Logging security events
‎06-05-2017 10:21 AM
Hello,
I have a requirement to report Security relevant events. I have checked the transaction log, the event log and the system log. I am unable to find events/logs for these items:
- Elevating privileges (security admin)
- Adding a role to a user (specifically the admin role)
How are these events captured in ServiceNow?
‎06-05-2017 11:03 AM
I just checked the events table. When we elevate the user role to security admin, the security.elevated_role.enabled event is fired. You can check in sysevent.list.
On the other hand, you can register your custom event on any table (here sys_user_has_role or sys_user) and fire the events. Thereafter, capture the event data and use it as required.
Check out
Event Registry - ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Events_and_Email_Notification#gsc.tab=0
I didn't try this, but this is just an idea.
Thanks
Naveen
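The custom-event idea from the reply above, as an added example that is not part of the original thread: logic for an "after insert" Business Rule on sys_user_has_role that queues an event when a privileged role is granted. The event name `custom.role.granted`, the watched-role list and the `makeGs`/`makeRow` stand-ins are assumptions made for illustration.

```javascript
// Added example, not from the thread. Logic for an "after insert" Business
// Rule on sys_user_has_role. On an instance the platform supplies `current`
// and `gs`; the stand-ins below exist only so this runs offline under Node.
var WATCHED_ROLES = ['admin', 'security_admin'];
var EVENT_NAME = 'custom.role.granted'; // hypothetical; add it to the Event Registry

function auditRoleGrant(current, gs) {
    var roleName = String(current.role.name);        // dot-walk to sys_user_role.name
    if (WATCHED_ROLES.indexOf(roleName) === -1) {
        return false;                                // not a privileged role: nothing queued
    }
    var grantedTo = String(current.user.user_name);  // dot-walk to sys_user.user_name
    var grantedBy = String(gs.getUserName());        // session user who made the change
    // parm1 = "<role>:<recipient>", parm2 = acting user; both land in sysevent
    gs.eventQueue(EVENT_NAME, current, roleName + ':' + grantedTo, grantedBy);
    if (grantedTo === grantedBy) {
        gs.warn('Self-granted role ' + roleName + ' by ' + grantedBy);
    }
    return true;
}

// Constructed stand-ins for the platform objects (offline run only).
function makeGs(actor) {
    var calls = { events: [], warnings: [] };
    return {
        calls: calls,
        getUserName: function () { return actor; },
        eventQueue: function (name, gr, parm1, parm2) {
            calls.events.push({ name: name, parm1: parm1, parm2: parm2 });
        },
        warn: function (msg) { calls.warnings.push(msg); }
    };
}
function makeRow(userName, roleName) {
    return { user: { user_name: userName }, role: { name: roleName } };
}

// Constructed sample: "amber" grants admin to "bob", then itil to "bob".
var gs = makeGs('amber');
auditRoleGrant(makeRow('bob', 'admin'), gs);
auditRoleGrant(makeRow('bob', 'itil'), gs);
console.log(JSON.stringify(gs.calls.events));
```

In a Business Rule the body reduces to `auditRoleGrant(current, gs);`, and anything registered for the event name can then forward parm1 and parm2 to wherever security events are collected.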
‎06-05-2017 11:51 AM
Hi Naveen,
Thanks for the reply.
I am able to see the security.elevated_role.enabled event in the event log when I elevate privs. However, when I browse to the event registry, I do not see a listing for this event.
Also, is this event sent to syslog? I don't see it in the Log File.
Thanks,
Amber
‎06-06-2017 02:25 AM
- Nope, event security.elevated_role.enabled is not logged.
- Yes, event security.elevated_role.enabled is not registered and it is not associated with any table.
You can listen to this event by registering with the same name.
Script Action:
And in the logs:
Let me know if this helps.
Thanks
Naveen