Collect SAP HANA audit logs in Microsoft Sentinel
This article explains how to collect audit logs from your SAP HANA database.
Important
Microsoft Sentinel SAP HANA support is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
If you have SAP HANA database audit logs configured with Syslog, you'll also need to configure your Log Analytics agent to collect the Syslog files.
Collect SAP HANA audit logs
Make sure that the SAP HANA audit log trail is configured to use Syslog, as described in SAP Note 0002624117, which is accessible from the SAP Launchpad support site.
Check your operating system Syslog files for any relevant HANA database events.
Install and configure a Log Analytics agent on your machine:
Sign in to your HANA database operating system as a user with sudo privileges.
In the Azure portal, go to your Log Analytics workspace. On the left pane, under Settings, select Agents management > Linux servers.
Under Download and onboard agent for Linux, copy the code that's displayed in the box to your terminal, and then run the script.
The Log Analytics agent is installed on your machine and connected to your workspace. For more information, see Install Log Analytics agent on Linux computers and OMS Agent for Linux on the Microsoft GitHub repository.
Refresh the Agents Management > Linux servers tab to confirm that you have 1 Linux computers connected.
On the left pane, under Settings, select Agents configuration, and then select the Syslog tab.
Select Add facility to add the facilities you want to collect.
Tip
Because the facilities where HANA database events are saved can change between different distributions, we recommend that you add all facilities, check them against your Syslog logs, and then remove any that aren't relevant.
In Microsoft Sentinel, check to confirm that HANA database events are now shown in the ingested logs.
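One way to run the check in the last step, and the facility review from the tip, is a Log Analytics query over the `Syslog` table. This is an added example, not part of the original article. The `hanaHost` and `hanaMarker` values are placeholders you must replace, and matching HANA audit entries by a marker string in the message is an assumption about your environment.

```kusto
// Added example (not from the original article).
// Placeholders: replace both values before running.
let lookback   = 1d;
let hanaHost   = "<hana-host-name>";        // name of the HANA database machine as reported by the agent
let hanaMarker = "<string-in-hana-audit>";  // assumption: a string that appears in your HANA audit entries,
                                            // taken from the events you found in the OS Syslog files
Syslog
| where TimeGenerated > ago(lookback)
| where Computer has hanaHost
// Per facility: total volume, how many entries look like HANA audit events,
// and when the most recent one arrived.
| summarize
    TotalEvents   = count(),
    HanaEvents    = countif(SyslogMessage has hanaMarker),
    LastHanaEvent = maxif(TimeGenerated, SyslogMessage has hanaMarker)
    by Computer, Facility
// Facilities with no HANA audit entries in the lookback window are the ones
// the tip suggests removing from the Syslog collection settings.
| extend Verdict = iff(HanaEvents > 0, "keep", "candidate for removal")
| order by HanaEvents desc, TotalEvents desc
```

If every facility shows zero `HanaEvents`, confirm on the host that the marker string really appears in the Syslog files before removing anything, and use a lookback window long enough to cover at least one audited action.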
Next steps
Learn more about the Microsoft Sentinel solution for SAP® applications:
- Deploy Microsoft Sentinel solution for SAP® applications
- Prerequisites for deploying Microsoft Sentinel solution for SAP® applications
- Deploy SAP Change Requests (CRs) and configure authorization
- Deploy the solution content from the content hub
- Deploy and configure the container hosting the SAP data connector agent
- Deploy the SAP data connector with SNC
- Monitor the health of your SAP system
- Enable and configure SAP auditing
Reference files:
- Microsoft Sentinel solution for SAP® applications data reference
- Microsoft Sentinel solution for SAP® applications: security content reference
- Kickstart script reference
- Update script reference
- Systemconfig.ini file reference
For more information, see Microsoft Sentinel solutions.