TrapDirector & Windows server

Hello everybody!
I’ve been trying to get a Windows 2016 server to generate a trap from an event log entry and I have some issues (it isn’t working), so let me pick your collective brains.
I installed TrapDirector (1.0.6), all checks are green and test traps from localhost work OK. I copied some Windows MIBs:

Folder listing
$ ls -l /usr/share/icingaweb2/modules/trapdirector/mibs
total 212
6179 nov 30 10:45 ftp.mib
48593 nov 30 10:45 hostmib.mib
59909 dic  3 09:36 HOST-RESOURCES-V2-MIB.mib
698 jun 18  2013 inetsrv.mib
6100 nov 30 10:45 lmmib2.mib
581 jul 16  2016 msft.mib
22462 nov 30 10:45 rfc2571.mib
4411 nov 30 10:45 smi.mib
26236 nov 30 10:45 wins.mib

Updating the MIBs returned a lot of “Unlinked OIDs” and “Did not find X in Y”. Is this normal?
Windows AFAIK refuses to send any traps for the service start/stop event, but every time I restart the machine it generates a bunch of traps of “linkUp” type that are received by TrapDirector. Why are these traps being sent?

Finally, if someone knows what I could be missing that keeps W2016 from generating the traps I set up (the events do keep appearing in the log), that would be quite welcome.

Versions
Program Version	2.11.3-1
Icinga web 2.8.2
PHP Version 7.3.11
trapdirector 1.0.6
director 1.7.2

Windows 2016 configured to send traps from specific Event Log entries (evntwin / evntcmd).
CentOS 7.7 with snmpd *receiving* traps

Hi,

With TrapDirector I can’t help, but with sending from Windows and event logs I can. Sadly it’s a little bit complicated, or better let’s say: very awkward, in my opinion.

I did it this way in our setup: http://nerdsknowbest.blogspot.com/2013/02/how-to-configure-windows-event-log-snmp.html
There was also a talk last year at the OSMC. Here is the video of it: https://www.youtube.com/watch?v=wZ2RQZs7Rzc&list=PLeoxx10paaAktrDeftMa6KT0_ps02U6qh&index=25&t=0s
maybe this helps.

If not, how do you configure it on Windows?

Hi @stevie-sy

I configured it as explained in your first link. I created a .cnf file with the evntwin command looking for two fairly common events.

#pragma add "Application" "Desktop Window Manager" 1073750851 1 0
#pragma add "System" "Service Control Manager" 1073748860 1 0

The second entry is for Event ID 7036 (Service Start/Stop) so I can generate events at will. I installed the traps with evntcmd but I can’t get any traps to Icinga. It’s only on server reboot that I get unrelated traps. I even tried with the Windows Firewall totally disabled and no change.
Next I’m thinking of checking with Wireshark if Windows is actually sending out the traps and perhaps snmptrapd drops them for …reasons.
Ideas are welcome

OK, did you also configure the Windows service “SNMP Service”? In the “Trap” tab you have to enter the destination and the community name.

I do have it: when the Windows system starts, it sends some traps to Icinga with the community name I set up, “trapdirector” (screenshot in my 1st msg), so it is picking up the destination server and the community name.
I confirmed with tcpdump that only these traps are arriving and nothing from the eventlog. Somehow there’s something wrong on the Windows side so I’ll have to go through it again even though it seems I have gone through the steps dozens of times now. :pensive:

For testing you could create some test events, e.g. with PowerShell:

Write-EventLog -LogName [Log, e.g. Application] -Source "[Source name, e.g. Icinga2_Test]" -EntryType Information -EventId [Event ID number] -Message "This is a test"

And create a new rule with evntwin that looks for these entries.
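A scripted version of this test, added here as an example and not part of the thread: it registers the test source, checks that the SNMP service is running and which trap destinations are configured, then writes several events in a row so that any throttling of the translator becomes visible. It assumes an elevated PowerShell on the Windows host; the log name, source and event ID are placeholders that must match your own evntwin rule.

```powershell
# Added example, not from the thread. Run elevated on the Windows server.
param(
    [string]$LogName = 'Application',
    [string]$Source  = 'Icinga2_Test',   # placeholder: must match the source in the evntwin rule
    [int]   $EventId = 1000,             # placeholder: must match the event ID in the evntwin rule
    [int]   $Count   = 3                 # several events in a row show whether throttling drops them
)

# Register the event source once; Write-EventLog fails if the source does not exist.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# The Event-to-Trap translator only sends while the SNMP service is running.
$svc = Get-Service -Name SNMP -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "SNMP service is $($svc.Status); no traps can be sent"
}

# List the trap destinations the "Trap" tab of the service writes to the registry
# (one subkey per community, numbered values holding the destination hosts).
$trapCfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration'
Get-ChildItem -Path $trapCfg | ForEach-Object {
    $community = $_.PSChildName
    $hosts = ($_ | Get-ItemProperty).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    "community '$community' -> $($hosts -join ', ')"
}

# Write the test events; each one should turn into a trap on the collector.
1..$Count | ForEach-Object {
    Write-EventLog -LogName $LogName -Source $Source -EntryType Information `
        -EventId $EventId -Message "TrapDirector test event $_ of $Count"
    Start-Sleep -Seconds 1
}

# Confirm the events actually landed in the log the evntwin rule reads from.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = $EventId } `
    -MaxEvents $Count | Select-Object TimeCreated, Id, Message
```

Compare the number of events listed at the end with the number of traps seen by tcpdump or snmptrapd on the collector; a gap between the two points at the translator (throttle) rather than at the network.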

It is so amazing to be able to discuss these issues with other people, it helps me a lot to get new ideas and to get a fresh perspective.
Traps are being received now! :star_struck:

In evntwin I had selected “apply throttle” with what I thought was a rather generous margin, but the moment I decided to switch to “Do not apply throttle”, traps started to flow to TrapDirector. Now the handling wars can begin!
I find it puzzling that the “throttling” applied by Windows consists of sending 0 traps. It was driving me nuts.

Thank you @stevie-sy for all your ideas and your input.

You’re welcome. :wink:

I didn’t think of this option. In my config it is also disabled. Good hint to write this in our internal docs too :slight_smile: