login.failed Events in sys_event Caused by ServiceNow Instance Analyzer Datacenter PollingIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } login.failed events are recorded in the sys_event table for the guest user. The PARAM1 field of each event contains a certificate identifier (beginning with "-----BEGIN CERTIFICATE-----"), and PARAM2 contains a local ServiceNow IP address. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } login.failed events are visible in the sys_event table.The affected user listed in each event is guest.PARAM1 of each event contains a Base64-encoded X.509 certificate. PARAM2 of each event shows an internal IP address such as 127.0.0.1 or a 10.x / 136.x datacenter address.The events are present both during and outside of scheduled clone windows.No end-user login disruption or functional breakage is reported alongside the events.Security logs may also show the following entries associated with the same transactions: event="VALIDATED_PAYLOAD_REQUEST_FAILURE" with vpe_result="NOW-VPE-BLOCKED_BY_SNC_ACCESS_CONTROL"Script: SNC Access Control: denied access to system@snc.admin,maintNOW-VPE-NO_CERTIFICATES_FOUND Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Yokohama Patch 8 Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The login.failed events are generated by routine, read-only audits that ServiceNow's Instance Analyzer executes against production instances as part of internal platform health monitoring. These audits originate from the datacenter.service-now.com central management instance. The following chain of events produces each failed-login entry: The datacenter instance sends a request to the target instance endpoint /now-vpe using mutual TLS (mTLS). The client certificate embedded in the request is provisioned by ServiceNow's internal PKI and is unique to each appnode.The target instance attempts to map the presented certificate to a sys_user record. Because no such mapping exists, authentication falls back to the guest user and a login.failed event is written to the sys_event table. This is standard platform auditing behaviour.When SNC Access Control is enabled and the system@snc user is not present in the snc_access_control allowlist, the VPE execution is additionally blocked with NOW-VPE-BLOCKED_BY_SNC_ACCESS_CONTROL. This compounds the number of logged events but does not indicate additional risk.The datacenter polling process does not require successful authentication to complete its purpose. The certificate is included in every request as a standard mTLS handshake but is not used to authorise any data access on the target instance.Because Instance Analyzer audits run in large batches across many instances simultaneously, and because customer authentication configurations vary significantly, it is not feasible for ServiceNow to predict or suppress the resulting login.failed entries at the platform level. Note: These events are not related to any end-user login failure, SSO misconfiguration, or instance clone defect. No customer data is accessed or extracted during these audits. The events are retained in sys_event for seven days and are then automatically purged. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } This is expected platform behaviour. No configuration change is required to restore functionality, as no functionality is broken. The options below allow the instance administrator to reduce or eliminate the login.failed entries if they are causing alert noise or report clutter. Option 1 - Add system@snc to the SNC Access Control allowlist (Recommended) Adding the system@snc user to the snc_access_control table permits the datacenter audit requests to authenticate successfully, which prevents the login.failed events from being generated. Steps: Navigate to System Security > SNC Access Control in the target instance.Create a new record and set the User field to system@snc.Save the record.Monitor the sys_event table to confirm that no new login.failed events with PARAM1 containing a certificate are generated. Important: The system@snc user is used exclusively for internal ServiceNow platform operations such as Instance Analyzer audits. Granting this access does not permit ServiceNow personnel to access, view, or extract customer data. Audit scope is limited to platform-level health metrics.Option 2 - Accept the events as expected noise (No action required) If Option 1 is not acceptable, no further action is required. The events do not indicate a security incident or functional issue, and they are automatically cleared from the sys_event table after seven days.Note: There is no platform configuration that distinguishes or suppresses login.failed events generated by internal ServiceNow datacenter activity from those generated by end-user activity. Stopping the datacenter from sending these requests is not configurable from within the customer instance.