the community name and IP address of each monitored SNMP device under "Accepted community names" and "Accept SNMP packets from these hosts", respectively.
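One way to review the Security tab settings from the step above is to read them back from the registry. The script below is an added example, not part of the original article; it assumes it is run with cscript.exe on the trap catcher, and the file name in its header comment is hypothetical.

```vbscript
Option Explicit
' Added example, not from the original article. Run on the trap catcher:
'   cscript //nologo CheckSnmpSecurity.vbs   (file name is an assumption)
Const HKLM = &H80000002
Const SNMP_PARAMS = "SYSTEM\CurrentControlSet\Services\SNMP\Parameters\"
Const RIGHTS_READ_WRITE = 8   ' rights data: 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE

Dim oReg, aNames, aTypes, i, nRights, sHost, rc

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' "Accepted community names": value name = community, DWORD data = rights.
rc = oReg.EnumValues(HKLM, SNMP_PARAMS & "ValidCommunities", aNames, aTypes)
If rc <> 0 Then
    WScript.Echo "SNMP Service registry key not found (is the service installed?)"
    WScript.Quit 1
End If
WScript.Echo "Accepted community names:"
If IsArray(aNames) Then
    For i = 0 To UBound(aNames)
        oReg.GetDWORDValue HKLM, SNMP_PARAMS & "ValidCommunities", aNames(i), nRights
        WScript.Echo "  " & aNames(i) & "  (rights value " & nRights & ")"
        If LCase(aNames(i)) = "public" Or LCase(aNames(i)) = "private" Then
            WScript.Echo "    REVIEW: well-known default community name"
        End If
        If nRights >= RIGHTS_READ_WRITE Then
            WScript.Echo "    REVIEW: write access is not needed to receive traps"
        End If
    Next
Else
    WScript.Echo "  (none)"
End If

' "Accept SNMP packets from these hosts": REG_SZ values named 1, 2, 3, ...
rc = oReg.EnumValues(HKLM, SNMP_PARAMS & "PermittedManagers", aNames, aTypes)
WScript.Echo "Accepted hosts:"
If rc = 0 And IsArray(aNames) Then
    For i = 0 To UBound(aNames)
        oReg.GetStringValue HKLM, SNMP_PARAMS & "PermittedManagers", aNames(i), sHost
        WScript.Echo "  " & sHost
    Next
Else
    WScript.Echo "  (none) REVIEW: with an empty list the service accepts packets from any host"
End If
```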

After you install and configure the service, create an event rule to run the VBScript response when an SNMP trap is received.

When you create the rule, select the rule type "Alert on or Respond to Event (Event)". For "Provider name", select SNMP Trap Catcher. Do not make any changes on the Criteria, Schedule, Alert and Alert Suppression tabs. On the Responses tab, click Add and then click "Launch a script". For "Script name", click New. Enter a name for the script, such as SNMP Trap Response. Click Next and paste the contents of the script below:

Option Explicit
Const EVENT_TYPE_INFORMATION = 4
Dim oTrap, oEvent, sComputer, sDomain, i, sDescription

' The trap that triggered the rule, and a new MOM event to report it
Set oTrap = ScriptContext.Event
Set oEvent = ScriptContext.CreateEvent()
sComputer = ScriptContext.TargetNetbiosComputer
sDomain = ScriptContext.TargetNetbiosDomain

' Build a numbered list of every parameter in the trap
For i = 1 To oTrap.EventParameterCount
    sDescription = sDescription & Chr(13) & "Parameter " & i & ": " & oTrap.EventParameter(i)
Next

' Submit the list as informational event 1349 from "SNMP Trap Catcher"
With oEvent
    .EventSource = "SNMP Trap Catcher"
    .EventNumber = 1349
    .EventType = EVENT_TYPE_INFORMATION
    .LoggingComputer = sComputer
    .LoggingDomain = sDomain
    .Message = sDescription
End With
ScriptContext.Submit(oEvent)

Set oEvent = Nothing
Set oTrap = Nothing

Create a computer group that contains only the trap catcher and associate the computer group with the rule group where you created the rule.

You can use trapgen.exe to generate test traps, if necessary. The following Web site has download links and a user guide:

https://www.ncomtech.com/trapgen.html

When you send a trap to the trap catcher, the script will submit a MOM event. You will see the event in the Events view of the MOM 2005 Operator Console. The Source will be "SNMP Trap Catcher" and the Event Number will be 1349. The Description will contain a numbered list of the event parameters. View the list to determine which event parameters you are interested in.

Once you know the event parameters, double-click the rule to modify it. On the Responses tab, select the script response and click Remove. On the Alert tab, enable the "Generate alert" option. Delete $Source Name$ and $Description$ from the "Alert source" and Description boxes. Click the arrow buttons to add the desired fields and parameters from the event.

On the Alert Suppression tab, enable the boxes for Alert Description and Alert Source, if desired. This way, traps with unique values will generate new alerts instead of updating the repeat count.

Be aware that alerts generated this way will only return the first 25 parameters of the SNMP WMI event. If you need Parameter 26 or above to be in the alert, you have to use a script to generate the alert. In this case, disable the "Generate alert" option in the rule and use a script response that submits an alert with the desired event parameters. Here is an example script:

Option Explicit
Dim oEvent, oAlert, sDescription

' The trap that triggered the rule
Set oEvent = ScriptContext.Event
sDescription = "The interesting value from the trap is: " & oEvent.EventParameter(26)

' Create and submit the alert
Set oAlert = ScriptContext.CreateAlert()
oAlert.Name = "SNMP Trap Received"
oAlert.Description = sDescription
oAlert.AlertLevel = 50          ' 50 = Critical Error
oAlert.Owner = "[unassigned]"
oAlert.ResolutionState = 0      ' 0 = New
ScriptContext.Submit(oAlert)

Set oEvent = Nothing
Set oAlert = Nothing
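Because the rule's Criteria tab is left unchanged, every trap from the SNMP Trap Catcher provider reaches the script response, including traps with fewer than 26 parameters. The variant below is an added example, not part of the original article: it checks the parameter count first and cleans the value before it goes into the alert. PARAM_INDEX, MAX_LEN and the CleanValue helper are assumptions made for illustration.

```vbscript
Option Explicit

' Added example (not from the original article). PARAM_INDEX and MAX_LEN are
' assumed values; take the index from the numbered list in event 1349.
Const PARAM_INDEX = 26
Const MAX_LEN = 512
Const ALERT_LEVEL = 50   ' same level as the article's script

Dim oEvent, oAlert, sValue

Set oEvent = ScriptContext.Event

' A trap with fewer parameters than PARAM_INDEX can reach this script.
' Skip it instead of failing at run time on a missing parameter.
If oEvent.EventParameterCount >= PARAM_INDEX Then
    sValue = CleanValue(oEvent.EventParameter(PARAM_INDEX), MAX_LEN)

    Set oAlert = ScriptContext.CreateAlert()
    oAlert.Name = "SNMP Trap Received"
    oAlert.Description = "The interesting value from the trap is: " & sValue
    oAlert.AlertLevel = ALERT_LEVEL
    oAlert.Owner = "[unassigned]"
    oAlert.ResolutionState = 0
    ScriptContext.Submit oAlert
    Set oAlert = Nothing
End If

Set oEvent = Nothing

' Trap contents arrive from the network: cap the length and replace
' control characters with spaces before the text is shown to an operator.
Function CleanValue(vRaw, nMax)
    Dim s, i, c, sOut
    s = CStr(vRaw & "")              ' Null or Empty becomes ""
    If Len(s) > nMax Then s = Left(s, nMax) & "..."
    sOut = ""
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If AscW(c) >= 0 And AscW(c) < 32 Then c = " "
        sOut = sOut & c
    Next
    CleanValue = sOut
End Function
```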

Michael Sadoff | Senior Support Escalation Engineer
