MID Server command audit log
Summary of MID Server command audit log
The MID Server command audit log records all commands executed by the MID Server during Discovery processes, enabling ServiceNow customers to review these commands for anomalies or errors. This audit log captures a detailed history of commands such as PowerShell commands for WMI and WinRM, and SSH commands executed via SSNC (excluding J2SSH). It specifically logs commands run during discovery activities and is essential for monitoring and troubleshooting MID Server operations.
Enabling and Accessing the Command Audit Log
The command audit log is disabled by default and can be enabled by setting the MID Server property mid.log.command_audit.enable to true in the MID Server Properties table. Once enabled, users with the agent_security_admin role can access these logs via the application path: MID Server > Command Audit Logs.
Data Captured in the Audit Log
- Command Name and Hash: The log records the command or script name executed and a unique hash derived from the script content, ensuring consistent identification even if the script name changes.
- Execution Status: Each command entry notes whether the command was successfully run or failed to execute. Note that a “success” status means the command was executed, not necessarily that it returned successful results.
- Script Handling: For commands involving multiple WMI fields, temporary scripts are created on the MID Server host and removed after execution. These scripts have names generated based on their content and a random number, but their hash remains consistent for identical content.
- JEA Profile Support: For WinRM commands using Microsoft Just Enough Administration (JEA) profiles, the audit log records the JEA profile associated with the discovery command if available.
- Log Rotation: The command audit log table is rotated by default every seven days to manage data volume.
Practical Benefits for ServiceNow Customers
- Provides transparency and traceability of MID Server command execution during discovery.
- Helps identify command execution failures or unexpected behavior for faster troubleshooting.
- Supports security and compliance by logging commands and associated JEA profiles.
- Enables audit and operational governance of MID Server activities.
Related Capabilities
Customers managing MID Server security and authentication can integrate this audit logging with related features such as certificate check policies, mutual authentication setup, encrypted configuration file values, Azure Key Vault integration, and SSL certificate management. These combined capabilities enhance the security posture and governance of the MID Server environment.
The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.
The MID Server command audit log is a record of the commands the MID Server runs during discovery. For example, executing one pattern may run many separate commands. The MID Server command audit log supports PowerShell commands for WMI and WinRM. For SSH commands, the audit log supports SSNC but not J2SSH. In Quebec, the command audit log only supports recording the commands run during discovery.
Enable the command audit log
The MID Server audit log is enabled with the MID Server property mid.log.command_audit.enable, which is set to false by default. Add the property in the MID Server Properties table [ecc_agent_property_list.do]. Once enabled, the MID Server command audit logs are accessed in the instance by navigating to [ecc_agent_command_audit_log_list.do]. To see or change this table, the user must have the role agent_security_admin.
Data recorded in the command audit logs
The MID Server command audit log records the name of the command and the command hash. If, for example, during discovery a probe does not run a command but instead runs a script then the script name is recorded. The command hash is calculated based on the content of the script, regardless of the name. Therefore, changing the name does not affect the command hash.
When a probe, such as a WMIRunner, runs a command with multiple WMI fields then WMI creates one script to query those fields. The script is created temporarily on the MID Server host in the temp folder. After the script is run, it is removed from the temp folder. The script is given a name based on the fields and a random number. However, the hash key is always the same given the same contents.
The command audit log reports the execution status as either a success or failure. The record entry is a success if the command was run, or a failure if it was unable to run. The command audit log does not consider the result of the command being run. For example, a command that runs but fails to gather data is still listed in the execution status as a success.
Discovery supports JEA profiles for WinRM. The MID Server command audit log records the JEA profile of the discovery command, if it is available. See Microsoft Just Enough Administration (JEA) for Discovery for more information on JEA profiles.
By default, the table is rotated every seven days. For more information, see Table Rotation.
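The following is an added example, not ServiceNow code, showing how the two properties described above (a content-derived command hash that ignores the script name, and an execution status that only says whether the command ran) can be used to review audit log records for anomalies. SHA-256 is assumed as the hash function purely for illustration; the page does not state which algorithm the MID Server uses. The record layout, the field names, the PowerShell text and the baseline set are all constructed for this example.

```python
import hashlib
import random
from typing import Iterable, List, Set, Tuple, Dict

# Constructed set of WMI fields that a probe such as WMIRunner might request.
WMI_FIELDS = ["Name", "Manufacturer", "TotalPhysicalMemory"]


def content_hash(script: str) -> str:
    """Hash of the script body only. The script name is deliberately not
    part of the input, so renaming a script leaves the hash unchanged,
    which is the behaviour the page describes. SHA-256 is an assumption
    for this illustration, not the documented MID Server algorithm."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def build_wmi_script(fields: Iterable[str], wmi_class: str = "Win32_ComputerSystem") -> str:
    """Constructed PowerShell text selecting several WMI fields in one script,
    standing in for the temporary script the MID Server writes to its temp folder."""
    return f"Get-WmiObject -Class {wmi_class} | Select-Object {','.join(fields)}"


def temp_script_name(fields: Iterable[str], rng: random.Random) -> str:
    """Mimics the page's description: a name based on the fields plus a random number."""
    return "wmi_" + "_".join(fields) + f"_{rng.randint(0, 10**6)}.ps1"


def audit_record(name: str, script: str, status: str, jea_profile=None) -> Dict:
    """One constructed command audit log entry with the fields the page lists."""
    return {"name": name, "hash": content_hash(script), "status": status, "jea_profile": jea_profile}


def review_audit_log(records: List[Dict], known_hashes: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding, command name) pairs: hashes outside the baseline, and
    commands that failed to execute. 'success' means only that the command
    ran, so it is never treated here as proof that data was gathered."""
    findings = []
    for rec in records:
        if rec["hash"] not in known_hashes:
            findings.append(("unknown_command", rec["name"]))
        if rec["status"] != "success":
            findings.append(("execution_failure", rec["name"]))
    return findings


def sample_records() -> List[Dict]:
    """Constructed audit log: two runs of the same WMI script under different
    temp names, one script with altered content, and one command that did not run."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    script = build_wmi_script(WMI_FIELDS)
    altered = build_wmi_script(WMI_FIELDS + ["Description"])
    return [
        audit_record(temp_script_name(WMI_FIELDS, rng), script, "success", "DiscoveryJEA"),
        audit_record(temp_script_name(WMI_FIELDS, rng), script, "success", "DiscoveryJEA"),
        audit_record(temp_script_name(WMI_FIELDS, rng), altered, "success", "DiscoveryJEA"),
        audit_record("uname -a", "uname -a", "failure"),
    ]


def baseline_hashes() -> Set[str]:
    """Hashes of the commands an operator has reviewed and accepted (constructed)."""
    return {content_hash(build_wmi_script(WMI_FIELDS)), content_hash("uname -a")}


def demo() -> List[Tuple[str, str]]:
    return review_audit_log(sample_records(), baseline_hashes())


if __name__ == "__main__":
    for finding, name in demo():
        print(f"{finding}: {name}")
```

Because the baseline is keyed on content hashes rather than names, the two differently named temp scripts match a single baseline entry, while the script whose content changed is reported even though its name follows the same pattern. The failed `uname -a` command is reported separately on status, independent of whether its hash is known.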