2021 Apr 27 7:33 AM
Hi,
While monitoring Security Audit Log events in ArcSight, the events "Application server started (Event id AUG)" and "Application server stopped (Event id AUH)" occurred with no IP address or host name. How will we find which application is started or stopped?
2021 Apr 27 8:31 AM
Hi
I think you should contact ArcSight support for this, as it is a 3rd party product.
Regards
Tom
2021 Apr 27 11:52 AM
Hello,
SAL files should be recorded per application server. That means that the entry you see is from the application server itself.
Read more about SAL in this SAP Community blog.
Regards,
Cris
2021 Apr 27 1:05 PM
Hello anonymous user,
sadly, many log files produced by SAP systems like SAP NetWeaver or SAP HANA do not have all the necessary details inside the log files themselves, which would be the baseline for an easy SIEM integration. Here, for example, you need to enrich the logs with the hostname on which the logs have been generated.
We would love to see more alignment when it comes to logging, both between the components of the same product and between different products. I wonder how SAP ETD, for example, handles this, but my assumption is that SAP spent some effort on log enrichment, correlation, etc. instead of healing the root causes.
Regards
Joe Görlich
2021 Apr 27 1:10 PM
We have more than one application server. How will we find the application server without an IP/host name?
For what purpose was the application server started and stopped?
2021 Apr 29 6:47 PM
I have just used SM20 in a test system with two app servers:

As you can see above, the Name column displays the application server name (I cut the first part of the names). One ends with "73x" and the other one ends with "75".
So you know which app server was stopped and started.
Why they were stopped and started: most likely maintenance happened that required a system (or instance) restart.
In my example, I didn't select a specific instance, so SM20 read the Security Audit Logs from both instances.
Regards,
Cris
2021 Apr 30 5:04 AM
Thank you for your reply.
We are analyzing the security audit log in ArcSight SIEM. There is no field for the application server's name.
The available details are attached here.
2021 Apr 30 8:56 AM
How do you forward the SAL logs from the SAP NetWeaver AS ABAP to your SIEM?
2021 Apr 30 9:55 AM
Hi,
We have no idea about that. We are new to the security audit log and are monitoring another organization's logs.
There are about 30+ servers for development, production and testing.
What is the difference between SAP ERP Central Component (ECC) and SAP NetWeaver AS ABAP?
2021 Apr 28 12:20 PM
On the SAP system you may configure the SAL log file name via the profile parameter FN_AUDIT to include the hostname, the SID as well as the instance number. For example: FN_AUDIT = audit_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)_++++++++###### . Then you may enrich the logs in your SIEM to include these values from the log file name during the import.
For this and for details like reasons for restarts of application servers please contact the responsible SAP administrators.
I also recommend reading the blog post https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm...
Including SAP security monitoring in the SOC/CDC is a highly valuable step, but this also means training the analysts to 'speak' SAP. No offence!
Best regards
Joe Görlich
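As an added example (not code from the thread, from SAP, or from ArcSight), here is how the enrichment step suggested above could be done at import time: a small Python parser that derives SID, instance name and host from a SAL file name produced with that FN_AUDIT value and attaches them to the otherwise host-less AUG/AUH events. The file name, the event dictionaries and the reading of the '+' run as a date and the '#' run as a counter are assumptions made for this example.

```python
import re

# FN_AUDIT value quoted in the thread above.
FN_AUDIT = "audit_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)_++++++++######"

# Constructed sample: a file name such a pattern could produce (SID, instance
# and host are made up), and two SAL events as a SIEM connector might present
# them, carrying the message id and text but no host (the problem in the thread).
SAMPLE_FILE = "audit_PRD_D00_sapprd01_20210427000001"
SAMPLE_EVENTS = [
    {"message_id": "AUG", "text": "Application server started"},
    {"message_id": "AUH", "text": "Application server stopped"},
]


def pattern_to_regex(fn_audit: str) -> re.Pattern:
    """Build a regex with named groups from an FN_AUDIT pattern.

    $(VAR) placeholders become named groups matching up to the next '_'
    (SIDs, instance names and hostnames contain no underscore).
    Assumption: a run of '+' is a date of that many digits and a run of '#'
    is a numeric counter of that many digits; an optional file extension
    (e.g. .AUD on newer kernels) is tolerated.
    """
    token = re.compile(r"\$\((\w+)\)|(\++)|(#+)")
    parts, pos = [], 0
    for m in token.finditer(fn_audit):
        parts.append(re.escape(fn_audit[pos:m.start()]))
        if m.group(1):
            parts.append(f"(?P<{m.group(1)}>[^_]+)")
        elif m.group(2):
            parts.append(f"(?P<date>\\d{{{len(m.group(2))}}})")
        else:
            parts.append(f"(?P<seq>\\d{{{len(m.group(3))}}})")
        pos = m.end()
    parts.append(re.escape(fn_audit[pos:]))
    return re.compile("^" + "".join(parts) + r"(?:\.\w+)?$")


def enrich_event(event: dict, filename: str, fn_audit: str = FN_AUDIT) -> dict:
    """Return a copy of the event with SID, instance, host and file date added."""
    m = pattern_to_regex(fn_audit).match(filename)
    if not m:  # e.g. the default 'audit_++++++++' name carries no host at all
        raise ValueError(f"file name does not match FN_AUDIT pattern: {filename}")
    f = m.groupdict()
    return {**event, "sap_sid": f["SAPSYSTEMNAME"], "sap_instance": f["INSTANCE_NAME"],
            "sap_host": f["SAPLOCALHOST"], "sal_file_date": f.get("date")}


def enrich_all(events=SAMPLE_EVENTS, filename=SAMPLE_FILE) -> list:
    """Enrich every event read from one SAL file with that file's name fields."""
    return [enrich_event(e, filename) for e in events]
```

The same idea applies to any connector that exposes the source file name as a field: map the named groups onto the SIEM's device host and custom fields instead of returning a dict.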