1R3 - Internal
Monitoring Windows Events
(without monitoring Logfiles)
Martin Fürstenau, Oce Printing Systems GmbH & Co. KG
martin.fuerstenau@oce.com
OSMC, November 2019
2
About me
Out of interest
• Senior System Engineer at Oce Printing Systems GmbH & Co. KG in Poing near Munich
• 33 years IT, 30 years Unix, 25 years Linux, 15 years Oce, monitoring started with Netsaint.
• Currently maintaining Linux systems, our monitoring landscape … and writing plugins and
addons for Nagios, Icinga(2), Shinken, Naemon and other API-compatible forks.
• Hobbies: Playing the blues (badly) and repairing electrical guitars (much better).
3
Oce European Data Center - Monitoring
● Datacenter Océ Printing Systems, Poing
● European Data Center
● Local Data Center
● Our quantity structure
● 2400 Hosts
● More than 50 % MS Windows
● More than 160 network components (Switches, Routers, Firewalls)
● 23500 Services
● More than approx. 50% running on MS Windows
● Rest is mainly Unix/Linux, SAN, NetApp Filer and network
4
Monitoring Windows Events
● Who needs it?
● And how are you doing it?
5
Using SNMP traps for Monitoring Windows Events
Setting up Windows - Modify your SNMP Configuration
6
Using SNMP traps for Monitoring Windows Events
An event from the Windows log
7
Using SNMP traps for Monitoring Windows Events
Setting up Windows - Mapping events to traps evntwin and evntcmd
8
Using SNMP traps for Monitoring Windows Events
Setting up Windows - Mapping events to traps evntwin and evntcmd
9
Using SNMP traps for Monitoring Windows Events
Setting up Windows - Mapping events to traps evntwin and evntcmd
10
Using SNMP traps for Monitoring Windows Events
On the Linux side - a MIB to convert for snmptt?
● Yes
(EVNTAGENT-MIB.mib)
● NO
(EVNTAGENT-MIB.mib)
11
Using SNMP traps for Monitoring Windows Events
On the Linux side - snmptt - snmpttunknown.log
12
Using SNMP traps for Monitoring Windows Events
On the Linux side - a 1st configuration for snmptt
13
Using SNMP traps for Monitoring Windows Events
On the Linux side - a 2nd configuration for snmptt
snmptt.conf entry (the trap OID is truncated on the slide):

EVENT LoginDenied .1.3.6.1.4.1.311.1.13.1.35.77.105.99.114…….
EXEC /root/work.duck/wintrap/duck "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
FORMAT FooFooFoo $*
SDESC
Get the traps from the event system
Variables:
EDESC

The handler script called by EXEC (/root/work.duck/wintrap/duck) simply appends the first nine trap variables to a logfile:

#!/bin/bash
# duck - dump the trap variables handed over by snmptt ($1 .. $9) to a logfile.
# Three empty lines separate one trap from the next.
echo >> /root/work.duck/wintrap/duck.log
echo >> /root/work.duck/wintrap/duck.log
echo >> /root/work.duck/wintrap/duck.log
echo "1: $1" >> /root/work.duck/wintrap/duck.log
echo "2: $2" >> /root/work.duck/wintrap/duck.log
echo "3: $3" >> /root/work.duck/wintrap/duck.log
echo "4: $4" >> /root/work.duck/wintrap/duck.log
echo "5: $5" >> /root/work.duck/wintrap/duck.log
echo "6: $6" >> /root/work.duck/wintrap/duck.log
echo "7: $7" >> /root/work.duck/wintrap/duck.log
echo "8: $8" >> /root/work.duck/wintrap/duck.log
echo "9: $9" >> /root/work.duck/wintrap/duck.log
14
Using SNMP traps for Monitoring Windows Events
On the Linux side - a 2nd configuration for snmptt
15
Using SNMP traps for Monitoring Windows Events
On the Linux side - a 3rd configuration for snmptt
EVENT LoginDenied .1.3.6.1.4.1.311.1.13.1.35.77.105….
FORMAT FooFooFoo $*
EXEC /root/work.duck/wintrap/log_wintrap --logfile=/root/work.duck/wintrap/duck.log --eventText="$1" --eventUserId="$2" --eventSystem="$3" --eventType="$4" --eventCategory="$5" --eventVar1="$6" --eventVar2="$7" --eventVar3="$8" --eventVar4="$9" --eventVar5="$10" --eventVar6="$11" --eventVar7="$12" --eventVar8="$13" --eventVar9="$14" --eventVar10="$15" --eventVar11="$16" --eventVar12="$17" --eventVar13="$18" --eventVar14="$19" --eventVar15="$20"
SDESC
Get the traps from the event system
Variables:
EDESC

(The EXEC line is a single line in snmptt.conf; it is only wrapped on the slide. The $n placeholders, including $10 and above, are expanded by snmptt itself before the command is run, so the trap variables arrive as named options of log_wintrap.)
Using SNMP traps for Monitoring Windows Events
On the Linux side - a 3rd logfile for snmptt
17
How to proceed
wintrap2mon
• Will contain filter for each variable
• Should handle most events
• Should be expandable by adding filters from files
• Option to write all variables to logfile
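As an added illustration of what the 3rd snmptt configuration hands over and what the planned wintrap2mon is meant to do with it: this is not the speaker's wintrap2mon or log_wintrap, but a small handler in the same spirit. It assumes (a) the variable order of the 3rd configuration above (eventText, eventUserId, eventSystem, eventType, eventCategory, eventVar1 to eventVar15), (b) the OID layout used by the Windows SNMP event agent, where the event source name is encoded after 1.3.6.1.4.1.311.1.13.1 as a length arc followed by one arc per ASCII character (the slide's .35.77.105.99.114 is the start of a 35-character source name beginning with "Micr"), (c) that the caller passes the numeric trap OID as the first argument (snmptt's $o substitution is assumed for that), and (d) a hypothetical JSON filter-file format defined in the code. The sample filters and the sample trap are constructed.

```python
"""wintrap2mon-style handler for Windows event traps relayed by snmptt (added example)."""
import json
import re
import sys
from datetime import datetime, timezone

# Subtree under which the Windows SNMP event agent places its traps.
EVNTAGENT_PREFIX = "1.3.6.1.4.1.311.1.13.1"
# Variable names in the order of the deck's 3rd snmptt configuration ($1 .. $20).
VAR_NAMES = ["eventText", "eventUserId", "eventSystem", "eventType", "eventCategory"] + [
    f"eventVar{i}" for i in range(1, 16)
]
STATES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}

# Constructed filter file (hypothetical format): first matching rule wins.
SAMPLE_FILTERS = """[
  {"source": "Microsoft-Windows-Security-Auditing", "var": "eventText",
   "match": "failed to log on", "state": "WARNING"},
  {"source": "Microsoft-Windows-Security-Auditing", "var": "eventText",
   "match": "audit log was cleared", "state": "CRITICAL"}
]"""


def decode_source(oid):
    """Return the event source name encoded in an event-agent trap OID, else None."""
    oid = oid.lstrip(".")
    if not oid.startswith(EVNTAGENT_PREFIX + "."):
        return None
    try:
        arcs = [int(a) for a in oid[len(EVNTAGENT_PREFIX) + 1:].split(".")]
    except ValueError:
        return None
    if not arcs or len(arcs) - 1 < arcs[0]:
        return None  # length arc missing or fewer character arcs than announced
    return "".join(chr(c) for c in arcs[1:arcs[0] + 1])


def encode_source(source):
    """Inverse of decode_source; used to build the constructed sample trap."""
    return ".".join([EVNTAGENT_PREFIX, str(len(source))] + [str(ord(c)) for c in source])


def parse_vars(args):
    """Map the positional trap variables onto the names of the 3rd configuration."""
    return {name: (args[i] if i < len(args) else "") for i, name in enumerate(VAR_NAMES)}


def load_filters(text):
    """Parse the JSON rule list and precompile each regex ('match')."""
    rules = json.loads(text)
    for rule in rules:
        rule["_re"] = re.compile(rule["match"])
    return rules


def evaluate(source, variables, rules):
    """Return (state name, message); events no rule matches are OK."""
    for rule in rules:
        if rule["source"] == source and rule["_re"].search(variables.get(rule["var"], "")):
            return rule["state"], f"{source}: {variables['eventText']}".strip()
    return "OK", f"{source}: no filter matched"


def log_all(variables, source, fh):
    """The 'write all variables to logfile' option: dump every non-empty variable."""
    fh.write(f"{datetime.now(timezone.utc).isoformat()} source={source}\n")
    for name in VAR_NAMES:
        if variables[name]:
            fh.write(f"  {name}: {variables[name]}\n")


def handle(args, rules, logfile=None):
    """args = [trap OID, $1, ..., $20]; returns (Nagios-style exit code, message)."""
    if not args:
        return STATES["UNKNOWN"], "UNKNOWN - no trap OID given"
    source = decode_source(args[0])
    if source is None:
        return STATES["UNKNOWN"], f"UNKNOWN - not a Windows event-agent trap: {args[0]}"
    variables = parse_vars(args[1:])
    if logfile:
        with open(logfile, "a", encoding="utf-8") as fh:
            log_all(variables, source, fh)
    state, message = evaluate(source, variables, rules)
    return STATES[state], f"{state} - {message}"


if __name__ == "__main__":
    # Usage: wintrap2mon.py [--logfile=PATH] [--filters=PATH] TRAP_OID VAR1 ... VAR20
    argv, log_path, filters_text = sys.argv[1:], None, SAMPLE_FILTERS
    while argv and argv[0].startswith("--"):
        opt, _, value = argv.pop(0).partition("=")
        if opt == "--logfile":
            log_path = value
        elif opt == "--filters":
            with open(value, encoding="utf-8") as fh:
                filters_text = fh.read()
    if not argv:  # constructed sample trap when run without arguments
        argv = [encode_source("Microsoft-Windows-Security-Auditing"),
                "An account failed to log on. Account Name: jdoe", "jdoe", "WS01",
                "Failure Audit", "Logon"]
    code, msg = handle(argv, load_filters(filters_text), log_path)
    print(msg)
    sys.exit(code)
```

Wired into snmptt the same way as the 3rd configuration's EXEC line, this gives one handler per OID family instead of one per event, with the event-specific knowledge kept in the filter file; the exit code and message follow the plugin convention, so the result can be fed straight into a passive service check.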
18
Resources
• http://www.snmptt.org
• https://docs.microsoft.com/en-us/windows/win32/snmp/about-snmp
• https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/evntcmd
• https://wiki.opennms.org/wiki/Windows_Event_Log_Traps
• https://support.microsoft.com/de-de/help/324263/how-to-configure-the-simple-network-management-protocol-snmp-service-i
• https://documentation.commvault.com/commvault/v11_sp5/article?p=features/alerts/setup_alerts_snmp_trap.htm
20
Thank you for your patience with an old man
and
let’s have a drink now
(and a second, and a third and a…)
OSMC 2019 | Monitoring Windows Events without Monitoring Logfiles  by Martin Fürstenau