Health Log Analytics configuration preferences

  • Release version: Zurich
  • Updated July 31, 2025

    Commonly used settings for Health Log Analytics properties and general configuration.

    MID Server settings

    • The MID Server log ingestion capability must be enabled.
      Note:
      Enabling All capabilities on the MID Server includes enabling the log ingestion capability.
    • Use dedicated MID Servers for log ingestion whenever possible.
    • To enable MID Servers to run multiple products, Health Log Analytics must have at least the Java Virtual Machine (JVM) memory setting for the standard product for each MID Server thread configuration.
    The preferred MID Server settings for Health Log Analytics are:
      • CPUs: 8
      • RAM: 32 GB
      • Network Bandwidth: Up to 10 Gbps
      • EBS Bandwidth: Up to 4,750 Mbps
      • Maximum Java heap size for MID Server: 8,192 MB
      With the above specifications, the expected log ingestion throughput on a Washington DC instance is as follows:
      • For a log message of 300 bytes: 20,000
      • For a log message of 1.1 KB: 12,300
      • For a log message of 2 KB: 7,970
      The minimum requirements for streaming logs to Health Log Analytics are:
      • CPUs: 4
      • RAM: 16 GB
      • Java heap size for MID Server: 8 GB

      For general information, see: MID Server system requirements.

    • To increase log ingestion throughput, you can either increase the ulimit or the network bandwidth, or decrease the size of the logs being streamed. The ulimit setting can be configured on an individual MID Server. However, the correlation between the ulimit and the throughput can’t be modified.

      The following table lists the ulimit settings for open files relating to network throughput on the MID Server. It shows the size of the logs being streamed from the MID Server to the agent, and the gRPC streaming rate equivalent to the throughput.

      Table 1. Ulimit settings in relation to throughput

      Queue Type       | Log line size | gRPC rate
      -----------------|---------------|----------
      In Memory Queue  | 300 bytes     | 18,000
      In Memory Queue  | 1.1 KB        | 13,000
      In Memory Queue  | 2 KB          | 10,000
      Disk-based Queue | 300 bytes     | 11,000
      Disk-based Queue | 1.1 KB        | 5,000
      Disk-based Queue | 2 KB          | 3,000

      Starting from the August 2024 release, you can enhance MID Server communication with the ServiceNow instance by using the Lightning gRPC client, which can increase log streaming speeds to Health Log Analytics by up to six times. The Lightning gRPC client requires manual configuration to activate. For more information, see the Lightning gRPC client - Enabling the new MID gRPC streaming architecture [KB1648419] article in the Now Support Knowledge Base.

    • By default, the number of data inputs per MID Server is limited to 10. You can configure this limitation for an individual MID Server or for all MID Servers.
    • Both in FIPS and non-FIPS mode, MID Servers with Health Log Analytics capability must run on the Java Runtime Environment (JRE) 11 or above.
      Note:
      To support BC-FIPS version 2.0, Health Log Analytics requires an upgrade to version 34.0.37, December 2024.
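
A preflight check for a Linux MID Server host against the figures in this section (minimum 4 CPUs and 16 GB RAM, preferred 8 CPUs and 32 GB RAM, JRE 11 or above), as an added example that is not ServiceNow code. Function names are hypothetical, GB is treated as GiB, and the open files ulimit is only reported because this page gives no target value for it.

```shell
#!/bin/sh
# Added example, not ServiceNow code. Thresholds come from this page;
# function names are hypothetical and GB is treated as GiB (assumption).
MIN_CPUS=4;  MIN_RAM_GB=16    # minimum for streaming logs
PREF_CPUS=8; PREF_RAM_GB=32   # preferred settings
MIN_JRE=11                    # JRE 11 or above, FIPS and non-FIPS mode

# Major version from `java -version` text. Handles the legacy "1.8.0_292"
# scheme (major 8), modern "11.0.2" / "17-ea", and prints 0 if none is found.
java_major() {
  jm_v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$jm_v" in
    1.*) jm_v=${jm_v#1.} ;;
  esac
  jm_v=${jm_v%%[!0-9]*}
  echo "${jm_v:-0}"
}

# MemTotal (kB) to whole GB, rounded to nearest: the kernel reserves memory,
# so a 16 GB host reports slightly under 16 GiB and must not fail the check.
kb_to_gb() { echo $(( ($1 + 524288) / 1048576 )); }

# Prints preferred | minimum | insufficient for $1 = CPUs, $2 = RAM in GB.
sizing_tier() {
  if [ "$1" -ge "$PREF_CPUS" ] && [ "$2" -ge "$PREF_RAM_GB" ]; then echo preferred
  elif [ "$1" -ge "$MIN_CPUS" ] && [ "$2" -ge "$MIN_RAM_GB" ]; then echo minimum
  else echo insufficient; fi
}

jre_ok() { [ "$(java_major "$1")" -ge "$MIN_JRE" ]; }

# Live report for this host; a missing tool degrades to a failed check.
preflight() {
  pf_cpus=$(nproc 2>/dev/null || echo 0)
  pf_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || true)
  pf_java=$(java -version 2>&1 || true)
  pf_gb=$(kb_to_gb "${pf_kb:-0}")
  echo "sizing: $(sizing_tier "$pf_cpus" "$pf_gb") (cpus=$pf_cpus ram_gb=$pf_gb)"
  if jre_ok "$pf_java"; then echo "jre: ok"; else echo "jre: below $MIN_JRE or not found"; fi
  echo "open files ulimit: $(ulimit -n)"   # reported only; no target on this page
}
preflight
```

Run it as the account that runs the MID Server service, because the open files limit is per user and session.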

    Log source retention settings

    By default, log retention per source is set to three days. This setting can't be modified.

    When using the Health Log Analytics application, Version 22.0.12 - December 2021 and later, available from the ServiceNow Store, you can modify the log retention policy per source or for multiple sources together. For more information, see Modify the log source retention period in Health Log Analytics.