Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform administration
Table of Contents
Choose your release version
    Home New York Now Platform Administration Now Platform administration Platform security Auditing

    Auditing

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Auditing

    Track record changes on auditing-enabled tables. By default, the system tracks changes to the incident, change, and problem tables, among others.

    Enabling auditing tracks the creation, update, and deletion of all records in the table. If you want to audit individual fields in a table, you can hide fields you do not want to track using a dictionary attribute.

    Auditing information is kept in these tables:
    • The Audit table.
    • The History sets table.
    Caution: Auditing certain system tables that receive a large amount of traffic, such as Workflow Contexts [wf_context], can impact performance and is not recommended. The em_alert table itself can have audit=true, but the fields are not audited unless you explicitly set audit=true for a field.

    Auditing parent and child tables

    Tables do not derive the audit flags from parent or child audited tables.
    • For example, if you enable auditing for the cmdb_ci table, only CIs stored in that base table are audited.
    • Likewise, if you enable auditing for the cmdb_ci_computer table, only the computer CI records are audited, including any fields on the cmdb_ci_computer table that are derived from the cmdb_ci table.

    Auditing system tables

    By default, the system does not audit the deletion of a record from system tables. To audit a system table, add it to the list of tables in the glide.ui.audit_deleted_tables property list.

    Auditing deletions from a form or list

    By default, the system audits deletions of individual records from a form. To prevent auditing, set the table's dictionary attribute no_audit_delete.

    The system audits deletions from a list when audit is selected on the table dictionary, and the table is not listed in the glide.db.audit.ignore.delete property.
    Note: By default, the glide.db.audit.ignore.delete property is not present in the System Property [sys_properties] table. To change the property, and its associated values, you must first manually add it. However, when manually added, it overwrites the following default values:

    glide.db.audit.ignore.delete = sys_mutex,sys_db_cache,sys_lucene_block,sys_lucene_file,sys_lucene_directory,sys_user_preference,sys_audit,sc_cart,sc_cart_item,sys_trigger,wf_context,wf_activity,wf_condition,wf_executing,wf_history,wf_log,wf_transition,wf_transition_history, cmdb_ci_windows_service, cmdb_sam_sw_install, cmdb_software_instance, cmdb_sam_sw_usage, sam_sw_counter_detail

    To learn more about adding system properties, see Add a system property

    Information audited

    Auditing tracks the following record changes:
    • Unique Record Identifier (sys_id) of the record that changed
    • Field that changed
    • New field value
    • Old field value
    • Number of times this record and field have been updated
    • Date and time when the change occurred
    • User who made the change
    • Reason for the change (if any reason is associated with the change)
    • Internal checkpoint ID for the record, if the record has multiple versions.

    Information exempted from auditing

    Some updates are not audited despite enabling auditing on a table. It is why you may see 132 updates in a record's history, but only seven audited ones.
    Auditing excludes the following information:
    • Updates made by an upgrade.
    • Updates made through import sets.
    • Records in parent or child tables.
    • Fields with the no_audit dictionary attribute.
    • System tables not listed in the glide.ui.audit_deleted_tables property list.
    • Fields that begin with the sys_ prefix (system fields), except the sys_class_name and sys_domain_id columns.
    • UI Pages can sometimes trigger updates to a record without creating an audit log.
    • Anytime an inactivity monitor touches a record. It prevents you seeing possibly hundreds of updates listed against an incident, with the noise drowning out the useful data.

    Auditing a table

    For instructions on how to audit a table, see Enable auditing for a table.
    By default, the system tracks all fields in an audited table. You can audit a subset of fields in a table in one of two ways:
    • You can enable auditing for the entire table, then exclude those fields you do not want to include. It is appropriate when you want to audit most, but not all, fields, and is referred to as an exclusion listing. For more information, see Exclude a field from being audited (blacklisting).
    • You can enable auditing for the table, but only for specified fields. It is appropriate when you want to audit only a small number of the table's fields and is referred to as inclusion listing. For information on how to include a field using inclusion listing, see Include a table field in auditing (whitelisting).
    • Sys Audit and Audit Relationship Change tables

      The Now Platform tracks inserts and updates to audited records in the Sys Audit (sys_audit) and Audit Relationship Change (sys_audit_relation) tables.

    • Enable auditing for a table

      You can enable table auditing to track changes to all or some of the table's fields.

    • Enable auditing for a system table

      Deletions from tables with a sys_ prefix are not audited by default. To track deletions from these tables, add the table name to the glide.ui.audit_deleted_tables property. Enabling the Restore Deleted Records plugin adds several default values to this property.

