How to check if a SNMP Trap is received.

I had wanted to give you a post on a new location OM2012 widget but I had some issues with the prototype and couldn’t figure it out yet. So that one is coming soon. But I still wanted to do my weekly post. So here we are.

Problem

A question I hear a lot, why is SCOM not detecting/reporting a SNMP trap. I’m sure it is send out but I do not see it in SCOM.

Analyze

Okay we could face several problems here. For example the SNMP trap isn’t send at all or it is not send/received at the SCOM agent OR it is received but the MP has a bug so the workflow isn’t processing the trap event. First I would look if the trap is received at all, because most of the time this is the problem.

Solution

There are several tools to use for this. But I like using build-in tools. So it will be WMI to use. WMI has a SNMP provider that will do the job for us. Below I will describe in simple steps how to check if a SNMP trap is coming in at all.

1. Stop the SCOM agent.

Yes it sounds strange but since the agent uses also the SNMP trap port it will block the WMI trap receiver. By stopping the SCOM agent you set the port free.

2. Install if needed the SNMP and SNMP Trap providers

3. Restart NT service “SNMP Trap” and “Windows Management Instrumentation”.

By doing this you will reactivate the Trap listener.

4. Setup the Trap event sink

We can do this in 2 ways. (1) using WBEMTEST (2) Using PowerShell.

(1) using WBEMTEST

Open a command prompt and type “WBEMTEST”

Press on Connect to establish the connection and fill in the namespace “root\snmp\localhost”

 

Configure the Trap Sink press on “Notification Query” and enter

“ SELECT * FROM SnmpNotification ” (no quotes)

Now if there will be send a SNMP TRAP to this machine you will see this trap event in this window.

For example this test trap below

So now you will know the TRAP is received.

(2) Using PowerShell

Start PowerShell in admin mode and look at the 2 command lines below:

# register trap Register-WmiEvent -Query “SELECT * FROM SnmpNotification” -Namespace ‘root\snmp\localhost’  -sourceIdentifier “SNMPTRAP” -action { Write-Host [Time:] $newEvent.SourceEventArgs.NewEvent.TIME_CREATED [IP:] $newEvent.SourceEventArgs.NewEvent.AgentAddress  [OID:] $newEvent.SourceEventArgs.NewEvent.Identification  } # use to unregister trap Get-EventSubscriber | where {$_.SourceIdentifier  -eq ‘SNMPTRAP’} | % {Unregister-Event $_.SubscriptionID}

First execute the register trap.

Then you get a output saying the sink is started:

Id              Name            State      HasMoreData     Location             Command                 
—              —-            —–      ———–     ——–             ——-                 
34              SNMPTRAP        NotStarted False                                 Write-Host [Time:] $n…

Now generate the Trap on your snmp box. And you will see this below in the PS window.

[Time:] 129856918917535702 [IP:] 172.29.3.9 [OID:] 1.3.6.1.6.3.1.1.5.1

So now you will know the TRAP is received.

Now you unregister the TRAP by running the 2’d command

Conclusion:

You see its very easy to get this working. I prefer using PS for this. If the TRAP is received you have to use the WFanalyzer to see why it isn’t processed by the MP.

 

Happy SCOMMING

Michel Kamp

Advertisements