Centralizing / Aggregating SCCM client logs


Are there any options / methods for centralizing SCCM client log files? I have roughly 20,000 clients in my environment across varying hardware (Win7, Win10, Dell, Lenovo, etc.) so every rollout of <insert application, update, feature update here> results in a large number just not going for some reason. Right now we end up checking endpoints individually trying to find common reasons why things fail, but it's very time-consuming.

I've been looking more into Desktop Analytics but I haven't seen any documentation that would indicate my SCCM client logs would end up in Desktop Analytics. Perhaps other info is generated that is? Anything in the Intune co-management space perhaps?

Curious if anyone else has run into and addressed this scenario. I do have Splunk pulling Windows logs if that sparks anything for someone.

2 Replies

@LS593872 if you have Splunk already, can you set it to pull client logs? That's where the gold is. However, the site server logs and reporting should also be giving you an idea of why things fail.

I'm starting conversations with my Splunk team. I kind of figured that was my best bet but wanted to verify. Thanks!