Configuring the Log to Server action in an API Task

Configure the Log to Server action to forward the runtime and custom logs to an external SIEM server. You can add necessary headers, log levels and data source tags to custom log.

This procedure shows how to configure a Log to Server action to forward the run time logs and the variables to a Pipedream HTTP endpoint when you retrieve details of a ServiceNow Incident record.

Prerequisites

Ensure that the following conditions are met:
  • Permissions to create and run API Tasks.
  • Permissions to configure the SIEM server.
  • Active OAuth connections to the ServiceNow instance. For more information about setting up a ServiceNow OAuth connection, see Create OAuth connection.
  • A Pipedream account with a source named Logging. In the Pipedream portal, go to Sources > HTTP/Webhook > New Requests to create a source. When you create a source, the portal creates a custom HTTP endpoint. Use this endpoint as the SIEM server to collect the logs.

Procedure

  1. Log in to your Control Room.
  2. Perform the following actions to add the Pipedream source as the SIEM server for logging.
    1. Go to Administration > Settings > SIEM Integration Configuration.
    2. Select Enabled in the External SIEM Integration Configuration.
    3. Enter the Pipedream HTTP endpoint in SIEM server endpoint.
      The Pipedream HTTP endpoint is in the following format https://<unique_source_id>.m.pipedream.net. The Pipedream portal automatically generates the unique_source_id when you create a source.
    4. Select POST as the HTTP request method in HTTP Method.
    5. Enter message as the event attribute for the JSON file in Event attribute.
    6. Click Save changes to save the configuration.
  3. Go to Automation > Create > API Task to create an API Task in the Automation page.
  4. Enter servicenow-logging in the name field of Create API Task modal, and then click Create & edit.
    The API Task with the name logging appears on the editor page.
  5. Go to ServiceNow > Authentication to add the action.
  6. Select Control room OAuth connection in Authentication type.
  7. Click Pick to select the configured ServiceNow OAuth connection.
  8. Optional: Enter a custom name in Session name.
    By default, Default is set as the session name.
  9. Go to ServiceNow > Get Record to add the action.
  10. Enter incident in Table name.
  11. Enter the sys_id of the incident record in Record sys_id.
  12. Select Multiple variables and add the following variables in Assign output to a dictionary variable.
    • incident_state: String variable with the key state to capture the state of the record.
    • incident_short_description: String variable with the key short_description to capture the short description of the record.
    • incident_sys_id: String variable with the key sys_id to capture the sys_id of the incident.
  13. Go to Actions > Logging, and add Log to Server action to the automation.
  14. Enter servicenow incident logs in Text to log field to set the log content header.
  15. Select Custom selection tab in Variables to log (optional) setting.
  16. Enable the variables created in the previous step
    Enabling check boxes forwards the string variables and their values to the server.
  17. Enter incident_record in Data source tag (optional) field to set the unique identifier for the log content on the server.
    Tagging allows easy filtering of the logs. You can also use a string variable for tagging the log content.
  18. Select Info (6) to set the log level.
  19. Select Save to save the automation.
When you run the automation from Run API Task > Run now option, the automation retrieves the details of the ServiceNow incident record and forwards all the runtime and custom logs to Pipedream source.

Next steps

Log in to the Pipedream portal and go to Sources > Logging to view the logs. The final log entry contains the custom logs that the Log to Server action generates. The following is the sample event log that the system forwards to the HTTP endpoint.
{
  "method": "POST",
  "path": "/",
  "query": {},
  "client_ip": "35.155.28.36",
  "url": "https://04038b46964107d148cfdd251d89c826.m.pipedream.net/",
  "headers": {
    "host": "04038b46964107d148cfdd251d89c826.m.pipedream.net",
    "content-length": "459",
    "accept-encoding": "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
    "accept": "*/*",
    "user-agent": "Ruby",
    "content-type": "application/x-ndjson"
  },
  "bodyRaw": "{\"logMessage\":{\"logContent\":\"servicenow incident logs\",\"variableValues\":{\"incident_state\":\"1\",\"incident_sys_id\":\"57af7aec73d423002728660c4cf6a71c\",\"incident_short_description\":\"API call issue\"}},\"executionId\":\"b2e45a6d-186b-4b96-a2a2-3509808909f9_88f3a7ff9e646cc7\",\"logLevel\":\"INFO\",\"sysLogSource\":\"incident_record\",\"botName\":\"servicenow-logging\",\"botId\":\"45\",\"logCreatedTime\":\"2025-10-24T18:13:41.267798Z\",\"_tenantId\":\"dc170ff6-42d0-4f3d-8e9f-1904278d77f8\"}\n",
  "body": {
    "logMessage": {
      "logContent": "servicenow incident logs",
      "variableValues": {
        "incident_state": "1",
        "incident_sys_id": "57af7aec73d423002728660c4cf6a71c",
        "incident_short_description": "API call issue"
      }
    },
    "executionId": "b2e45a6d-186b-4b96-a2a2-3509808909f9_88f3a7ff9e646cc7",
    "logLevel": "INFO",
    "sysLogSource": "incident_record",
    "botName": "servicenow-logging",
    "botId": "45",
    "logCreatedTime": "2025-10-24T18:13:41.267798Z",
    "_tenantId": "dc170ff6-42d0-4f3d-8e9f-1904278d77f8"
  }
}