As often happens around the holidays, I found myself with a lot more time that wasn't taken up by meetings, so I set out to better understand ServiceNow's Log Export Service (LES). I created a tool to demonstrate pulling logs in real time from ServiceNow's Log Export Service. I had a specific goal in mind: I wanted to show people how LES provides near-real-time logging of events without having to set up an entire Splunk instance for myself. But as the project evolved, it became something more—a tool that made it easier for me to explore the logs myself and correlate log lines with real events like MFA logins or failed authentication attempts. What started as a demonstration turned into a reference implementation for how you can pull real-time logs into ANYTHING – whether that’s Splunk, or Logstash, or even just writing them to a folder and archiving them for long-term storage. I'm excited to share this tool with the community.
Why real-time log monitoring matters
If you're responsible for a ServiceNow instance, you know that security and performance monitoring shouldn't happen in hindsight. Real-time access to log events enables you to respond immediately to suspicious activity, track performance issues as they occur, and understand exactly what's happening right now in your environment.
Log Export Service uses Kafka—a distributed streaming platform—to deliver your ServiceNow logs in real time to your SIEM or monitoring tools. Think of it as a firehose of events: every login, every configuration change, every integration call, flowing continuously to wherever you need it. And here's the best part: the first 100GB per month of log throughput is free, giving you runway to experiment and see the value before committing resources.
The reality of getting started
While enterprise SIEMs like Splunk offer pre-built connectors for ingesting ServiceNow logs (and other SIEM vendors may as well), sometimes you just want to see what's in those logs before making infrastructure decisions. That's where this project comes in.
I built an application that connects to Log Export Service via Kafka, pulls log events in real time, and displays them in a web interface with basic filtering and alerting. For example, it can flag admin impersonation events as they happen—a simple but powerful demonstration of real-time detection capabilities.
What you can learn from this tool
The kafka-sse-bridge application is intentionally basic—it's a reference implementation, not a full-featured SIEM. But it demonstrates what's possible when you have streaming access to your ServiceNow logs:
- Security monitoring: Identify rogue integrations, detect reporting misuse, or track suspicious login patterns
- AI agent attribution: As AI agents become more prevalent in ServiceNow, understanding which actions they're performing becomes critical for governance
- Performance insights: Watch how your instance performs under load in real time
- Log exploration: See what's in syslog events, or dive into the detailed firehose of node logs
The use cases extend far beyond what I've implemented. That's intentional—I want you to fork the code, experiment and discover what matters most for your environment. This tool can also help with developing your detection logic before you build that out in a more mature tool, like Splunk or Kibana.
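The detection step described above (flagging impersonation as it happens, spotting suspicious login patterns) as a small added Python example: this is not the kafka-sse-bridge project's own code, and the JSON field names, the "X is impersonating Y" syslog wording and the sample records are assumptions constructed for the demo rather than LES's real message format.

```python
# Added example (not the kafka-sse-bridge project's code): the detection layer
# a Kafka consumer could call for every LES message before pushing it to SSE.
import json
from collections import defaultdict, deque

FAILED_LOGIN_THRESHOLD = 3   # alert on this many failures per user ...
FAILED_LOGIN_WINDOW_S = 60   # ... inside this many seconds

class LogDetector:
    """Stateful rule engine: feed each Kafka message value, get back alerts."""

    def __init__(self):
        # per-user timestamps of recent failed logins (sliding window)
        self._failures = defaultdict(deque)

    def handle(self, raw: bytes) -> list[str]:
        event = json.loads(raw)   # assumed: one JSON object per Kafka message
        message = event.get("message", "")
        ts = event["timestamp"]   # assumed: epoch seconds
        alerts = []
        # Rule 1: impersonation. Syslog wording "X is impersonating Y" is assumed.
        if " is impersonating " in message:
            actor, target = message.split(" is impersonating ", 1)
            alerts.append(f"impersonation: {actor} -> {target}")
        # Rule 2: burst of failed authentications for one user.
        if event.get("event") == "login.failed":
            window = self._failures[event["user"]]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW_S:
                window.popleft()          # drop failures outside the window
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(f"failed-login burst: {event['user']} x{len(window)}")
                window.clear()            # one alert per burst
        return alerts

def _msg(**fields) -> bytes:
    return json.dumps(fields).encode()

# Constructed sample stream standing in for the Kafka message values.
SAMPLE_STREAM = [
    _msg(timestamp=1000, event="login.failed", user="bob"),
    _msg(timestamp=1010, event="login.failed", user="bob"),
    _msg(timestamp=1020, event="login.failed", user="bob"),
    _msg(timestamp=1030, event="syslog", message="admin is impersonating alice"),
    _msg(timestamp=2000, event="login.failed", user="bob"),  # new window, no alert
]

def run(stream=SAMPLE_STREAM) -> list[str]:
    """Replay a stream through one detector and collect every alert it raises."""
    detector = LogDetector()
    return [alert for raw in stream for alert in detector.handle(raw)]
```

In a real bridge, `handle()` would be called from the Kafka consumer loop and its alerts pushed to the browser alongside the raw event, which is how the impersonation flag in the web interface can fire within seconds of the log line arriving.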
Try it yourself
To get started, you'll need a basic understanding of the Linux or Mac terminal. Python knowledge helps if you want to understand the code, but it's not required just to run it. You'll also need to follow the product documentation to create a Kafka topic for the application to subscribe to. In the code repository, you’ll find instructions in the README.md file on how to set up the required certificates and where to get the Kafka producer URLs you need to finish configuring the application.
Once running, you'll see your ServiceNow logs streaming in real time through a web interface. It's eye-opening to watch authentication events, configuration changes, and system activity unfold as they happen.
An invitation to contribute
This tool lives on GitHub, and I'd love to see what the community builds with it. Some ideas for contributions:
- Additional filters for different security scenarios
- A table view for login events as they're detected
- Visualization improvements for specific log types
That said, let's be clear about scope: this is a technical reference for understanding Log Export Service, not an attempt to build our own SIEM. Think of it as a learning tool and a launching pad for your own explorations.
Get started
Download the application from GitHub and give it a try in your environment. See what insights emerge when you have real-time visibility into your ServiceNow instance. And if you build something interesting on top of it, I'd love to hear about it in the comments or through GitHub issues.
Real-time security monitoring starts with understanding what data you have. This tool gives you that understanding—what you build with it is up to you.