How to track user login activity and authentication events

Summary

Learn how to track user login activity, login failures, and authentication events in ServiceNow using both the optional Identity Center plugin and base system logging features.

Using the Identity Center plugin

Identity Center is an optional plugin from ServiceNow that tracks user logins and login failures. It provides more detailed information than the base system alone. For more information, see the Identity Center product documentation.

Identity Center login history

Login history is stored in the User Login History [sys_user_login_history] table. You can query this table directly using a standard list view if you need more flexible filtering than the Identity Center Workspace UI provides.

Base system logging

The base system creates various log messages and events in response to authentication successes or failures.

Localhost logs (node logs)

When a login attempt succeeds or fails, one of the following lines is logged to the node's localhost_log file. These messages do not appear in system logs or events on the instance.

All instances including non-production

Look for LOGIN_SUCCESS and LOGIN_FAILURE event lines in the localhost logs (node logs).

Example: Successful login

2023-10-03 20:34:12 (674) Default-thread-80 7A18B5AFDBA57910E1CE5E92F396193D txid=3e18792f8969 event="LOGIN_SUCCESS" authentication_parameter1="user_name=tim.edwards" authentication_multi_factor_enabled="false" mode="login" user_roles="sn_request_read,ais_admin,catalog_builder_editor,catalog_template_editor,catalog,cmdb_ms_editor,sn_publications_recipients_user,ml_admin,viz_creator,app_service_user,search_application_admin,workspace_user,cmdb_query_builder_read,sn_request_approver_read,sn_cmdb_user,catalog_admin,sn_comm_management.comm_plan_viewer,pa_viewer,sn_sow.sow_user,snc_platform_rest_api_access,sn_sttrm_condition_read,task_editor,cmdb_query_builder,personalize_dictionary,live_feed_admin,sn_request_write,evam_admin,certification,agent_workspace_user,canvas_user,pa_data_collector,agent_security_admin,sn_problem_write,tracked_file_reader,sn_employee.admin,sn_cmdb_editor,view_changer,itil,template_editor,sn_problem_read,taxonomy_admin,sn_incident_write,catalog_lookup_admin,admin,chat_admin,sn_change_write,cmdb_ms_user,sn_change_read,sn_incident_read,sn_ace.ace_user,email_client_template_read,sn_templated_snip.template_snippet_admin,sn_hr_sp.esc_admin,snc_internal,sn_hr_sp.admin,sn_templated_snip.template_snippet_writer,email_composer,sp_admin,announcement_admin,sn_templated_snip.template_snippet_reader,sn_publications_recipients_list_user,template_read_global,interaction_agent,user_criteria_admin,data_manager_user,notify_view,image_admin,cmdb_read,dependency_views" log_type="SECLOG" session_id="961919" source_ip="165.225.114.158" tx_num="37929" url="/navpage.do" domain="global" http_last_time="1696390452656" jsession_id="44E0EA" http_uagent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0" user="tim.edwards" user_id="98d3bb22db7d6110e1ce5e92f396199f" http_time_zone="GMT" user_group="[]" http_browser="firefox"

Example: Failed login

2023-10-03 20:40:33 (542) Default-thread-80 7589F52BDBA57910E1CE5E92F3961927 txid=7789756f7269 event="LOGIN_FAILURE" authentication_parameter1="entered_user_id=invalid.username" authentication_parameter2="login attempt by user that does not exist" authentication_multi_factor_enabled="false" mode="SNC.Auth.Unknown_User.Login.Failed" log_type="SECLOG" session_id="961927" source_ip="103.23.64.60" tx_num="38018" url="/login.do" domain="global" http_last_time="1696390827160" jsession_id="8601A7" http_uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" user="guest" user_id="5136503cc611227c0183e96598c4f706" http_time_zone="America/Los_Angeles" user_group="n/a" http_browser="firefox"

Production instances with SecurityEventSender active

The following event types are logged on instances where SecurityEventSender is active (typically production instances).

SAML SSO logins (multi-provider SSO)

- SNC.Auth.SAML.Login.Success
- SNC.Auth.SAML.Login.Failed
- SNC.Auth.SAML.Redirect.Sent
- SNC.Auth.SAML.Redirect.Received

LDAP logins

- SNC.Auth.LDAP.Login.Success
- SNC.Auth.LDAP.Login.Failed

Example:

2018-04-05 19:00:57 (274) Default-thread-15 23E3316DDBD345000D927ED9BF961972 Logging event: SNC.Auth.LDAP.Login.Failed with parm1: user_name=john smith and parm2: ldapconfigsysid=1ed570ba0d22b000a10b5bf97d55d07e

Digest logins

- SNC.Auth.Digest.Login.Success
- SNC.Auth.Digest.Login.Failed

Local user logins

Local logins do not use multi-provider SSO or LDAP.

- SNC.Auth.DB.Login.Success
- SNC.Auth.DB.Login.Failed
- SNC.Auth.Cookie.Login.Success: triggered when the user selects the Remember Me option on login.do

System log

In the base system, an installation exit or script include creates a system log entry every time someone logs in, including HOP user logins. (Tested on the New York release.)

Events

All login types

A login or login.failed event is created with the following parameters:

- Parm1: sys_user.user_name of the user who logged in
- Parm2: Public IP address from which the HTTP request originated
- Instance: Session ID of the sys_user_session record

Note: Business rules do not trigger from this event because the code path calls setWorkflow(false).

Last login time

The sys_user.last_login_time field is set by the base system script action Last Login Time, which is triggered by login events. For more information, see What is the Last login time in the user table.

Local and LDAP logins

For local (sys_user) login and HTTP Basic Auth (in some circumstances), either a login.success or login.failed event is created.

- Parm1: Username used in the login attempt
- Parm2: Public IP address from which the attempt originated

When events are not logged

There are exceptions to authentication logging.

HTTP Basic Authentication logins

Login events are not created when users log in through HTTP Basic Authentication, for example, when using the REST API. To enable logging for HTTP Basic Auth, you can modify the HTTP Basic Auth script include.

Login failures for invalid users

Login events are not created for login failures when the username does not exist in sys_user.

The following example shows localhost log entries from a login with a valid username but invalid password:

2019-01-07 17:09:51 (612) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 #4695 /login.do Parameters -------------------------
    screensize=1920x1200
    not_important=
    sys_action=sysverb_login
    sysparm_login_url=welcome.do
    user_name=tim.edwards
    sysparm_ck=3607c...c606d (length=72)
    remember_me=true
2019-01-07 17:09:51 (613) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 *** Start #4695 /login.do, user: guest
2019-01-07 17:09:51 (619) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 Logging event: SNC.Auth.DB.Login.Failed with parm1: user_name=tim.edwards and parm2: remoteAddr=70.34.61.20
2019-01-07 17:09:51 (619) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 *** Script: Logging using normal DB
2019-01-07 17:09:51 (620) Default-thread-16 FE07C4BEDB72A300C67F26B38A9619A1 txid=89a80872dbb2 *** End #4695 /login.do, user: guest, total time: 0:00:00.014, processing time: 0:00:00.014, SQL time: 0:00:00.004 (count: 5)
2019-01-07 17:09:51 (630) http-50 New transaction FE07C4BEDB72A300C67F26B38A9619A1 #4696 /welcome.do

The following example shows localhost log entries from a login with an invalid username:

2019-01-07 17:50:27 (706) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 *** Start #5050 /login.do, user: guest
2019-01-07 17:50:27 (712) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 User or LDAP_SERVER field does not exist. Use first ldap server null for user invaliduser
2019-01-07 17:50:27 (714) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 *** Script: Logging using normal DB
2019-01-07 17:50:27 (715) Default-thread-13 FE07C4BEDB72A300C67F26B38A9619A1 txid=3fe11cb6dbb2 *** End #5050 /login.do, user: guest, total time: 0:00:00.015, processing time: 0:00:00.015, SQL time: 0:00:00.002 (count: 9)

External logins (SSO IdP)

For external logins using an SSO Identity Provider, either an external.authentication.succeeded or external.authentication.failed event is created.

- Parm1: Username or, in some situations, the sys_id of the session record
- Parm2: Error string, typically "Authentication failed"

HOP logins

HOP logins are used by ServiceNow personnel to access instances for troubleshooting. HOP usernames use the format firstname.lastname@snc.

Track HOP logins using system logs

Go to System Logs > All and filter where Message contains @snc. This returns HOP logins for approximately 49 days, depending on your system log rotation settings.

Track HOP logins for longer retention

To retain HOP login history beyond the system log rotation period, use the Event [sysevent] records triggered on login. When a HOP login occurs, an event with the following values is created:

- Name: login
- Parm1: firstname.lastname@snc (for example, tim.edwards@snc)

You can create an email notification or script action triggered by this event to perform additional actions such as an outbound REST call to an external system.
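
The two localhost log formats quoted in this article (SECLOG key="value" lines and the older "Logging event:" lines) can be normalized into one event stream for review. The following Python is an added example, not ServiceNow code: it parses both formats and groups the usernames that failed by source IP, which also surfaces unknown-user attempts that never produce a login event. The sample lines are constructed, and the names parse_line and failures_by_ip are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the two localhost-log formats quoted in the article
# (fields trimmed; IPs are documentation addresses, session ids are made up).
SAMPLE = """\
2023-10-03 20:34:12 (674) Default-thread-80 AAAA txid=1a event="LOGIN_SUCCESS" authentication_parameter1="user_name=tim.edwards" mode="login" log_type="SECLOG" source_ip="192.0.2.10" user="tim.edwards"
2023-10-03 20:40:33 (542) Default-thread-80 BBBB txid=2b event="LOGIN_FAILURE" authentication_parameter1="entered_user_id=invalid.username" mode="SNC.Auth.Unknown_User.Login.Failed" log_type="SECLOG" source_ip="198.51.100.7" user="guest"
2023-10-03 20:40:41 (101) Default-thread-81 CCCC txid=3c event="LOGIN_FAILURE" authentication_parameter1="entered_user_id=root" mode="SNC.Auth.Unknown_User.Login.Failed" log_type="SECLOG" source_ip="198.51.100.7" user="guest"
2019-01-07 17:09:51 (619) Default-thread-16 DDDD txid=4d Logging event: SNC.Auth.DB.Login.Failed with parm1: user_name=tim.edwards and parm2: remoteAddr=198.51.100.7
2018-04-05 19:00:57 (274) Default-thread-15 EEEE Logging event: SNC.Auth.LDAP.Login.Failed with parm1: user_name=john smith and parm2: ldapconfigsysid=PLACEHOLDER
2019-01-07 17:50:27 (706) Default-thread-13 FFFF txid=5e *** Start #5050 /login.do, user: guest
"""

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")
KV = re.compile(r'(\w+)="([^"]*)"')
LEGACY = re.compile(r"Logging event: (SNC\.Auth\.\w+\.Login\.(Success|Failed)) "
                    r"with parm1: user_name=(.*?) and parm2: (\S+)")

def parse_line(line):
    """Return a normalized auth event dict, or None for unrelated log lines."""
    ts = TS.match(line)
    if not ts:
        return None
    kv = dict(KV.findall(line))
    if kv.get("log_type") == "SECLOG" and kv.get("event") in ("LOGIN_SUCCESS", "LOGIN_FAILURE"):
        # Failed lines carry user="guest"; the name that was typed is in
        # authentication_parameter1 (user_name=... or entered_user_id=...).
        user = kv.get("authentication_parameter1", "").partition("=")[2] or kv.get("user")
        return {"time": ts.group(1), "ok": kv["event"] == "LOGIN_SUCCESS", "user": user,
                "ip": kv.get("source_ip"), "detail": kv.get("mode", "")}
    m = LEGACY.search(line)
    if m:
        name, outcome, user, parm2 = m.groups()
        # parm2 is remoteAddr=<ip> for DB logins but ldapconfigsysid=<id> for LDAP.
        ip = parm2.partition("=")[2] if parm2.startswith("remoteAddr=") else None
        return {"time": ts.group(1), "ok": outcome == "Success", "user": user,
                "ip": ip, "detail": name}
    return None

def failures_by_ip(text):
    """Map source IP -> sorted distinct usernames that failed from that IP."""
    names = defaultdict(set)
    for ev in filter(None, map(parse_line, text.splitlines())):
        if not ev["ok"] and ev["ip"]:
            names[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in names.items()}

if __name__ == "__main__":
    for ip, users in failures_by_ip(SAMPLE).items():
        print(ip, len(users), users)
```

LDAP failure lines carry the LDAP configuration sys_id rather than an address in parm2, so they are parsed but cannot be attributed to a source IP from that line alone.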

Related Links

- Identity Center product documentation
- What is the Last login time in the user table