DSI NETWORKS & SOLUTIONS
Subject Topic: Free Windows Event log monitor with SNMP
DSI-Tech
Posted: 31-January-2010 at 15:31

I guess this is not common knowledge to most Wintel engineers/admins, but if you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog), it's reasonably easy to enable monitoring of the Windows Event logs, with the end result being that for each event of interest, an SNMP trap will be sent to your SNMP processor.

The assumption is that you already have SNMP services (SNMP Service and SNMP Trap Service) configured (this is beyond the scope of this exercise, but if you research it at Microsoft or drop me a line you should be able to do this quite easily).

Upon installation of the SNMP Windows native services, a couple of libraries and tools are dropped in the System32 directory.

This is not really rocket science, but here is a high-level approach to setting this up (these are the steps I've followed to set up my own).

1. Ensure SNMP is installed and configured
2. Open Windows event log and filter events (application, security and system) with filters of your choice (Warning and Errors, Errors only, Failure audit, etc.).
3. Locate the event you want to alert on with an SNMP trap as soon as it occurs.
4. Start up evntwin.exe from the system32 folder.
5. Use the CUSTOM and EDIT options, then FIND the source or description of the event of interest (as determined in step 3). Double-click the event and click OK - now the event is added to the translation list, so every time it is logged in the event log, your trap processor will receive an SNMP trap.
6. Repeat until you have added all application, system and security events of interest. Click APPLY.


BUT WAIT, THERE IS MORE!
7. Click the export button and select a file location and name (make a note of that).
8. Open a command prompt and change directory to the system32 folder.
9. Invoking the evntcmd.exe tool, you can NOW PUSH this configuration to ANY server that has Remote registry and SNMP enabled.
(example:
C:\WINDOWS\system32\evntcmd.exe /s host01.dsi.net.nz  -v10 C:\windows\system32\events.cnf
Microsoft (R) Event To Trap Translator; Configuration Tool v2.00
Copyright (c) Microsoft Corporation 1998.  All rights reserved.

[Wrn08] Verbose level set to 10.
[Wrn05] Command line parsed successfully.
[Wrn08] Successfully parsed Trap(ADD, eventlog, 2147489656, 1, 0).
[Wrn10] lexic [2:0]: hit EOF.
[Wrn05] Configuration file 'C:\windows\system32\events.cnf' parsed successfully.

[Wrn08] Connecting to 'host01.dsi.net.nz' registry ...
[Wrn05] Registry connected to 'host01.dsi.net.nz'.
[Wrn10] Configured new source 'eventlog'.
[Wrn08] Successfully set new event '2147489656'.
[Wrn05] Commands processed successfully.
[Wrn08] No need to restart the SNMP service..

C:\WINDOWS\system32>
)

Voila! If you can script to automate this in a batch... totally easy.
The possibilities are endless. Combined with Microsoft's eventtriggers tool, this gives you maximum flexibility to integrate virtually any operational and monitoring aspects of your Windows-based systems and applications with your enterprise management tool.

For an MS-style application monitoring article, check out:
http://technet.microsoft.com/en-us/library/bb684482.aspx
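
One way to script the push from step 9 across several servers and confirm it took effect on each, as an added example that is not part of the original post. The host list file (hosts.txt) and the log folder are assumed names; the evntcmd invocation and the status lines it matches are the ones shown in the post's output.

```powershell
# Added example, not from the original post. Assumed names: hosts.txt, evntcmd-logs.
$evntcmd = Join-Path $env:SystemRoot 'System32\evntcmd.exe'
$config  = 'C:\windows\system32\events.cnf'   # file exported in step 7
$logDir  = '.\evntcmd-logs'                   # assumed folder for per-host output
$targets = Get-Content '.\hosts.txt' |        # assumed: one hostname per line
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

if (-not (Test-Path $config)) { throw "Configuration file not found: $config" }
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

$results = foreach ($computer in $targets) {
    # Same invocation as in the post: /s <host> -v10 <config file>
    $output = (& $evntcmd /s $computer -v10 $config 2>&1 | Out-String)
    $exit   = $LASTEXITCODE
    # Keep the full verbose output so a failed push can be reviewed later
    Set-Content -Path (Join-Path $logDir "$computer.log") -Value $output

    # Event IDs the tool reports as written to the remote registry
    $ids = [regex]::Matches($output, "Successfully set new event '(\d+)'") |
        ForEach-Object { [int64]$_.Groups[1].Value }

    [pscustomobject]@{
        Computer = $computer
        # Success is judged by the final status line shown in the post's output
        Applied  = $output -match 'Commands processed successfully'
        ExitCode = $exit   # recorded only; its meaning is not asserted here
        # Low 16 bits are the ID shown in Event Viewer (2147489656 -> 6008)
        EventIds = ($ids | ForEach-Object { $_ -band 0xFFFF }) -join ','
    }
}

$results | Format-Table -AutoSize

# Hosts without the success line (e.g. Remote Registry unreachable) are not
# sending traps for these events, so surface them instead of failing silently.
$failed = @($results | Where-Object { -not $_.Applied })
if ($failed.Count) {
    Write-Warning ("Push failed on: " + ($failed.Computer -join ', '))
    exit 1
}
```

A host that drops out of the "Applied" column is a monitoring gap: events of interest on that server will not reach the trap processor until the push is repeated successfully.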
