You can check SCCM audit logs through several key locations, including the SCCM console's System Status Messages, the SQL database, Windows Event Logs, and various SCCM-specific log files. Each method offers different levels of detail and insights into operations and administrative actions within your Configuration Manager environment.
Understanding SCCM Audit Logs
SCCM audit logs record critical information about activities, configurations, and administrative actions within your Configuration Manager hierarchy. These logs are essential for security monitoring, compliance, troubleshooting, and understanding how your environment is being used and managed. They capture details about who did what, when, and where.
Method 1: Using System Status Messages in the SCCM Console
The SCCM console provides a direct way to view specific audit events, particularly those related to system status and administrative actions like script execution.
Follow these steps to access audit information via System Status Messages:
- Navigate to Status Message Queries: In the SCCM console, go to `\Monitoring\Overview\System Status\Status Message Queries`.
- Select Reporting Period: Run one of the built-in audit queries (for example, All Audit Status Messages from a Specific Site or All Audit Status Messages for a Specific User) or create your own, and enter the date and time range you wish to audit when prompted. This lets you focus on a specific period of activity.
- Filter by Message ID: If you are looking for specific actions, such as script executions, identify the relevant message ID and filter on it. Audit events are reported with the message type Audit, so filtering on that type first and then on the message ID narrows the results considerably.
- Review Descriptions: Once filtered, examine the `Description` column for the details of each audited event: which user performed the action, on which object, and with what result.
Practical Insight: This method is the quickest way to track administrative script executions, package deployments, or other component-specific status directly from the console. Keep in mind that status messages are purged by the site maintenance task Delete Aged Status Messages, so export or forward anything you need to retain beyond that task's retention period.
Method 2: Reviewing the SQL Database for Audit Data
Much of SCCM's audit information is stored in its underlying SQL Server database, and querying it directly gives the most comprehensive and granular audit trail. Query the documented reporting views (the `v_` views) rather than the base tables; the views are the supported interface and are what the built-in reports use.
- Key Views: Relevant views include:
  - `v_StatusMessage`: One row per status message (RecordID, MessageID, MessageType, ModuleName, Component, MachineName, Time, SiteCode, Severity). Audit messages are the rows with `MessageType = 768`; milestone and detail messages are 256 and 512.
  - `v_StatMsgInsStrings`: The inserted strings for each message, joined on RecordID. For an audit message these carry the user name, the object acted on, and the other specifics that the console renders into the Description column.
  - `v_R_System`: Resource discovery information, useful for adding device context to a message's MachineName.
- Accessing Data: Use SQL Server Management Studio (SSMS) to run queries against these views.
- Example Query: audit status messages in a date range, newest first, with their inserted strings:
```sql
SELECT sm.Time, sm.SiteCode, sm.MachineName, sm.Component, sm.MessageID,
       s.InsStrIndex, s.InsStrValue
FROM v_StatusMessage AS sm
LEFT JOIN v_StatMsgInsStrings AS s ON s.RecordID = sm.RecordID
WHERE sm.MessageType = 768
  AND sm.Time BETWEEN 'YYYY-MM-DD HH:MM:SS' AND 'YYYY-MM-DD HH:MM:SS'
ORDER BY sm.Time DESC, sm.RecordID, s.InsStrIndex;
```
Note: Only ever read from the site database. Use a login limited to the `db_datareader` role and never modify tables directly; writes that bypass the SMS Provider are unsupported and can corrupt the site.
Method 3: Checking Windows Event Logs
Windows Event Logs on SCCM site servers and client machines capture various system, security, and application-level events that can be crucial for auditing.
- Security Logs: On SCCM site servers, the Windows Security log (accessible via `eventvwr.msc`) records logon attempts, use of administrative privileges, object access, and other security-related actions. It contains only what the server's audit policy is configured to record, so confirm that logon and privilege-use auditing is enabled before relying on it.
- Application Logs: The Application log may contain events from SCCM components, though these are usually less detailed than SCCM's native log files.
- System Logs: General system health and service startup/shutdown events.
Method 4: Analyzing SCCM Log Files
SCCM components generate detailed log files on both server and client machines. These plaintext logs provide in-depth information about processes, errors, and actions. Server-side logs are written under the `Logs` folder of the site server's installation directory; client-side logs are under `%WINDIR%\CCM\Logs`.
- Server-Side Logs:
  - `SMSProv.log`: SMS Provider (WMI) activity, including the actions the console performs through it.
  - `smsexec.log`: General activity of the SMS Executive service and its component threads.
  - `distmgr.log`: Distribution Manager component activities.
  - `policypv.log`: Policy Provider activity.
  - `WCM.log` and `wsyncmgr.log`: Software Update Point configuration and WSUS synchronization.
- Client-Side Logs:
  - `AppEnforce.log`: Application deployment enforcement.
  - `ContentTransferManager.log`: Content download status.
  - `execmgr.log`: Program and script execution.
  - `PolicyEvaluator.log`: Client policy evaluation.
  - `RebootCoordinator.log`: System restart management.
  - `ScanAgent.log`: Software updates scanning.
  - `WUAHandler.log`: Windows Update Agent interaction.
- Tools: Use the CMTrace tool (in the `\tools` folder of the site server's installation directory, and also installed with the client under `%WINDIR%\CCM`) to view and follow SCCM log files; it parses the CMTrace entry format, updates in real time, and highlights warnings and errors.
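The parser below is added here as an example; it is not code from the original page or from Microsoft's CMTrace tool. It shows the entry layout the ConfigMgr components write (`<![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="...">`, where type 1/2/3 is Info/Warning/Error), handles messages that span several lines, filters entries by component, severity and a message pattern, and flattens them into records suitable for forwarding to a SIEM. The sample `execmgr.log` lines are constructed for this example, and the `CMTraceEntry` field names, `select` and `to_siem_records` are this example's own choices.

```python
import re
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import List, Optional

# Layout of one CMTrace entry as written by ConfigMgr components:
# <![LOG[message]LOG]!><time="HH:MM:SS.fff+off" date="MM-dd-yyyy" component="..."
#   context="" type="N" thread="N" file="source.cpp:line">
# The message may span several lines, so the pattern runs in DOTALL mode over the
# whole file. A truncated entry (missing "]LOG]!>") will be merged into the next one.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="(?P<context>[^"]*)"'
    r'\s+type="(?P<type>\d+)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)
# time="14:05:22.117+000": clock, fractional seconds, then an offset in minutes from UTC
TIME_RE = re.compile(r'(?P<clock>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)(?P<offset>[+-]\d+)?')

SEVERITY = {1: "Info", 2: "Warning", 3: "Error"}   # CMTrace "type" attribute values
RANK = {"Info": 1, "Warning": 2, "Error": 3}


@dataclass
class CMTraceEntry:
    timestamp: datetime   # local time as written by the component (naive)
    utc_offset: str       # raw offset from the time attribute, e.g. "+000" or "-420"
    component: str
    severity: str
    thread: int
    source_file: str
    message: str


def _parse_timestamp(date_str: str, time_str: str):
    t = TIME_RE.fullmatch(time_str)
    if t is None:
        raise ValueError(f"unrecognised CMTrace time: {time_str!r}")
    frac = t.group("frac")[:6]   # strptime's %f accepts up to six digits
    ts = datetime.strptime(f"{date_str} {t.group('clock')}.{frac}", "%m-%d-%Y %H:%M:%S.%f")
    return ts, t.group("offset") or ""


def parse_cmtrace(text: str) -> List[CMTraceEntry]:
    """Return every well-formed CMTrace entry in text; other lines are ignored."""
    entries = []
    for m in ENTRY_RE.finditer(text.lstrip("\ufeff")):   # drop a UTF-8 BOM if present
        try:
            ts, offset = _parse_timestamp(m.group("date"), m.group("time"))
        except ValueError:
            continue   # skip one bad entry rather than losing the whole file
        entries.append(CMTraceEntry(
            timestamp=ts,
            utc_offset=offset,
            component=m.group("component"),
            severity=SEVERITY.get(int(m.group("type")), f"Unknown({m.group('type')})"),
            thread=int(m.group("thread")),
            source_file=m.group("file"),
            message=m.group("message").strip(),
        ))
    return entries


def select(entries: List[CMTraceEntry], component: Optional[str] = None,
           min_severity: str = "Info", pattern: Optional[str] = None) -> List[CMTraceEntry]:
    """Filter by component name, minimum severity and a case-insensitive regex on the message."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    return [
        e for e in entries
        if (component is None or e.component.lower() == component.lower())
        and RANK.get(e.severity, 0) >= RANK[min_severity]
        and (rx is None or rx.search(e.message))
    ]


def to_siem_records(entries: List[CMTraceEntry]) -> List[dict]:
    """Flatten entries into JSON-serialisable dicts, e.g. for forwarding to a SIEM."""
    records = []
    for e in entries:
        d = asdict(e)
        d["timestamp"] = e.timestamp.isoformat(timespec="milliseconds")
        records.append(d)
    return records


# Constructed sample execmgr.log content for this example (not captured from a real client).
SAMPLE_EXECMGR_LOG = (
    '<![LOG[Executing program as a script]LOG]!><time="14:05:22.117+000" date="03-11-2024" '
    'component="execmgr" context="" type="1" thread="4120" file="execreqmgr.cpp:4252">\n'
    '<![LOG[Program exit code 0]LOG]!><time="14:05:23.902+000" date="03-11-2024" '
    'component="execmgr" context="" type="1" thread="4120" file="execreqmgr.cpp:4458">\n'
    '<![LOG[Execution is complete for program Deploy Agent. The exit code is 1603,\n'
    'the execution status is FailureNonRetry]LOG]!><time="14:07:01.004+000" date="03-11-2024" '
    'component="execmgr" context="" type="3" thread="4120" file="execreqmgr.cpp:4510">\n'
    'stray text that is not a CMTrace entry is ignored\n'
)

if __name__ == "__main__":
    for rec in to_siem_records(select(parse_cmtrace(SAMPLE_EXECMGR_LOG), min_severity="Error")):
        print(rec)
```

The offset in the `time` attribute is kept as the raw string rather than applied, because the timestamp itself is the machine's local time; confirm the sign convention against a machine whose time zone you know before normalising to UTC for cross-host correlation.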
Summary of Audit Locations
Audit Location | Primary Use Case | Key Information Provided | Access Method |
---|---|---|---|
SCCM Console | Administrative actions, component status | Script execution details, system health, high-level events | \Monitoring\Overview\System Status\Status Message Queries |
SQL Database | Comprehensive, granular historical data | Detailed action logs, object modifications, user activity | SQL Server Management Studio (SSMS) |
Windows Event Logs | System security, OS-level events, basic errors | Logon attempts, service states, security policy changes | Event Viewer (`eventvwr.msc`) |
SCCM Log Files | Component-specific processes, troubleshooting | Detailed operational flow, success/failure of tasks, errors | CMTrace tool (plaintext files) |
Best Practices for Auditing
- Define Audit Requirements: Clearly identify what events you need to audit for compliance, security, or operational purposes.
- Regular Review: Establish a routine for reviewing critical audit logs.
- Automate Reporting: Consider setting up custom reports in SCCM or using SQL queries to automate the extraction and reporting of key audit data.
- Centralized Logging: For advanced scenarios, integrate SCCM audit data with a Security Information and Event Management (SIEM) system for centralized logging and correlation.