Each SNMP trap created from a Windows NT event includes at least the following nine components.
The last five of these components comprise the variable bindings (VarBind) list. If any insertion strings are included in the message, they are added as additional VarBinds.
Object Identifier (Object ID)
The Object ID is used in all SNMP traps sent by the Event to Trap Translator. It contains three parts. The first two parts are Microsoft's Enterprise Object ID (1.3.6.1.4.1.311) and a sequence indicating that the trap was sent by the Event to Trap Translator (1.4.1). So each Object ID sent by the Event to Trap Translator begins with the sequence
1.3.6.1.4.1.311.1.4.1
The remainder of the Object ID is generated from the Event Source as it appears in the Event Viewer, for example "SMS" or "MSSQLServer". Each character of the Event Source string is converted to its ASCII value ("SMS" becomes 83 77 83), and these values are preceded by the length of the string (3 in this instance). So, for the string "SMS", the variable portion of the Object ID is 3.83.77.83 and the final Object ID is
1.3.6.1.4.1.311.1.4.1.3.83.77.83
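The Object ID construction above is easy to get wrong in a trap collector that has to map OIDs back to Event Source names, so here is an added example (not part of the Resource Kit documentation or of the Event to Trap Translator itself) that performs the mapping in both directions. The function names are assumptions; the prefix 1.3.6.1.4.1.311.1.4.1 and the length-then-ASCII encoding are taken from the text. The decoder refuses OIDs whose length arc does not match the number of character arcs, or whose character arcs are not printable ASCII, which is the check a receiver wants before trusting an Event Source name taken from an unauthenticated SNMPv1 trap.

```python
# Added example: encode an Event Source name into an Event to Trap Translator
# Object ID and decode such an OID back into the source name.
# Function names are assumptions; the OID layout follows the Resource Kit text.

# Microsoft enterprise OID followed by the Event to Trap Translator branch (1.4.1).
ETT_PREFIX = "1.3.6.1.4.1.311.1.4.1"


def source_to_oid(source: str) -> str:
    """Append the string length, then the ASCII code of each character, to the prefix."""
    if not source or not source.isascii():
        raise ValueError("Event Source must be a non-empty ASCII string")
    codes = [str(ord(ch)) for ch in source]
    return ".".join([ETT_PREFIX, str(len(source))] + codes)


def oid_to_source(oid: str) -> str:
    """Reverse the mapping; raise ValueError for anything that is not a well-formed ETT OID."""
    prefix = ETT_PREFIX + "."
    if not oid.startswith(prefix):
        raise ValueError("not an Event to Trap Translator OID")
    try:
        arcs = [int(a) for a in oid[len(prefix):].split(".")]
    except ValueError:
        raise ValueError("non-numeric arc in OID") from None
    length, codes = arcs[0], arcs[1:]
    if length != len(codes):
        # A mismatch means a truncated or tampered OID; do not guess at the name.
        raise ValueError(f"length arc {length} does not match {len(codes)} character arcs")
    if any(not 32 <= c <= 126 for c in codes):
        raise ValueError("character arc outside printable ASCII")
    return "".join(chr(c) for c in codes)


if __name__ == "__main__":
    for name in ("SMS", "MSSQLServer"):
        oid = source_to_oid(name)
        print(f"{name!r:14} -> {oid} -> {oid_to_source(oid)!r}")
```

Running the block prints the "SMS" OID from the text and the longer "MSSQLServer" OID (length arc 11 followed by eleven character arcs), and shows each decoding back to the original name.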
Network Address
The IP address of the computer generating the trap.
Generic trap ID
For translated Windows NT events, this is always 6, indicating an enterprise-specific trap.
Specific trap ID
This is the 32-bit Event ID of the Windows NT Event.
Bits 31 and 32 of the 32-bit event ID are the default severity of the error, normally displayed either as an icon representation in the Windows NT Event Log, or as the Type entry when viewing an event in detail. They can be interpreted as follows:
Bits 31-32 | Severity
00 | Success
01 | Informational
10 | Warning
11 | Error
In the Event Viewer you see only the lower 16 bits of the event ID: the low-order 16 bits of the specific trap ID are the Windows NT event ID displayed in the Windows NT Event Log. To interpret them, convert those 16 bits from hexadecimal to decimal; the result is the Event ID number, which you can then use to look up the event.
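The following added example (not from the Resource Kit) splits a specific trap ID into the two severity bits and the 16-bit Event Viewer event ID described above. The function names and the sample trap values are assumptions. One caveat the text does not spell out: the SNMPv1 specific-trap field is an ASN.1 INTEGER, and some trap receivers hand a 32-bit value with the top bit set (every Warning and Error event) to the caller as a negative signed integer, so the decoder normalises negative inputs back to the unsigned 32-bit form before reading the bits.

```python
# Added example: decode the specific trap ID of a translated Windows NT event.
# Bits 31 and 32 (counting from 1, i.e. the two most significant bits) carry the
# severity; the low-order 16 bits are the event ID shown in the Event Viewer.
# Function names and sample values are assumptions, not part of the Resource Kit.

SEVERITY = {0b00: "Success", 0b01: "Informational", 0b10: "Warning", 0b11: "Error"}


def normalise_specific_trap(value: int) -> int:
    """Return the unsigned 32-bit form; receivers may deliver the field as a signed INTEGER."""
    if -0x80000000 <= value < 0:
        value &= 0xFFFFFFFF
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("specific trap ID must fit in 32 bits")
    return value


def decode_specific_trap(value: int) -> dict:
    """Split a specific trap ID into severity name, Event Viewer event ID and hex form."""
    raw = normalise_specific_trap(value)
    severity_bits = (raw >> 30) & 0b11   # two most significant bits
    event_id = raw & 0xFFFF              # the part displayed in the Event Viewer
    return {
        "severity": SEVERITY[severity_bits],
        "event_id": event_id,
        "hex": f"0x{raw:08X}",
    }


def is_actionable(value: int) -> bool:
    """True for Warning and Error events, the usual trigger for a collector alert rule."""
    return (normalise_specific_trap(value) >> 31) & 1 == 1


if __name__ == "__main__":
    # Constructed sample values: one per severity, plus the signed form of the Error one.
    samples = [0x00000007, 0x400003E8, 0x80000010, 0xC0000001, -1073741823]
    for s in samples:
        d = decode_specific_trap(s)
        print(f"{s:>12} -> {d['hex']}  {d['severity']:<13} event {d['event_id']}")
```

The decoder reads only the fields the text defines; the remaining bits between the severity and the event ID are left untouched, which is why it works on the full 32-bit value and on the sign-wrapped value alike.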
You can use ERROR32.EXE, included with this Resource Kit, to display the text of an error message for a specified Windows NT (Win32 subsystem, driver, or service) error code.
Timestamp
The time (in hundredths of a second) since the SNMP agent was started.
Message
The message component is provided by calling the Win32 API FormatMessage() for the data from the Event Record. It is of SNMP type DisplayString. The message component lists the string associated with the event, with the string substitutions supplied. Any formatting characters, such as new lines and tabs, are also converted.
Each insertion string will be included as a separate VarBind. These insertion string VarBinds appear at the end of the trap.
UserName
This is the user name of the account from which the event was generated. It is equivalent to the User field in the Event Viewer, and is of SNMP type DisplayString.
ComputerName
This is the name of the computer from which the event was generated. It is equivalent to the Computer field in the Event Viewer, and is of SNMP type DisplayString.
EventType
This is the classification type of the event by the NT operating system (for example, "Information," "Error," "Warning"). It is equivalent to the Type field in the Event Viewer, and is of SNMP type DisplayString.
EventCategory
This is the classification of the event, as defined by the source. It is equivalent to the Category field in the Event Viewer, and is of SNMP type DisplayString.