We have Splunk as our log and event management solution and are getting ready to roll out Microsoft System Center Configuration Manager 2012. I'd like to use Splunk to index the SCCM logs from our SCCM servers and our SCCM clients - and then build searches and dashboards for SCCM. Is there an app for that? Or, do we need to use the app for Windows and build from there?
I recently got Splunk and SCCM to play nice together. What I ended up doing was taking Ricapar's searches and creating new views in my SQL Server using them, because putting the searches into DB Connect wouldn't allow me to save them. From there I created new DB Connect searches using just those queries and rebuilt the dashboards. I'm working on getting permission from the company to publish the app, so hopefully that will help.
I have MS SCCM at my customer's location and have integrated it with Splunk with the help of DB Connect. Can anyone help with the queries for Client Status Messages, Client Software Inventory, Client Health and Client Endpoint Protection?
Also, I am moving this to a comment under the question itself.
I have already created a separate thread for the same.
https://answers.splunk.com/answers/657104/sccm-queries-for-integration-with-splunk.html
Anyways, thanks for showing the missing details on this question.
Work done so far: successfully configured DB Connect on Splunk to read the entire SCCM DB.
SCCM version: 2012 R2 (Build: 1706)
Splunk Version: 6.5.0 (on premise)
princemanto,
You would be much better served by creating a new question for your problem. This thread is several years old.
What you wrote above is a great start to that question, if you could just add in which SCCM version you are using (And isn't MS hosting a version of that in the cloud now? If so, make sure to specify if it's on prem or cloud), and what you've done so far, I think someone can help you with an answer!
Thanks, and looking forward to your question!
-Rich
Hi everyone,
I recommend this app: https://github.com/Ricapar/splunk-sccm
I believe it was designed for the challengepost.com competition and was one of the winner(s).
Cheers
Thanks, cam343,
Do you have experience using this? And have you been successful in getting Endpoint Protection data into Splunk?
We're hosting a contest for the best SCCM app.
http://splunk.challengepost.com/
Microsoft SCCM - The first place winner in the Microsoft SCCM app category wins $30,000 and a complimentary pass to .conf 2015 - Splunk's premier annual user conference. Value: approx. $1,695.
Innovation - The first place winner in the Innovation category wins $20,000 and a complimentary pass to .conf 2015 - Splunk's premier annual user conference.
Yeah, someone made a nice app for that, then disappeared it from the internet, so... not fun.
Yeah, Splunk gave him $30k for an app that immediately ceased to work, and he did not bother to fix the app and just ran with the money. Fun.
Thirty. Thousand. Dollars.
I think the goal is to get data from SCCM --> Splunk. So I don't know if that would work, but it's a great suggestion. http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_SiteSiteServerLog This TechNet article has a listing of all of the log files. I believe the ones I'd be looking at getting in first are Site Server Logs.
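The site server and client log files that post points at are written in the CMTrace format: each entry is a `<![LOG[message]LOG]!>` block followed by a `<time=... date=... component=... type=...>` tag, where the message can span several lines, the timestamp carries a signed UTC offset in minutes (treated here as the local offset from UTC), and `type` is 1 for informational, 2 for warning and 3 for error. Before you can build searches on those files you have to break and parse them correctly, so the following is an added example, not code from the original thread or from any of the apps mentioned in it, of a parser that turns CMTrace entries into the structured events you would want indexed. The three log lines are constructed for the example; component and file names in them are illustrative and are not claimed to be real SCCM components.

```python
import re
from datetime import datetime, timedelta, timezone

# One CMTrace entry:
#   <![LOG[message]LOG]!><time="HH:MM:SS.mmm+OFF" date="MM-DD-YYYY" component="..."
#                          context="" type="1|2|3" thread="N" file="source.cpp:line">
# DOTALL lets the message group span line breaks, which multi-line entries need.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="(?P<context>[^"]*)"\s+type="(?P<type>\d+)"\s+thread="(?P<thread>\d+)"'
    r'\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)

# CMTrace severity codes.
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

# Constructed sample log (not captured from a real site server). Entry two spans two lines.
SAMPLE_LOG = (
    '<![LOG[Successfully connected to site database]LOG]!>'
    '<time="10:15:32.123-480" date="03-12-2014" component="SMS_SITE_COMPONENT_MANAGER" '
    'context="" type="1" thread="3204" file="sitecomp.cpp:512">\n'
    '<![LOG[Processing policy request for client\nResourceID 16777220]LOG]!>'
    '<time="10:15:33.004-480" date="03-12-2014" component="PolicyAgent_RequestAssignments" '
    'context="" type="2" thread="5120" file="requestassignments.cpp:210">\n'
    '<![LOG[Failed to send status message (0x80072ee2)]LOG]!>'
    '<time="10:15:35.900-480" date="03-12-2014" component="StatusAgent" '
    'context="" type="3" thread="5120" file="statusagent.cpp:88">\n'
)


def parse_timestamp(time_str, date_str):
    """Combine CMTrace time ("10:15:32.123-480") and date ("03-12-2014") into an aware datetime.

    The trailing signed number is interpreted as the local UTC offset in minutes
    (assumption about the sign convention; -480 is read as UTC-8).
    """
    m = re.fullmatch(r"(\d{2}:\d{2}:\d{2})\.(\d{1,3})([+-]\d+)", time_str)
    if not m:
        raise ValueError(f"unrecognised CMTrace time field: {time_str!r}")
    hms, millis, offset_min = m.groups()
    naive = datetime.strptime(f"{date_str} {hms}", "%m-%d-%Y %H:%M:%S")
    naive = naive.replace(microsecond=int(millis.ljust(3, "0")) * 1000)
    return naive.replace(tzinfo=timezone(timedelta(minutes=int(offset_min))))


def parse_cmtrace(text):
    """Return a list of structured events, one per CMTrace entry found in text."""
    events = []
    for m in CMTRACE_RE.finditer(text):
        d = m.groupdict()
        ts = parse_timestamp(d["time"], d["date"])
        events.append({
            "_time": ts.isoformat(),                             # local time as logged
            "utc": ts.astimezone(timezone.utc).isoformat(),      # normalised for correlation
            "severity": SEVERITY.get(d["type"], "unknown"),
            "component": d["component"],
            "thread": int(d["thread"]),
            "file": d["file"],
            "message": d["message"].strip(),
        })
    return events


def count_by_severity(events):
    """Tally events per severity, the first thing an SCCM health dashboard wants."""
    counts = {}
    for e in events:
        counts[e["severity"]] = counts.get(e["severity"], 0) + 1
    return counts


def error_messages(events):
    """Messages of error-level entries, keyed for an alerting search."""
    return [(e["component"], e["message"]) for e in events if e["severity"] == "error"]


if __name__ == "__main__":
    evts = parse_cmtrace(SAMPLE_LOG)
    for e in evts:
        print(e["utc"], e["severity"], e["component"], e["message"].replace("\n", " | "))
    print(count_by_severity(evts))
```

When indexing these files directly with the Splunk universal forwarder rather than pre-parsing them, the same structure tells you what to configure: each event starts at `<![LOG[`, so a `LINE_BREAKER` in props.conf that looks ahead for that token keeps multi-line messages in one event, and the timestamp cannot be taken from a plain `TIME_FORMAT` because the date follows the time and the offset is in minutes, which is why a parser like the one above, or an equivalent extraction, is needed before the `type` field can drive a severity dashboard.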
I wonder if the SCOM 2012 app would work?
I'm really curious about this as well. Any updates on this??
You posted this in 2013. It's now 2019.
And guess what? We're still waiting.