Anyone who’s dealt with ConfigMgr knows that the log files are invaluable for troubleshooting issues and day-to-day monitoring. One of ConfigMgr’s strengths (IMO) is that nearly everything, in detail, is in a log file – somewhere.

The “problem” that often crops up is knowing which log file to look in; although the main purpose of each log file is documented on TechNet, it’s often difficult to narrow down exactly which log file to dig through. Log files also roll (by default) every 2MB: for some log files this is a lot; for others, like ccm.log, this might only last a couple of hours, especially during a large client push.

Wouldn’t it be nice to have a single, searchable repository for all of your log files?

Enter Splunk. Splunk is a free tool (up to 500MB a day of logs) that will suck in and index all of the specified log files on a system. It does more than just text log files, but for ConfigMgr, that’s all we’re really concerned with. Splunk then provides a web-based search page for all of the indexed data, so we can search for every occurrence of a string. Splunk also creates fields based on name=value pairs, has an event definition mechanism, and provides data tagging.

Splunk allows you to forward the data from one system to another. The obvious application here is to forward all of the collected logs from all of the site servers to a central Splunk server, perhaps your primary site server. You could forward everything from secondary site servers and child site servers as well, giving you a single, central, searchable repository for all of your logs from all of your sites.
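To make the monitor-and-forward setup concrete, here is an added example (my own configuration sketch, not something from the original post or from Splunk’s or Microsoft’s documentation) of the two Splunk forwarder files involved: inputs.conf tells the forwarder on a site server which log directories to tail, and outputs.conf tells it where to ship the indexed events. The log directory paths are the ConfigMgr defaults and are assumed; the index name `configmgr`, the sourcetype name, and the receiver hostname `splunk-central.example.local` are placeholders you would replace with your own.

```ini
# --- inputs.conf (on each site server running a Splunk forwarder) ---
# Assumed default ConfigMgr site server log directory; adjust to your install path.
# monitor:// stanzas are recursive by default, so sub-folders are picked up too.
[monitor://C:\Program Files\Microsoft Configuration Manager\Logs]
disabled = false
index = configmgr
sourcetype = configmgr_log
# Only take the live logs and the rolled copies (ConfigMgr renames rolled logs to .lo_).
whitelist = \.(log|lo_)$

# The client-side logs on the same box (assumed default path for the ConfigMgr client).
[monitor://C:\Windows\CCM\Logs]
disabled = false
index = configmgr
sourcetype = configmgr_log
whitelist = \.(log|lo_)$

# --- outputs.conf (same forwarder): ship everything to the central Splunk server ---
[tcpout]
defaultGroup = central_splunk

[tcpout:central_splunk]
# Placeholder hostname; 9997 is the conventional Splunk receiving port.
server = splunk-central.example.local:9997
```

On the central server, the matching pieces are a receiving port (an inputs.conf stanza such as `[splunktcp://9997]`) and an index named `configmgr` created before the forwarders start sending; events sent to an index that does not exist are dropped rather than queued. Because ConfigMgr rolls logs at 2MB by renaming them, the `whitelist` keeps both the active file and the rolled copy in scope, so the few hours of history in a busy ccm.log are indexed before they age out.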

There is an Enterprise version of Splunk that costs money, so it may be worth looking into if you have a large installation or require some extra security, but I think the standard free version would suffice for most installations.

I’m not a Splunk expert, but I see a lot of value in using Splunk for ConfigMgr logs.