Microsoft System Center Configuration Manager
System Center Configuration Manager (SCCM) is a software management suite that enables administrators to manage the deployment and security of devices, applications and operating system patches across a corporate network. SCCM is part of the Microsoft System Center suite. NXLog can collect and forward the log data created by SCCM.
SCCM log types
SCCM log files can be organized into three categories:
Client log files |
Logs related to client operation and installation. |
Server log files |
Logs on the server or related to specific system roles. |
Log files by functionality |
Logs related to application management, endpoint protection, software updates and so on. |
SCCM stores log files in various locations depending on the process originator and system configuration.
Collecting SCCM logs from log files
SCCM client and server components record process information in log files. These log files are usable for initial troubleshooting if needed.
SCCM enables logging for client and server components by default. NXLog can collect these events with the im_file module.
The following configuration uses the im_file module for collecting the log files and parses the contents via regular expressions to extract the fields. It contains two types of custom regular expressions for the usage of proper fields.
<Extension json>
Module xm_json
</Extension>
define type1 /(?x)^(?<Message>.*)\$\$\<\
(?<Component>.*)\>\<\
(?<EventTime>.*).\d{3}-\d{2}\>\<thread=\
(?<Thread>\d+)/s
define type2 /(?x)^\<\!\[LOG\[(?<Message>.*)\]LOG\]\!\>\<time=\"\
(?<Time>.*).\d{3}-\d{2}\"\s+date=\"\
(?<Date>.*)\"\s+component=\"\
(?<Component>.*)\"\s+context=\"\
(?<Context>.*)\"\s+type=\"\
(?<Type>.*)\"\s+thread=\"\
(?<Thread>.*)\"\s+file=\"\
(?<File>.*)\"\>/s
<Input in>
Module im_file
File 'C:\WINDOWS\SysWOW64\CCM\Logs\*'
File 'C:\WINDOWS\System32\CCM\Logs\*'
File 'C:\Program Files\Microsoft Configuration Manager\Logs\*'
File 'C:\Program Files\SMS_CCM\Logs\*'
<Exec>
if file_name() =~ /^.*\\(.*)$/ $Filename = $1;
if $raw_event =~ %type1%;
else
if $raw_event =~ %type2%
{
$EventTime = $Date + " " + $Time;
delete($Date);
delete($Time);
}
else
$Message = $raw_event;
$EventTime = strptime($EventTime, '%m-%d-%Y %H:%M:%S');
to_json();
</Exec>
</Input>
{
"EventReceivedTime": "2019-11-06T21:29:38.585187+01:00",
"SourceModuleName": "in",
"SourceModuleType": "im_file",
"Filename": "MP_Framework.log",
"Component": "MpFramework",
"Context": "",
"File": "mpstartuptask.cpp:122",
"Message": "Policy request file doesn't exist.",
"Thread": "7824",
"Type": "1",
"EventTime": "2019-11-06T21:29:38.000000+01:00"
}
Collecting SCCM logs from a Microsoft SQL Database
SCCM logs events into a Microsoft SQL Server database. NXLog can collect these events with the im_odbc module.
For this, an ODBC System Data Source need to be configured either on the server running NXLog or on a remote server, in the case you would like to get log data via ODBC remotely.
For more information, consult the relevant ODBC documentation; the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.
The below configuration example contains two im_odbc
module instances to fetch data from the following two views:
-
V_SMS_Alert — lists information about built-in and user created alerts, which might be displayed in the SCCM console.
-
V_StatMsgWithInsStrings — lists information about status messages returned by each SCCM component.
SCCM provides an overview of audit related information in the Monitoring > Overview > System Status > Status Message Queries list in the GUI. SCCM stores audit related information in the V_StatMsgWithInsStrings view of the SQL database. |
Audit related messages are vital to track which accounts have modified or deleted settings in the SCCM environment. These messages are purged from the database after 180 days. |
Queries are based on the Microsoft System Center Configuration Manager Schema. For more information, see the Status and alert views section in the SSCM documentation.
<Extension _json>
Module xm_json
</Extension>
<Input sccm_alerts>
Module im_odbc
ConnectionString DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
SQL SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, \
ObjectWmiClass,Severity FROM V_SMS_Alert
</Input>
<Input sccm_audit>
Module im_odbc
ConnectionString DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
SQL SELECT * FROM v_StatMsgWithInsStrings
</Input>
<Output outfile>
Module om_file
File 'C:\logs\out.log'
Exec to_json();
</Output>
<Route sccm>
Path sccm_alerts, sccm_audit => outfile
</Route>
{
"RecordID": 72057594037934110,
"ModuleName": "SMS Provider",
"Severity": 1073741824,
"MessageID": 30063,
"ReportFunction": 0,
"SuccessfulTransaction": 0,
"PartOfTransaction": 0,
"PerClient": 0,
"MessageType": 768,
"Win32Error": 0,
"Time": "2019-02-28T20:35:59.010000+01:00",
"SiteCode": "CND",
"TopLevelSiteCode": "",
"MachineName": "Host.DOMAIN.local",
"Component": "Microsoft.ConfigurationManagement.exe",
"ProcessID": 1236,
"ThreadID": 6112,
"InsString1": "DOMAIN\\admin",
"InsString2": "CND00001",
"InsString3": "NXLog",
"InsString4": "SMS_R_System",
"EventReceivedTime": "2019-02-28T21:36:04.986375+01:00",
"SourceModuleName": "sccm_in",
"SourceModuleType": "im_odbc"
}