ServiceNow Logs Keyword Identification

Sherry Lee
Tera Contributor

I would like to have the various activities captured and ingested into Elastic.
- superadmin account success/failure logins
- creation of additional accounts or roles
- modification of accounts or role privileges
- deletion of accounts or roles
- user action of clearing logs

What are the keywords, and which tables should be monitored for this information?

2 REPLIES

Bert_c1
Kilo Patron

sys_user_login_history (for 1st bullet)

sys_user and sys_user_role (for 2nd and 4th bullet)

sys_user, sys_user_has_role, sys_security_acl, and sys_user_grmember (3rd bullet)

Be more specific on bullet 5.

Shashank_Jain
Kilo Sage

@Sherry Lee ,

 

| Activity | Table(s) to Monitor | Important Fields | Keywords |
|---|---|---|---|
| Superadmin logins | syslogins | user, status, source | login, success, failed |
| Account/role creation | sys_user, sys_user_has_role, sys_audit | action=insert | insert, role added |
| Account/role modification | sys_audit, sys_user, sys_user_role | action=update | update, role changed |
| Account/role deletion | sys_audit_delete, sys_user, sys_user_role | action=delete | delete, role removed |
| Log clearing | syslog, sys_audit_delete | message, operation | purge, log cleared |

If this works, please mark it as helpful/accepted — it keeps me motivated and helps others find solutions.
Shashank Jain – Software Engineer | Turning issues into insights
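
The following is an added example, not code from either reply or from ServiceNow: a sketch of polling the account and role tables named in this thread through the Table API and shaping the rows into an Elasticsearch `_bulk` body. The index name, the `activity` document layout, the object labels and the sample rows are assumptions, and timestamps are assumed to be UTC.

```python
import json
from urllib.parse import urlencode

# Tables named in the replies -> object type (labels are hypothetical).
WATCHED = {"sys_user": "account", "sys_user_role": "role",
           "sys_user_has_role": "role_grant", "sys_user_grmember": "group_member"}

def poll_url(instance, table, since, limit=1000):
    """Table API URL for rows touched after `since` (YYYY-MM-DD HH:MM:SS)."""
    query = f"sys_updated_on>{since}^ORDERBYsys_updated_on"
    params = {"sysparm_query": query, "sysparm_limit": limit}
    return f"https://{instance}/api/now/table/{table}?{urlencode(params)}"

def classify(table, rec):
    """Return (object, action), or None when the row is not of interest."""
    if table == "sys_audit_delete":
        # A deleted row is gone from its own table; only this table records it.
        obj = WATCHED.get(rec.get("tablename"))
        return (obj, "deletion") if obj else None
    obj = WATCHED.get(table)
    if obj is None:
        return None
    # sys_mod_count stays 0 until the row is first updated.
    return (obj, "modification" if int(rec.get("sys_mod_count") or 0) else "creation")

def to_bulk(table, rows, index="servicenow-audit"):
    """Build an Elasticsearch _bulk NDJSON body from polled rows."""
    out = []
    for rec in rows:
        hit = classify(table, rec)
        if hit is None:
            continue
        # Deterministic _id makes re-polling the same window idempotent.
        doc_id = f"{table}:{rec['sys_id']}:{rec['sys_updated_on']}"
        out.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        out.append(json.dumps({
            "@timestamp": rec["sys_updated_on"].replace(" ", "T") + "Z",
            "servicenow": {"table": table, "sys_id": rec["sys_id"]},
            "activity": {"object": hit[0], "action": hit[1]}}))
    return "\n".join(out) + "\n" if out else ""

# Constructed sample rows, shaped like Table API results (values are strings).
SAMPLE_ROWS = [
    {"sys_id": "a1", "sys_mod_count": "0", "sys_updated_on": "2024-05-01 09:00:00"},
    {"sys_id": "b2", "sys_mod_count": "2", "sys_updated_on": "2024-05-01 09:05:00"},
]

if __name__ == "__main__":
    print(to_bulk("sys_user_has_role", SAMPLE_ROWS), end="")
```

Polling `sys_user` or `sys_user_has_role` alone never shows deletions, which is why the delete audit table is handled as its own source here.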