Health Log Analytics (Zurich): Ingest Power BI Activity Events via MID Server without Azure Log Anal
3 weeks ago
I’m looking for expert guidance on configuring ServiceNow Health Log Analytics (HLA) to ingest Power BI Activity Events directly into ServiceNow without using Azure Log Analytics, as Azure Log Analytics is disabled at the organization level and cannot be enabled.
Environment Details
- ServiceNow Release: Zurich (latest patch 37.0.15)
- Health Log Analytics Version: 37.0
- MID Server: Installed, validated, and enabled for log ingestion
- Azure Log Analytics: ❌ Not available / disabled at org level
- Data Source: Power BI Admin Activity Events API
  https://api.powerbi.com/v1.0/myorg/admin/activityevents
What Is Already Configured
- Health Log Analytics plugin is enabled
- MID Server is configured and operational
- Outbound REST Message created under:
  - System Web Services > Outbound > REST Message
- OAuth authentication configured successfully
- REST Message test returns HTTP 200 and valid Power BI activity event payload
Requirements
- Pull Power BI Activity Events every 1 hour
- Support incremental ingestion (delta/continuation-based)
- Use MID Server for outbound API execution
- Push data directly into ServiceNow Health Log Analytics
- Azure Log Analytics must NOT be used
Guidance Requested
I’m looking for product-aligned, Zurich-supported guidance on:
- Ingestion Architecture
  - Supported methods to send external REST API log data into Health Log Analytics without Azure Log Analytics
  - Whether HLA supports direct ingestion from:
    - MID Server
    - Custom log sources
    - Scripted ingestion APIs or pipelines
- REST Message → HLA Integration
  - How to process REST Message responses and forward them to Health Log Analytics
  - Required data formats for HLA ingestion
  - Any parsers, log sources, or ingestion rules that must be created
- Incremental Log Collection
  - Recommended approach to track:
    - Last processed timestamp
    - Continuation tokens from Power BI API
  - Scheduling mechanism (Scheduled Script / Flow / Job)
- Health Log Analytics Configuration
  - Creating custom log sources (if supported)
  - Parsing and normalization of Power BI activity events
  - Validation steps to confirm logs are indexed in HLA
- Anomaly Detection
  - Best practices to configure anomalies for Power BI activity events
  - Examples:
    - Spikes in export/download actions
    - Unusual user activity
    - Sudden increase in API operations
  - Threshold-based vs ML-based anomaly detection in HLA
Important Notes
- Please base recommendations strictly on:
  - Official ServiceNow documentation
  - ServiceNow KBs
  - ServiceNow blogs, demos, or community-verified implementations
- Avoid assumptions or unsupported features
- Clearly call out any limitations of Health Log Analytics in Zurich
3 weeks ago
For Zurich, Health Log Analytics is documented as a push-based ingestion platform. Logs are ingested through Data Inputs that receive data via the MID Server. There is no official documentation that supports pulling data from external REST APIs directly into HLA using Scheduled Scripts, Flow Designer, or REST Messages. Those mechanisms basically are not endorsed as HLA ingestion paths.
From what I have experienced, ServiceNow blogs, demos, and community examples consistently show the same supported pattern: External collector or Log producer -> HLA REST API Data Input -> MID Server -> HLA.
Azure Log Analytics is often referenced in examples I see, but it's not mandatory and can be replaced with a custom external collector that pushes logs.
Known Zurich limitations:
- HLA ingestion is push-only
- MID Server is used to receive and forward logs, not to poll external APIs for HLA
- Internal REST-based pull designs are considered custom and unsupported
Based on these sources, my recommendations stay within what ServiceNow documents, supports, and what I have seen the community successfully implement in Zurich, without having to rely on assumptions or unsupported features.
@Pallavi37 - I hope this info assists. Please give Accepted Solution and Thumbs Up if you found it helpful!
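The external collector in the pattern above still has to pull the Power BI Admin Activity Events API incrementally before it can push anything. The following is an added example of that pull step, not code from this thread or from ServiceNow: it splits the interval so no request spans two UTC days, follows `continuationUri` until `lastResultSet`, and returns the checkpoint to persist. `fetch` is a hypothetical callable that performs the authenticated GET, the response pages are constructed, and the push to the HLA Data Input is not shown.

```python
from datetime import datetime, timedelta, timezone

API = "https://api.powerbi.com/v1.0/myorg/admin/activityevents"

def stamp(dt):
    return "'" + dt.isoformat(timespec="milliseconds").replace("+00:00", "Z") + "'"

def day_windows(start, end):
    """Split [start, end) so that no request spans two UTC days."""
    while start < end:
        midnight = (start + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
        stop = min(end, midnight)
        yield start, stop - timedelta(milliseconds=1)
        start = stop

def collect(fetch, checkpoint, now):
    """Return (events, new_checkpoint) for events in [checkpoint, now).
    fetch(url) -> dict is hypothetical: it performs the OAuth-authenticated GET."""
    events, seen = [], set()
    for lo, hi in day_windows(checkpoint, now):
        url = f"{API}?startDateTime={stamp(lo)}&endDateTime={stamp(hi)}"
        while url:
            page = fetch(url)
            for ev in page.get("activityEventEntities", []):
                if ev["Id"] not in seen:  # defensive de-duplication on event Id
                    seen.add(ev["Id"])
                    events.append(ev)
            # An empty page may still carry a continuationUri; keep following it.
            url = None if page.get("lastResultSet") else page.get("continuationUri")
    # Persist the new checkpoint only after the events were pushed successfully.
    return events, now

def demo():
    """Run the collector over constructed pages for a window that crosses midnight."""
    cont = API + "?continuationToken='CONSTRUCTED'"
    pages = iter([
        {"activityEventEntities": [{"Id": "a1", "Activity": "ExportReport"}],
         "continuationUri": cont, "lastResultSet": False},
        {"activityEventEntities": [], "continuationUri": cont, "lastResultSet": False},
        {"activityEventEntities": [{"Id": "a1"}, {"Id": "a2"}], "lastResultSet": True},
        {"activityEventEntities": [], "lastResultSet": True},
    ])
    urls = []
    def fetch(url):
        urls.append(url)
        return next(pages)
    events, cp = collect(fetch, datetime(2025, 1, 1, 23, 30, tzinfo=timezone.utc),
                         datetime(2025, 1, 2, 0, 30, tzinfo=timezone.utc))
    return [e["Id"] for e in events], urls, cp
```

Because the checkpoint is returned rather than stored, a failed push leaves the old checkpoint in place and the next hourly run re-pulls the same interval.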
2 weeks ago
Thanks for your time and detailed information, Mathew.
Do you think installing Filebeat or Winlogbeat on the Windows MID Server to pull activity events from Power BI and then forward them to the HLA MID Server Data Input would work?
2 weeks ago
It can work, but I don't think it's a good idea.
Installing Filebeat or Winlogbeat on a MID Server isn’t really recommended. The MID Server isn’t meant to run third-party log shippers, and it usually leads to support, upgrade, and resource issues.
Also, Power BI activity logs don’t live in Windows event logs by default; they’re pulled via Power BI / M365 APIs. So you would still need an API pull first, which makes Beats unnecessary.
Recommended cleaner approach:
Pull Power BI logs via API and send them directly into ServiceNow Import Set / Table API using the MID Server only as a network bridge if needed.
@Pallavi37 - I hope this info assists. Please give Accepted Solution and Thumbs Up if you found it helpful!
2 weeks ago
Hi Mathew,
Based on my understanding, the Import Set API and Table API are not supported ingestion mechanisms for Health Log Analytics. These APIs load data into surf (staging) tables, and surf tables are not supported as input sources for HLA ingestion. I have raised a support case with ServiceNow to confirm on the approach and am currently awaiting their response.
