At any time there is a need to review specific user behavior, below are the recommended steps on how to review the transaction logs and event logs:

Locate the IP address of successful/failed login for a particular ServiceNow user for their instance
Modify the time frame of the search
Limiting the scope of search by user name
Successful/Failed login attempts

Procedure

Locate User Activity Process Steps

Log into the instance as admin
Identify Transaction Logs
- Transaction logs by default are kept for over 49 days unless the instance admin has adjusted the table rotations for [syslog_transaction] table.
Navigate to System Logs > Transactions https://<instance_name>.service-now.com/syslog_transaction_list.do
Adjust filter to narrow down logs for investigative purposes
- Required timeframe: The filter is "Created"
- Username: The filter set as "Created by" with the option of "starts with" either/or "contains"
Narrow the log date range

From this list view we can then adjust the filter as below:
- Created on – Adjust do any date or timeframe the customer needs
- Created by – Adjust to the affected username
Identify the IP address of the user login:
1. Click on cog wheel in the upper left corner of the table to open the Personalized list column.
2. To view the IP address of the logged in user you can add the IP address column to the list view via the Personalize List columns module.

Note that this is only for local accounts.

Log into the instance as an admin
Navigate to System Logs > Events

https://<instance_name>.service-now.com/sysevent_list.do?sysparm_query=sys_created_onONToday%40javascript:gs.daysAgoStart(0)%40javascript:gs.daysAgoEnd(0)%5EGOTOnameSTARTSWITHSNC.Auth.DB
Adjust filter as below:
From this list view we can then adjust the filter as below:
- Created on – Adjust do any date or timeframe the customer needs
- Created by – Adjust to the affected username

This is applicable to all versions.