A post was made and I was working through some security stuff of my one. I felt inspired to make a post about it. Below is a list of logs we need to review regularly for ServiceNow

Can anyone provide us with Names, Tables, and Sources for the logs listed?

  • Authentication successes and failures
  • Authorization (access control) failures
    • This would be very verbose and you wouldn’t want this.
    • Do you mean code failures? They would show up as errors in the logs… but not explicitly listed for an acl, just an code error.
  • Application startups and shutdowns
    • So. Application startups depends on what you mean “applications”. If you mean NODES than thats on sys_cluster_state in the payload look for servlet.started xml node.
    • If you mean something else I don’t think that’s how this works.
  • Configuration changes
    • this is available on sys_update_xml
  • Changes to code files or memory
    • This is the same as configuration changes. Servicenow has no files you can modify like a traditional server, at least not that we can access.
  • Application errors and system events e.g. syntax and runtime errors, connectivity problems, performance issues, third party service error messages, file system errors
  • Input validation failures e.g. protocol violations, unacceptable encodings, invalid parameter names and values
    • I’d guess this would be in the syslog_list, but I’m not sure exactly the types of things you’re expecting.
  • Output validation failures e.g. database record set mismatch, invalid data encoding
    • I’d guess this would be in the syslog_list, but I’m not sure exactly the types of things you’re expecting.
  • Session management failures e.g. cookie session identification value modification
  • Acceptance of EULA/terms of use
    • Not ootb, but if you applied servicenowguru’s then you’d look on the “Terms Acceptance table”. However I can’t find the update set to download.
  • Personal data usage notification/consent
    • Not sure what you mena by this. Do you mean like HIPAA, PII and the like? If so there’s nothing to say this ssn, or address is added as a comment in the system. You’d have to add that via a customization.
  • Attack detection e.g. excessive authentication failures, file upload virus detection
    • See Auth Failures
    • There is no virus checking to my knowledge of uploaded files, however you can control the upload types and sizes from these properties
      • System Properties > glide.ui.strict_customer_uploaded_content_types restricts what can be loaded vs downloaded to stop xss
      • System Properties > glide.security.file.mime_type.validation restricts the file’s mime type on upload
      • System Properties > glide.ui.strict_customer_uploaded_static_content restricts the files somehow
      • System Properties > glide.attachment.extensions restricts the files extensions allowed to be uploaded
      • System Properties > glide.image_provider.security_enabled restricts access to uploads to authenticated users
      • System Properties > glide.ui.attachment.download_mime_types restricts downloadable mime types
  • Any other logs that would help identify suspicious, unacceptable, unexpected behavior, or other possibly malicious activities.

Edit this page

Jace Benson
ServiceNow Developer

ServiceNow is my day job, JAMStack is my passion.