MID Server command audit log

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.


    The MID Server command audit log is a record of the commands the MID Server runs during discovery. For example, executing one pattern may run many separate commands. The MID Server command audit log supports PowerShell commands for WMI and WinRM. For SSH commands, the audit log supports SSNC but not J2SSH. In Quebec, the command audit log only supports recording the commands run during discovery.

    Enable the command audit log

    The MID Server audit log is enabled with the MID Server property mid.log.command_audit.enable, which is set to false by default. Add the property in the MID Server Properties table [ecc_agent_property_list.do]. Once enabled, the MID Server command audit logs are accessed in the instance by navigating to MID Server > Command Audit Logs [ecc_agent_command_audit_log_list.do]. To see or change this table, the user must have the role agent_security_admin.

    Figure: Typical data in the MID Server command audit logs.

    Data recorded in the command audit logs

    The MID Server command audit log records the name of the command and the command hash. If, for example, during discovery a probe does not run a command but instead runs a script, then the script name is recorded. The command hash is calculated from the content of the script, regardless of its name. Therefore, changing the name does not affect the command hash.

    When a probe, such as a WMIRunner, runs a command with multiple WMI fields, WMI creates one script to query those fields. The script is created temporarily in the temp folder on the MID Server host and is removed from the temp folder after it runs. The script is given a name based on the fields and a random number. However, the hash is always the same for the same contents.

    The command audit log reports the execution status as either a success or failure. The record entry is a success if the command was run, or a failure if it was unable to run. The command audit log does not consider the result of the command being run. For example, a command which runs but fails to gather data is still listed in the execution status as a success.
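    The following Python script is an added example, not ServiceNow code, showing how the properties described above shape a review of the audit log: the hash is computed from script content only, so a temp script regenerated under a random name hashes identically; and a "success" status only says the command ran. The hash algorithm (SHA-256), the record field names, the script names and the JEA profile name are all assumptions constructed for the example. The review function compares each record's hash against a baseline of expected hashes and separately lists records that could not run.

```python
import hashlib
from dataclasses import dataclass


def command_hash(script_content: str) -> str:
    # Hash the script body only. The file name is deliberately not part of the
    # input, so a temp script regenerated under a random name hashes identically.
    # SHA-256 is an assumption: the page does not state which algorithm the
    # MID Server uses.
    return hashlib.sha256(script_content.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class AuditRecord:
    # Field names are assumptions for this example, not the real table columns.
    command: str           # command, or script name when a probe runs a script
    command_hash: str      # content-based hash
    status: str            # "success" = command ran, "failure" = could not run
    jea_profile: str = ""  # JEA profile for WinRM commands, when available


def make_record(name: str, content: str, status: str, jea_profile: str = "") -> AuditRecord:
    return AuditRecord(name, command_hash(content), status, jea_profile)


def review_audit_log(records, baseline_hashes):
    """Split records into two lists worth a closer look:
    - unknown: hash not in the baseline (content differs from any expected script)
    - failed:  status "failure" (the command could not be run at all)
    A "success" record that gathered no data is not distinguishable here; the
    audit log only records whether the command ran."""
    unknown = [r for r in records if r.command_hash not in baseline_hashes]
    failed = [r for r in records if r.status == "failure"]
    return unknown, failed


# Constructed sample scripts, standing in for the temp scripts WMI generates.
OS_QUERY = "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version"
DISK_QUERY = "Get-WmiObject -Class Win32_LogicalDisk | Select-Object DeviceID, Size, FreeSpace"
MODIFIED_OS_QUERY = OS_QUERY + "; Get-Process"  # content changed, so the hash differs

# Baseline built from the scripts we expect Discovery to run.
BASELINE = {command_hash(OS_QUERY), command_hash(DISK_QUERY)}

# Constructed audit records: the first two are the same script under different
# random names; the third failed to run; the fourth has altered content.
SAMPLE_RECORDS = [
    make_record("wmi_Caption_Version_48213.ps1", OS_QUERY, "success", "DiscoveryJEA"),
    make_record("wmi_Caption_Version_90417.ps1", OS_QUERY, "success", "DiscoveryJEA"),
    make_record("wmi_DeviceID_Size_FreeSpace_11002.ps1", DISK_QUERY, "failure", "DiscoveryJEA"),
    make_record("wmi_Caption_Version_31177.ps1", MODIFIED_OS_QUERY, "success", "DiscoveryJEA"),
]


def same_hash_despite_rename() -> bool:
    # Renaming the temp script does not change the hash.
    return SAMPLE_RECORDS[0].command_hash == SAMPLE_RECORDS[1].command_hash


def unknown_commands():
    return [r.command for r in review_audit_log(SAMPLE_RECORDS, BASELINE)[0]]


def failed_commands():
    return [r.command for r in review_audit_log(SAMPLE_RECORDS, BASELINE)[1]]


if __name__ == "__main__":
    print("same hash after rename:", same_hash_despite_rename())
    print("hash not in baseline:", unknown_commands())
    print("could not run:", failed_commands())
```

    The baseline here is a plain set of hashes; in practice it would be built from a period of known-good Discovery runs and refreshed whenever patterns or probes change, since any edit to script content produces a new hash.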

    Discovery supports JEA profiles for WinRM. The MID Server command audit log records the JEA profile of the discovery command, if it is available. See Microsoft Just Enough Administration (JEA) for Discovery for more information on JEA profiles.

    By default, the table is rotated every seven days. For more information, see Table Rotation.