Monitoring SCCM deployments in LEM

It looks like SCCM creates messages to audit all the possible actions that might be taken (How to configure SCCM Security Auditing) but I don't have any idea where it puts those logs or information at this moment.  It doesn't look like SCCM writes this to a flat-file or one of the system logs.  If we can figure out where it's stored and in what format, a connector might be possible.

Like Curtis, I was able to find the how but not the where. There are ways to pull the data from within SCCM so it's out there somewhere, but I'm not sure if it's in flat files (there are a bunch of logging files for SCCM - our own Patch Manager pulls and uses some of them) or if it's in the database itself somewhere.

Either way it's technically possible for us to build an integration, one is just more expedient (flat files)

Here's a link our Patch Manager team shared about all the logs for SCCM - holy moly (): Log Files in System Center Configuration Manager 2012 · Herman Arnedo Mahr

This looks promising, though it's logged on the console side:

This may also be useful on the server side:

You might check those two logs out and see if either of them fit the bill (or check out the big list and see if you spot others).

Cheers folks, have been doing a bit more digging on this and as far as I can see that the messages are stored in the SCCM site database

in the StatusMessages table.

With knowing this how would be the best way to get this info running through LEM?

You'll want to open a support ticket.

What we'll probably need to know is the credentials for that table, to know what sort of DB it is, and we'll probably want an export of the DB/table so that we can test against it.

As curtis mentioned, we'll need more info, with that we'll build a connector. If you're a customer, open a support ticket and they'll help. If you're working with a sales engineer and want us to validate that a connector can be built, they'll help gather the right info to confirm.

We have connected to the SCOM database to gather Forefront events, and we've connected to other MSSQL databases to gather other events, so I'm almost positive it's feasible. Sometimes it gets complicated by how the events are timestamped in the database and what the schema generally looks like, which is why we like to gather more info. Essentially we connect to the db on a given config (username/password/type), build a query to check for new events (how many rows since the last time/event #?) then a second query to gather only those events (return all events since the last time/event #) and drop them into LEM.

Many thanks folks, good to hear that creating a connector should be quite simple especially if you do similar things for the Forefront database

as the SCCM one will also be MS SQL. I hope to have example data available in the next two weeks and will engage my sales contact when I get it.

this thread is a bit old but wondering if there has been any progress.