Get started with ServiceNow Health Log Analytics (HLA)
Summary of Get started with ServiceNow Health Log Analytics (HLA)
ServiceNow Health Log Analytics (HLA) enables IT teams to proactively identify and resolve IT issues by collecting, analyzing, and correlating machine-generated log data in real time. It detects anomalies—deviations from normal behavior—as they occur and generates alerts to notify operators of potential problems before they impact users. HLA processes various textual logs, including application, infrastructure, and network logs, using UTF-8 encoding. It integrates with ServiceNow Event Management to centralize alert handling and supports both direct log streaming and log repository ingestion via MID Server and other connectors.
Key Features
- Log Ingestion: Supports multiple data input connectors such as Rsyslog, Beats, Splunk, Elasticsearch, MID Server, and TCP streams; guided setup simplifies connector configuration.
- Data Structuring and Auto-Mapping: Automatically extracts key properties from logs (message, timestamp, host, severity, external IDs) and maps logs to logical components for organized analysis.
- Enrichment: Identifies variable message parts, keywords (e.g., WARN, Failed), and contextual properties (e.g., user, source IP, port) to enhance analysis.
- Analysis with Machine Learning and AI: Uses unsupervised algorithms to learn normal log behavior and dynamically detect anomalies by setting real-time thresholds.
- Alerting: Sends detected anomalies as events to ServiceNow Event Management where alerts are consolidated and visible for operators to act upon.
- User Roles: Administrators configure and maintain HLA; Operators analyze alerts and perform issue resolution.
- Additional Capabilities for Operators: Log viewer visualization, log correlators for relationship detection, alert muting, log filters, lexical keyword management, and custom alert rule creation.
- Administration Efficiency: Content packs accelerate onboarding; data input migration reduces errors when moving configurations between instances.
Key Outcomes
- Faster IT issue identification and resolution through real-time log anomaly detection and alerting.
- Improved root cause analysis by enabling triage of surrounding log data linked to anomalies.
- Centralized alert management by integrating with ServiceNow Event Management, allowing operators to view and respond to all alerts in one place.
- Reduced noise and false positives through customizable filters, alert rules, and keyword management.
- Streamlined setup and administration for quicker deployment and ongoing maintenance of log data ingestion and analysis.
ServiceNow Health Log Analytics predicts IT issues before they affect your users. The application helps you solve problems faster by collecting, analyzing, and correlating machine-generated log data in real time. It discovers any anomaly, or deviation from normal behavior, as it happens and alerts you of possible issues.
Health Log Analytics overview
Health Log Analytics helps you solve IT issues faster by collecting, analyzing, and correlating machine-generated log data in real time. The application receives and processes logs via the MID Server and sends events to ServiceNow Event Management. Health Log Analytics discovers any anomaly—deviation from normal behavior—as it happens, and alerts you of possible issues. The application helps you identify the root cause of an issue by enabling you to triage related logs and analyze the raw data.
- Health Log Analytics supports only UTF-8 logs. It does not support binary logs.
- If you are sending logs in a language other than English, additional configuration may be required.
Users
| User | Description | Role |
|---|---|---|
| Administrator | Configures the Health Log Analytics application to make it ready for use by Operators. Performs administration tasks to keep the system running efficiently. | evt_mgmt_admin, admin |
| Operator | Analyzes Log Analytics alerts and takes action to help resolve the underlying issue. | evt_mgmt_operator |
Health Log Analytics workflow
Health Log Analytics collects and processes log data automatically. It structures the data logically for operators to analyze, and generates meaningful alerts and suggestions that display in Event Management.
The diagram shows the Health Log Analytics workflow from collecting the data through sending an event or alert to Event Management.
- Ingestion
- This layer connects your environment to Health Log Analytics. You can stream your logs directly from servers and endpoints or from log repositories. The optional guided setup helps you create data input connectors for the following common data sources:
- Structuring
- This layer deals with structuring log data and auto-mapping it to logical silos, called Components. Data structuring can be done automatically or manually.
- Enrichment
- This layer handles identifying the variable parts of a log message.
- Analysis
- In this layer, each log line is indexed. Health Log Analytics extracts properties from the inner log message that contribute to models of behavior that the system learns to expect. Anomalous behavior departs from this expected behavior. You can search for an event and its most significant properties for manual triaging.
- Machine Learning (ML) and Artificial Intelligence (AI)
- Health Log Analytics uses advanced unsupervised machine-learning algorithms to discover patterns within logs and learn their unique data behavior. It then sets dynamic thresholds based on the data signature in real time to detect issues when they first occur. When the system detects a deviation from the typical pattern, it sends an event to Event Management.
- Alert in Event Management
- Health Log Analytics sends events to Event Management. In Event Management, Health Log Analytics alerts appear in the All alerts list, so operators can see both event-based alerts and Health Log Analytics alerts in a single location.
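As an added illustration (not Health Log Analytics code), the following Python sketch walks a batch of constructed log lines through the structuring, enrichment, and analysis layers described above, dropping a non-UTF-8 line as the note earlier says HLA does. The line format, keyword list, property names, and the mean-plus-sigma threshold are assumptions chosen for the example.

```python
import re
from statistics import mean, pstdev

# Constructed sample lines (not real HLA data); the last one is binary, which HLA does not accept.
RAW_LINES = [
    b"2024-05-01T10:00:01Z web01 INFO login ok user=alice src=10.0.0.5 port=443",
    b"2024-05-01T10:00:02Z web01 INFO login ok user=bob src=10.0.0.6 port=443",
    b"2024-05-01T10:00:03Z web01 WARN login Failed user=eve src=203.0.113.9 port=443",
    b"2024-05-01T10:00:04Z web01 WARN login Failed user=eve src=203.0.113.9 port=443",
    b"2024-05-01T10:00:05Z web01 WARN login Failed user=eve src=203.0.113.9 port=443",
    b"\x00\x01\x02binary junk\xff",
]
# Constructed history: 'Failed' count per one-minute window that the model has already seen.
BASELINE = [1, 0, 2, 1, 1, 0, 1, 2]

LINE_RE = re.compile(r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<severity>[A-Z]+) (?P<message>.*)$")
PROPERTY_RE = re.compile(r"\b(user|src|port)=(\S+)")
KEYWORDS = ("WARN", "Failed", "ERROR")  # assumed lexical keywords

def structure(raw: bytes):
    """Structuring layer: accept UTF-8 text only and split it into key properties."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary log line: unsupported, so it is dropped
    m = LINE_RE.match(text)
    return m.groupdict() if m else None

def enrich(record: dict) -> dict:
    """Enrichment layer: flag lexical keywords and extract variable contextual properties."""
    record["keywords"] = [k for k in KEYWORDS if k == record["severity"] or k in record["message"]]
    record["properties"] = dict(PROPERTY_RE.findall(record["message"]))
    return record

def process(raw_lines):
    """Run structuring then enrichment, skipping lines that cannot be structured."""
    return [enrich(r) for r in (structure(line) for line in raw_lines) if r is not None]

def dynamic_threshold(history, sigma=2.0):
    """Analysis layer: learned baseline is mean + sigma * stddev of past window counts."""
    return mean(history) + sigma * pstdev(history)

def to_event(records, keyword, history):
    """Count keyword hits in the current window; emit an Event Management style event if anomalous."""
    hits = [r for r in records if keyword in r["keywords"]]
    if len(hits) <= dynamic_threshold(history):
        return None
    return {"source": "Health Log Analytics", "node": hits[0]["host"], "severity": "warning",
            "description": f"{len(hits)} '{keyword}' lines vs learned baseline {dynamic_threshold(history):.2f}"}
```

With the constructed data, three 'Failed' lines in one window exceed the baseline threshold of about 2.41, so an event is produced, while zero 'ERROR' lines produce none.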
Benefits
| Benefit | Feature | User |
|---|---|---|
| Simplify data input setup using the guided setup. | Guided setup | Administrator |
| Set up log data connector integrations quickly and conveniently from the Integrations Launchpad. | Log data connector integrations | Administrator |
| Shorten onboarding time by installing content packs. | Content packs | Administrator |
| Save time and reduce errors by migrating data input configurations between instances. | Data input migration | Administrator |
| Identify the root cause of an alert by analyzing the logs that surround the anomaly. | Surrounding logs | Operator |
| Visualize anomalous log data on the Log viewer. | Log viewer | Operator |
| Detect relationships in log data. | Log correlators | Operator |
| Assign higher or lower significance to alerts. | Mute alert metrics | Operator |
| Reduce noise by creating log filters. | Log alert filters | Operator |
| Influence how Health Log Analytics finds anomalies by managing keywords it looks for in the log data. | Lexical keywords | Operator |
| Create alerts for specified metrics by adding, changing, or deleting rules. | Custom alert rules | Operator |