Windows Server has a built-in SNMP trap generator for the Windows Event Log/Viewer, which can send traps on the occurrence of arbitrary events.
Trap Form (OID)
These traps will conform to the Microsoft private enterprise MIB branch in the following form:
1.3.6.1.4.1.311.1.13.X.n.n.n.n.n.n.n.n.n...
Each "n" is a decimal encoding of an ASCII character octet from the Event Log source name, and the X designates the number of characters to follow.
So, for example, a trap generated by source "Prefect" (as seen in Event Viewer) would appear as:
1.3.6.1.4.1.311.1.13.7.80.114.101.102.101.99.116
Windows 2000 Server does not support this fully, and will generate traps of a slightly different format, but the procedure is otherwise identical. All newer versions of Windows Server support this properly.
Configuring Trap Sending
There are two built-in tools that you will use to set up trap generation.
evntwin: Create mapping of Event Log messages to SNMP traps
evntcmd: Load mapping created by evntwin so that traps are generated
Run evntwin from a command prompt: this will spawn a GUI. Select "Custom" under Configuration type, and then "Edit." You will now see a list of all possible event sources. Under the source in which you are interested, select the particular event ID on which you wish to generate traps. Then, click "Add."
Now, you will see the actual OID of the trap, the specific ID, and an option to set a time-based threshold of event occurrences before the trap would be sent.
Repeat until you have created a mapping for each particular trap/event combination you care about. Then, click "Apply," highlight all of the mappings, and then "Export..." Save the file, and exit the application.
Now, again from the command line, run evntcmd, specifying the name of the file you just created:
evntcmd myeventfile.cnf
From this point forward, the events you specified will generate SNMP traps, which will be sent to all trap receiver destinations you have configured in your SNMP service settings. Process them as you would any normal SNMP trap.
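The OID form described in the answer above, worked through on the trap-receiver side as an added example (not part of the original answer or of any Microsoft tool). The helper names source_to_oid and oid_to_source are hypothetical, and restricting decoded names to printable ASCII is an assumption made here so that a malformed or crafted trap cannot inject control characters into logs.

```python
# Added example: map Event Log source names to and from the trap OID form
# 1.3.6.1.4.1.311.1.13.X.n.n.n... described in the answer above.
PREFIX = (1, 3, 6, 1, 4, 1, 311, 1, 13)


def source_to_oid(source: str) -> str:
    """Build the trap OID for an Event Log source name (hypothetical helper)."""
    octets = source.encode("ascii")  # non-ASCII names raise UnicodeEncodeError
    return ".".join(str(arc) for arc in PREFIX + (len(octets),) + tuple(octets))


def oid_to_source(oid: str) -> str:
    """Recover the source name from a received trap OID, or raise ValueError."""
    try:
        arcs = tuple(int(a) for a in oid.strip().lstrip(".").split("."))
    except ValueError:
        raise ValueError(f"not a numeric OID: {oid!r}") from None
    if arcs[:len(PREFIX)] != PREFIX:
        raise ValueError("OID is outside 1.3.6.1.4.1.311.1.13")
    rest = arcs[len(PREFIX):]
    if not rest:
        raise ValueError("length arc X is missing")
    length, octets = rest[0], rest[1:]
    if length != len(octets):
        raise ValueError(f"X is {length} but {len(octets)} character arcs follow")
    # Assumption: only printable ASCII is accepted, so a crafted trap cannot
    # put control characters into logs or alert text via the decoded name.
    if any(not 0x20 <= o <= 0x7E for o in octets):
        raise ValueError("character arc is not printable ASCII")
    return bytes(octets).decode("ascii")


if __name__ == "__main__":
    print(source_to_oid("Prefect"))
    print(oid_to_source(".1.3.6.1.4.1.311.1.13.7.80.114.101.102.101.99.116"))
    # Constructed malformed input: X says 7 but only 6 character arcs follow
    try:
        oid_to_source("1.3.6.1.4.1.311.1.13.7.80.114.101.102.101.99")
    except ValueError as err:
        print("rejected:", err)
```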
I did this with a cron script that stores the current value in a temp file, then uses it on the next run to calculate bandwidth utilization since the last run.
#!/bin/bash
email_address=""
router_ip=""
# 80% BANDWIDTH [ (384000bps) 48,000Bps ] - 20% = 38,400 Bps
alertBW="76800"
# State file holds "<epoch seconds> <ifOutOctets>" from the previous run
lastBWFile="/var/log/ciscoGW.log"
lastBW=$(awk '{print $2}' "$lastBWFile")
lastTime=$(awk '{print $1}' "$lastBWFile")
curBW=$(snmpget -c snmap_name -v 1 "$router_ip" IF-MIB::ifOutOctets.2 | awk '{print $4}')
# Stop if the SNMP query failed, so a blank reading is not saved as state
[ -n "$curBW" ] || exit 1
# Octets sent since the previous run
let diffBW=$curBW-$lastBW
#echo "Diff BW: $diffBW"
timeNow=$(date +%s)
let diffTime=$timeNow-$lastTime
# Scale the per-second threshold to the elapsed interval
let alertBW=$alertBW*$diffTime
echo "$timeNow $curBW" > "$lastBWFile"
if [ "$diffBW" -gt "$alertBW" ]; then
    # echo "Over limit!"
    echo "Bandwidth used over $diffTime seconds: $diffBW" | mail -s "BANDWIDTH OVER LIMIT!!!!" "$email_address"
fi
Since I was more interested in actual peaks I've since moved to using rrdtool:
#start 15 minutes ago
#end 5 minutes ago since rrdtool queries every 5 minutes
rrdtool fetch $FROM MAX -s -900 -e -300
Best Answer
You need to use event transforms in the eventClass where the event is getting transformed and use de-duplication.
De-dupid is a combination of:
device | component | eventKey | eventClass | severity
For example, if Blade 7 is pulled out from chassis 10.2.3.4 and the eventClass is /Hardware, the dedupid will be:
10.2.3.4 | Blade 7 | Blade_Key | /Hardware | 3 [3 means warning]
To clear the event, all the fields should be the same except the severity:
10.2.3.4 | Blade 7 | Blade_Key | /Hardware | 0 [0 is clear]
Event Tales Attributes
check the link