Reading SCCM Logs with PowerShell

How to write SCCM logs to the Event Log

Can’t we just use a logarithm?

Objective

SCCM log files follow a standard schema that we can use to parse them for the data we’re interested in (timestamp, log data, etc.). Once we’ve separated the important bits, we can do whatever we’d like with that data. In this case, let’s look at how we can write those logs to the Event Log for later forensic investigation.

This post covers how this can be done for an OS upgrade task sequence log file (smsts.log), but the script can be adapted to take any log file and write its contents to the Event Log.
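The parsing idea described above, as an added example that is not the author's script: it splits CMTrace-format lines into timestamp, component, severity and message, then optionally writes them to the Application log. The line layout is the usual CMTrace format, which the page does not spell out; the sample lines, the `ConvertFrom-CMLogText` function, the `SCCM-smsts` source name and event ID 1000 are assumptions made for illustration.

```powershell
# Added example. Sample lines are constructed, not taken from a real client.
$sample = @'
<![LOG[Starting task sequence step]LOG]!><time="09:15:32.123+300" date="03-14-2023" component="TSManager" context="" type="1" thread="4568" file="tsmanager.cpp:1234">
<![LOG[Retrying content download
(second line of the same message)]LOG]!><time="09:15:40.500+300" date="03-14-2023" component="OSDSetupHook" context="" type="2" thread="4568" file="osdsetuphook.cpp:88">
<![LOG[Step failed with exit code 1]LOG]!><time="09:16:01.007+300" date="03-14-2023" component="TSManager" context="" type="3" thread="4568" file="tsmanager.cpp:1301">
'@

function ConvertFrom-CMLogText {
    param([Parameter(Mandatory)][string]$Text)
    # (?s) lets a message span several lines; the time-zone offset after the time is not used.
    $pattern = '(?s)<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>\d{1,2}:\d{2}:\d{2})\.\d+[+-]\d+" ' +
               'date="(?<Date>\d{1,2}-\d{1,2}-\d{4})" component="(?<Component>[^"]*)" ' +
               'context="[^"]*" type="(?<Type>\d)" thread="(?<Thread>\d+)"'
    # CMTrace severity: 1 = informational, 2 = warning, 3 = error. Anything else is treated as informational.
    $entryType = @{ '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $g = $m.Groups
        $type = $entryType[$g['Type'].Value]
        if (-not $type) { $type = 'Information' }
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact("$($g['Date'].Value) $($g['Time'].Value)", 'M-d-yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
            Component = $g['Component'].Value
            EntryType = $type
            Thread    = [int]$g['Thread'].Value
            Message   = $g['Message'].Value.Trim()
        }
    }
}

$entries = ConvertFrom-CMLogText -Text $sample
$entries | Format-Table Timestamp, Component, EntryType, Message -AutoSize

# Set to $true in an elevated session to write the entries. The source name and event ID are assumptions.
$writeEvents = $false
$source = 'SCCM-smsts'
if ($writeEvents) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    foreach ($e in $entries) {
        $text = "[{0}] {1:s} thread {2}: {3}" -f $e.Component, $e.Timestamp, $e.Thread, $e.Message
        Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType $e.EntryType -Message $text
    }
}
```

Keeping the original timestamp inside the event message matters for later investigation, because the event's own time records when the line was imported, not when SCCM wrote it.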

Background

If you’ve used SCCM, you know that all logs are written to log files on disk. You’ve likely found yourself wondering which of the dozens of log files you need to open to troubleshoot Jim’s failed installation of Chrome (again!). You’ve probably also been longing for the ability to instantly and remotely view any SCCM logs your heart desires.

Prerequisites

You’re going to learn a lot, but you’re also expected to come to the table with a few things. If you plan to follow along, be sure you have the following:

  1. A functioning SCCM environment, capable of deploying to clients
  2. A deployed task sequence/package/software/etc.
  3. Windows PowerShell 5.1 or newer, run as administrator

The Script

I’ll start by sharing the entire script, then walk through each section below. I’m always open to suggestions, so feel free to open a pull request or comment below!