Utilizing Intel vPro AMT Technology with Task Server, Part 4: SNMP Alerts

Joel Smith

Parts 5 and 6 of this article series came out before Part 4, largely due to relevancy. Due to current limitations, SNMP alerts can be used for reporting and delayed action. SNMP alerts can be configured in Real-Time System Manager or Task Server, and with Notification Server's SNMP receiver the alerts can be compiled and can even have actions initiated on them. The one caveat that lowers the power of this feature is the absence of a real-time system to act on critical alerts.

Introduction

SNMP alerts are supported by Intel AMT systems, and a range of alerts is available for configuration. Currently only a limited number can be active at a given time, and this is where the ability to configure the alerts via the Altiris Manageability Toolkit for vPro Technology and Task Server comes in useful. Computer manufacturers can set default alerts, and have done so, but all of this can be changed via a Task Server task. Beyond that, Notification Server's SNMP engine can accept incoming alerts and log them into the database, making the data available via Notification Server's reporting tools. As an extension of that, reports can be made actionable by a Notification Policy that creates a Helpdesk incident or kicks off a notification email.

Configuring SNMP Alerts

Task Server provides a one-to-many job that removes, adds, or otherwise updates the active SNMP alerts within AMT. Since the manufacturer often enables some of these events by default, use the following process to set up the alerts you want in your environment.

  1. In the Altiris Console browse to Manage > Jobs > Tasks and Jobs > Server Jobs > Real-Time Console Infrastructure.
  2. Right-click on Real-Time Console Infrastructure and choose New > Job/Task.
  3. In the New Task window browse down and select the Task: Update Intel® AMT Alert Settings.
  4. Provide a new name to differentiate it from the default task, e.g. Update SNMP Alerts to Default.
  5. Under 'SNMP Server' put in the IP address of the Notification Server.
    Note: This can be another SNMP server if you have another SNMP solution available.
  6. Under 'SNMP community' add in the configured community string set on the Notification Server. The default is 'public'.
  7. Check the option 'Send Intel AMT alerts' and click on the link [no alerts].
  8. On the resulting window, check the box 'Remove previously applied alert subscriptions'. This will enable you to set the specific alerts you want without worrying about what alerts might already be enabled by the manufacturer.
  9. From the right-side list select those alerts you want to enable. You can left-click each alert you want. Holding down ctrl is unnecessary in this UI to select multiple alerts.
    Note: The maximum number of alerts you can enable depends on the manufacturer of the computer. For example, on a Dell 755 the maximum number of enabled alerts is 17.
  10. Click the 'Add >>' button.
  11. Click OK.
  12. Click OK on the original screen to save the Task. The task is now available for use. Continue with step 13 on how to send the task out to target systems.
  13. You'll see the new Task created under the Real-Time Console Infrastructure folder. Select the Task.
  14. When the right-pane finishes loading, click the 'Run Now' button.
  15. Provide a run name. This refers to the execute instance and is for tracking purposes.
  16. Review the Profile assignment to ensure the right AMT credentials are specified therein. If not, click on the link and select a working profile.
  17. Click on the Select Computers link and manually add single computers or whole collections. Single-click on single computers to add; double-click collections to add all included computers.
  18. Click OK and then click 'Run Now'.

You can double-click on the run instance down in the lower half of the page to watch the status. Note that the resulting screen will need to be refreshed to get the updated status.

The following details should be reviewed:

  • Agent Presence alerts must have a supporting technology behind them for the alerts to be sent.
  • The Circuit Breaker entry refers to Intel® System Defense, which is referred to as Network Filtering in Task Server and Real-Time System Manager.
  • Cover Open alert must be supported by the system. A system that does not have chassis intrusion technology available will not send this type of event.

Receiving SNMP Data

Setting up SNMP Capture

The first item is the SNMP Service provided by Windows. This is found under Add/Remove Programs > Windows Components > Management and Monitoring Tools > Simple Network Management Protocol. Check this option and install it so it is available.

You may need to start the service once it has been installed. Lastly, double-click on the SNMP Service, click the Traps tab, and enter the community name that is configured on your AMT systems. Under the Security tab also add your community name as an accepted community name and choose the option to allow SNMP from any address.

A number of Solutions install the required component from Altiris for SNMP Alerts to function correctly. The following list provides some of them:

  • HP Client Manager
  • Altiris Dell Client Manager Standard
  • Altiris Dell Client Manager Plus
  • Philips SmartManage Administrator
  • The Connector Solutions

This component is free of charge and can be installed without installing one of the above components. While there isn't a link to install the required piece within the Solution Center, it can be downloaded and installed manually.

Go to http://www.solutionsam.com/solutions/6_0/ and locate the file Altiris_SNMPManage.exe.

After it is installed, no further configuration needs to be done in order to have Notification Server capture and log the events.

Reporting SNMP Events

When events are received on the Notification Server, they are logged into the database. The data is immediately available for reporting. No out of box reports exist for AMT SNMP Alerts, so reports need to be created to view the data. The data is kept in the following tables in the Altiris database:

  • SnmpTrapType - This table contains the trap types available. Note the Type and Description columns for types.
  • SnmpReceivedTrapEnterprise - This table contains the Enterprise type for received traps.
  • SnmpReceivedTrapName - The name refers to the SysObjectID used to send the event.
  • SnmpReceivedTraps - This table contains the Source IP Address, key to linking the trap to a resource within Notification Server. This also contains the Key value, which connects the other tables using the ReceivedTrapKey values.
  • SnmpReceivedVariables - This table contains multiple information values per event, designated by the ReceivedTrapKey.
  • SnmpPetReceivedVariables - This table contains specific information about the PET alert that generated the event.

A few tips when creating Reports on AMT SNMP Alert data:

  1. If you know SQL, the sky is the limit on how you construct your report. If you need to use the report builder, consider the following:
    • The report should be built off the Computer resource type.
    • The criteria will depend on what type of event you're looking to report on. Typically, filter the SnmpPetReceivedVariables table on the columns VariableName = Event Type and Value = your criteria. Use the ReceivedTrapKey value to link each row to the IP Address contained in the SnmpReceivedTraps table, which is then linked to a computer via Basic Inventory. From there you can create a report showing what you want.
    • SQL knowledge is a must to create a working report. Mining the tables as events are coming in will familiarize you with how events are reported.
  2. You should run and save the report on a recurring schedule if it will be the key for a Notification Policy. This can be done as follows:
    1. After the Report is created, at the main report screen, click 'Schedule this report to run'.
    2. Check the box 'Enable Schedule'.
    3. Choose a schedule that will correspond to the Notification Policy, if you will use it in this manner, or schedule it for how often you want the data to be refreshed.
    4. Click Apply to save the schedule.
    5. After a schedule has been set, you can view the saved reports using the 'View saved reports' link on the main page for the report, or you can click the 'Run this report' to refresh the data immediately.
  3. Test the Report to ensure it is working as designed before setting up Notifications to be sent out based off of it. Erroneous reports won't look good!
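
The join described in the tips above, as an added example (not code from the original article or from Altiris) that runs against a constructed in-memory SQLite stand-in rather than the real Altiris database. The table names follow the article; every column name other than ReceivedTrapKey, VariableName and Value is an assumption, and `ComputerInventory` is a hypothetical substitute for Basic Inventory.

```python
import sqlite3

# Constructed stand-in schema. Table names follow the article; column names
# other than ReceivedTrapKey, VariableName and Value are assumptions, and
# ComputerInventory is a hypothetical substitute for Basic Inventory.
SCHEMA = """
CREATE TABLE SnmpReceivedTraps (ReceivedTrapKey INTEGER PRIMARY KEY,
                                SourceIpAddress TEXT, ReceivedTime TEXT);
CREATE TABLE SnmpPetReceivedVariables (ReceivedTrapKey INTEGER,
                                       VariableName TEXT, Value TEXT);
CREATE TABLE ComputerInventory (ComputerName TEXT, IpAddress TEXT);
"""

# Constructed sample rows; the Value strings a real AMT system logs may differ.
TRAPS = [(1, "192.0.2.21", "day1 09:15"), (2, "192.0.2.22", "day1 09:20"),
         (3, "192.0.2.99", "day1 09:31")]
PET_VARS = [(1, "Event Type", "Cover Open"), (1, "Event Severity", "Critical"),
            (2, "Event Type", "Agent Presence"), (3, "Event Type", "Cover Open")]
COMPUTERS = [("WS-ALPHA", "192.0.2.21"), ("WS-BRAVO", "192.0.2.22")]

# PET variable -> trap (ReceivedTrapKey) -> source IP -> computer.
# LEFT JOIN keeps traps whose source IP matches no inventoried computer.
REPORT_SQL = """
SELECT t.ReceivedTime, t.SourceIpAddress, c.ComputerName
FROM SnmpPetReceivedVariables AS v
JOIN SnmpReceivedTraps AS t ON t.ReceivedTrapKey = v.ReceivedTrapKey
LEFT JOIN ComputerInventory AS c ON c.IpAddress = t.SourceIpAddress
WHERE v.VariableName = 'Event Type' AND v.Value = ?
ORDER BY t.ReceivedTime
"""

def build_db():
    """Create the in-memory stand-in database and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO SnmpReceivedTraps VALUES (?, ?, ?)", TRAPS)
    db.executemany("INSERT INTO SnmpPetReceivedVariables VALUES (?, ?, ?)", PET_VARS)
    db.executemany("INSERT INTO ComputerInventory VALUES (?, ?)", COMPUTERS)
    return db

def event_report(db, event_type):
    """Return (time, source IP, computer or None) rows for one PET event type."""
    return db.execute(REPORT_SQL, (event_type,)).fetchall()

def unmatched_sources(rows):
    """Source IPs that sent the event but map to no known computer."""
    return sorted({ip for _, ip, name in rows if name is None})

if __name__ == "__main__":
    rows = event_report(build_db(), "Cover Open")
    print(rows, "unmatched:", unmatched_sources(rows))
```

Rows with no matching computer are worth a separate look before a Notification Policy acts on the report, since the source IP address is the only link between a trap and a resource.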

Creating a Notification Policy

After reports have been created to report SNMP events, Notification Policies can be created to take action against those reports. While limited, this does make it possible to warn about systems that may be compromised, a failing OS, or other hardware-related failures. Use the following process to set up a Notification Policy that sends an email based on a Report:

  1. Since Real-Time Console Infrastructure does not have an area for Notification Policies, it is recommended to use the area located at View > Tasks > Incident Resolution > Incidents > Alert Manager > Notification Policies.
  2. Right-click on Notification Policies and choose New > Notification Policy.
  3. Provide a Name and Description for label and tracking purposes.
  4. Under Source choose Report, and then click the link to select a report. Select the report you wish this Notification Policy to key off of.
  5. Under Enabled Schedule choose an appropriate schedule for how often you'd like the Notification Policy to fire.
  6. Under Add Action Type, choose Email automated Action from the dropdown and click the 'Add' button.
  7. Provide a Name and Description for the action type and check the 'Enabled' box.
  8. Select either Only Once or Once Per Row depending on the nature of the action.
    Note: Once Per Row is not advised unless it is a severe event, such as hard-drive failure events.
  9. Provide the email addresses you wish this email to go to, and provide an appropriate subject name. It is advised to provide a message that will tell the target individuals the nature of the email and what is expected of them.
  10. Click OK to save the action type, and click 'Apply' to save the Notification Policy.
  11. Click Test Notification Policy to see if it functions as you'd expect, but note you will need at least one report generated and saved.

Conclusion

We recognize that the strength of our SNMP integration is in reporting only, and that for critical alerts our implementation is insufficient. The future of these alerts within the Altiris infrastructure will be improved as newer versions are released.
