87. Microsoft System Center Configuration Manager
System Center Configuration Manager (SCCM) is a software management suite that enables administrators to manage the deployment and security of devices, applications and operating system patches across a corporate network. SCCM is part of the Microsoft System Center suite. NXLog can collect and forward the log data created by SCCM.
87.1. SCCM log types
SCCM log files can be organized into three categories:

Client log files
    Logs related to client operation and installation.
Server log files
    Logs on the server or related to specific system roles.
Log files by functionality
    Logs related to application management, endpoint protection, software updates and so on.
SCCM stores log files in various locations depending on the process originator and system configuration.
87.2. Collecting SCCM logs from log files
SCCM client and server components record process information in log files, which are useful for initial troubleshooting.
SCCM enables logging for client and server components by default. NXLog can collect these events with the im_file module.
The following configuration uses the im_file module to collect the log files and parses their contents with regular expressions to extract the fields. It defines two regular expressions, type1 and type2, one for each of the two line formats found in SCCM logs, so that the proper fields are extracted from either format.
<Extension json>
    Module  xm_json
</Extension>

define type1 /(?x)^(?<Message>.*)\$\$\<\
             (?<Component>.*)\>\<\
             (?<EventTime>.*).\d{3}-\d{2}\>\<thread=\
             (?<Thread>\d+)/s

define type2 /(?x)^\<\!\[LOG\[(?<Message>.*)\]LOG\]\!\>\<time=\"\
             (?<Time>.*).\d{3}-\d{2}\"\s+date=\"\
             (?<Date>.*)\"\s+component=\"\
             (?<Component>.*)\"\s+context=\"\
             (?<Context>.*)\"\s+type=\"\
             (?<Type>.*)\"\s+thread=\"\
             (?<Thread>.*)\"\s+file=\"\
             (?<File>.*)\"\>/s

<Input in>
    Module  im_file
    File    'C:\WINDOWS\SysWOW64\CCM\Logs\*'
    File    'C:\WINDOWS\System32\CCM\Logs\*'
    File    'C:\Program Files\Microsoft Configuration Manager\Logs\*'
    File    'C:\Program Files\SMS_CCM\Logs\*'
    <Exec>
        if file_name() =~ /^.*\\(.*)$/ $Filename = $1;
        if $raw_event =~ %type1%;
        else
        if $raw_event =~ %type2%
        {
            $EventTime = $Date + " " + $Time;
            delete($Date);
            delete($Time);
        }
        else
            $Message = $raw_event;
        $EventTime = strptime($EventTime, '%m-%d-%Y %H:%M:%S');
        to_json();
    </Exec>
</Input>
{
  "EventReceivedTime": "2019-11-06T21:29:38.585187+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "Filename": "MP_Framework.log",
  "Component": "MpFramework",
  "Context": "",
  "File": "mpstartuptask.cpp:122",
  "Message": "Policy request file doesn't exist.",
  "Thread": "7824",
  "Type": "1",
  "EventTime": "2019-11-06T21:29:38.000000+01:00"
}
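To check the two patterns against sample lines without a running NXLog agent, here is an added Python re-implementation of the parsing done in the Exec block above. It is not NXLog code or part of the original guide; the two sample log lines are constructed, and the field names follow the config's capture groups.

```python
import re
from datetime import datetime

# Same two line shapes as the %type1% and %type2% defines in the NXLog config,
# written as Python verbose regexes so they can be exercised offline.
TYPE1 = re.compile(r'''^(?P<Message>.*)\$\$<
    (?P<Component>.*)><
    (?P<EventTime>.*).\d{3}-\d{2}><thread=
    (?P<Thread>\d+)''', re.X | re.S)

TYPE2 = re.compile(r'''^<!\[LOG\[(?P<Message>.*)\]LOG\]!><time="
    (?P<Time>.*).\d{3}-\d{2}"\s+date="
    (?P<Date>.*)"\s+component="
    (?P<Component>.*)"\s+context="
    (?P<Context>.*)"\s+type="
    (?P<Type>.*)"\s+thread="
    (?P<Thread>.*)"\s+file="
    (?P<File>.*)">''', re.X | re.S)


def parse_sccm_line(raw_event: str, file_name: str) -> dict:
    """Mirror the Exec block: try type1, then type2, else keep the raw line."""
    # file_name() =~ /^.*\\(.*)$/ keeps the part after the last backslash
    # (here the whole name is kept when there is no backslash at all)
    record = {"Filename": file_name.rsplit("\\", 1)[-1]}
    m1 = TYPE1.match(raw_event)
    m2 = None if m1 else TYPE2.match(raw_event)
    if m1:
        record.update(m1.groupdict())
    elif m2:
        fields = m2.groupdict()
        # The config concatenates the separate date and time fields into EventTime
        fields["EventTime"] = fields.pop("Date") + " " + fields.pop("Time")
        record.update(fields)
    else:
        record["Message"] = raw_event
    # strptime('%m-%d-%Y %H:%M:%S') as in the config; skipped when nothing matched
    if "EventTime" in record:
        record["EventTime"] = datetime.strptime(record["EventTime"], "%m-%d-%Y %H:%M:%S")
    return record


# Constructed sample lines in the two formats (not real log excerpts)
SAMPLE_TYPE1 = "Successfully initialized.$$<CcmExec><11-06-2019 21:29:38.585-60><thread=7824 (0x1E90)>"
SAMPLE_TYPE2 = ("<![LOG[Policy request file doesn't exist.]LOG]!>"
                '<time="21:29:38.585-60" date="11-06-2019" component="MpFramework" '
                'context="" type="1" thread="7824" file="mpstartuptask.cpp:122">')

if __name__ == "__main__":
    for line in (SAMPLE_TYPE1, SAMPLE_TYPE2, "not an SCCM log line"):
        print(parse_sccm_line(line, r"C:\WINDOWS\System32\CCM\Logs\MP_Framework.log"))
```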
87.3. Collecting SCCM logs from a Microsoft SQL Database
SCCM logs events into a Microsoft SQL Server database. NXLog can collect these events with the im_odbc module.
For this, an ODBC System Data Source needs to be configured, either on the server running NXLog or on a remote server if the log data is to be retrieved via ODBC remotely.
For more information, consult the relevant ODBC documentation: the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.
The configuration example below contains two im_odbc module instances to fetch data from the following two views:
- V_SMS_Alert — lists information about built-in and user created alerts, which might be displayed in the SCCM console.
- V_StatMsgWithInsStrings — lists information about status messages returned by each SCCM component.
Note: SCCM provides an overview of audit-related information in the Monitoring > Overview > System Status > Status Message Queries list in the GUI. SCCM stores audit-related information in the V_StatMsgWithInsStrings view of the SQL database.
Note: Audit-related messages are vital for tracking which accounts have modified or deleted settings in the SCCM environment. These messages are purged from the database after 180 days.
Queries are based on the Microsoft System Center Configuration Manager Schema. For more information, see the Status and alert views section in the SCCM documentation.
<Extension _json>
    Module  xm_json
</Extension>

<Input sccm_alerts>
    Module            im_odbc
    ConnectionString  DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
    SQL               SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, \
                      ObjectWmiClass,Severity FROM V_SMS_Alert
</Input>

<Input sccm_audit>
    Module            im_odbc
    ConnectionString  DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
    SQL               SELECT * FROM v_StatMsgWithInsStrings
</Input>

<Output outfile>
    Module  om_file
    File    'C:\logs\out.log'
    Exec    to_json();
</Output>

<Route sccm>
    Path    sccm_alerts, sccm_audit => outfile
</Route>
{
  "RecordID": 72057594037934110,
  "ModuleName": "SMS Provider",
  "Severity": 1073741824,
  "MessageID": 30063,
  "ReportFunction": 0,
  "SuccessfulTransaction": 0,
  "PartOfTransaction": 0,
  "PerClient": 0,
  "MessageType": 768,
  "Win32Error": 0,
  "Time": "2019-02-28T20:35:59.010000+01:00",
  "SiteCode": "CND",
  "TopLevelSiteCode": "",
  "MachineName": "Host.DOMAIN.local",
  "Component": "Microsoft.ConfigurationManagement.exe",
  "ProcessID": 1236,
  "ThreadID": 6112,
  "InsString1": "DOMAIN\\admin",
  "InsString2": "CND00001",
  "InsString3": "NXLog",
  "InsString4": "SMS_R_System",
  "EventReceivedTime": "2019-02-28T21:36:04.986375+01:00",
  "SourceModuleName": "sccm_in",
  "SourceModuleType": "im_odbc"
}