Exclusion list Auditing - How to activate/deactivate auditing for a specific table or field - Support and Troubleshooting

Exclusion list Auditing - How to activate/deactivate auditing for a specific table or field Issue In a default, out-of-box ServiceNow instance, the system is configured to audit a specific number of specific tables and fields. However, in certain cases it may be necessary to disable this auditing on a certain table or field or to enable auditing on such a table or field. This article will describe how this auditing can be enabled and disabled on specific tables or fields within a table.

There are two standard mechanisms of auditing supported by the system on a specific table, inclusion list auditing, and exclusion list auditing. In inclusion list auditing, the specific fields on a table which are to have modifications audited are specified. In exclusion list auditing, all fields of the table are configured to be audited, except for specific fields which are configured not to be audited.

The normal auditing mechanism will record in the auditing tables (such as sys_audit) changes in the value of a field on a specific table.

For instance, with auditing of the State field on the Incident table enabled, changing the value of the State field on an Incident record might produce an audit record similar tolike the following.

This article details the general steps for auditing specific fields or specific tables. However, in certain cases, a user might want to configure table auditing inclusion list configuration instead. Inclusion list auditing is ideal in the case in which the admin wants to audit only a small number of specific fields from a certain table but not the remainder of the field on that table. See the Additional Information section for details and instructions on how to configure and use inclusion list auditing with some tables.

Procedure Auditing can be enabled or disabled at the field or table level. The following sections will detail the steps to modify the auditing options at the table level (which will cause all fields on that table, by default, to be audited), and auditing at a field level on a particular table.

1. Configure Auditing for Individual Tables A specific table on the instance can be configured to globally audit all fields on that table. This will thus cause all non-system level fields on that table to be audited. System fields are generally thosethose that start with the "sys" prefix. These steps can be performed to configure this auditing for a table on the instance:

Log into the instance with an account having admin rights to the instance. On the instance, browse to the following location System Definition -> Dictionary Dictionary . Filter the list to locate the record with a Table name which corresponds to the table for which you intend to enable auditing and has a Type field with a value of Collection .

4. If the Audit column is not displayed in this list, click the cog icon to configure the list to display the Audit field.

5. Double click the Audit column corresponding to the record for which you want to modify auditing.

6. The field should then become editable. Change the value to either true or false, depending on whether you want to enable or disable auditing for this table (use true to enable auditing for the selected table or false to disable auditing for the table).

7. After making the necessary selection, click the green check icon to save the change.

2. Configure Auditing for Individual Fields (Exclusion list Auditing) Individual fields within a table can be configured to enable or disable auditing of any changes to that field in a record using either exclusion list or inclusion list auditing. The steps below will detail exclusion list auditing.

One way to quickly configure this can be performed with the following steps: Log into the instance with an account having admin rights to that instance. Using the Menu Navigator, browse to the following location on the instance: System Definition -> Dictionary . A list of Dictionary records on the instance will appear. Filter the search results to display the Table name and Field name ( Column name field) for the table and field you want to modify the audit setting for. The Dictionary record for the selected field should appear. Click the related link titled Advanced view to show a more detailed display for this record. Locate the Attributes text box field for this record. To disable auditing for this field in this table when using a exclusion list auditing scheme, add the following text to this field " no_audit ". If the Attributes field already contains values in the text box, add a comma after the last attribute currently found in the field and then the no_audit text. However, if the Attributes field is currently empty, simply add the text no_audit into the text box. After adding this attribute click the Update button.

To enable auditing of a field which is currently configured to not be enabled for auditing on a table that is configured for exclusion list auditing, utilize inclusion list auditing to allow field changes on tables such as alm_asset to be captured. Further information on this approach and why the value (true/false) for the no_audit attribute is fruitless can be seen in KB0869832 - [Auditing] New audit modes introduced in [Istanbul] and how to enable auditing for a table that is set to [no_audit] out-of-box (OOB) using the new inclusion-list audit mode, so that it is not overwritten after an upgrade and it continues to audit the field.

Related Links As mentioned above, if an administrator prefers, inclusion listing can be used to determine the specific fields on a certain table to audit. This option is usually ideal when just a small subset of all the fields on a table is to be configured for auditing. See KB Article KB0724176 - How to use Field Inclusion list with Table Field Auditing , which describes how to configure the inclusive list audit configuration for a specific table. For general information regarding configuration of tables/columns for audit, and the behavior of audit-related attributes, see KB1648738