PowerShell function that super simplifies getting the right SCCM log

The solution to the "I don't know which SCCM log should I open?" question

Ondrej Sebela
Nov 26, 2021


Table of contents

  • TL;DR
  • What SCCM log should I open?
  • What is the log purpose?
  • Where are the SCCM logs stored?
  • What viewer to use to open the logs?
  • What about archived logs?
  • Get-CMLog function to the rescue

As you probably know, SCCM has great logging capability. Almost every action is logged...in some log which is stored somewhere. These words "some" and "somewhere" are really important though 😀.

To make it more interesting, if you try to solve an issue like "why isn't this application deploying?" you have to open not one, but several logs to get the solution. Moreover, some logs are stored on the client side, some on the server side. And there are also several locations where the logs are stored. Not to mention the dynamically named logs.

There is a nice official page with a list of all available logs and their descriptions. But it's quite long and it can take a while to find the correct information.

So what I've done is that I've created the PowerShell function Get-CMLog, which solves all those complications I've mentioned above and more 🤯!


TL;DR

Install the module SCCMStuff, import it, and call the function Get-CMLog; or download the function, dot source it, and then run Get-CMLog.

For example, when debugging an SCCM client installation issue, the function opens the ccmsetup, ccmrepair, client.msi,... logs in the Log Viewer application.


What SCCM log should I open?

This is the hardest part, right?

For each issue you can encounter there are different logs to check. For "Application Installation" there are 'AppDiscovery', 'AppEnforce', 'AppIntentEval', 'Execmgr'. For "PXE" related issues 'Distmgr', 'Smspxe', 'MP_ClientIDManager' etc.

To get some more examples, check the official documentation, mainly the "Log files by functionality" part.

And that is what I did too when the Get-CMLog function was created.

I took all these by-functionality-grouped logs and made them available through the Area parameter, which therefore lets you specify what kind of problem you have. For example: ApplicationInstallation, ClientInstallation, PolicyProcessing, Co-Management, PXE, Compliance, etc. (there are approx. 50 of them). The Get-CMLog function then decides what logs should be opened, outputs a description for each of them, and opens them in the preferred log viewer application 👍.

TIP: you can use the parameter maxHistory to open archived logs too


What is the log purpose?

The log purpose/description can again be found in the official documentation.

TIP: To be able to show this information, I request the official documentation page content, extract just the HTML tables, convert them to PSObject using my ConvertFrom-HTMLTable function, and cache the results to an XML file (so the next request can be faster).


Where are the SCCM logs stored?

Client logs locations:

  • C:\Windows\CCM\Logs (SCCM client processing logs)
  • C:\Windows\ccmsetup\Logs (SCCM client installation logs)
  • C:\Windows\Temp (SCCM Remote Control logs)
  • C:\Windows\CCM\Logs\SMSTSLog (SMSTS log)
  • C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\AdminUILog\ (SCCM console logs)

Server logs locations:

  • C:\Program Files\SMS_CCM\Logs
  • C:\Program Files\Microsoft Configuration Manager\Logs
  • C:\Windows\Logs\DISM (image modifications)
  • C:\Program Files\Update Services\LogFiles (WSUS)
  • C:\Program Files\Configuration Manager\Logs\M365A (Service Connection Point)

But as I said, you don't have to worry about it anymore.


What viewer to use to open the logs?

It is always better to open the logs in CMTrace instead of Notepad, but it is even better to use LogViewer or One Trace because these can merge multiple logs into one view 😀!

Therefore the function Get-CMLog tries to find these and, if not successful, uses the default associated viewer instead.


What about archived logs?

As you've probably noticed, SCCM automatically creates a new log when an internal threshold is reached. The old log is then renamed to:

a) <originalLog>.lo_
b) <originalLog>-date-time.log

To take this into account function Get-CMLog has maxHistory parameter which lets you specify the number of archived logs you want to show (default is 0).
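
The lookup described in the last two sections (known client log folders, plus archived copies up to a history limit) can be sketched as below. This is an added example, not the code of Get-CMLog or the SCCMStuff module; the function name Find-CMLogFile, its parameters, and the digit layout assumed for the date-time suffix are assumptions made for illustration.

```powershell
function Find-CMLogFile {
    # Hypothetical helper for illustration; not part of the SCCMStuff module.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-]+$')]   # plain log name only: no path separators, no wildcards
        [string] $Name,

        [string] $ComputerName = $env:COMPUTERNAME,

        [ValidateRange(0, 100)]
        [int] $MaxHistory = 0             # number of archived logs to return, as in the article
    )

    # Client-side log folders listed in this article
    $folders = 'C:\Windows\CCM\Logs', 'C:\Windows\ccmsetup\Logs',
               'C:\Windows\Temp', 'C:\Windows\CCM\Logs\SMSTSLog'

    if ($ComputerName -ne $env:COMPUTERNAME) {
        # Remote computer: reach the same folders through the C$ admin share,
        # which requires an account with administrative rights on that machine
        $folders = $folders | ForEach-Object { "\\$ComputerName\" + ($_ -replace '^C:', 'C$$') }
    }

    # Archived copies: <name>.lo_ or <name>-date-time.log
    # (8-digit date and 6-digit time are an assumption about the suffix layout)
    $archivePattern = '^' + [regex]::Escape($Name) + '(\.lo_|-\d{8}-\d{6}\.log)$'

    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $files = Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue
        $current = $files | Where-Object { $_.Name -eq "$Name.log" }
        if (-not $current) { continue }

        $current                          # the live log first
        $files | Where-Object { $_.Name -match $archivePattern } |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First $MaxHistory   # then the newest archived copies
        return
    }
    Write-Warning "Log '$Name' was not found on $ComputerName"
}
```

Matching archives with an anchored pattern rather than a `$Name-*.log` wildcard keeps unrelated logs that merely share a prefix out of the result.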


Get-CMLog function to the rescue

The solution to all the mentioned "complications" can be my PowerShell function Get-CMLog, which:

  • Offers dozens of predefined problem "areas" that group logs by purpose and remove the need to know which log you should open when fixing issue XYZ, i.e. opens the right log(s) for you
  • Supports TAB completion
  • Supports opening logs by name too (the function knows where every log should be stored, so just the log name is enough information)
  • Shows log(s) description
  • Supports opening archived log(s)
  • Supports opening logs on remote computers

If the log is stored on the SCCM server, you will have to specify the parameter SCCMServer. Moreover, the admin share C$ will be used to access such a log, so run the function under the proper account.


The problem (area) you have isn't listed?

Get-CMLog probably does not cover all possible SCCM-related problems you can encounter. In case you miss something, you can customize it on your own or ping me on Twitter (@AndrewZtrhgf) and I will modify it.
