Best Practices around Log Shipping

srinivas79
ServiceNow Employee


Customer wants to export all critical logs to their SIEM, primarily for audit and retention. We have the following options:
Option 1) Export log tables on a daily basis
The concern is that since we are speaking of huge volumes of data, this can cause performance issues on the instance. Is there any best practice?

Option 2) Syslog probe to SIEM (preferred)
Export logs to a SIEM solution through the syslog probe. However, as per the documentation we need to create business rules for this, which is not realistic, as the SIEM would want to capture all the logs and filtering would typically be handled at the SIEM layer.
This is not a practical scenario. Is there a way in which I can have all the selected log files forwarded to an external syslog server instead of writing individual business rules?
Also, do we have any benchmarks around:
1) typical EPS from ServiceNow
2) any performance benchmarks that we should keep in mind


Chaitanya Redd1
Tera Guru

Hi,


Option 1: Exporting log tables on a daily basis can have performance issues on the instance if not done correctly. One best practice is to use a script to export the data instead of using the UI, which can be slower and more resource-intensive. Additionally, you may want to consider partitioning the log tables to reduce the amount of data that needs to be exported each day. This can also help with query performance when searching for logs in the instance.

Option 2: You can configure the ServiceNow syslog probe to forward logs to an external syslog server without creating individual business rules. This can be done by configuring the syslog target to use a specific syslog server and port in the instance's system properties. You can also configure the syslog target to include specific log levels or log sources, depending on your requirements.

As for benchmarks, the typical EPS (events per second) from ServiceNow can vary depending on the size and complexity of the instance, as well as the number of logs generated. It's important to monitor the performance of the instance when exporting logs to ensure that it doesn't negatively impact the instance's performance. ServiceNow provides performance benchmarks and best practices in their documentation, which can be helpful when planning for log exports. Additionally, it's important to work closely with the SIEM vendor to ensure that their requirements and recommendations are met.

Thanks! Chaitanya...
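As an added example of the scripted export approach Option 1 refers to (this is not code from the thread or from ServiceNow): an incremental, paginated pull of the `syslog` table over the Table API, re-emitted as RFC 5424 lines for a syslog/SIEM collector. Pulling only records created since the last run, by a persisted `sys_created_on` watermark, is what keeps the instance load small compared with a full daily dump. Assumptions are the instance hostname, the private enterprise number 32473 (the value RFC 5424 reserves for examples), and the sample records, which are constructed; the endpoint `/api/now/table/<table>` and the `sysparm_*` parameters are the documented Table API ones.

```python
"""Incremental, paginated pull of the ServiceNow `syslog` table and
re-emission as RFC 5424 syslog lines for a SIEM collector.

Added example for this thread; it is not ServiceNow code.  Assumptions:
the instance hostname, the private enterprise number 32473 (the value RFC 5424
reserves for examples), and the sample records below, which are constructed.
The real Table API endpoint is /api/now/table/<table>; the parameter names
used in export_query() are the documented ones."""
from datetime import datetime, timezone
from urllib.parse import urlencode

INSTANCE = "example.service-now.com"   # assumed instance hostname
TABLE = "syslog"                        # ServiceNow system log table
FIELDS = "sys_id,sys_created_on,level,source,message"

# ServiceNow log levels -> syslog severities (RFC 5424, section 6.2.1)
SEVERITY = {"Error": 3, "Warning": 4, "Information": 6}
FACILITY_LOCAL0 = 16


def export_query(watermark, page_size, offset):
    """Table API URL for one page of records created at or after `watermark`.

    ORDERBYsys_created_on keeps offset paging stable; `>=` rather than `>`
    keeps records that share the watermark second, so the caller must skip
    ids it already shipped (see advance())."""
    params = {
        "sysparm_query": f"sys_created_on>={watermark}^ORDERBYsys_created_on",
        "sysparm_fields": FIELDS,
        "sysparm_limit": page_size,
        "sysparm_offset": offset,
        "sysparm_exclude_reference_link": "true",
    }
    return f"https://{INSTANCE}/api/now/table/{TABLE}?{urlencode(params)}"


def _sd_escape(value):
    """RFC 5424 6.3.3: '"', '\\' and ']' inside a PARAM-VALUE must be escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_rfc5424(rec, hostname=INSTANCE):
    """Render one syslog-table record as an RFC 5424 line (PRI = facility*8 + severity).
    sys_created_on from the Table API is UTC 'YYYY-MM-DD HH:MM:SS'."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY.get(rec["level"], 6)
    ts = datetime.strptime(rec["sys_created_on"], "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
    sd = (f'[snow@32473 sys_id="{_sd_escape(rec["sys_id"])}"'
          f' source="{_sd_escape(rec["source"])}"]')
    return f"<{pri}>1 {ts} {hostname} servicenow - {rec['level']} {sd} {rec['message']}"


def advance(records, watermark, seen):
    """Filter already-shipped ids out of one page and move the watermark.

    Returns (new_watermark, ids_at_new_watermark, fresh_records).  The id set is
    what makes the `>=` query safe: on the next run every record stamped with
    the watermark second comes back again and is dropped here."""
    fresh = [r for r in records if r["sys_id"] not in seen]
    if not fresh:
        return watermark, seen, fresh
    new_wm = max(r["sys_created_on"] for r in fresh)
    new_seen = {r["sys_id"] for r in fresh if r["sys_created_on"] == new_wm}
    if new_wm == watermark:          # still inside the same second: keep earlier ids too
        new_seen |= set(seen)
    return new_wm, new_seen, fresh


def ship(pages, sender, watermark, seen=frozenset()):
    """Forward every fresh record from `pages` (oldest first) through `sender`.

    Returns (watermark, seen, count); persist watermark and seen between runs
    so each run exports only what was created since the last one instead of a
    full daily dump."""
    seen, count = set(seen), 0
    for page in pages:
        watermark, seen, fresh = advance(page, watermark, seen)
        for rec in fresh:
            sender(to_rfc5424(rec))
            count += 1
    return watermark, seen, count


# Constructed sample page, shaped like a Table API result for the syslog table.
SAMPLE_PAGE = [
    {"sys_id": "4f0a5e2c1b2c3d4e5f6a7b8c9d0e1f20", "sys_created_on": "2024-05-01 10:00:00",
     "level": "Error", "source": "com.glide.security", "message": "Invalid login for user admin"},
    {"sys_id": "8b1c6f3d2c3d4e5f6a7b8c9d0e1f2031", "sys_created_on": "2024-05-01 10:00:00",
     "level": "Warning", "source": "com.glide.ui", "message": "Slow transaction [incident.do]"},
    {"sys_id": "c2d7a04e3d4e5f6a7b8c9d0e1f203142", "sys_created_on": "2024-05-01 10:00:05",
     "level": "Information", "source": "com.glide.db", "message": "Cache flushed"},
]

if __name__ == "__main__":
    # A real sender would write to a TLS syslog socket; here it prints.
    wm, ids, n = ship([SAMPLE_PAGE], print, "2024-05-01 00:00:00")
    print(f"shipped {n}; next run queries: {export_query(wm, 1000, 0)}")
```

The `sender` is deliberately a plain callable so the same code can feed a TLS socket, a file, or a test list; the watermark and the id set returned by `ship()` are the only state to persist between scheduled runs, and the `>=` query plus that id set is what prevents both gaps and duplicates when several records land in the same second.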


I was checking for the syslog destination option. However, as per https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0714743, it indicates that this will not work for global scope. Any ideas/workarounds?

The KB article URL is invalid. Please send the correct URL.

Do you still have that issue? If not, can you please share with us what you did?

Travis Rogers
ServiceNow Employee

The best option here is to use the Log Export Service. This streams all ServiceNow logs via Kafka to external log retention sources like Splunk, without the bandwidth concerns of using the syslog probe (which was really meant for smaller targeted use cases, not entire syslog dumps).