SAP (xm_sap)
This module provides support for parsing the SAP Security Audit Log (SAL). It registers an InputType using the name of the module instance. This module can be used with the im_file input module.
To examine the supported platforms, see the list of installation packages. |
Configuration
The xm_sap module accepts only the common module directives.
Fields
The following fields are used by xm_sap.
$Client
(type: string)-
The three-digit client number.
$DialogMode
(type: string)-
External mode of a SAP dialog.
$EntryType
(type: string)-
The one-character SAP entry type.
$EventTime
(type: datetime)-
The timestamp that indicates when the event was logged. Constructed from the year, month, day, hour, minute and second fields of the audit record.
$MessageData
(type: string)-
The audit log message text. This may contain parameters for use in the SAP UI. For a list of SAP message IDs and their corresponding text, execute transaction
SM92
.
$MessageID
(type: string)-
The three-character audit message ID. First two characters represent message area, and the last one represents message name.
$ProcessID
(type: string)-
The ID of the process that originated the event.
$ProcessType
(type: string)-
The two-character process type (short form).
$Program
(type: string)-
The program that was executed.
$Task
(type: string)-
The five-digit task number
$Terminal
(type: string)-
The name of the computer where the event was generated.
$TransmissionCode
(type: string)-
The SAP transaction code.
$Username
(type: string)-
The username associated with the event.
Examples
This example uses the im_file input module to read SAP Security Audit Log files and specifies the xm_sap instance name in the InputType directive. Log records are then converted to JSON using the to_json() procedure of the xm_json module.
2AU120211116085901000779800001D1PC-1 SAP* SESSION_MANAGER SAPMSYST 0011A&0&P 10.0.0.115
<Extension sap_parser>
Module xm_sap
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input sap_audit_log>
Module im_file
File '/usr/sap/NPL/D00/log/audit_*'
InputType sap_parser
Exec to_json();
</Input>
{
"EntryType": "2",
"MessageID": "AU1",
"EventTime": "2021-11-16 08:59:01",
"ProcessID": "07798",
"Task": "00001",
"ProcessType": "D1",
"Terminal": "PC-110.0.0.115",
"Username": "SAP*",
"TransmissionCode": "SESSION_MANAGER",
"Program": "SAPMSYST",
"Client": "001",
"DialogMode": "1",
"MessageData": "A&0&P",
"EventReceivedTime": "2021-11-16T09:00:44.852728+01:00",
"SourceModuleName": "sap_audit_log",
"SourceModuleType": "im_file"
}