NXLog Docs

Microsoft System Center Configuration Manager

System Center Configuration Manager (SCCM) is a software management suite that enables administrators to manage the deployment and security of devices, applications and operating system patches across a corporate network. SCCM is part of the Microsoft System Center suite. NXLog can collect and forward the log data created by SCCM.

SCCM log types

SCCM log files can be organized into three categories:

Client log files

Logs related to client operation and installation.

Server log files

Logs on the server or related to specific system roles.

Log files by functionality

Logs related to application management, endpoint protection, software updates and so on.

SCCM stores log files in various locations depending on the process originator and system configuration.

Collecting SCCM logs from log files

SCCM client and server components record process information in log files. These log files are usable for initial troubleshooting if needed.

SCCM enables logging for client and server components by default. NXLog can collect these events with the im_file module.

Example 1. Configuration for file based logs

The following configuration uses the im_file module for collecting the log files and parses the contents via regular expressions to extract the fields. It contains two types of custom regular expressions for the usage of proper fields.

<Extension json>
    Module    xm_json

define  type1 /(?x)^(?<Message>.*)\$\$\<\

define  type2 /(?x)^\<\!\[LOG\[(?<Message>.*)\]LOG\]\!\>\<time=\"\

<Input in>
    Module    im_file
    File      'C:\WINDOWS\SysWOW64\CCM\Logs\*'
    File      'C:\WINDOWS\System32\CCM\Logs\*'
    File      'C:\Program Files\Microsoft Configuration Manager\Logs\*'
    File      'C:\Program Files\SMS_CCM\Logs\*'
        if file_name() =~ /^.*\\(.*)$/ $Filename = $1;
        if $raw_event =~ %type1%;
        if $raw_event =~ %type2%
             $EventTime = $Date + " " + $Time;
        $Message = $raw_event;
        $EventTime = strptime($EventTime, '%m-%d-%Y %H:%M:%S'); 
Output sample from MP_Framework.log
  "EventReceivedTime": "2019-11-06T21:29:38.585187+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "Filename": "MP_Framework.log",
  "Component": "MpFramework",
  "Context": "",
  "File": "mpstartuptask.cpp:122",
  "Message": "Policy request file doesn't exist.",
  "Thread": "7824",
  "Type": "1",
  "EventTime": "2019-11-06T21:29:38.000000+01:00"

Collecting SCCM logs from a Microsoft SQL Database

SCCM logs events into a Microsoft SQL Server database. NXLog can collect these events with the im_odbc module.

For this, an ODBC System Data Source need to be configured either on the server running NXLog or on a remote server, in the case you would like to get log data via ODBC remotely.

For more information, consult the relevant ODBC documentation; the Microsoft ODBC Data Source Administrator guide or the unixODBC Project.

The below configuration example contains two im_odbc module instances to fetch data from the following two views:

  • V_SMS_Alert — lists information about built-in and user created alerts, which might be displayed in the SCCM console.

  • V_StatMsgWithInsStrings — lists information about status messages returned by each SCCM component.

SCCM provides an overview of audit related information in the Monitoring > Overview > System Status > Status Message Queries list in the GUI. SCCM stores audit related information in the V_StatMsgWithInsStrings view of the SQL database.
Audit related messages are vital to track which accounts have modified or deleted settings in the SCCM environment. These messages are purged from the database after 180 days.

Queries are based on the Microsoft System Center Configuration Manager Schema. For more information, see the Status and alert views section in the SSCM documentation.

Example 2. Configuration with two SQL queries and a combined output
<Extension _json>
    Module              xm_json

<Input sccm_alerts>
    Module              im_odbc
    ConnectionString    DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
    SQL                 SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, \
                        ObjectWmiClass,Severity FROM V_SMS_Alert

<Input sccm_audit>
    Module              im_odbc
    ConnectionString    DSN=SMS SQL;database=CM_CND;uid=user;pwd=password;
    SQL                 SELECT * FROM v_StatMsgWithInsStrings

<Output outfile>
    Module              om_file
    File                'C:\logs\out.log'
    Exec                to_json();

<Route sccm>
    Path                sccm_alerts, sccm_audit => outfile
Output.log (audit query)
  "RecordID": 72057594037934110,
  "ModuleName": "SMS Provider",
  "Severity": 1073741824,
  "MessageID": 30063,
  "ReportFunction": 0,
  "SuccessfulTransaction": 0,
  "PartOfTransaction": 0,
  "PerClient": 0,
  "MessageType": 768,
  "Win32Error": 0,
  "Time": "2019-02-28T20:35:59.010000+01:00",
  "SiteCode": "CND",
  "TopLevelSiteCode": "",
  "MachineName": "Host.DOMAIN.local",
  "Component": "Microsoft.ConfigurationManagement.exe",
  "ProcessID": 1236,
  "ThreadID": 6112,
  "InsString1": "DOMAIN\\admin",
  "InsString2": "CND00001",
  "InsString3": "NXLog",
  "InsString4": "SMS_R_System",
  "EventReceivedTime": "2019-02-28T21:36:04.986375+01:00",
  "SourceModuleName": "sccm_in",
  "SourceModuleType": "im_odbc"

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

NXLog version 5.5.7535
Windows Server 2019
Windows Server 2022

Last revision: 20 April 2022