    • History sets

      The system generates history set records when a user requests to view an audited record's history.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Auditing

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Auditing

      Track record changes on auditing-enabled tables. By default, the system tracks changes to the incident, change, and problem tables, among others.

      Enabling auditing tracks the creation, update, and deletion of all records in the table. If you want to audit individual fields in a table, you can hide fields you do not want to track using a dictionary attribute.

      Auditing information is kept in these tables:
      • The Audit table.
      • The History sets table.
      Caution: Auditing certain system tables that receive a large amount of traffic, such as Workflow Contexts [wf_context], can impact performance and is not recommended. The em_alert table itself can have audit=true, but the fields are not audited unless you explicitly set audit=true for a field.

      Auditing parent and child tables

      Tables do not derive the audit flags from parent or child audited tables.
      • For example, if you enable auditing for the cmdb_ci table, only CIs stored in that base table are audited.
      • Likewise, if you enable auditing for the cmdb_ci_computer table, only the computer CI records are audited, including any fields on the cmdb_ci_computer table that are derived from the cmdb_ci table.

      Auditing system tables

      By default, the system does not audit the deletion of a record from system tables. To audit a system table, add it to the list of tables in the glide.ui.audit_deleted_tables property list.

      Auditing deletions from a form or list

      By default, the system audits deletions of individual records from a form. To prevent auditing, set the table's dictionary attribute no_audit_delete.

      The system audits deletions from a list when audit is selected on the table dictionary, and the table is not listed in the glide.db.audit.ignore.delete property.
      Note: By default, the glide.db.audit.ignore.delete property is not present in the System Property [sys_properties] table. To change the property, and its associated values, you must first manually add it. However, when manually added, it overwrites the following default values:

      glide.db.audit.ignore.delete = sys_mutex,sys_db_cache,sys_lucene_block,sys_lucene_file,sys_lucene_directory,sys_user_preference,sys_audit,sc_cart,sc_cart_item,sys_trigger,wf_context,wf_activity,wf_condition,wf_executing,wf_history,wf_log,wf_transition,wf_transition_history, cmdb_ci_windows_service, cmdb_sam_sw_install, cmdb_software_instance, cmdb_sam_sw_usage, sam_sw_counter_detail

      To learn more about adding system properties, see Add a system property

      Information audited

      Auditing tracks the following record changes:
      • Unique Record Identifier (sys_id) of the record that changed
      • Field that changed
      • New field value
      • Old field value
      • Number of times this record and field have been updated
      • Date and time when the change occurred
      • User who made the change
      • Reason for the change (if any reason is associated with the change)
      • Internal checkpoint ID for the record, if the record has multiple versions.

      Information exempted from auditing

      Some updates are not audited despite enabling auditing on a table. It is why you may see 132 updates in a record's history, but only seven audited ones.
      Auditing excludes the following information:
      • Updates made by an upgrade.
      • Updates made through import sets.
      • Records in parent or child tables.
      • Fields with the no_audit dictionary attribute.
      • System tables not listed in the glide.ui.audit_deleted_tables property list.
      • Fields that begin with the sys_ prefix (system fields), except the sys_class_name and sys_domain_id columns.
      • UI Pages can sometimes trigger updates to a record without creating an audit log.
      • Anytime an inactivity monitor touches a record. It prevents you seeing possibly hundreds of updates listed against an incident, with the noise drowning out the useful data.

      Auditing a table

      For instructions on how to audit a table, see Enable auditing for a table.
      By default, the system tracks all fields in an audited table. You can audit a subset of fields in a table in one of two ways:
      • You can enable auditing for the entire table, then exclude those fields you do not want to include. It is appropriate when you want to audit most, but not all, fields, and is referred to as an exclusion listing. For more information, see Exclude a field from being audited (blacklisting).
      • You can enable auditing for the table, but only for specified fields. It is appropriate when you want to audit only a small number of the table's fields and is referred to as inclusion listing. For information on how to include a field using inclusion listing, see Include a table field in auditing (whitelisting).
      • Sys Audit and Audit Relationship Change tables

        The Now Platform tracks inserts and updates to audited records in the Sys Audit (sys_audit) and Audit Relationship Change (sys_audit_relation) tables.

      • Enable auditing for a table

        You can enable table auditing to track changes to all or some of the table's fields.

      • Enable auditing for a system table

        Deletions from tables with a sys_ prefix are not audited by default. To track deletions from these tables, add the table name to the glide.ui.audit_deleted_tables property. Enabling the Restore Deleted Records plugin adds several default values to this property.

      • History sets

        The system generates history set records when a user requests to view an audited record's history.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login