How to check if a SNMP Trap is received.

2 Jul

I had wanted to give you a post on a new location OM2012 widget but I had some issues with the prototype and couldn’t figure it out yet. So that one is coming soon. But I still wanted to do my weekly post. So here we are.

Problem

A question I hear a lot, why is SCOM not detecting/reporting a SNMP trap. I’m sure it is send out but I do not see it in SCOM.

Analyze

Okay we could face several problems here. For example the SNMP trap isn’t send at all or it is not send/received at the SCOM agent OR it is received but the MP has a bug so the workflow isn’t processing the trap event. First I would look if the trap is received at all, because most of the time this is the problem.

Solution

There are several tools to use for this. But I like using build-in tools. So it will be WMI to use. WMI has a SNMP provider that will do the job for us. Below I will describe in simple steps how to check if a SNMP trap is coming in at all.

1. Stop the SCOM agent.

Yes it sounds strange but since the agent uses also the SNMP trap port it will block the WMI trap receiver. By stopping the SCOM agent you set the port free.

2. Install if needed the SNMP and SNMP Trap providers

3. Restart NT service “SNMP Trap” and “Windows Management Instrumentation”.

By doing this you will reactivate the Trap listener.

4. Setup the Trap event sink

We can do this in 2 ways. (1) using WBEMTEST (2) Using PowerShell.

(1) using WBEMTEST

Open a command prompt and type “WBEMTEST”

Press on Connect to establish the connection and fill in the namespace “root\snmp\localhost”

Configure the Trap Sink press on “Notification Query” and enter

“ SELECT * FROM SnmpNotification ” (no quotes)

Now if there will be send a SNMP TRAP to this machine you will see this trap event in this window.

For example this test trap below

So now you will know the TRAP is received.

(2) Using PowerShell

Start PowerShell in admin mode and look at the 2 command lines below:

# register trap
Register-WmiEvent -Query “SELECT * FROM SnmpNotification” -Namespace ‘root\snmp\localhost’ -sourceIdentifier “SNMPTRAP” -action { Write-Host [Time:] $newEvent.SourceEventArgs.NewEvent.TIME_CREATED [IP:] $newEvent.SourceEventArgs.NewEvent.AgentAddress [OID:] $newEvent.SourceEventArgs.NewEvent.Identification }

# use to unregister trap
Get-EventSubscriber | where {$_.SourceIdentifier -eq ‘SNMPTRAP’} | % {Unregister-Event $_.SubscriptionID}

First execute the register trap.

Then you get a output saying the sink is started:

Id              Name            State      HasMoreData     Location             Command
—              —-            —–      ———–     ——–             ——-
34              SNMPTRAP        NotStarted False                                 Write-Host [Time:] $n…

Now generate the Trap on your snmp box. And you will see this below in the PS window.

[Time:] 129856918917535702 [IP:] 172.29.3.9 [OID:] 1.3.6.1.6.3.1.1.5.1

So now you will know the TRAP is received.

Now you unregister the TRAP by running the 2’d command

Conclusion:

You see its very easy to get this working. I prefer using PS for this. If the TRAP is received you have to use the WFanalyzer to see why it isn’t processed by the MP.

Happy SCOMMING

Michel Kamp

Tags: Authoring, SCOM, scom2012, SNMP

Comments 9 Comments
Categories AUTHORING, Management Pack, SCOM2012, SNMP

9 Responses to “How to check if a SNMP Trap is received.”

Joey Washburn July 2, 2012 at 23:06 #

Do you plan on covering how to do some basic troubleshooting with the VSAE? We have validated the TRAPs are getting to SCOM, but the problem is SCOM isnt actually doing anything with them.

Reply
Mohammad Shaaban February 17, 2013 at 15:07 #

Hello, i tried this and the error i received when rinning the query on wbemtest is , please help.

Number: 0x80041004
Facility: WMI
Description: Provider failure

Reply
- Michel Kamp March 13, 2013 at 07:13 #
  
  hi, you must install the wmi snmp/trap provider in windows.this is a windows feature.
  
  michel
  
  Reply
Michael G. September 3, 2014 at 22:01 #

So I was tinkering around with the PowerShell code you provided (which worked fine to receive traps in PowerShell), and for whatever reason, I removed the PowerShell Job that Register-WMIEvent created with “remove-job” instead of the “unregister-event” cmdlet.

Now PowerShell can never receive traps via this method again, even after a system restart, although I can confirm the traps are arriving at the machine with WBEMTEST.

I’ve tried uninstalling/reinstalling the PowerShell SNMP provider, and Get-EventSubscriber reveals no jobs named SNMPTRAP to remove. Any ideas? Thanks!

Reply
- Michel Kamp September 5, 2014 at 07:45 #
  
  Hi,
  
  Strange issue. What happens if you do :
  Get-EventSubscriber
  Get-Job
  
  Does it returns any rows ?
  
  you could try to remove all wmievents by :
  get-job | Remove-Job –Force
  
  Michel
  
  Reply
  - Michael G. September 5, 2014 at 14:22 #
    
    Thank you for your reply!
    
    Unfortunately, neither Get-EventSubscriber nor Get-Job return any results at all. Very strange indeed.
christopher keyaert October 31, 2014 at 10:11 #

Hi Michel,

For me the $newEvent variable is empty, I had to replace it by $Event, like

$Event.SourceEventArgs.NewEvent.TIME_CREATED

And now I’ve got the value 🙂

Thx
Christopher

Reply
- Denis Osipov January 10, 2017 at 15:24 #
  
  Thanks dude, you save me a lot of time!
  
  Reply

Trackbacks/Pingbacks

How To Fix 0x80041004 Provider Failure Errors - Windows Vista, Windows 7 & 8 - October 29, 2014
[…] How to check if a SNMP Trap is received. | Touching SCOM – Jul 02, 2012 · # register trap Register-WmiEvent -Query “SELECT * FROM SnmpNotification” -Namespace ‘rootsnmplocalhost’ -sourceIdentifier “SNMPTRAP” …… […]

Search

How to check if a SNMP Trap is received.

Problem

Analyze