-- -- This MIB file accompanies an explanatory article, which is located -- at http://www.networkcircus.com/articles/20050715.html -- EVNTAGENT-MIB DEFINITIONS ::= BEGIN IMPORTS OBJECT-TYPE, enterprises FROM SNMPv2-SMI TRAP-TYPE FROM RFC-1215; -- -- The OID tree through microsoft.software.eventlog.evntagent -- microsoft OBJECT IDENTIFIER ::= { enterprises 311 } software OBJECT IDENTIFIER ::= { microsoft 1 } eventlog OBJECT IDENTIFIER ::= { software 13 } evntagent OBJECT IDENTIFIER ::= { eventlog 1 } -- -- The next set of OID values identify the event source by name. See -- http://msdn.microsoft.com/library/en-us/debug/base/event_sources.asp -- for a discussion on event source naming. -- -- Note that the sequence of OID values represent multiple data elements. -- The first OID value provides the number of ASCII characters from the -- event source name itself (for example, "Service Control Manager" is 23 -- characters long so its first OID value is "23", while "DNS" has 3 -- characters so its first OID value is "3"). The OID values that follow -- provide the ASCII representation of the source name, with one OID per -- character (for example, the "DNS" event source has the OID sequence of -- "68.88.83", after the length indicator of "3"). -- -- The exception to this rule is the trap data, which always has the OID -- value of "9999". -- eventData OBJECT IDENTIFIER ::= { evntagent 9999 } security OBJECT IDENTIFIER ::= { evntagent 8 83 101 99 117 114 105 116 121 } svcCtlMgr OBJECT IDENTIFIER ::= { evntagent 23 83 101 114 118 105 99 101 32 67 111 110 116 114 111 108 32 77 97 110 97 103 101 114 } w32Time OBJECT IDENTIFIER ::= { evntagent 7 87 51 50 84 105 109 101 } -- -- the event trap data -- eventText OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The event message text. The message data is populated with the variable data below." ::= { eventData 1 } eventUserId OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The user ID of the process that generated the event." ::= { eventData 2 } eventSystem OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The computername of the host that generated the event." ::= { eventData 3 } -- -- The event type provides the event and/or auditing severity level. -- http://msdn.microsoft.com/library/en-us/debug/base/event_types.asp -- defines the event types that are available. -- -- NB: There is no "success" type. Event sources typically use the -- "Informational" event type to convey non-error events. -- -- 1 = Error -- 2 = Warning -- 4 = Informational -- 8 = Success Audit -- 16 = Failure Audit -- eventType OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The numeric code value of the event type." ::= { eventData 4 } -- -- The event category is a numbered sub-class for a specific event source. -- http://msdn.microsoft.com/library/en-us/debug/base/event_categories.asp -- briefly describes this model and its purpose. NB: the category values -- are specific to the different event sources, and are not global values. -- eventCategory OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "The numeric code value of the event category." ::= { eventData 5 } -- -- Each event provides additional structured data as a list of sequential -- variables. Sometimes the event variable array will also differ accross -- platform lines, even for the same event. -- eventVar1 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 6 } eventVar2 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 7 } eventVar3 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 8 } eventVar4 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 9 } eventVar5 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 10 } eventVar6 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 11 } eventVar7 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 12 } eventVar8 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 13 } eventVar9 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 14 } eventVar10 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 15 } eventVar11 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 16 } eventVar12 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 17 } eventVar13 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 18 } eventVar14 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 19 } eventVar15 OBJECT-TYPE SYNTAX OCTET STRING MAX-ACCESS read-only STATUS current DESCRIPTION "Event-specific variable data" ::= { eventData 20 } -- -- some common security audit events -- -- -- XP/SP2 doesn't issue this, but Server 2003/SP1 does -- w32SystemStartup TRAP-TYPE ENTERPRISE security VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory } DESCRIPTION "Windows is starting up." ::= 512 -- -- XP/SP2 issues this, but Server 2003/SP1 doesn't -- w32SystemShutdown TRAP-TYPE ENTERPRISE security VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory } DESCRIPTION "Windows is shutting down." ::= 513 -- -- Local logon, as opposed to network logon (see below) -- w32LogonSuccess TRAP-TYPE ENTERPRISE security VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "Logon succeeded." ::= 528 -- -- XP only uses 11 variables for logonFailure, while Windows Server 2003 -- uses 16 variables -- w32LogonFailure TRAP-TYPE ENTERPRISE security VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "Logon failed." ::= 529 w32LogoffSuccess TRAP-TYPE ENTERPRISE security VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "Logoff succeeded." ::= 538 -- -- Network logon, as opposed to local logon (see above) -- w32NetLogonSuccess TRAP-TYPE ENTERPRISE security VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "Network logon succeeded." ::= 540 -- -- some Service Control Manager Events -- w32ServiceDiedHung TRAP-TYPE ENTERPRISE svcCtlMgr VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "The service hung on starting." ::= 3221232492 w32ServiceDiedSysErr TRAP-TYPE ENTERPRISE svcCtlMgr VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "The service terminated with the following error." ::= 3221232493 w32ServiceDiedSvcErr TRAP-TYPE ENTERPRISE svcCtlMgr VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "The service terminated with a service-specific error." ::= 3221232494 w32ServiceStartHung TRAP-TYPE ENTERPRISE svcCtlMgr VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "The service terminated with the following error." ::= 3221232495 w32ServiceControlSuccess TRAP-TYPE ENTERPRISE svcCtlMgr VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "The service was successfully sent a state-change signal." ::= 1073748859 w32ServiceStateChange TRAP-TYPE ENTERPRISE svcCtlMgr VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "The service has changed its running state." ::= 1073748860 -- -- two NTP synchronization events -- -- -- These don't get trapped for some reason. One clue here is that the -- trap OID values are different from the Event ID values -- w32NtpSynchSuccess TRAP-TYPE ENTERPRISE w32Time VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "NTP time synchronization has succeeded." ::= 1113194531 w32NtpInaccessible TRAP-TYPE ENTERPRISE w32Time VARIABLES { eventText, eventUserId, eventSystem, eventSource, eventCategory, eventVar1, eventVar2, eventVar3, eventVar4, eventVar5, eventVar6, eventVar7, eventVar8, eventVar9, eventVar10, eventVar11, eventVar12, eventVar13, eventVar14, eventVar15 } DESCRIPTION "None of the NTP time providers are accessible." ::= 3260678173 END