ServiceNow offers a robust logging system of the events that take place within your system. You can retrieve your logs as well as your log archives using the app. We’ve detailed the main steps you’ll need below.

How to Retrieve Logs with the Browser

To browse your system log entries and download the log files, you can retrieve them in your ServiceNow Log File Browser.

To access this follow the path for System Logs > Utilities > Node Log File Browser.

Types of System Logs

ServiceNow maintains a number of logs that detail different types of events.




These logs detail all application activity in an instance.

Email and Push

These logs show all email notifications and Push messages sent from all instances within the system.


These logs show all events that occur within the system.


These logs detail data import activity within the platform.

Table Changes

These logs detail changes made to all tables in the system.

Outbound HTTP Requests

These logs detail all outbound web services requests, such as REST and SOAP requests.

Signature Images

These logs show the electronic signatures from the HR signature pad.


These logs list warnings and errors for instance processes, records, and non-critical events.

Filtering Your Searches

Inside the Log File Browser you can filter your searches for more specificity using these fields:



Start time

This field adjusts the start date of the time range you wish to search. 

Session ID

This string helps identify the sessions that generated each log entry. 

End time

This field adjusts the end date of the time range you wish to search. 


This field focuses on the system-generated descriptions of each occurrence.


This field refers to the level of the message displayed, such as Debug, Error or Warning.

Thread name

This field focuses on the system-generated identifier of the thread that created the log file.

Max rows

This field allows you to set the maximum number of records you wish to retrieve. 

Archived Logs and Log History

There are various tables that store logs and the system uses a specific schedule depending on the table. below are the log archiving schedules:

Logs Archived Daily

  • Event [ecc_event]
  • Queue [ecc_queue]

Logs Archived Weekly

  • Event [sysevent]
  • Log [syslog]
  • Transaction Log [syslog_transaction]

Logs Archived Monthly (Every 30 Days)

  • Email [sys_email]

Archived logs can be retrieved from your log history by following the path System Logs > Utilities > Node Log File Download. Once there, select an archive from the list and hit Download.

Note that to retrieve logs for a different node, you will need to navigate there under System Diagnostics > Stats.

Metron has experience integrating Cybereason with multiple security platforms. If you are considering any custom solution, please send a note to