Setting up the Data Forwarder and MID Server is only required if you use the Data Forwarder and AWS S3 Bucket option with ServiceNow. Data collection through the REST API does not require these steps.

If you are ingesting alerts using the Data Forwarder and AWS S3 option, the Carbon Black Cloud Data Forwarder configuration must be updated to the Alert Forwarder Schema v2.0.

ServiceNow does not successfully ingest the Forwarder Alert Schema 1.0.

See ServiceNow 3.0.0 Release Notes for more information about updating the Data Forwarder to use the Alert Forwarder Schema v2.0.

For full details about the Carbon Black Cloud Data Forwarder and options to configure it, see Data Forwarders.

Note: Azure Blob Storage is not supported with ServiceNow Apps.

Prerequisites

Procedure

  1. Configure an AWS S3 bucket. See Create an S3 Bucket in the AWS Console and Configure the Bucket Policy to Allow Access.
  2. Configure an AWS SQS queue.
    1. In the AWS Management Console, create an SQS queue.
    2. Configure the Access policy. Replace the tokens with your own values.

      Tokens for configuring the Access policy for the SQS queue

    3. Go to Properties > Event Notifications and set the Destination SQS queue to the ARN of the new queue.
      Note: If you use SQS to pull from the bucket, events are no longer available in the queue after they are retrieved. To view historical events or reload older data, copy the events to another prefix so that they are sent to the queue again.
  3. Configure an Alert Forwarder with Schema 2.0.0. See Add a Data Forwarder.
  4. Install and configure the MID server using the steps in the MID Server Installation Guide in the ServiceNow Store.
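
An added example, not taken from the Carbon Black or ServiceNow documentation: a Python check of the SQS access policy from step 2, using the policy shape AWS documents for S3 event notifications. The account ID, region, queue name and bucket name are constructed placeholders, and `audit_queue_policy` is a hypothetical helper.

```python
# Constructed placeholders: substitute your own account ID, region, queue and bucket.
ACCOUNT = "111122223333"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:cbc-forwarder-events"
BUCKET_ARN = "arn:aws:s3:::cbc-forwarder-bucket"

# Queue policy that lets only this bucket, owned by this account, send notifications.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowForwarderBucketNotifications",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
        "Condition": {
            "ArnLike": {"aws:SourceArn": BUCKET_ARN},
            "StringEquals": {"aws:SourceAccount": ACCOUNT},
        },
    }],
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_queue_policy(policy, queue_arn, bucket_arn, account):
    """Return findings for the queue policy; an empty list means it passed."""
    findings, s3_can_send = [], False
    for stmt in _listify(policy.get("Statement", [])):
        actions = {a.lower() for a in _listify(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sqs:sendmessage", "sqs:*", "*"}:
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        # Flatten {operator: {key: value}} into {key: [values]} with lower-cased keys.
        cond = {k.lower(): _listify(v) for op in stmt.get("Condition", {}).values()
                for k, v in op.items()}
        if principal in ("*", {"AWS": "*"}) and not cond:
            findings.append(f"{sid}: any AWS principal can send to the queue")
        services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "s3.amazonaws.com" not in services:
            continue
        s3_can_send = True
        # Exact matches are required here; wildcard ARNs are reported as not pinned.
        if queue_arn not in _listify(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource is not limited to the forwarder queue")
        if bucket_arn not in cond.get("aws:sourcearn", []):
            findings.append(f"{sid}: aws:SourceArn does not pin the forwarder bucket")
        if account not in cond.get("aws:sourceaccount", []):
            findings.append(f"{sid}: aws:SourceAccount does not pin the bucket owner")
    if not s3_can_send:
        findings.append("no statement lets s3.amazonaws.com send to the queue")
    return findings
```

Without the two condition keys, any bucket in any account could deliver notifications to the queue that the MID Server reads from.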