ServiceNow Logs Keyword Identification

Sherry Lee · ‎07-29-2025

I would like to have the various activities captured and ingest to Elastic.
- superadmin account success/failure logins
- creation of additional accounts or roles
- modification of accounts or role privileges
- deletion of accounts or roles
- user action of clearing of log

What are the keyword and which table to monitor the information?

Bert_c1 · ‎09-01-2025

sys_user_login_history (for 1st bullet)

sys_user and sys_user_role (for 2nd and 4th bullet)

sys_user, sys_user_has_role, sys_security_acl, and sys_user_grmember (3rd bullet)

Be more specific on bullet 5.

Shashank_Jain · ‎09-01-2025

@Sherry Lee ,

Activity Table(s) to Monitor Important Fields Keywords

Superadmin logins	syslogins	user, status, source	login, success, failed
Account/role creation	sys_user, sys_user_has_role, sys_audit	action=insert	insert, role added
Account/role modification	sys_audit, sys_user, sys_user_role	action=update	update, role changed
Account/role deletion	sys_audit_delete, sys_user, sys_user_role	action=delete	delete, role removed
Log clearing	syslog, sys_audit_delete	message, operation	purge, log cleared

If this works, please mark it as helpful/accepted — it keeps me motivated and helps others find solutions.
Shashank Jain