All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitoring ServiceNow logons with Splunk Add-on

capilarity
Path Finder
‎12-18-2019 03:29 AM

We are trying to monitor who is logging on to our ServiceNow instance. We have the add-on installed and we are getting data from various tables with ServiceNow but none on them appear to show who has logged on and when.
we are currently ingesting the following tables:

  • syslog_transations
  • sysevent
  • sys_user_list
  • syslog
  • sys_audit
  • sys_user

All 6 tables are being indexed, but none of them show which user have logged in. Ideally, we would like to set up reporting/alerting when admins and third party support users log on

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

atolia_splunk
Splunk Employee
Splunk Employee
‎12-18-2019 05:11 AM

It can be found in sysevent table. Please try searching with (sourcetype="snow:sysevent" name=login) in Splunk search. It will give the events of login success for a particular ServiceNow instance which will have username details as well.

View solution in original post

Reply
Solved! Jump to solution
Solution

atolia_splunk
Splunk Employee
Splunk Employee
‎12-18-2019 05:11 AM

It can be found in sysevent table. Please try searching with (sourcetype="snow:sysevent" name=login) in Splunk search. It will give the events of login success for a particular ServiceNow instance which will have username details as well.

View solution in original post

Reply
Solved! Jump to solution

capilarity
Path Finder
‎12-18-2019 05:16 AM

Thanks, That's found it!! I was looking for usernames, but it actually uses email addresses.

0 Karma
Reply
Solved! Jump to solution

atolia_splunk
Splunk Employee
Splunk Employee
‎12-18-2019 05:07 AM

It can be found in sysevent table with 'name=login' included in the search query which will give the login success events for a particular ServiceNow instance.

0 Karma
Reply
Solved! Jump to solution

hkubavat_splunk
Splunk Employee
Splunk Employee
‎12-18-2019 03:49 AM

You can try ingesting em_event table. It should have logging activities.

0 Karma
Reply
Solved! Jump to solution

capilarity
Path Finder
‎12-18-2019 04:53 AM

Thanks for the quick response.

I get {"reason":null,"error":"Invalid table: em_event"}

as a response to the call https://ourinstance.service-now.com/em_event.do?JSONv2&sysparm_query=sys_created_on>=2019-12-01+00:0... ourinstance.service-now.com

I guess that means they haven't set it up? or is a default table. Not a ServiceNow expert, unfortunatly neither are our support providers!!

0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!