Getting Data In

How can I monitor SCCM 2012 logs with Splunk?

LarryParker
New Member

We have Splunk as our log and event management solution and are getting ready to roll out Microsoft System Center Configuration Manager 2012. I'd like to use Splunk to index the SCCM logs from our SCCM servers and our SCCM clients - and then build searches and dashboards for SCCM. Is there an app for that? Or, do we need to use the app for Windows and build from there?

Tags (2)
0 Karma

pl2345
Path Finder

I recently got Splunk and SCCM to play nice together. What I ended up doing was taking Ricapars searches, and creating new views in my SQL server using them, because putting the searches into DBConnect wouldn't allow me to save them. From there I created new dbconnect searches using just those queries and rebuilt the dashboards. I'm working on getting the permissions from the company to publish the app, so hopefully that will help.

0 Karma

princemanto2580
Path Finder

I have MS-SCCM in my Customer Location and integrated with Splunk with the help of DB-Connect. Can anyone help with the queries for Client Status Messages, Client Software Inventory, Client Health and Client Endpoint Protection?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Also, I am moving this to a comment under the question itself.

0 Karma

princemanto2580
Path Finder

I have already created a separate thread for the same.

https://answers.splunk.com/answers/657104/sccm-queries-for-integration-with-splunk.html

Anyways, thanks for showing the missing details on this question.

Work was done so far: Successfully configure the DB-Connect on Splunk to read the entire SCCM-DB.
SCCM version: 2012 R2 (Build : 1706)
Splunk Version: 6.5.0 (on premise)

0 Karma

Richfez
SplunkTrust
SplunkTrust

princemanto,

You would be much better served by creating a new question for your problem. This thread is several years old.

What you wrote above is a great start to that question, if you could just add in which SCCM version you are using (And isn't MS hosting a version of that in the cloud now? If so, make sure to specify if it's on prem or cloud), and what you've done so far, I think someone can help you with an answer!

Thanks, and looking forward to your question!
-Rich

0 Karma

cam343
Path Finder

HI Everyone,

I recommend this app: https://github.com/Ricapar/splunk-sccm
I believe it was designed for the challengepost.com competition and was one of the winner(s).

Cheers

0 Karma

jeremyarcher
Path Finder

Thanks, cam343,

Do you have experience using this? And have you been successful in getting Endpoint Protection data into Splunk?

0 Karma

carasso
Splunk Employee
Splunk Employee

We're hosting a contest for the best SCCM app.

http://splunk.challengepost.com/

Microsoft SCCM - The first place winner in the Microsoft SCCM app category wins $30,000 and a complimentary pass to .conf 2015 - Splunk's premier annual user conference. Value: approx. $1,695.

Innovation - The first place winner in the Innovation category wins $20,000 and a complimentary pass to .conf 2015 - Splunk's premier annual user conference.

bsbrignac
Engager

Yea someone made a nice app for that, then disappeared it from the internet, so.... not fun.

0 Karma

nick405060
Motivator

Yeah Splunk gave him $30k for an app that immediately ceased to work and he did not bother to fix the app and just ran with the money. Fun.

Thirty. Thousand. Dollars.

0 Karma

ryanoconnor
Builder

I think the goal is to get data from SCCM --> Splunk. So I don't know if that would work but it's a great suggestion. http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_SiteSiteServerLog This technet article has a listing of all of the log files. I believe the ones I'd be looking at getting in first are Site Server Logs

treinke
Builder

I wonder if the SCOM 2012 app would work?

There are no answer without questions
0 Karma

ryanoconnor
Builder

I'm really curious about this as well. Any updates on this??

0 Karma

nick405060
Motivator

You posted this in 2013. It's now 2019.

And guess what? We're still waiting.

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...