--- original_url: "https://jace.pro/blog/where-are-the-logs/" format: markdown ai_optimized: true --- Where are the logs?- # Where are the logs? February 17, 2018 [servicenow](/tags/servicenow/) Enable AI AnimationA [post was made](https://community.servicenow.com/thread/292580) and I was working through some security tasks of my one. I felt inspired to make a post about it. Below is a list of logs we need to review for ServiceNow Can anyone provide us with Names, Tables, and Sources for the logs listed? Authentication successes and failures [Successes](https://.service-now.com/sysevent_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.daysAgoStart(0)%40javascript%3Ags.daysAgoEnd(0)%5Ename%3Dlogin) - [Failures](https://.service-now.com/sysevent_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.daysAgoStart(0)%40javascript%3Ags.daysAgoEnd(0)%5Ename%3Dlogin.failed) - Authorization (access control) failures This would be verbose and you wouldn’t want this. - Do you mean code failures? They would show up as errors in the logs… but not explicitly listed for an acl, an code error. - Application startups and shutdowns So. Application startups depends on what you mean “applications”. If you mean NODES than thats on `sys_cluster_state` in the payload look for `servlet.started` xml node. - If you mean something else I don’t think that’s how this works. - Configuration changes this is available on `sys_update_xml` - Changes to code files or memory This is the same as configuration changes. Servicenow has no files you can change like a traditional server, at least not that we can access. - Application errors and system events e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors [Errors](https://.service-now.com/syslog_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.daysAgoStart(0)%40javascript%3Ags.daysAgoEnd(0)%5Elevel%3D2) - Input validation failures e.g. protocol violations, unacceptable encodings, invalid parameter names and values I’d guess this would be in the syslog_list, but I’m not sure the types of items you’re expecting. - Output validation failures e.g. database record set mismatch, invalid data encoding I’d guess this would be in the syslog_list, but I’m not sure the types of items you’re expecting. - Session management failures e.g. cookie session identification value modification - Acceptance of EULA/terms of use Not ootb, but if you applied [servicenowguru’s](https://www.servicenowguru.com/system-definition/login-terms-conditions-dialog/) then you’d look on the “Terms Acceptance table”. I can’t find the update set to download. - Personal data usage notification/consent Not sure what you mena by this. Do you mean like HIPAA, PII and the like? If so there’s nothing to say this ssn, or address is added as a comment in the system. You’d have to add that via a customization. - Attack detection e.g. excessive authentication failures, file upload virus detection See [Auth Failures](https://.service-now.com/sysevent_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.daysAgoStart(0)%40javascript%3Ags.daysAgoEnd(0)%5Ename%3Dlogin.failed) - There is no virus checking to my knowledge of uploaded files, you can control the upload types and sizes from these properties `glide.ui.strict_customer_uploaded_content_types` restricts what can be loaded vs downloaded to stop xss - `glide.security.file.mime_type.validation` restricts the file’s mime type on upload - `glide.ui.strict_customer_uploaded_static_content` restricts the files somehow - `glide.attachment.extensions` restricts the files extensions allowed to be uploaded - `glide.image_provider.security_enabled` restricts access to uploads to authenticated users - `glide.ui.attachment.download_mime_types` restricts downloadable mime types - Any other logs that would help identify suspicious, unacceptable, unexpected behavior, or other possibly malicious activities. --- [View this page on GitHub](https://github.com/jacebenson/jace.pro/tree/main/./src/posts/2018/2018-02-16-where-are-the-logs.md). [Where are the logs?](https://jace.pro/blog/where-are-the-logs/) [Jace Benson](https://jace.pro) ![Jace Benson](https://jace.pro/icon-512x512.png) --- *This content is from Jace Benson's ServiceNow and tech blog at jace.pro* *Original post: https://jace.pro/blog/where-are-the-logs/*