Pushing SAP Logs via RZ20

0 Kudos

Hi!

My customer wants to push SAP logs to an external system (say, a big data processor or an event management system) either by saving the logs to flat files or sending the logs via syslog protocol.

Would RZ20 be the right tool for this? Both to aggregate SAP access/change logs and to push them further.

Would the save-2-files or syslog transfer be the standard functionality of RZ20 or would this be a development?

Thank you very much in advance!

Ivan

p.s. some background: 

RZ20 - SAP CCMS
Monitor Templates - Syslog

https://help.sap.com/saphelp_srm702/helpdata/en/32/a58b3b7682773ce10000000a114084/content.htm


Accepted Solutions (1)

alwina_enns
Employee
0 Kudos

Hello Ivan,

what exactly do you mean by pushing logs to an external system? Do you need to store the logs in a file system? In RZ20 the data are displayed centrally on CEN by accessing the monitored systems via RFC connections, or agents are pushing data from CCMS shared memory of the monitored system to shared memory (or cache) of CEN and the agents can monitor logs, but nothing in RZ20 is pushing logs.

Regards,
Alwina

0 Kudos

Alwina, thank you! Please check the context in the other response in the thread.

I see 2 ways to handle the logs - save them to a file (yes, to a file-system) or 'seamlessly' transmit them via the syslog or Common Event Format - seemingly a development task.

I just need to understand whether those tasks may be a standard or we need to develop s/t for the customer.

We need to capture system access most of all - who logged where and which transactions started.

Sorry for the lame questions - I spend quite some time on extended (UI Logging) but rather have limited exposure into SAP access logging.

Ivan

alwina_enns
Employee
0 Kudos

Hello Ivan,

RZ20 does not push logs to a central system. It works in such a way that you connect systems to a central system and CEN can then access data on the monitored systems. You can store performance data centrally for monitored systems on CEN, but there is no such feature for logs in RZ20. Some customers have scripts on OS level to collect and store logs for a longer period of time.

Regards,
Alwina

Answers (2)

Former Member
0 Kudos

Hello Ivan,

we have developed a generic SIEM extractor to forward SAP System and Security Logs (and more than 20 other log sources!) to external SIEM platforms via flat file or standard syslog.

If you need further info please contact me directly.

Best regards

Ralf

0 Kudos

Hi Ralf, can you, please, drop your contact to <removed_by_moderator>?

Thank you!

Former Member
0 Kudos

Hi Ivan

Have you got the solution, or are you currently doing this with Solution Manager?

Regards

Former Member
0 Kudos

Hello Abhishek,

our solution can be installed on any type of SAP ABAP stack systems.

Actually we can extract 31 different SAP log types including Security Audit Log and Syslog.

All logs can be filtered regarding critical security events and afterwards forwarded by syslog protocol, file or webservice to external SIEM systems.

Of course it also works on the Solution Manager.

Best regards

Ralf

divyanshu_srivastava3
Active Contributor
0 Kudos

Hi Ivan,

Can you be a bit more clear with your intentions?

Are you referring to RZ20 as an alternative to your external monitoring tool, or vice versa?

Regards

0 Kudos

Divyanshu, thank you for the input!

The intention is to pull out the raw logs to an external event management system (SIEM) for further analysis in real-time or with a bit of delay.

I was wondering whether RZ20 may be a centralized analog for SM18/19/20/21 so it may be a one-stop-shop for logs' storage.

The external systems rely either on syslog (UDP protocol) interface or Common Event Format but some big-data crunchers can process raw files as well.

Do you feel there is a better way to pull out the logs/push them out of SAP environment?

I need ones from HR, SRM and CRM most of all.

Ivan

divyanshu_srivastava3
Active Contributor
0 Kudos

Perhaps, how logs are read or processed solely depends on your external log processing tool.

I believe for such kind of monitoring Solution Manager 7.1 itself is sufficient. The old RZ20 is a one stop for monitoring but as a shop for standard methods only.

If you want to pull logs then maybe scripts and custom programs on operating system level can do this task.

You should also check with the vendor who is providing this system for integration with SAP or always better raise an incident to check options at your disposal.

Regards

christophnagy
Explorer
0 Kudos

Hi Ivan,

you are looking for an API that allows extraction of SAP Syslog in a readable and structured way. The extraction and transformation to CE Format would be custom development.

You may find FM 'RSLG_ITSAM_READ_SYSLOG_ALV' helpful to fetch data from the syslog.

Regards

Christoph
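
The custom step the thread keeps coming back to, turning an extracted access record into Common Event Format and wrapping it for syslog over UDP, is sketched here as an added example; it is not part of any post above and is not SAP or vendor code. The record layout, the CEF vendor/product/version/event-id values and the host name `sapprd01` are assumptions made for the example.

```python
import socket
from datetime import datetime, timezone

# Constructed sample of one already-extracted access record; the field
# names are assumptions for this example, not an SAP export format.
SAMPLE = {"time": "2015-03-02T10:15:30+00:00", "sid": "PRD", "client": "100",
          "user": "JDOE", "tcode": "SE16", "terminal": "WS0042",
          "text": "Transaction SE16 started; filter=USR02"}

def hdr_escape(value):
    """Escape a CEF header field (backslash and pipe)."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def ext_escape(value):
    """Escape a CEF extension value (backslash, equals sign, line breaks)."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def to_cef(rec, severity=3):
    """Build a CEF:0 line; vendor, product, version, event id are placeholders."""
    header = "|".join(hdr_escape(v) for v in (
        "SAP", "NetWeaver ABAP", "0.0", "TCODE_START",
        "Transaction started", severity))
    rt = int(datetime.fromisoformat(rec["time"]).timestamp() * 1000)  # epoch ms
    ext = {"rt": rt, "suser": rec["user"], "shost": rec["terminal"],
           "cs1Label": "sid", "cs1": rec["sid"],
           "cs2Label": "client", "cs2": rec["client"],
           "cs3Label": "tcode", "cs3": rec["tcode"], "msg": rec["text"]}
    pairs = " ".join(f"{k}={ext_escape(v)}" for k, v in ext.items())
    return "CEF:0|" + header + "|" + pairs

def to_syslog(cef, host, facility=13, severity=6, now=None):
    """Prefix an RFC 3164 style header; PRI = facility * 8 + severity."""
    now = now or datetime.now(timezone.utc)
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # day is space-padded
    return f"<{facility * 8 + severity}>{stamp} {host} {cef}"

def send_udp(line, addr):
    """Send one datagram; UDP gives no delivery guarantee or confidentiality."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), addr)

if __name__ == "__main__":
    print(to_syslog(to_cef(SAMPLE), "sapprd01"))
```

The escaping functions matter most for user-controlled fields such as free text, since an unescaped `=` or line break lets one record masquerade as extra fields or extra events on the SIEM side.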