Exploring Auditing
Summarize
Summary of Exploring Auditing
The Auditing feature in ServiceNow allows customers to track changes made to auditing-enabled tables, including incidents, changes, and problems. This feature is important for maintaining a detailed history of record modifications, ensuring compliance, and enhancing data integrity within the system.
Show less
Key Features
- Change Tracking: By enabling auditing, customers can monitor the creation, updates, and deletions of records.
- Selective Field Auditing: Customers can choose to audit specific fields while excluding others by using dictionary attributes.
- Performance Considerations: Auditing high-traffic system tables can impact performance; thus, selective field auditing is recommended for tables like Event Management Alerts.
- Audit Information: Auditing records include the unique identifier, field changes, old and new values, timestamps, and the user who made changes.
- Exemptions: Certain updates (e.g., upgrades, import sets, system fields) are not audited, which can affect the visibility of changes in history logs.
- Enhanced Audit Process: Audits are now recorded immediately during the same transaction, reducing the risk of missing audit records from canceled transactions.
Key Outcomes
By effectively utilizing the auditing feature, ServiceNow customers can maintain a clear and accurate record of changes, ensuring compliance and facilitating troubleshooting. The new enhanced audit process minimizes the chances of losing audit records during canceled transactions, further bolstering the reliability of the audit logs.
Track record changes on auditing-enabled tables. By default, the system tracks changes to the incident, change, and problem tables, among others.
Enabling auditing tracks the creation, update, and deletion of all records in the table. If you want to audit individual fields in a table, you can hide fields you don’t want to track using a dictionary attribute.
- The Audit table.
- The Knowing about History sets table.
Auditing parent and child tables
- For example, if you enable auditing for the Configuration Items [cmdb_ci] table, only CIs stored in that base table are audited.
- Likewise, if you enable auditing for the Computers [cmdb_ci_computer] table, only the computer CI records are audited, including any fields on the Computers [cmdb_ci_computer] table that is derived from the Configuration Items [cmdb_ci] table.
Auditing system tables
By default, the system doesn’t audit the deletion of a record from system tables. To audit a system table, add it to the list of tables in the glide.ui.audit_deleted_tables property list.
Auditing deletions from a form or list
By default, the system audits deletions of individual records from a form. To prevent auditing, set the table's dictionary attribute no_audit_delete.
glide.db.audit.ignore.delete =
sys_mutex,sys_db_cache,sys_lucene_block,sys_lucene_file,sys_lucene_directory,sys_user_preference,sys_audit,sc_cart,sc_cart_item,sys_trigger,wf_context,wf_activity,wf_condition,wf_executing,wf_history,wf_log,wf_transition,wf_transition_history,
cmdb_ci_windows_service, cmdb_sam_sw_install, cmdb_software_instance, cmdb_sam_sw_usage, sam_sw_counter_detail
To learn more about adding system properties, see Add a system property
It is to be noted that by default, the audit deletes are enabled whether the record is deleted from the form view, list view, or through a script/scheduled job.
Information audited
Auditing tracks the following record changes:- Unique Record Identifier (sys_id) of the record that changed
- Field that changed
- New field value
- Old field value
- Number of times this record and field have been updated
- Date and time when the change occurred
- User who made the change
- Reason for the change (if any reason is associated with the change)
- Internal checkpoint ID for the record, if the record has multiple versions.
Information exempted from auditing
Some updates aren’t audited despite enabling auditing on a table. For example, you may see 132 updates in a record's history, but only seven audited ones.- Updates made by an upgrade.
- Updates are made through import sets.
- Records in parent or child tables.
- Fields with the no_audit dictionary attribute.
- System tables are not listed in the glide.ui.audit_deleted_tables property list.
- Fields that begin with the sys_ prefix (system fields), except the sys_class_name and sys_domain_id columns.
- UI Pages can sometimes trigger updates to a record without creating an audit log.
- Anytime an inactivity monitor touches a record. It prevents you seeing possibly hundreds of updates listed against an incident, with the noise drowning out the useful data.
- Manual changes to Performance Analytics scores.
- Applying Update Set
- Import XML
Auditing a table
For instructions on how to audit a table, see Configuring auditing for a table.- You can enable auditing for the entire table, then exclude those fields you don’t want to include. It’s appropriate when you want to audit most, but not all, fields, and is referred to as an exclusion listing. For more information, see Exclude a field from being audited (exclusion listing).
- You can enable auditing for the table, but only for specified fields. It’s appropriate when you want to audit only a small number of the table's fields and is referred to as an inclusion listing. For information on how to include a field using an inclusion listing, see Include a table field in auditing (inclusion listing).
Non-cancellable audit records
Reduce the chances of audit records not being recorded when a transaction is canceled with the new default setting.
glide.db.audit.lazy property is set to True, the enhanced audit process is disabled.glide.db.audit.lazy property from True to False.
This property is not usually defined in the Properties table because the majority of instances start using the new default value and behavior. On some instances, this property might be already present and set as True, which means
that these instances won’t be able to use this change to audit behavior.