https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400549#M1995608 <P>I have just used SM20 in a test system with two app servers:</P><P><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/attachments/storage/7/attachments/1916712-sm20.jpg" /></P><P>As you can see above, the Name displays the application server name (I cut the first part of the names). One ends with "73x" and the other one ends with "75".</P><P>So, you know what app server was stopped and started.</P><P>Why they are stopped and started: most likely a maintenance happened, that required a system (or instance) restart.</P><P>In my example, I didn't select a specific instance, so SM20 read the Security Audit Logs from both instances.</P><P>Regards,</P><P>Cris</P> Thu, 29 Apr 2021 17:47:38 GMT cris_hansen 2021-04-29T17:47:38Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400543#M1995602 <P>Hi,</P> <P>While monitoring Security Audit Logs events in ArcSight, the events "Application server started (Event id AUG)" and "Application Server Stopped (Event id AUH)" occurred with no IP address or host name. How will find which application is started or stopped?</P> Tue, 27 Apr 2021 06:33:03 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400543#M1995602 Former Member 2021-04-27T06:33:03Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400544#M1995603 <P>Hi</P><P>I think you should contact ArcSight support for this, as it is a 3rd party product.</P><P>Regards</P><P>Tom</P> Tue, 27 Apr 2021 07:31:26 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400544#M1995603 tom_wan 2021-04-27T07:31:26Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400545#M1995604 <P>Hello,</P><P>SAL files should be recorded per application server. That means that the entry you see is from the application server itself.</P><P>Read more about SAL in <A href="https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/" target="_blank">this SAP Community blog</A>.</P><P>Regards,</P><P>Cris</P> Tue, 27 Apr 2021 10:52:43 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400545#M1995604 cris_hansen 2021-04-27T10:52:43Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400546#M1995605 <P>Hello anonymous user, </P><P>sadly many log files produced by SAP systems like SAP NetWeaver or SAP HANA do not have all necessary details inside the log files themselves, which would be the baseline for an easy SIEM integration. Here for example you need to enrich the logs with the hostname on which the logs have been generated.</P><P>We would love to see more alignment when it comes to logging - both between the components of the same product as well as between different products. Wondering how SAP ETD for example handles this, but my assumption is that SAP spent some effort in log enrichment, correlation, etc. instead of healing the root causes.</P><P>Regards</P><P>Joe Görlich</P> Tue, 27 Apr 2021 12:05:12 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400546#M1995605 JoeGoerlich 2021-04-27T12:05:12Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400547#M1995606 <P>We have more than one application server. How we will find the application server without IP/host name?</P><P>For what purpose, the application server started and stopped?</P> Tue, 27 Apr 2021 12:10:28 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400547#M1995606 Former Member 2021-04-27T12:10:28Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400548#M1995607 <P>On the SAP system you may configure the SAL log file name via profile parameter FN_AUDIT to include the hostname, the SID as well as the instance number. For example FN_AUDIT = audit_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)_++++++++###### Then you may enrich the logs in your SIEM to include these values from the log file name during the import.</P><P>For this and for details like reasons for restarts of application servers please contact the responsible SAP administrators. </P><P>I also recommend to read the blogpost <A href="https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/" target="test_blank">https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/</A></P><P>Including SAP security monitoring into the SOC/CDC is a highly valuable step, but this means also to train the analysts to 'speek' SAP. No offence!</P><P>Best regards</P><P>Joe Görlich</P> Wed, 28 Apr 2021 11:20:52 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400548#M1995607 JoeGoerlich 2021-04-28T11:20:52Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400549#M1995608 <P>I have just used SM20 in a test system with two app servers:</P><P><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/attachments/storage/7/attachments/1916712-sm20.jpg" /></P><P>As you can see above, the Name displays the application server name (I cut the first part of the names). One ends with "73x" and the other one ends with "75".</P><P>So, you know what app server was stopped and started.</P><P>Why they are stopped and started: most likely a maintenance happened, that required a system (or instance) restart.</P><P>In my example, I didn't select a specific instance, so SM20 read the Security Audit Logs from both instances.</P><P>Regards,</P><P>Cris</P> Thu, 29 Apr 2021 17:47:38 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400549#M1995608 cris_hansen 2021-04-29T17:47:38Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400550#M1995609 <P>Thank you for your reply,</P><P>We are analyzing security audit log in ArcSight SIEM. There are no field for application server's name.</P><P>The available details are attached here</P><P><A href="https://answers.sap.com/storage/temp/1916721-application-server.png">application-server.png</A></P> Fri, 30 Apr 2021 04:04:22 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400550#M1995609 Former Member 2021-04-30T04:04:22Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400551#M1995610 <P>How do you forward the SAL logs from the SAP NetWeaver AS ABAP to your SIEM?</P> Fri, 30 Apr 2021 07:56:12 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400551#M1995610 JoeGoerlich 2021-04-30T07:56:12Z https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400552#M1995611 <P>Hi,</P><P>We have no idea about that and monitoring another organization's logs. we are new to the security audit log and monitoring another organization's logs.</P><P>There contains about 30+ servers for development, production and testing.</P><P>What is the difference between SAP ERP Central Component (ECC) and SAP NetWeaver AS ABAP ?</P> Fri, 30 Apr 2021 08:55:00 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-audit-log/m-p/12400552#M1995611 Former Member 2021-04-30T08:55:00Z