Managing Audit History table in ServiceNow

Site Reliability Engineering ITSM
#1

AUDITING

My customer is worried about too many entries generated in Audit History table for CIs and possible performance impact.

a) Is it common to manually remove entries from Audit History table?
b) Is it common to disable auditing for specific CMDB tables or fields?
c) Is there any way how to influence what to audit (except table & column dictionary attribute)? E.g. IP switch is discovered from many various IP addresses but only Management IP address is essential - other IP addresses should not generate audit logs
d) Isn’t Audit History table automatically managed by rotations and kept optimized, or is it common to take care about this table somehow?

#2

Why are they concerned?

#3

A) no
b) no
c) no
d) no, it does its own thing and takes care of itself

#4
  1. No
  2. No, but not zero
  3. No
  4. No, yes, No
#5

We had a problem with excessive audit records on CMDB fields in the history -> calendar view. If you exceed a threshold, then the calendar view can’t render all the audit entries, and it will randomly remove entries from that view. The same problem doesn’t occur in the audit list view, but it was a pain for our CMDB team who had customers that needed that historical view

#6

But- that’s also why the first question is - WHY do they have the questions :stuck_out_tongue:

#7

It was often things like “when did the IP address on this CI last change” or “when did this software get upgraded”. The problem with the calendar view was that it wasn’t only failing to render old entries, it was often omitting recent entries. This was a couple of years back, and I’m not on that instance anymore, but it was a sucky problem.

#8

Yes, it would be good to know why they have the questions.

We are experiencing a little of that kind of issue described well. In a customer with millions of records in CMDB and with many records in other auditable tables (required for historical views and internal/external audits), it could need some special attention. We are trying to apply some of the recommendations from this KB Article (FAQ): “KB0832516: Audit - Frequently Asked Questions”, e.g.: when opening the sys_audit table, only open it with some defined filter.

Another suggestion we are checking to apply (based on some customer audit requirements), is from this KB Article: “A script to automatically clean up sys_audit_delete and sys_audit_relation records”, but we haven’t created it yet.

PS: in regards to the History Set [sys_history_set] table, this document says about how the data are managed (automatically rotated, dropped…): Differences Between Audit and History Sets.