Logging and Events Related to Authentication to a ServiceNow Instance

Summary

Using the Optional Identity Center Product

Identity Center is an optional plugin from ServiceNow that can be installed on the instance. It keeps track of user logins and login failures and provides more detailed information than is available in the out-of-box product alone: https://docs.servicenow.com/csh?topicname=identity-center.html&version=latest

Identity Center Login History

This is stored in the table sys_user_login_history. This table can be used directly via a standard list view if you need more flexible filtering than is provided in the Identity Center Workspace UI.

In the Out-of-Box Product

There are various log messages and Events that are created in response to authentication successes or failures.

Localhost Logs (Node Logs)

When a login attempt succeeds or fails, one of the following lines will be logged to the node's localhost_log file (these messages won't appear in System Logs or Events on the instance):

All Instances (Sub-Production Instances Included)

Look for LOGIN_SUCCESS and LOGIN_FAILURE event lines in the localhost logs (Node Logs).
Examples:

2023-10-03 20:34:12 (674) Default-thread-80 7A18B5AFDBA57910E1CE5E92F396193D txid=3e18792f8969 event="LOGIN_SUCCESS" authentication_parameter1="user_name=tim.edwards" authentication_multi_factor_enabled="false" mode="login" user_roles="sn_request_read,ais_admin,catalog_builder_editor,catalog_template_editor,catalog,cmdb_ms_editor,sn_publications_recipients_user,ml_admin,viz_creator,app_service_user,search_application_admin,workspace_user,cmdb_query_builder_read,sn_request_approver_read,sn_cmdb_user,catalog_admin,sn_comm_management.comm_plan_viewer,pa_viewer,sn_sow.sow_user,snc_platform_rest_api_access,sn_sttrm_condition_read,task_editor,cmdb_query_builder,personalize_dictionary,live_feed_admin,sn_request_write,evam_admin,certification,agent_workspace_user,canvas_user,pa_data_collector,agent_security_admin,sn_problem_write,tracked_file_reader,sn_employee.admin,sn_cmdb_editor,view_changer,itil,template_editor,sn_problem_read,taxonomy_admin,sn_incident_write,catalog_lookup_admin,admin,chat_admin,sn_change_write,cmdb_ms_user,sn_change_read,sn_incident_read,sn_ace.ace_user,email_client_template_read,sn_templated_snip.template_snippet_admin,sn_hr_sp.esc_admin,snc_internal,sn_hr_sp.admin,sn_templated_snip.template_snippet_writer,email_composer,sp_admin,announcement_admin,sn_templated_snip.template_snippet_reader,sn_publications_recipients_list_user,template_read_global,interaction_agent,user_criteria_admin,data_manager_user,notify_view,image_admin,cmdb_read,dependency_views" log_type="SECLOG" session_id="961919" source_ip="165.225.114.158" tx_num="37929" url="/navpage.do" domain="global" http_last_time="1696390452656" jsession_id="44E0EA" http_uagent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0" user="tim.edwards" user_id="98d3bb22db7d6110e1ce5e92f396199f" http_time_zone="GMT" user_group="[]" http_browser="firefox"

2023-10-03 20:40:33 (542) Default-thread-80 7589F52BDBA57910E1CE5E92F3961927 txid=7789756f7269 event="LOGIN_FAILURE" authentication_parameter1="entered_user_id=invalid.username" authentication_parameter2="login attempt by user that does not exist" authentication_multi_factor_enabled="false" mode="SNC.Auth.Unknown_User.Login.Failed" log_type="SECLOG" session_id="961927" source_ip="103.23.64.60" tx_num="38018" url="/login.do" domain="global" http_last_time="1696390827160" jsession_id="8601A7" http_uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" user="guest" user_id="5136503cc611227c0183e96598c4f706" http_time_zone="America/Los_Angeles" user_group="n/a" http_browser="firefox"

Some Instances (likely Production Instances Where SecurityEventSender is Active)

SAML SSO Logins using Multi-provider SSO

- SNC.Auth.SAML.Login.Success
- SNC.Auth.SAML.Login.Failed
- SNC.Auth.SAML.Redirect.Sent
- SNC.Auth.SAML.Redirect.Received

LDAP Logins

- SNC.Auth.LDAP.Login.Success
- SNC.Auth.LDAP.Login.Failed

Example:

2018-04-05 19:00:57 (274) Default-thread-15 23E3316DDBD345000D927ED9BF961972 Logging event: SNC.Auth.LDAP.Login.Failed with parm1: user_name=john smith and parm2: ldapconfigsysid=1ed570ba0d22b000a10b5bf97d55d07e

Digest Login

- SNC.Auth.Digest.Login.Success
- SNC.Auth.Digest.Login.Failed

Local User Login (i.e. not using Multi-provider SSO or LDAP)

- SNC.Auth.DB.Login.Success
- SNC.Auth.DB.Login.Failed
- SNC.Auth.Cookie.Login.Success (if the user is using the 'Remember Me' feature from login.do)

System Log

Out of the box, one of the Installation Exits (or possibly a Script Include) creates a System Log entry every time someone logs in, including when it is a hop user login. Tested on New York.
See screenshot:

Events

All Login Types

A login or login.failed Event will be created:

- Parm1: <sys_user.user_name of the user who logged in>
- Parm2: <public IP from which the HTTP request to login came>
- Instance: <session ID of the sys_user_session record>

Note that Business Rules (BRs) won't trigger off this Event, as its code path makes a call to setWorkflow(false); refer to CSTASK423694.

Last Login Time

The sys_user.last_login_time field is set by the OOB Script Action Last Login Time, which is triggered off of login Events. See What is the "Last login time" in the user table: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0749704

Local (sys_user) Login and LDAP Login

For local (sys_user) login and (in some circumstances, see note below) HTTP Basic Auth, either a login.success or login.failed event will be created. Parm1 will be the username used in the login attempt, and Parm2 the public IP address from which the attempt came.

When Things Aren't Logged

There are exceptions to this logging, though:

Login Events aren't Created when Users Log In Through HTTP Basic Authentication (for example when using the REST API)

See PRB1255474 for a suggestion on how to modify the HTTP Basic Auth Script Include to enable logging.

Login Events aren't Created for Login Failures for Invalid Users

These are the localhost log entries from a login with a valid username but invalid password:

2019-01-07 17:09:51 (612) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 #4695 /login.do Parameters ------------------------- screensize=1920x1200 not_important= sys_action=sysverb_login sysparm_login_url=welcome.do user_name=tim.edwards sysparm_ck=3607c...c606d (length=72) remember_me=true
2019-01-07 17:09:51 (613) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 *** Start #4695 /login.do, user: guest
2019-01-07 17:09:51 (619) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 Logging event: SNC.Auth.DB.Login.Failed with parm1: user_name=tim.edwards and parm2: remoteAddr=70.34.61.20
2019-01-07 17:09:51 (619) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 *** Script: Logging using normal DB
2019-01-07 17:09:51 (620) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 *** End #4695 /login.do, user: guest, total time: 0:00:00.014, processing time: 0:00:00.014, SQL time: 0:00:00.004 (count: 5)
2019-01-07 17:09:51 (630) http-50 New transaction FE07C4BEDB72A300C67F26B38A9619A1 #4696 /welcome.do

These are the localhost log entries from a login with an invalid username (i.e. not in sys_user) and invalid password:

2019-01-07 17:50:27 (706) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 *** Start #5050 /login.do, user: guest
2019-01-07 17:50:27 (712) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 User or LDAP_SERVER field does not exist. Use first ldap server null for user invaliduser
2019-01-07 17:50:27 (714) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 *** Script: Logging using normal DB
2019-01-07 17:50:27 (715) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 *** End #5050 /login.do, user: guest, total time: 0:00:00.015, processing time: 0:00:00.015, SQL time: 0:00:00.002 (count: 9)

External (SSO IdP) Login

For 'external' (i.e. SSO IdP) login, either an external.authentication.succeeded or external.authentication.failed Event will be created. Parm1 will be either the username or (in some situations) the sys_id of the session record. Parm2 will be the error string, usually 'Authentication failed'.

HOP Logins (Used by ServiceNow Personnel to Access Instances for Troubleshooting Reasons)

For tracking hop logins (defined as where the username is firstname.lastname@snc):

- Out-of-box, customers can check under System Log for the filter condition "Message contains @snc". This will get them a list of hop logins for the last ~49 days (however long System Log is set for rotation, see Table Rotation).
- If you want to keep more than ~49 days of history, a suggestion would be to use the Events [sysevent] records that are triggered on login. When someone does a hop login, an Event with Name 'login' and Parm1 set to firstname.lastname@snc (e.g. tim.edwards@snc) is created. If needed, a customer could trigger an email Notification off this, and/or a Script Action if they want to do anything else (e.g. an outbound REST call to a system on their side).
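
As an added example (not ServiceNow code and not part of the original article), the Python below parses the two node-log formats shown earlier, the key="value" SECLOG lines and the older "Logging event: SNC.Auth..." lines, and reports failed logins per source IP, usernames rejected as unknown, and successful hop (@snc) logins. The sample lines are constructed, the names parse_line and summarise belong to this example only, and it assumes a hop login is written to the node log like any other login.

```python
import re
from collections import Counter

# Constructed sample lines (made-up ids, users, documentation IPs); the @snc line is an assumption.
SAMPLE_LOG = """\
2023-10-03 20:34:12 (674) Default-thread-80 AAAA txid=1111 event="LOGIN_SUCCESS" authentication_parameter1="user_name=alice" mode="login" log_type="SECLOG" source_ip="192.0.2.10" user="alice"
2023-10-03 20:40:33 (542) Default-thread-80 BBBB txid=2222 event="LOGIN_FAILURE" authentication_parameter1="entered_user_id=nosuchuser" mode="SNC.Auth.Unknown_User.Login.Failed" log_type="SECLOG" source_ip="198.51.100.7" user="guest"
2023-10-03 20:40:41 (101) Default-thread-81 CCCC txid=3333 event="LOGIN_FAILURE" authentication_parameter1="entered_user_id=ghost" mode="SNC.Auth.Unknown_User.Login.Failed" log_type="SECLOG" source_ip="198.51.100.7" user="guest"
2023-10-03 21:02:00 (007) Default-thread-12 DDDD txid=4444 event="LOGIN_SUCCESS" authentication_parameter1="user_name=first.last@snc" mode="login" log_type="SECLOG" source_ip="203.0.113.5" user="first.last@snc"
2023-10-03 21:05:09 (619) Default-thread-16 EEEE txid=5555 Logging event: SNC.Auth.DB.Login.Failed with parm1: user_name=alice and parm2: remoteAddr=198.51.100.7
2023-10-03 21:05:09 (620) Default-thread-16 EEEE txid=5555 *** Script: Logging using normal DB
"""

TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")
KEY_VALUE = re.compile(r'(\w+)="([^"]*)"')
LEGACY = re.compile(r"Logging event: (SNC\.Auth\.\w+\.Login\.(?:Success|Failed))"
                    r" with parm1: (.*?) and parm2: (.*)$")

def parse_line(line):
    """Return a normalised login record for one node-log line, else None."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None
    kv = dict(KEY_VALUE.findall(line))
    if kv.get("log_type") == "SECLOG" and kv.get("event") in ("LOGIN_SUCCESS", "LOGIN_FAILURE"):
        # authentication_parameter1 holds the name typed in; user= is "guest" on a failure.
        claimed = kv.get("authentication_parameter1", "").partition("=")[2]
        return {"ts": ts.group(), "ok": kv["event"] == "LOGIN_SUCCESS",
                "user": claimed, "ip": kv.get("source_ip"), "detail": kv.get("mode", "")}
    old = LEGACY.search(line)
    if old:
        event, parm1, parm2 = old.groups()
        return {"ts": ts.group(), "ok": event.endswith("Success"), "detail": event,
                "user": parm1.partition("=")[2], "ip": parm2.partition("remoteAddr=")[2] or None}
    return None

def summarise(text):
    """Failed logins per source IP, unknown usernames tried, and hop logins."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    failed = [r for r in records if not r["ok"]]
    return {
        "failures_by_ip": Counter(r["ip"] for r in failed if r["ip"]),
        "unknown_users": sorted({r["user"] for r in failed if "Unknown_User" in r["detail"]}),
        "hop_logins": [(r["ts"], r["user"], r["ip"]) for r in records
                       if r["ok"] and r["user"].endswith("@snc")],
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Because invalid-username failures create no login.failed Event, the node log is the place this kind of count has to come from for those attempts.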