
ITOM / CMDB - Discovery - Opening SSH Connections

gilsondo
Mega Expert

Good morning,

We are in the process of populating our CMDB. We are using Discovery ingestion. However, on the Linux server park, several SSH connections are being opened without any command execution, which has been increasing the size of our logs. Is there a way to prevent these open connections from the procedure that have no command execution?

Sincerely,

1 ACCEPTED SOLUTION

Hi @gilsondo ,

 

As per my understanding why this happens
When ServiceNow Discovery runs against Linux servers, the Patterns/Probes/Sensors (depending on whether you are using Pattern-based Discovery or Legacy Probes) will establish SSH connections to validate access and to check for commands. In some cases:
* A probe opens an SSH session but doesn’t execute a command (e.g., credential check, fallback authentication attempt).
* Multiple retries or mid-server keepalive connections cause "empty" SSH sessions.
* These sessions still get logged on the Linux server, increasing log size.

 

Best Practice Solutions
1. Credential Affinity / Restriction
* Make sure Discovery only attempts valid credentials for Linux.
* Remove unnecessary or unused SSH credentials from Credential list to avoid repeated connection attempts.
* Enable Credential Affinity (Discovery > Credentials > Affinity Rules) so that the right credential is used per IP/CI, reducing failed or unused sessions.


2. Tune Discovery Behavior
* In Discovery Patterns, check the SSH Command activity blocks. Ensure commands like uname, df, ls etc. are actually configured.
* If "Connection Section" in a Pattern opens SSH but doesn’t execute anything (test or fallback branch), you can disable that branch or adjust conditionals.


3. Use MID Server Connection Settings
* Set mid.ssh.connection.reuse to true (default is true, but confirm). This keeps a single session alive for multiple commands rather than opening/closing multiple connections.
* Adjust mid.ssh.keepalive and timeout values in the MID Server agent.properties to reduce "empty" sessions.


4. Enable Connection Logging in ServiceNow
* Check Discovery Status > ECC Queue logs for probes/pattern steps that are opening sessions with no commands.
* Modify or remove unnecessary probes if they are redundant (example: legacy "SSH Credential Test" probe when patterns already verify credentials).


5. Exclude Unwanted Targets
* If certain Linux devices don’t need Discovery, define Discovery Schedules with IP Ranges or use Exclusion Filters to avoid hitting them unnecessarily.


6. Work with Security/Infra Team
* If logs are critical for audit size, you can configure syslog filtering on Linux to exclude SSH "session opened but no command" events only from the MID Server account.
* This should be done carefully with infra/security alignment.

 

Please appreciate the efforts of community contributors by marking the appropriate response as "Mark my Answer Helpful" or "Accept Solution"; this may help other community users to follow the correct solution in the future.
 

Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
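
Before filtering anything as suggested in item 6, it helps to measure how many of these sessions the Discovery account actually produces. The following is an added example, not part of the original answer or any ServiceNow code: it pairs sshd "Accepted" and pam_unix session lines by PID and counts very short sessions per source IP. The account name `svc_discovery`, the addresses and the log lines are constructed, and a short duration is used as a stand-in for "no command executed", since sshd does not log commands by default.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")
SESSION = re.compile(r"session (opened|closed) for user ([^\s(]+)")

# Constructed sample auth log (hypothetical host, account and addresses).
SAMPLE = """\
Sep 12 08:00:01 web01 sshd[4101]: Accepted publickey for svc_discovery from 10.0.5.20 port 50112 ssh2
Sep 12 08:00:01 web01 sshd[4101]: pam_unix(sshd:session): session opened for user svc_discovery(uid=1050) by (uid=0)
Sep 12 08:00:01 web01 sshd[4101]: pam_unix(sshd:session): session closed for user svc_discovery
Sep 12 08:00:03 web01 sshd[4107]: Accepted publickey for svc_discovery from 10.0.5.20 port 50118 ssh2
Sep 12 08:00:03 web01 sshd[4107]: pam_unix(sshd:session): session opened for user svc_discovery(uid=1050) by (uid=0)
Sep 12 08:00:43 web01 sshd[4107]: pam_unix(sshd:session): session closed for user svc_discovery
Sep 12 08:01:10 web01 sshd[4120]: Accepted password for alice from 10.0.9.9 port 40222 ssh2
Sep 12 08:01:10 web01 sshd[4120]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Sep 12 08:01:11 web01 sshd[4120]: pam_unix(sshd:session): session closed for user alice
Sep 12 08:02:00 web01 sshd[4133]: Accepted publickey for svc_discovery from 10.0.5.20 port 50130 ssh2
Sep 12 08:02:00 web01 sshd[4133]: pam_unix(sshd:session): session opened for user svc_discovery(uid=1050) by (uid=0)
Sep 12 08:02:01 web01 sshd[4133]: pam_unix(sshd:session): session closed for user svc_discovery
"""

def short_sessions(log_text, account, max_seconds=2):
    """Per source IP: sessions seen for `account` and how many lasted <= max_seconds."""
    src, opened = {}, {}  # sshd pid -> source IP / session start time
    stats = defaultdict(lambda: {"sessions": 0, "short": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; pin one so durations can be computed.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if (a := ACCEPT.search(msg)) and a.group(1) == account:
            src[pid] = a.group(2)
        elif (s := SESSION.search(msg)) and s.group(2) == account and pid in src:
            if s.group(1) == "opened":
                opened[pid] = ts
            elif pid in opened:  # "closed" line for a session we saw open
                entry = stats[src.pop(pid)]
                entry["sessions"] += 1
                if (ts - opened.pop(pid)).total_seconds() <= max_seconds:
                    entry["short"] += 1
    return dict(stats)

if __name__ == "__main__":
    print(short_sessions(SAMPLE, "svc_discovery"))
```

Running the same count before and after a credential or pattern change shows whether the change reduced the short sessions, without dropping any events from the audit log.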


3 REPLIES

AJ-TechTrek
Giga Sage

Hi @gilsondo ,

 

For better understanding, can you please write your question in the English language?

 

Thanks

AJ- TechTrek with AJ

Good morning,

We are in the process of populating our CMDB. We are using Discovery ingestion. However, on the Linux server park, several SSH connections are being opened without any command execution, which has been increasing the size of our logs. Is there a way to prevent these open connections from the procedure that have no command execution?

Sincerely,
