MID Server command audit log

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server command audit log

    The MID Server command audit log captures and records the commands executed by the MID Server specifically for the Discovery application. This log helps ServiceNow customers monitor and review commands to identify anomalies or errors during discovery processes. It is particularly useful for auditing Powershell commands (WMI and WinRM) and SSH commands via SSNC, although J2SSH commands are not supported.

    Show full answer Show less

    Enabling and Accessing the Command Audit Log

    The command audit log is disabled by default. To enable it, set the property mid.log.commandaudit.enable to true in the MID Server Properties table. Once enabled, audit logs can be accessed within the ServiceNow instance by navigating to MID Server > Command Audit Logs. Users must have the agentsecurityadmin role to view or modify these logs.

    Data Recorded in the Audit Log

    • Command Name and Hash: Logs the name and a hash generated from the command or script content. The hash remains constant even if the script name changes.
    • Script Execution: For complex commands (e.g., WMIRunner with multiple WMI fields), temporary scripts are generated and executed on the MID Server host, then deleted post-execution.
    • Execution Status: Logs whether the command was successfully run or failed to run. Note that success indicates the command ran, not that it completed successfully in gathering data.
    • JEA Profile Support: For WinRM, if Just Enough Administration (JEA) profiles are used, the audit log records the profile associated with the command.

    Additional Details

    The command audit log data is rotated every seven days by default to manage storage. The log supports auditing commands only during discovery, particularly in the Quebec release. It also integrates with other MID Server security and governance features such as certificate checks, authentication credentials, unified key store, FIPS enforcement, and SSL/TLS configurations.

    Practical Benefits for ServiceNow Customers

    • Enables detailed monitoring of MID Server commands during discovery for troubleshooting and security audits.
    • Helps identify failed command executions or unusual command activity.
    • Supports compliance by recording command hashes and execution metadata.
    • Enhances security posture by integrating with JEA profiles and other MID Server security features.

    The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    The MID Server command audit log is a record of the commands the MID Server runs during discovery. For example, executing one pattern may run many separate commands. The MID Server command audit log supports Powershell commands for WMI and WinRM. For SSH commands, the audit log supports SSNC but not J2SSH. In Quebec, the command audit log only supports recording the commands run during discovery.

    Enable the command audit log

    The MID Server audit log is enabled with the MID Server property mid.log.command_audit.enable, which is set to false by default. Add the property in the MID Server Properties table [ecc_agent_property_list.do]. Once enabled, the MID Server command audit logs are accessed in the instance by navigating to MID Server > Command Audit Logs [ecc_agent_command_audit_log_list.do]. To see or change this table, the user must have the role agent_security_admin.

    Typical data in the MID Server command audit logs.

    Data recorded in the command audit logs

    The MID Server command audit log records the name of the command and the command hash. If, for example, during discovery a probe does not run a command but instead runs a script then the script name is recorded. The command hash is calculated based on the content of the script, regardless of the name. Therefore, changing the name does not affect the command hash.

    When a probe, such as a WMIRunner, runs a command with multiple WMI fields then WMI creates one script to query those fields. The script is created temporarily on the MID Server host in the temp folder. After the script is run, it is removed from the temp folder. The script is given a name based on the fields and a random number. However, the hash key is always the same given the same contents.

    The command audit log reports the execution status as either a success or failure. The record entry is a success if the command was run, or a failure if it was unable to run. The command audit log does not consider the result of the command being run. For example, a command which runs but fails gather data is still listed in the execution status as a success.

    Discovery supports JEA profiles for WinRM. The MID Server command audit log records the JEA profile of the discovery command, if it is available. See Microsoft Just Enough Administration (JEA) for Discovery for more information on JEA profiles.

    By default, the table is rotated every seven days. For more information, see Table Rotation.