SAP (xm_sap)

This module provides support for parsing the SAP Security Audit Log (SAL). It registers an InputType using the name of the module instance. This module can be used with the im_file input module.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.


The xm_sap module accepts only the common module directives.


The following fields are used by xm_sap.

$Client (type: string)

The three-digit client number.

$DialogMode (type: string)

External mode of a SAP dialog.

$EntryType (type: string)

The one-character SAP entry type.

$EventTime (type: datetime)

The timestamp that indicates when the event was logged. Constructed from the year, month, day, hour, minute and second fields of the audit record.

$MessageData (type: string)

The audit log message text. This may contain parameters for use in the SAP UI. For a list of SAP message IDs and their corresponding text, execute transaction SM92.

$MessageID (type: string)

The three-character audit message ID. First two characters represent message area, and the last one represents message name.

$ProcessID (type: string)

The ID of the process that originated the event.

$ProcessType (type: string)

The two-character process type (short form).

$Program (type: string)

The program that was executed.

$Task (type: string)

The five-digit task number

$Terminal (type: string)

The name of the computer where the event was generated.

$TransmissionCode (type: string)

The SAP transaction code.

$Username (type: string)

The username associated with the event.


Example 1. Parsing SAP audit log

This example uses the im_file input module to read SAP Security Audit Log files and specifies the xm_sap instance name in the InputType directive. Log records are then converted to JSON using the to_json() procedure of the xm_json module.

Input sample
2AU120211116085901000779800001D1PC-1    SAP*        SESSION_MANAGER     SAPMSYST                                0011A&0&P                                                 
<Extension sap_parser>
    Module       xm_sap

<Extension json>
    Module       xm_json

<Input sap_audit_log>
    Module       im_file
    File         '/usr/sap/NPL/D00/log/audit_*'
    InputType    sap_parser
    Exec         to_json();
Output sample in JSON format
    "EntryType": "2",
    "MessageID": "AU1",
    "EventTime": "2021-11-16 08:59:01",
    "ProcessID": "07798",
    "Task": "00001",
    "ProcessType": "D1",
    "Terminal": "PC-",
    "Username": "SAP*",
    "TransmissionCode": "SESSION_MANAGER",
    "Program": "SAPMSYST",
    "Client": "001",
    "DialogMode": "1",
    "MessageData": "A&0&P",
    "EventReceivedTime": "2021-11-16T09:00:44.852728+01:00",
    "SourceModuleName": "sap_audit_log",
    "SourceModuleType": "im_file"