Export all admin activity (syslog) to external server

Go to solution
Brad59
Giga Guru

‎12-06-2022 08:19 AM

Our Infosec team has required that all admin activity that occurs in ServiceNow needs to be exported to an external syslog server. From initial review, it looked like the SecOps module included SIEM integrations. However, it appears that integration is to ingest SIEM events/logs and create incidents. 


Original research article that suggested SecOps:
Advantages of a Security Information and Event Man... - ServiceNow Community

From another post in this forum, I found a similar question and the response seems to indicate that the solution to my need will need to be mostly custom. From my prior experience this is a common request for InfoSec teams and I am curious how other companies have solved this. 

Similar post regarding our need:

Best Methods to export user login (Successful and ... - ServiceNow Community

Solution to prior mentioned post:

User login-logout statistics/report for an instance - Support and Troubleshooting (servicenow.com)

0 Helpfuls
  • 1,119 Views
1 ACCEPTED SOLUTION

Go to solution
Tim Boswell
ServiceNow Employee
ServiceNow Employee
In response to Brad59

‎12-07-2022 11:51 AM

In the Trust site, there is a link to the guide, and on pages 8 and 9, it discusses how to get ServiceNow logs into your own Syslog server of SIEM. Here is a direct link to that document:
https://support.servicenow.com/$viewer.do?sysparm_stack=no&sysparm_sys_id=a8f29b7a1bde95d0b4b577bc1d...

And on the docs site, you'll want to scroll down to: 
https://docs.servicenow.com/bundle/tokyo-platform-administration/page/integrate/vendor-specific-inte...

 

View solution in original post

4 REPLIES 4

Go to solution
Tim Boswell
ServiceNow Employee
ServiceNow Employee

‎12-06-2022 08:56 PM - edited ‎12-06-2022 08:56 PM

Hello, you should be able to locate the instructions you seek at:
https://docs.servicenow.com/bundle/tokyo-platform-security/page/administer/reference-pages/concept/p...
and 
https://www.servicenow.com/company/trust.html

0 Helpfuls

Go to solution
Brad59
Giga Guru
In response to Tim Boswell

‎12-07-2022 06:23 AM

Thank you for your reply. I do not see anything related to syslog exports in either of the links that you shared. Am I missing something?

0 Helpfuls

Go to solution
Tim Boswell
ServiceNow Employee
ServiceNow Employee
In response to Brad59

‎12-07-2022 11:51 AM

In the Trust site, there is a link to the guide, and on pages 8 and 9, it discusses how to get ServiceNow logs into your own Syslog server of SIEM. Here is a direct link to that document:
https://support.servicenow.com/$viewer.do?sysparm_stack=no&sysparm_sys_id=a8f29b7a1bde95d0b4b577bc1d...

And on the docs site, you'll want to scroll down to: 
https://docs.servicenow.com/bundle/tokyo-platform-administration/page/integrate/vendor-specific-inte...

 

Go to solution
Brad59
Giga Guru
In response to Tim Boswell

‎12-07-2022 12:53 PM

It does help quite a bit. It appears it will be mostly manually creating business rules for the tables listed on those pages.

0 Helpfuls