8 Replies Latest reply on Sep 14, 2015 10:16 AM by dgassert

    Monitoring SCCM deployments in LEM

    conners

      Hey folks,

       

      Anyone got any idea if it is possible using LEM to monitor who deployed a package in SCCM?

       

      Cheers in advance!

        • Re: Monitoring SCCM deployments in LEM
          curtisi

          It looks like SCCM creates messages to audit all the possible actions that might be taken (How to configure SCCM Security Auditing) but I don't have any idea where it puts those logs or information at this moment.  It doesn't look like SCCM writes this to a flat-file or one of the system logs.  If we can figure out where it's stored and in what format, a connector might be possible.

          • Re: Monitoring SCCM deployments in LEM
            nicole pauls

            Like Curtis, I was able to find the how but not the where. There are ways to pull the data from within SCCM so it's out there somewhere, but I'm not sure if it's in flat files (there are a bunch of logging files for SCCM - our own Patch Manager pulls and uses some of them) or if it's in the database itself somewhere.

             

            Either way it's technically possible for us to build an integration; one is just more expedient (flat files).

              • Re: Monitoring SCCM deployments in LEM
                nicole pauls

                Here's a link our Patch Manager team shared about all the logs for SCCM - holy moly: Log Files in System Center Configuration Manager 2012 · Herman Arnedo Mahr

                 

                This looks promising, though it's logged on the console side:

                (Log Name) SmsAdminUI.log

                (Description) Records information about the operation of the Configuration Manager console.

                (Logged on) Computer that runs the Configuration Manager console

                 

                This may also be useful on the server side:

                (Log Name) Smsprov.log

                (Description) Records activities performed by the SMS Provider. Configuration Manager console activities use the SMS provider.

                (Logged on) Site server or site system server

                 

                You might check those two logs out and see if either of them fit the bill (or check out the big list and see if you spot others).

              • Re: Monitoring SCCM deployments in LEM
                conners

                Cheers folks, have been doing a bit more digging on this and as far as I can see the messages are stored in the SCCM site database in the StatusMessages table.


                Knowing this, what would be the best way to get this info running through LEM?

                  • Re: Monitoring SCCM deployments in LEM
                    curtisi

                    You'll want to open a support ticket.

                     

                    What we'll probably need to know is the credentials for that table, to know what sort of DB it is, and we'll probably want an export of the DB/table so that we can test against it.

                    • Re: Monitoring SCCM deployments in LEM
                      nicole pauls

                      As Curtis mentioned, we'll need more info; with that we'll build a connector. If you're a customer, open a support ticket and they'll help. If you're working with a sales engineer and want us to validate that a connector can be built, they'll help gather the right info to confirm.

                       

                      We have connected to the SCOM database to gather Forefront events, and we've connected to other MSSQL databases to gather other events, so I'm almost positive it's feasible. Sometimes it gets complicated by how the events are timestamped in the database and what the schema generally looks like, which is why we like to gather more info. Essentially we connect to the db on a given config (username/password/type), build a query to check for new events (how many rows since the last time/event #?) then a second query to gather only those events (return all events since the last time/event #) and drop them into LEM.
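
The two-query polling pattern described in the last reply, as an added sketch that is not part of the thread and is not SolarWinds' connector code. Assumptions: SQLite stands in for the MSSQL site database, the columns (RecordID, Time, UserName, Message) and the sample rows are constructed, and RecordID is taken to increase monotonically.

```python
import sqlite3

# Constructed stand-in for the site database: SQLite replaces MSSQL, and the
# column names below are assumptions, not the real StatusMessages schema.
def make_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE StatusMessages (RecordID INTEGER PRIMARY KEY,"
               " Time TEXT, UserName TEXT, Message TEXT)")
    return db

def add_rows(db, rows):
    db.executemany("INSERT INTO StatusMessages VALUES (?, ?, ?, ?)", rows)
    db.commit()

class Poller:
    """Two-query poll keyed on the last RecordID seen (the high-water mark)."""

    def __init__(self, db, last_id=0):
        self.db = db
        self.last_id = last_id  # a real collector persists this between runs

    def poll(self):
        # Query 1: cheap check for new rows, plus the upper bound for this pass.
        count, max_id = self.db.execute(
            "SELECT COUNT(*), MAX(RecordID) FROM StatusMessages"
            " WHERE RecordID > ?", (self.last_id,)).fetchone()
        if count == 0:
            return []
        # Query 2: fetch only rows in (last_id, max_id]. A row inserted between
        # the two queries is left for the next pass, not skipped or duplicated.
        rows = self.db.execute(
            "SELECT RecordID, Time, UserName, Message FROM StatusMessages"
            " WHERE RecordID > ? AND RecordID <= ? ORDER BY RecordID",
            (self.last_id, max_id)).fetchall()
        self.last_id = max_id  # advance only after the fetch succeeded
        return [dict(zip(("id", "time", "user", "message"), r)) for r in rows]

if __name__ == "__main__":
    db = make_sample_db()
    add_rows(db, [  # constructed sample audit rows
        (1, "2015-09-14T09:00:00", "CORP\\alice", "created deployment A"),
        (2, "2015-09-14T09:05:00", "CORP\\bob", "modified package B")])
    for event in Poller(db).poll():
        print(event)  # a real connector would forward these to the SIEM
```

The account used for such polling only needs read access to the one table or view being queried.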