ServiceNow Logs Keyword Identification
07-29-2025 07:17 PM
I would like to have the various activities captured and ingested into Elastic.
- superadmin account success/failure logins
- creation of additional accounts or roles
- modification of accounts or role privileges
- deletion of accounts or roles
- user action of clearing the log
What are the keywords, and which tables should be monitored for this information?
Monday
sys_user_login_history (for 1st bullet)
sys_user and sys_user_role (for 2nd and 4th bullet)
sys_user, sys_user_has_role, sys_security_acl, and sys_user_grmember (3rd bullet)
Be more specific on bullet 5.
Monday
| Activity | Table(s) to Monitor | Important Fields | Keywords |
|---|---|---|---|
| Superadmin logins | syslogins | user, status, source | login, success, failed |
| Account/role creation | sys_user, sys_user_has_role, sys_audit | action=insert | insert, role added |
| Account/role modification | sys_audit, sys_user, sys_user_role | action=update | update, role changed |
| Account/role deletion | sys_audit_delete, sys_user, sys_user_role | action=delete | delete, role removed |
| Log clearing | syslog, sys_audit_delete | message, operation | purge, log cleared |
Shashank Jain – Software Engineer | Turning issues into insights
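
An added example, not written by any poster in this thread: one way to sort rows polled from the tables named in the replies into the question's account, role and log-clearing activities before indexing them into Elastic. The instance URL, output field names and sample rows are constructed; it assumes the `tablename`, `sys_created_on` and `sys_created_by` columns, UTC timestamps, and that deletions are recorded in `sys_audit_delete`, and it leaves the login bullet out because the two replies name different tables for it.

```python
from urllib.parse import urlencode

# Assumption: placeholder instance name, not from the thread.
INSTANCE = "https://example.service-now.com"

# Tables named in the replies. In sys_audit / sys_audit_delete rows, `tablename`
# says which table the changed or deleted record belonged to.
ACCOUNT_TABLES = {"sys_user", "sys_user_role", "sys_user_has_role", "sys_user_grmember"}
LOG_TABLES = {"syslog", "sys_audit"}  # sys_audit is added here as an assumption

def poll_url(table, since, limit=1000):
    """Table API URL for rows created after `since` ('YYYY-MM-DD HH:MM:SS')."""
    query = f"sys_created_on>{since}^ORDERBYsys_created_on"
    return f"{INSTANCE}/api/now/table/{table}?" + urlencode(
        {"sysparm_query": query, "sysparm_limit": limit})

def classify(source_table, row):
    """Map one polled row to an activity from the question, or None."""
    target = row.get("tablename", "")
    if source_table == "sys_audit_delete":
        if target in LOG_TABLES:
            return "log_cleared"
        if target in ACCOUNT_TABLES:
            return "account_or_role_deleted"
    elif source_table == "sys_audit" and target in ACCOUNT_TABLES:
        return "account_or_role_modified"
    elif source_table in ("sys_user", "sys_user_role", "sys_user_has_role"):
        return "account_or_role_created"  # polled by sys_created_on, so each row is new
    return None

def to_event(source_table, row):
    """Flat document for Elastic; the output field names are this example's own."""
    category = classify(source_table, row)
    if category is None:
        return None
    return {"@timestamp": row["sys_created_on"].replace(" ", "T") + "Z",
            "servicenow.table": source_table, "event.action": category,
            "user.name": row.get("sys_created_by", "unknown")}

# Constructed sample rows (not real ServiceNow output).
SAMPLE = [
    ("sys_user_has_role", {"sys_created_on": "2025-07-29 11:02:10", "sys_created_by": "admin"}),
    ("sys_audit", {"tablename": "sys_user", "fieldname": "active", "oldvalue": "true",
                   "newvalue": "false", "sys_created_on": "2025-07-29 11:05:00", "sys_created_by": "admin"}),
    ("sys_audit_delete", {"tablename": "syslog", "sys_created_on": "2025-07-29 11:09:41", "sys_created_by": "jdoe"}),
    ("sys_audit_delete", {"tablename": "incident", "sys_created_on": "2025-07-29 11:10:00", "sys_created_by": "jdoe"}),
]
EVENTS = [e for e in (to_event(t, r) for t, r in SAMPLE) if e]
```

Rows whose `tablename` is outside the two sets, such as the constructed `incident` deletion, are dropped rather than indexed.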