Auditing components

  • Release version: Zurich
  • Updated September 5, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Auditing components

    This content explains the auditing features in ServiceNow Zurich release, focusing on how auditing works for tables, deletions, and exemptions. It clarifies the behavior of auditing for parent and child tables, system tables, and deletions performed via forms, lists, or scripts. The document also covers information that is audited, what is excluded from auditing, and improvements made to audit records in terms of transaction cancellations.

    Show full answer Show less

    Auditing Tables and Deletions

    • Parent and Child Tables: Auditing settings do not cascade between parent and child tables. For example, enabling auditing on cmdbci only audits records in that base table, while enabling it on cmdbcicomputer audits computer CI records including derived fields.
    • System Tables: By default, deletions from system tables are not audited. To audit them, add the system table to the glide.ui.auditdeletedtables property list.
    • Auditing Deletions: Deletions from forms are audited by default unless the table’s dictionary attribute noauditdelete is set. For deletions from lists, auditing occurs if the table audit is enabled and the table is not listed in the glide.db.audit.ignore.delete property.
    • System Property for Ignored Deletes: The glide.db.audit.ignore.delete property is not present by default and must be added manually to override default values. This property controls which tables’ deletions are excluded from auditing.

    Information Audited and Exemptions

    • Tracked Data: Auditing records changes including record sysid, changed field, old and new values, update count, timestamp, user, change reason, and internal checkpoint ID.
    • Exemptions: Auditing excludes updates made by upgrades, import sets, parent or child tables, fields with noaudit attribute, certain system tables, system fields prefixed with sys (except sysclassname and sysdomainid), UI pages triggering silent updates, inactivity monitors, manual Performance Analytics score changes, and Update Set import XML processing.

    Configuring Auditing on Tables

    • You can audit all fields in a table by enabling auditing on the table or selectively audit fields via exclusion listing (audit all except specified fields) or inclusion listing (audit only specified fields).
    • Exclusion listing is suitable when most fields should be audited; inclusion listing is best for auditing only a few fields.

    Non-cancellable Audit Records

    • Zurich release introduces immediate creation of audit records in the same transaction thread as the target record modification, reducing missed audit records due to transaction cancellations.
    • Previously, audit records were created in background threads, which could miss operations if the transaction was cancelled.
    • This new behavior is enabled by default and controlled by the glide.db.audit.lazy property, which defaults to False in Zurich. If set to True, the enhanced audit process is disabled.
    • It is recommended to delete the glide.db.audit.lazy property if present and set to True to leverage the improved auditing behavior.

    Explore the following auditing components for a better understanding of auditing tables, deletions, and exemptions.

    Auditing parent and child tables

    Tables don’t derive the audit flags from parent or child audited tables.
    • For example, if you enable auditing for the Configuration Items [cmdb_ci] table, only CIs stored in that base table are audited.
    • Likewise, if you enable auditing for the Computers [cmdb_ci_computer] table, only the computer CI records are audited, including any fields on the Computers [cmdb_ci_computer] table that is derived from the Configuration Items [cmdb_ci] table.

    Auditing system tables

    By default, the system doesn’t audit the deletion of a record from system tables. To audit a system table, add it to the list of tables in the glide.ui.audit_deleted_tables property list.

    Auditing deletions from a form or list

    By default, the system audits deletions of individual records from a form. To prevent auditing, set the table's dictionary attribute no_audit_delete.

    The system audits deletions from a list when it audit is selected on the table dictionary, and the table isn’t listed in the glide.db.audit.ignore.delete property.
    Note:
    By default, the glide.db.audit.ignore.delete property isn’t present in the System Property [sys_properties] table. To change the property, and its associated values, you must first manually add it. However, when manually added, it overwrites the following default values:

    glide.db.audit.ignore.delete = sys_mutex,sys_db_cache,sys_lucene_block,sys_lucene_file,sys_lucene_directory,sys_user_preference,sys_audit,sc_cart,sc_cart_item,sys_trigger,wf_context,wf_activity,wf_condition,wf_executing,wf_history,wf_log,wf_transition,wf_transition_history, cmdb_ci_windows_service, cmdb_sam_sw_install, cmdb_software_instance, cmdb_sam_sw_usage, sam_sw_counter_detail

    To learn more about adding system properties, see Add a system property

    It is to be noted that by default, the audit deletes are enabled whether the record is deleted from the form view, list view, or through a script/scheduled job.

    Information audited

    Auditing tracks the following record changes:
    • Unique Record Identifier (sys_id) of the record that changed
    • Field that changed
    • New field value
    • Old field value
    • Number of times this record and field have been updated
    • Date and time when the change occurred
    • User who made the change
    • Reason for the change (if any reason is associated with the change)
    • Internal checkpoint ID for the record, if the record has multiple versions.

    Information exempted from auditing

    Some updates aren’t audited despite enabling auditing on a table. For example, you may see 132 updates in a record's history, but only seven audited ones.
    Auditing excludes the following information:
    • Updates made by an upgrade.
    • Updates are made through import sets.
    • Records in parent or child tables.
    • Fields with the no_audit dictionary attribute.
    • System tables are not listed in the glide.ui.audit_deleted_tables property list.
    • Fields that begin with the sys_ prefix (system fields), except the sys_class_name and sys_domain_id columns.
    • UI Pages can sometimes trigger updates to a record without creating an audit log.
    • Anytime an inactivity monitor touches a record. It prevents you seeing possibly hundreds of updates listed against an incident, with the noise drowning out the useful data.
    • Manual changes to Performance Analytics scores.
    • Applying Update Set
    • Import XML

    Auditing a table

    For instructions on how to audit a table, see Configuring auditing for a table.
    By default, the system tracks all fields in an audited table. You can audit a subset of fields in a table in one of two ways:
    • You can enable auditing for the entire table, then exclude those fields you don’t want to include. It’s appropriate when you want to audit most, but not all, fields, and is referred to as an exclusion listing. For more information, see Exclude a field from being audited (exclusion listing).
    • You can enable auditing for the table, but only for specified fields. It’s appropriate when you want to audit only a small number of the table's fields and is referred to as an inclusion listing. For information on how to include a field using an inclusion listing, see Include a table field in auditing (inclusion listing).

    Non-cancellable audit records

    Reduce the chances of audit records not being recorded when a transaction is canceled with the new default setting.

    Audits have been set to create a record immediately in the same transaction with the target record write operations. If the target record gets deleted, the audit still gets created and retained under NCA Test Audit Delete module.
    Note:
    The enhanced audit process is enabled by default. If the glide.db.audit.lazy property is set to True, the enhanced audit process is disabled.
    Prior to Zurich release, if a transaction is cancelled, certain auditable operations were missed being recorded. This is because the platform executes some operations between the record change and is cancelled before audit creation. But, now audits are created immediately after the record is changed, reducing the chances of a cancelled transaction aborting the operation before the audit is recorded.
    Audits are now recorded in the same thread as the transaction. Earlier audits were created in a background thread. This change redefines the default value of the glide.db.audit.lazy property from True to False. This property is not usually defined in the Properties table because the majority of instances start using the new default value and behavior. On some instances, this property might be already present and set as True, which means that these instances won’t be able to use this change to audit behavior.
    Note:
    It is recommended to delete this property to leverage the update.