I had wanted to give you a post on a new location OM2012 widget but I had some issues with the prototype and couldn’t figure it out yet. So that one is coming soon. But I still wanted to do my weekly post. So here we are.
Problem
A question I hear a lot: why is SCOM not detecting/reporting an SNMP trap? I'm sure it is sent out, but I do not see it in SCOM.
Analyze
Okay, we could face several problems here. For example, the SNMP trap isn't sent at all, or it is sent but not received at the SCOM agent, or it is received but the MP has a bug so the workflow isn't processing the trap event. First I would check whether the trap is received at all, because most of the time this is the problem.
Solution
There are several tools to use for this, but I like using built-in tools, so we will use WMI. WMI has an SNMP provider that will do the job for us. Below I describe in simple steps how to check whether an SNMP trap is coming in at all.
1. Stop the SCOM agent.
Yes, it sounds strange, but since the agent also uses the SNMP trap port, it will block the WMI trap receiver. Stopping the SCOM agent frees the port.
2. Install the SNMP and SNMP Trap providers if needed.
3. Restart the NT services “SNMP Trap” and “Windows Management Instrumentation”.
Doing this reactivates the trap listener.
4. Setup the Trap event sink
We can do this in 2 ways. (1) using WBEMTEST (2) Using PowerShell.
(1) using WBEMTEST
Open a command prompt and type “WBEMTEST”
Click Connect and fill in the namespace “root\snmp\localhost” to establish the connection.
To configure the trap sink, click “Notification Query” and enter
“ SELECT * FROM SnmpNotification ” (no quotes)
Now, if an SNMP trap is sent to this machine, you will see the trap event in this window.
For example this test trap below
So now you will know the TRAP is received.
(2) Using PowerShell
Start PowerShell in admin mode and look at the 2 command lines below:
# register trap
# use to unregister trap
First execute the register trap.
Then you get output saying the sink is started:
Id  Name      State       HasMoreData  Location  Command
--  ----      -----       -----------  --------  -------
34  SNMPTRAP  NotStarted  False                  Write-Host [Time:] $n…
Now generate the trap on your SNMP box, and you will see the line below in the PS window.
[Time:] 129856918917535702 [IP:] 172.29.3.9 [OID:] 1.3.6.1.6.3.1.1.5.1
So now you will know the TRAP is received.
Now unregister the trap by running the second command.
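The steps above as one script. This is an added example, not the two original commands from this post. The function names, the service names (HealthService, SNMPTRAP, Winmgmt) and the AgentAddress and Identification property names are assumptions. It reads the trap through the automatic $Event variable and cleans up with Unregister-Event.

```powershell
# Added example for Windows PowerShell 5.1, run elevated.
# Register-WmiEvent does not exist in PowerShell 6 and later.
$Namespace = 'root\snmp\localhost'             # namespace used in the WBEMTEST step
$Query     = 'SELECT * FROM SnmpNotification'  # query used in the WBEMTEST step
$SinkId    = 'SNMPTRAP'                        # name shown in the job output

function Start-SnmpTrapSink {                  # hypothetical helper name
    # Steps 1 and 3: free the trap port, then restart the trap listener.
    # Assumed service names: HealthService (SCOM agent), SNMPTRAP, Winmgmt.
    Stop-Service -Name HealthService
    Restart-Service -Name SNMPTRAP
    Restart-Service -Name Winmgmt -Force       # -Force: other services depend on WMI

    # Step 4: register the sink. Inside -Action the event is exposed as $Event.
    Register-WmiEvent -Namespace $Namespace -Query $Query -SourceIdentifier $SinkId -Action {
        $trap = $Event.SourceEventArgs.NewEvent
        # TIME_CREATED counts 100 ns ticks since 1601 (FILETIME); convert for reading.
        $when = [DateTime]::FromFileTimeUtc([int64]$trap.TIME_CREATED)
        # AgentAddress / Identification: assumed SnmpNotification property names.
        Write-Host ('[Time:] {0:u} [IP:] {1} [OID:] {2}' -f `
            $when, $trap.AgentAddress, $trap.Identification)
    }
}

function Stop-SnmpTrapSink {                   # hypothetical helper name
    # Remove the subscription first, then the leftover job object.
    Unregister-Event -SourceIdentifier $SinkId -ErrorAction SilentlyContinue
    Get-Job -Name $SinkId -ErrorAction SilentlyContinue | Remove-Job -Force
    # Hand the trap port back to the SCOM agent.
    Start-Service -Name HealthService
    # Returns nothing when the subscription is gone.
    Get-EventSubscriber | Where-Object SourceIdentifier -eq $SinkId
}
```

Run Start-SnmpTrapSink, send the test trap, then run Stop-SnmpTrapSink so the SCOM agent gets the trap port back.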
Conclusion:
As you can see, it's very easy to get this working. I prefer using PS for this. If the trap is received, you have to use the WFanalyzer to see why it isn't processed by the MP.
Happy SCOMMING
Michel Kamp
Do you plan on covering how to do some basic troubleshooting with the VSAE? We have validated the TRAPs are getting to SCOM, but the problem is SCOM isn't actually doing anything with them.
Hello, I tried this and the error I received when running the query on wbemtest is the following. Please help.
Number: 0x80041004
Facility: WMI
Description: Provider failure
Hi, you must install the WMI SNMP/trap provider in Windows. This is a Windows feature.
michel
So I was tinkering around with the PowerShell code you provided (which worked fine to receive traps in PowerShell), and for whatever reason, I removed the PowerShell Job that Register-WMIEvent created with “remove-job” instead of the “unregister-event” cmdlet.
Now PowerShell can never receive traps via this method again, even after a system restart, although I can confirm the traps are arriving at the machine with WBEMTEST.
I’ve tried uninstalling/reinstalling the PowerShell SNMP provider, and Get-EventSubscriber reveals no jobs named SNMPTRAP to remove. Any ideas? Thanks!
Hi,
Strange issue. What happens if you do:
Get-EventSubscriber
Get-Job
Does it return any rows?
You could try to remove all WMI events with:
Get-Job | Remove-Job -Force
Michel
Thank you for your reply!
Unfortunately, neither Get-EventSubscriber nor Get-Job return any results at all. Very strange indeed.
Hi Michel,
For me the $newEvent variable is empty, I had to replace it by $Event, like
$Event.SourceEventArgs.NewEvent.TIME_CREATED
And now I’ve got the value 🙂
Thx
Christopher
Thanks dude, you save me a lot of time!