SNMP Traps - Low Diskspace Notification from Windows
Things change over time, so the infrastructure has to be solid and generic. DNS helps here: base ACLs on DNS names rather than on IPs, serve the names of internal network devices from private (internal) DNS servers, and use A records for hosts and CNAMEs for services, e.g. a CNAME such as snmpagent.yourdomain referenced in the ACLs, so a host can be replaced without touching every ACL. The caveat is that a name-based ACL is only as trustworthy as the resolver the device uses, so keep those private zones under your own control and never resolvable from, or forwarded to, the public Internet.
SNMP Services @ Windows
1. Install the SNMP Service (a Windows feature; the SNMP Trap service is the receiver side and is not needed here).
2. Protect it, preferably by DNS name. When a poller connects, the Windows SNMP service checks the sender against its "accept SNMP packets from these hosts" list by resolving each listed name itself, and it applies the machine's DNS suffix search list (primary suffix plus any configured suffixes) while doing so, so a short name in the list can match more than you intended; prefer fully qualified names. Keep in mind that the community string still travels in clear text with SNMP v1/v2c, so the host list is defence in depth, not authentication.
3. Specify the trap destination (Traps tab: community name and destination host), preferably by DNS name.
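The three steps above as one script, added here as an example (this is not code from the original post); it drives the registry keys the SNMP service GUI writes. The host names, community strings and registry permission value (4 = READ ONLY) are assumptions for illustration; substitute your own names.

```powershell
# Added example: install and lock down the Windows SNMP service as steps 1-3 describe.
# Names and communities below are placeholders (assumptions), not values from the post.
#Requires -RunAsAdministrator

$Community     = 'mon-ro-c0mmunity'             # assumption: read-only community used by the poller
$TrapCommunity = 'mon-trap-c0mmunity'           # assumption: community carried by outgoing traps
$Pollers       = @('snmppoller.corp.example')   # assumption: FQDNs (A/CNAME) of permitted managers
$TrapServer    = 'snmptrapd.corp.example'       # assumption: CNAME of the snmptrapd host

# 1. Install the SNMP service: a feature on Windows Server, a capability on Windows 10/11.
if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    Install-WindowsFeature -Name SNMP-Service | Out-Null
} else {
    Add-WindowsCapability -Online -Name 'SNMP.Client~~~~0.0.1.0' | Out-Null
}

$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# 2a. Communities: recreate the key so stale defaults such as "public" disappear.
#     Value data: 1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE.
$valid = Join-Path $Params 'ValidCommunities'
Remove-Item $valid -Recurse -ErrorAction SilentlyContinue
New-Item $valid -Force | Out-Null
New-ItemProperty -Path $valid -Name $Community -PropertyType DWord -Value 4 | Out-Null

# 2b. Permitted managers, by DNS name. An EMPTY key means "accept from any host",
#     so always write at least localhost plus the pollers; entries are named "1", "2", ...
#     The service resolves these names itself (suffix search list included), so the
#     ACL is only as strong as the DNS this box trusts: use fully qualified names.
$managers = Join-Path $Params 'PermittedManagers'
Remove-Item $managers -Recurse -ErrorAction SilentlyContinue
New-Item $managers -Force | Out-Null
$i = 1
foreach ($h in @('localhost') + $Pollers) {
    New-ItemProperty -Path $managers -Name $i -PropertyType String -Value $h | Out-Null
    $i++
}

# 3. Trap destination, under a subkey named after the community the traps will carry.
$trapRoot = Join-Path $Params 'TrapConfiguration'
Remove-Item $trapRoot -Recurse -ErrorAction SilentlyContinue
$trapKey = Join-Path $trapRoot $TrapCommunity
New-Item $trapKey -Force | Out-Null
New-ItemProperty -Path $trapKey -Name 1 -PropertyType String -Value $TrapServer | Out-Null

# Send an authenticationFailure trap when someone uses a wrong community:
# a scanner probing the agent then shows up at snmptrapd instead of going unnoticed.
Set-ItemProperty -Path $Params -Name EnableAuthenticationTraps -Value 1 -Type DWord

Restart-Service -Name SNMP

# Checks: the names we enforce must resolve from THIS box, and the manager list
# must contain what we think it does (an empty list would silently open the agent).
foreach ($h in ($Pollers + $TrapServer)) {
    Resolve-DnsName -Name $h -ErrorAction Stop | Select-Object Name, Type, IPAddress
}
Get-ItemProperty -Path $managers | Select-Object * -ExcludeProperty PS*
```

Run it elevated. The `Resolve-DnsName` output is worth reading once: if a short name resolves only because a search suffix was appended, write the fully qualified name into the list instead, so a future change to the suffix search list cannot widen the ACL.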
Setup SNMP Traps @ Windows
SNMP traps are a good way, where the device or software supports them, of being told that a particular condition has occurred on that device or software, instead of polling for it.
Now the device/software has to be configured to send traps to our snmptrapd; the trap destination is already defined in the SNMP service settings. On Windows, traps can be generated from the Windows event logs out of the box: once configured, the same SNMP service (through its Event to Trap Translator extension) watches the event logs and emits a trap for every entry that matches a configured log, source and event ID. The GUI tool for this is evntwin (evntcmd is its command-line equivalent, useful for scripting). I looked through the event logs and picked the entry I wanted.
Then, in evntwin, I set up the SNMP trap for that entry.
When you add it, the following dialog appears.
The two options, event count and "generate trap within interval", are quite interesting. Together they mean: send a trap only when the event has occurred at least the given number of times within the given number of seconds; if the count is not reached inside that window, the occurrences do not accumulate and no trap is sent. Some events happen once, e.g. "the last shutdown was unexpected", and those want a count of 1. Others repeat, e.g. AccountingLogService failing to connect to its FTP server every 5 minutes (as configured in the service), and there a count threshold stops a single hiccup from raising a trap. Further, if you are PROACTIVE in monitoring and have AUTOMATED a reaction to the trap, e.g. a trap when CPU has stayed above 75% for 5 minutes, on which you restart a particular service or reboot the server, the interval protects you from acting on stale information: SNMP processing runs in low-priority threads (even on devices like routers), so a trap can be emitted AFTER the condition has already cleared, and an automated reboot at that point does harm. Bounding the window means the trap is generated only while the events are still fresh, and not at all once the threshold time has passed.
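The same event-to-trap mapping as an added example (not code from the original post), done with evntcmd, the command-line twin of evntwin, so it can be scripted and kept in version control. The event chosen for low disk space is an assumption (the classic "disk is at or near capacity" event, source srv, ID 2013 in the System log): substitute whatever entry you picked in evntwin. The second mapping uses a constructed test source, SnmpTrapTest, so the count/interval behaviour can be exercised end to end against snmptrapd.

```powershell
# Added example: the evntwin configuration as an evntcmd file, plus an end-to-end test.
# Config file syntax: #pragma ADD <EventLog> <Source> <EventID> [<Count> [<Period-seconds>]]
#Requires -RunAsAdministrator

$cfg = Join-Path $env:TEMP 'snmp-traps.cnf'

# Line 1: one-shot event, trap on every occurrence (count 1, no interval).
#         Assumption: srv 2013 is the low-disk-space event you picked in evntwin.
# Line 2: repetitive event, trap only when it fires 3 times within 600 s;
#         fewer than 3 in the window means no trap and the count starts over.
#         Assumption: SnmpTrapTest is a constructed source used for the test below.
@'
#pragma ADD System srv 2013 1
#pragma ADD Application SnmpTrapTest 1000 3 600
'@ | Set-Content -Path $cfg -Encoding ASCII

# Register the test source once so Write-EventLog is allowed to use it.
if (-not [System.Diagnostics.EventLog]::SourceExists('SnmpTrapTest')) {
    New-EventLog -LogName Application -Source SnmpTrapTest
}

# Load the mappings into the Event to Trap Translator (-v 10 = verbose output),
# then restart the SNMP service so the translator is certain to reload them.
evntcmd -v 10 $cfg
Restart-Service -Name SNMP

# Exercise the threshold: occurrences 1 and 2 must NOT produce a trap,
# occurrence 3 (well inside the 600 s window) must. Watch snmptrapd's log
# on the listener while this runs; only one trap should arrive.
1..3 | ForEach-Object {
    Write-EventLog -LogName Application -Source SnmpTrapTest -EventId 1000 `
        -EntryType Warning -Message "SnmpTrapTest burst $_ of 3"
    Start-Sleep -Seconds 2
}
```

To see the other half of the rule, run the loop again with a sleep longer than the interval between writes: the occurrences then fall outside the 600 s window and snmptrapd should receive nothing. Remove the SnmpTrapTest mapping (`#pragma DELETE Application SnmpTrapTest 1000`) once you are done testing, so the test source cannot be used to raise traps later.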
SNMP Trap Listener
Set up the SNMP trap listener; on Unix, snmptrapd from Net-SNMP is the usual choice.
- Create /etc/snmp/snmptrapd.conf for your network. Since Net-SNMP 5.3, snmptrapd silently drops traps it has not been authorised to accept, so the file needs at least an authCommunity log <community> line whose community matches the one configured on the Windows Traps tab (do not use disableAuthorization yes, which accepts traps from anyone).
- Run it with: snmptrapd -Lf /var/run/snmp-fifo -p /var/run/snmptrapd.pid (-Lf appends received traps to that file, -p writes the PID file; it binds UDP/162, so it needs root or the capability to do so). Create the log file first, as described under the Splunk steps below.
Search/Index/View the SNMP Traps
Splunk is a log indexing and search platform (it runs on Unix and Windows) that provides many data inputs and outputs along with email/RSS notifications. I use it to index, search and view these SNMP traps. For the snmptrapd above, I did:
- touch /var/run/snmp-fifo (despite the name this creates a regular file, not a FIFO, and that is what you want: snmptrapd -Lf appends to it and Splunk's file monitor expects an ordinary file, whereas a real FIFO made with mkfifo would block snmptrapd at startup until a reader attached)
- In Splunk, define a file monitor ("tail") data input for /var/run/snmp-fifo
- Use Splunk's web interface to search the traps and configure RSS feeds and/or email alerts on them, for instance an alert on the low-disk-space trap