This is a write-up of my experiences trying to integrate the SAP Security Audit Log into Splunk without spending money and time getting third-party adapters into SAP. I want to run this without touching SAP at all.

The information about the SAP audit log was taken from here:

First, you need to set up a Splunk user id on the SAP servers that can read the log files, so typically it should be in group sapsys. Of course you need to know where the log file is written to.

The SAP Security Audit Log is a weird beast: it is written in UTF-16 even though it only shows simple ASCII; maybe SAP has a deal with disk manufacturers.

In the following, I assume a universal forwarder on the SAP server which is managed by a deployment server, that the indexers are managed as cluster nodes, and that the basic infrastructure is already set up. The forwarder already needs to know about the UTF-16LE encoding, otherwise you might get rather strange results.

The SAL has 200-character records and no proper line ends. Therefore, we need to trick Splunk into seeing lines. This works by using the report type indicator at the beginning (always 2 or 3 on our systems) and the two dummy 0 bytes after date and time. It will consume the initial digit of the record, but this is usually not relevant for the analysis.

So now that we can send the records to the indexer, we need to help Splunk to identify the fields. The initial thought of using just fixed fields never really worked; the results were unusable for analysis. I got the idea to split the records into delimited fields.

Therefore, the nf file that gets pushed to the indexers looks similar to the one on the forwarder with one crucial entry added:

And the character set information is removed:

LOOKUP-auto_sap_sm20 = sap_sm20 message_id AS message_id OUTPUTNEW audit_class AS sap_audit_class event_class AS sap_event_class message AS sap_message new_in_release AS sap_new_in_release

The fixed fields will be defined through a transformation via REPORT-SAP-Delim. In addition, the EXTRACT statements get dynamic subfields of the message field. Finally, the LOOKUP uses the message_id to provide some additional explanatory fields.
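As an added example (not the author's Splunk configuration), the record-breaking and lookup logic described in this post, reproduced in Python so the behaviour can be checked offline: the field layout of the constructed sample records (type digit, three-character message id, date, time, the two dummy zeros, free text), the sample values and the lookup rows are assumptions for illustration, not the real SAL layout or the real sap_sm20 table.

```python
import re

RECORD_LEN = 200  # SAL records are 200 characters with no line ends

# Constructed sample. The field layout (type digit, 3-char message id, date,
# time, two dummy zeros, free text) is assumed for illustration only; it is
# not a statement about the real SAL record layout.
def make_record(rtype, msg_id, date, time, text):
    return f"{rtype}{msg_id}{date}{time}00{text}".ljust(RECORD_LEN)

SAMPLE_BYTES = "".join([
    make_record("2", "AU1", "20240105", "081502", "Logon successful user=ALICE"),
    make_record("2", "AU2", "20240105", "081530", "Logon failed user=BOB"),
    make_record("3", "AUW", "20240105", "081601", "Report started RSUSR003"),
]).encode("utf-16-le")

# Constructed stand-in for the sap_sm20 lookup (message_id -> explanatory fields).
SM20_LOOKUP = {
    "AU1": {"audit_class": "Logon", "event_class": "Success", "message": "Logon successful"},
    "AU2": {"audit_class": "Logon", "event_class": "Severe", "message": "Logon failed"},
}

# Python analogue of the LINE_BREAKER idea: a record starts with the report type
# indicator (2 or 3) followed by message id, date, time and the two dummy zeros.
RECORD_START = re.compile(r"(?=[23][A-Z0-9]{3}\d{8}\d{6}00)")

def split_records(raw):
    """Decode UTF-16LE and cut the stream into events; the type digit is dropped,
    mirroring how Splunk discards the LINE_BREAKER capture group."""
    text = raw.decode("utf-16-le")  # the wrong encoding here gives "strange results"
    chunks = [c for c in RECORD_START.split(text) if c]  # zero-width split, Python 3.7+
    return [c[1:] for c in chunks]

def parse_event(event):
    """Split one event into fields and enrich it via the lookup (OUTPUTNEW
    semantics: only add fields that are not already present)."""
    m = re.match(r"([A-Z0-9]{3})(\d{8})(\d{6})00(.*)", event)
    # A record-start pattern that also fires inside free text would yield short
    # events, so check the length before trusting the fields.
    if m is None or len(event) != RECORD_LEN - 1:
        raise ValueError(f"record boundary mis-detected: {len(event)} chars")
    message_id, date, time, text = m.groups()
    fields = {"message_id": message_id, "date": date, "time": time,
              "message": text.rstrip()}
    for key, value in SM20_LOOKUP.get(message_id, {}).items():
        fields.setdefault("sap_" + key, value)
    return fields

def ingest(raw):
    return [parse_event(e) for e in split_records(raw)]
```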