Export all admin activity (syslog) to external server

Brad59
Giga Guru

Our Infosec team has required that all admin activity that occurs in ServiceNow needs to be exported to an external syslog server. From initial review, it looked like the SecOps module included SIEM integrations. However, it appears that integration is to ingest SIEM events/logs and create incidents. 


Original research article that suggested SecOps:
Advantages of a Security Information and Event Man... - ServiceNow Community

From another post in this forum, I found a similar question and the response seems to indicate that the solution to my need will need to be mostly custom. From my prior experience this is a common request for InfoSec teams and I am curious how other companies have solved this. 

Similar post regarding our need:

Best Methods to export user login (Successful and ... - ServiceNow Community

Solution to prior mentioned post:

User login-logout statistics/report for an instance - Support and Troubleshooting (servicenow.com)

1 ACCEPTED SOLUTION

Tim Boswell
ServiceNow Employee

In the Trust site, there is a link to the guide, and on pages 8 and 9, it discusses how to get ServiceNow logs into your own Syslog server or SIEM. Here is a direct link to that document:
https://support.servicenow.com/$viewer.do?sysparm_stack=no&sysparm_sys_id=a8f29b7a1bde95d0b4b577bc1d...

And on the docs site, you'll want to scroll down to: 
https://docs.servicenow.com/bundle/tokyo-platform-administration/page/integrate/vendor-specific-inte...

 


4 REPLIES

Tim Boswell
ServiceNow Employee

Thank you for your reply. I do not see anything related to syslog exports in either of the links that you shared. Am I missing something?

Tim Boswell
ServiceNow Employee

In the Trust site, there is a link to the guide, and on pages 8 and 9, it discusses how to get ServiceNow logs into your own Syslog server or SIEM. Here is a direct link to that document:
https://support.servicenow.com/$viewer.do?sysparm_stack=no&sysparm_sys_id=a8f29b7a1bde95d0b4b577bc1d...

And on the docs site, you'll want to scroll down to: 
https://docs.servicenow.com/bundle/tokyo-platform-administration/page/integrate/vendor-specific-inte...

 

It does help quite a bit. It appears it will be mostly manually creating business rules for the tables listed on those pages.