Log Export Service enables customers to export their ServiceNow instance system and application logs at scale and in near real time as a service to their enterprise log analytics solutions (e.g. Splunk) and Kafka environments.
- Easily export system and application logs without any coding or integration scripts.
- Highly scalable and near real-time data transmission architecture (leverages internal Kafka cloud infrastructure).
- Reduce complexity and increase efficiency by being able to specify log sources and data filters for them.
What's New
Auto-Configuration of Default Log Sources on Plugin Activation Log Export Service now automatically configures syslog and sys_audit as default log sources when the LES plugin is activated. Previously, administrators had to manually configure these sources after activation. This reduces post-install setup time and ensures a consistent baseline configuration out of the box.
LES Metrics Visibility in Vault Console New APIs expose LES operational metrics directly within the Vault Console. Security administrators can now view export health, throughput, and connectivity status alongside other platform security posture data — without context-switching to a separate LES admin view. This closes a key dependency (DEP0046129) required for the Vault Console integration.
Extended Audit Log Source Support: sys_audit_delete and sys_audit_relation LES now supports two additional audit log source types: sys_audit_delete (records of deleted records) and sys_audit_relation (relationship-level audit changes). This expands audit coverage for customers with compliance requirements around deletion and relational data changes, and addresses a request from SAP customers.
Updated Guided Setup for MID Server Connectivity (Hermes) The LES guided setup flow has been refreshed to include an updated connectivity check for Hermes-based MID server configurations, improving clarity and reducing friction during initial setup and re-configuration.
- Zurich
- Yokohoma
- External connectivity: we support two main modes:
- 1. Dedicated MID Server
- 2. Native Kafka binary protocol:
- Kafka to Kafka native connectivity from external Kafka deployments
- With third-party supported Kafka connectors such as the Splunk Connect for Kafka.
- Licenses:
- Sub-production instances: don't require licenses
- Production instances:
- Begin with a zero-dollar license.
- For extended usage, one or more premium SKUs — such as Log Export Service Additional — can be added.
- With a ServiceNow Vault license, Log Export Service (LES) can be used without any usage limitations.
- On-premise installations: not supported
- External connectivity: we support two main modes: