MID Server command audit log

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server command audit log

    The MID Server command audit log captures and records the commands executed by the MID Server during Discovery processes. This log helps ServiceNow customers monitor and review commands to detect anomalies or errors, ensuring transparency and aiding troubleshooting for Discovery activities.

    Show full answer Show less

    Enabling and Accessing the Command Audit Log

    The audit log is disabled by default and can be enabled by setting the MID Server property mid.log.commandaudit.enable to true in the MID Server Properties table. Once enabled, authorized users with the agentsecurityadmin role can access the logs through the instance under MID Server > Command Audit Logs.

    Key Features and Data Recorded

    • The log records the command name or script name if a probe runs a script instead of a command.
    • Each command or script is associated with a hash calculated from its content, ensuring identification regardless of script name changes.
    • For WMI commands with multiple fields, temporary scripts are generated on the MID Server host and hashed consistently based on contents.
    • Execution status is recorded as either success (command ran) or failure (command could not run), without evaluating the actual results of the command.
    • The audit log supports PowerShell commands for WMI and WinRM, and SSH commands via SSNC (not J2SSH).
    • In Quebec releases, logging is limited to commands run during discovery only.
    • JEA (Just Enough Administration) profiles used in WinRM commands are also logged when available.

    Maintenance and Rotation

    The command audit log table is rotated by default every seven days to manage log size and performance.

    Why This Matters

    By enabling and reviewing the MID Server command audit log, ServiceNow customers gain visibility into the exact commands executed during Discovery. This enables quicker identification of command execution issues, improved security monitoring, and compliance verification related to MID Server operations.

    The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    The MID Server command audit log is a record of the commands the MID Server runs during discovery. For example, executing one pattern may run many separate commands. The MID Server command audit log supports Powershell commands for WMI and WinRM. For SSH commands, the audit log supports SSNC but not J2SSH. In Quebec, the command audit log only supports recording the commands run during discovery.

    Enable the command audit log

    The MID Server audit log is enabled with the MID Server property mid.log.command_audit.enable, which is set to false by default. Add the property in the MID Server Properties table [ecc_agent_property_list.do]. Once enabled, the MID Server command audit logs are accessed in the instance by navigating to MID Server > Command Audit Logs [ecc_agent_command_audit_log_list.do]. To see or change this table, the user must have the role agent_security_admin.

    Typical data in the MID Server command audit logs.

    Data recorded in the command audit logs

    The MID Server command audit log records the name of the command and the command hash. If, for example, during discovery a probe does not run a command but instead runs a script then the script name is recorded. The command hash is calculated based on the content of the script, regardless of the name. Therefore, changing the name does not affect the command hash.

    When a probe, such as a WMIRunner, runs a command with multiple WMI fields then WMI creates one script to query those fields. The script is created temporarily on the MID Server host in the temp folder. After the script is run, it is removed from the temp folder. The script is given a name based on the fields and a random number. However, the hash key is always the same given the same contents.

    The command audit log reports the execution status as either a success or failure. The record entry is a success if the command was run, or a failure if it was unable to run. The command audit log does not consider the result of the command being run. For example, a command which runs but fails gather data is still listed in the execution status as a success.

    Discovery supports JEA profiles for WinRM. The MID Server command audit log records the JEA profile of the discovery command, if it is available. See Microsoft Just Enough Administration (JEA) for Discovery for more information on JEA profiles.

    By default, the table is rotated every seven days. For more information, see Table Rotation.