97. Microsoft System Center Configuration Manager

Table of Contents

System Center Configuration Manager (SCCM) is a software management suite that enables administrators to manage the deployment and security of devices, applications and operating system patches across a corporate network. SCCM is part of the Microsoft System Center suite. NXLog can collect and forward the log data created by SCCM.

97.1. SCCM log types

SCCM log files can be organized into three categories:

Client log files	Logs related to client operation and installation.
Server log files	Logs on the server or related to specific system roles.
Log files by functionality	Logs related to application management, endpoint protection, software updates and so on.

SCCM stores log files in various locations depending on the process originator and system configuration.

97.2. Collecting SCCM logs from log files

SCCM client and server components record process information in log files. These log files are usable for initial troubleshooting if needed.

SCCM enables logging for client and server components by default. NXLog can collect these events with the im_file module.

Example 465. Configuration for file based logs

The following configuration uses the im_file module for collecting the log files and parses the contents via regular expressions to extract the fields. It contains two types of custom regular expressions for the usage of proper fields.

nxlog.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

  <Extension json>
    Module    xm_json
</Extension>

define  type1 /(?x)^(?<Message>.*)\$\$\<\
              (?<Component>.*)\>\<\
              (?<EventTime>.*).\d{3}-\d{2}\>\<thread=\
              (?<Thread>\d+)/s

define  type2 /(?x)^\<\!\[LOG\[(?<Message>.*)\]LOG\]\!\>\<time=\"\
              (?<Time>.*).\d{3}-\d{2}\"\s+date=\"\
              (?<Date>.*)\"\s+component=\"\
              (?<Component>.*)\"\s+context=\"\
              (?<Context>.*)\"\s+type=\"\
              (?<Type>.*)\"\s+thread=\"\
              (?<Thread>.*)\"\s+file=\"\
              (?<File>.*)\"\>/s


<Input in>
    Module    im_file
    File      'C:\WINDOWS\SysWOW64\CCM\Logs\*'
    File      'C:\WINDOWS\System32\CCM\Logs\*'
    File      'C:\Program Files\Microsoft Configuration Manager\Logs\*'
    File      'C:\Program Files\SMS_CCM\Logs\*'
    <Exec>
        if file_name() =~ /^.*\\(.*)$/ $Filename = $1;
        if $raw_event =~ %type1%;
        else
        if $raw_event =~ %type2%
            {
             $EventTime = $Date + " " + $Time;
             delete($Date);
             delete($Time);
            }
        else
        $Message = $raw_event;
        $EventTime = strptime($EventTime, '%m-%d-%Y %H:%M:%S');
        to_json();
    </Exec>
</Input>

Output sample from MP_Framework.log

{
  "EventReceivedTime": "2019-11-06T21:29:38.585187+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "Filename": "MP_Framework.log",
  "Component": "MpFramework",
  "Context": "",
  "File": "mpstartuptask.cpp:122",
  "Message": "Policy request file doesn't exist.",
  "Thread": "7824",
  "Type": "1",
  "EventTime": "2019-11-06T21:29:38.000000+01:00"
}

Link to this example.

97.3. Collecting SCCM logs from a Microsoft SQL Database

SCCM logs events into a Microsoft SQL Server database. NXLog can collect these events with the im_odbc module.

For this, an ODBC System Data Source need to be configured either on the server running NXLog or on a remote server, in the case you would like to get log data via ODBC remotely.

For more information, consult the relevant ODBC documentation; the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.

The below configuration example contains two im_odbc module instances to fetch data from the following two views:

V_SMS_Alert — lists information about built-in and user created alerts, which might be displayed in the SCCM console.
V_StatMsgWithInsStrings — lists information about status messages returned by each SCCM component.

Note	SCCM provides an overview of audit related information in the Monitoring > Overview > System Status > Status Message Queries list in the GUI. SCCM stores audit related information in the V_StatMsgWithInsStrings view of the SQL database.

Note	Audit related messages are vital to track which accounts have modified or deleted settings in the SCCM environment. These messages are purged from the database after 180 days.

Queries are based on the Microsoft System Center Configuration Manager Schema. For more information, see the Status and alert views section in the SSCM documentation.

Example 466. Configuration with two SQL queries and a combined output

nxlog.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

  <Extension _json>
    Module              xm_json
</Extension>

<Input sccm_alerts>
    Module              im_odbc
    ConnectionString    DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
    SQL                 SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, \
                        ObjectWmiClass,Severity FROM V_SMS_Alert
</Input>

<Input sccm_audit>
    Module              im_odbc
    ConnectionString    DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
    SQL                 SELECT * FROM v_StatMsgWithInsStrings
</Input>

<Output outfile>
    Module              om_file
    File                'C:\logs\out.log'
    Exec                to_json();
</Output>

<Route sccm>
    Path                sccm_alerts, sccm_audit => outfile
</Route>

Output.log (audit query)

{
  "RecordID": 72057594037934110,
  "ModuleName": "SMS Provider",
  "Severity": 1073741824,
  "MessageID": 30063,
  "ReportFunction": 0,
  "SuccessfulTransaction": 0,
  "PartOfTransaction": 0,
  "PerClient": 0,
  "MessageType": 768,
  "Win32Error": 0,
  "Time": "2019-02-28T20:35:59.010000+01:00",
  "SiteCode": "CND",
  "TopLevelSiteCode": "",
  "MachineName": "Host.DOMAIN.local",
  "Component": "Microsoft.ConfigurationManagement.exe",
  "ProcessID": 1236,
  "ThreadID": 6112,
  "InsString1": "DOMAIN\\admin",
  "InsString2": "CND00001",
  "InsString3": "NXLog",
  "InsString4": "SMS_R_System",
  "EventReceivedTime": "2019-02-28T21:36:04.986375+01:00",
  "SourceModuleName": "sccm_in",
  "SourceModuleType": "im_odbc"
}

Link to this example.

Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 11 January 2020

You are here

97. Microsoft System Center Configuration Manager | Log Collection Solutions

NXLog User Guide