All Apps and Add-ons

Monitoring ServiceNow logons with Splunk Add-on

capilarity
Path Finder

We are trying to monitor who is logging on to our ServiceNow instance. We have the add-on installed and we are getting data from various tables with ServiceNow but none on them appear to show who has logged on and when.
we are currently ingesting the following tables:

  • syslog_transations
  • sysevent
  • sys_user_list
  • syslog
  • sys_audit
  • sys_user

All 6 tables are being indexed, but none of them show which user have logged in. Ideally, we would like to set up reporting/alerting when admins and third party support users log on

Thanks

0 Karma
1 Solution

atolia_splunk
Splunk Employee
Splunk Employee

It can be found in sysevent table. Please try searching with (sourcetype="snow:sysevent" name=login) in Splunk search. It will give the events of login success for a particular ServiceNow instance which will have username details as well.

View solution in original post

Yuvaraja
Observer

Can you please say, what do we need to enable on servicenow instance to send it's log to splunk. I enabled sysevent and syslog_audit on splunk instance. But not receiving logs. What to do? 

0 Karma

artelia
Explorer

Hi capilarity,

Were you able to ingest all those tables without any issues?
We are currently trying to do (almost) the same, but are experiencing the following issue:

"2022-02-10 09:08:31,159 ERROR pid=12171 tid=Thread-20 file=snow_data_loader.py:collect_data:181 | Failure occurred while getting records for the table: syslog_transaction from https://---net/. The reason for failure= {'message': 'Transaction cancelled: maximum execution time exceeded', 'detail': 'maximum execution time exceeded Check logs for error trace or enable glide.rest.debug property to verify REST request processing'}. Contact Splunk administrator for further information."

In case you did also experience this before eventually succeeding with your task, do you remember what you did to prevent the above message to pop up in the Splunk logs instead of pulling in the relevant data?

Thanks!

0 Karma

atolia_splunk
Splunk Employee
Splunk Employee

It can be found in sysevent table. Please try searching with (sourcetype="snow:sysevent" name=login) in Splunk search. It will give the events of login success for a particular ServiceNow instance which will have username details as well.

capilarity
Path Finder

Thanks, That's found it!! I was looking for usernames, but it actually uses email addresses.

0 Karma

atolia_splunk
Splunk Employee
Splunk Employee

It can be found in sysevent table with 'name=login' included in the search query which will give the login success events for a particular ServiceNow instance.

0 Karma

hkubavat_splunk
Splunk Employee
Splunk Employee

You can try ingesting em_event table. It should have logging activities.

0 Karma

capilarity
Path Finder

Thanks for the quick response.

I get {"reason":null,"error":"Invalid table: em_event"}

as a response to the call https://ourinstance.service-now.com/em_event.do?JSONv2&sysparm_query=sys_created_on>=2019-12-01+00:0... ourinstance.service-now.com

I guess that means they haven't set it up? or is a default table. Not a ServiceNow expert, unfortunatly neither are our support providers!!

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...