
Background Information


CorreLog Agent For SAP
SAP Audit Log Monitor Interface
Install Guide

This application note describes how to install and configure CorreLog to accept and format SAP audit files. The information herein supplements the CorreLog Windows Tool Set Manual and the File Transfer Queue Adapter User Manual, and describes how to install, configure, and test this SAP support function, which accepts and formats SAP security audit files for inclusion in the CorreLog message database.

Background Information

SAP audit files consist of fixed-length ASCII text records, which are continuously appended (without any new-line separators) to an audit file. CorreLog can read and format these files in two distinct ways:

1. Agent Adapter. The operator can add the SAP adapter dll software to a copy of the agent program, which permits the agent to read the SAP audit file as if it was a regular streaming log file.

2. File Transfer Queue. The operator can use the File Transfer Queue software to read and format files, where these files are transferred to the CorreLog server using a mechanism such as FTP.

Both of the above techniques are described in this application note. Using the SAP Adapter software described here, a simple system can be constructed to permit a SAP audit log file to be handled in a fashion identical to other log files, permitting SAP messages to be threaded, alerted upon, or reported on like any other received message.

Using the SAP Agent Adapter

The user can configure the SAP monitor at a copy of the agent program using the following procedure:

1. Install the SAP extensions at a new or existing site. The SAP extensions are typically installed via a self-extracting WinZip file, such as wt Sap x X xX exe. The above file can be obtained from CorreLog support.

2. After installing the agent, click down into the IP Address for the agent program, and click Edit Remote Config to display the remote agent configuration.

3. On the remote agent configuration screen, click the Wizard button to run the configuration wizard, and provide the following values in response to each screen:

    Log File Monitor Type: Adapter
    Adapter Identifier: SAP
    Adapter Module: SAP adapter dll
    Log File Monitor Path: (pathname to SAP audit file)

Use defaults for all other values. When the Wizard finishes, the SAP adapter has been added to the list of monitored logs.

Note that the pathname to the Log File Monitor, specified on the second screen of the Wizard, can contain wildcards or standard date and time notation to access the log file. For example, a typical path may be a value such as:

    C SAP Audit Y m d aud

The above pathname will monitor a file in the SAP Audit folder, where the file name is in YYYY MM DD aud format.

After adding the above entry, SAP audit records that are appended to the specified file will automatically be sent to CorreLog. The operator can configure keyword overrides to filter messages, or change the severities of the messages that are received. More information on keywords and general usage of the agent can be found in the Windows Tool Set User Manual, available from the Home screen of CorreLog after installation.

Using the SAP Formatter and File Transfer Queue

As an alternative to the real-time monitoring available via the Windows Agent adapter, the SAP Log File Monitor can be included in the CorreLog File Transfer Queue Adapter software, version 5.1.2 and greater. Installation and usage of this adapter is documented in detail with the File Transfer Queue user manual. This feature permits batch processing of existing SAP files.

Once the File Transfer Queue software is installed, a queue and the external formatter should be configured to accept SAP files. The operator first creates a formatter using the SAP util exe program, composing a simple batch file as follows, and placing this file in the formatters directory of the CorreLog Server:

    REM File FQ_APP_SAP_LOG.bat
    REM Requires the SAP util exe program which is
    REM installed as part of the SAP adapter software
    wintools SAP util exe FQ PATHNAME
    REM File was transferred

After creating the FQ_APP_SAP_LOG.bat external file as described above, the procedure to configure the SAP File queue is as follows:

1. On the CorreLog Server, create a directory folder that will receive the SAP audit files. This path is typically C CorreLog SAP queue, but the operator can select any pathname.

Log into the CorreLog Web Interface and navigate to the Messages > Adapters > File Queue screen.

Click the Edit button on this screen to edit the various queues.

On the Queue Edit screen, add the following items to a spare slot (typically Slot 2 for a new installation):

    Queue Input Folder: C CorreLog SAP queue
    Queue Message Prefix: SAP
    External Formatter: FQ_APP_SAP_LOG.bat

When finished, the Edit screen should appear similar to that shown in the screenshot below.

[Screenshot: Queue Edit screen of the CorreLog Server web interface, showing the SAP queue entered in Queue Input Folder Path 2]

6. Click Commit to save the new configuration.

The CorreLog SAP queue entry created above will appear on the top-level Adapters > File Queue screen. No other steps are needed to configure the queue. After performing the above steps, any SAP audit file that is copied to the C CorreLog SAP queue folder will be read by the CO queue exe program, deleted from the queue, and transmitted to CorreLog.

Support for CEF (Common Event Format)

The SAP adapter and agent supports CEF format for those SIEM devices that support this special format. This feature is enabled by adding a MessageFormat directive to the agent configuration file, specifying CEF format.

To modify the agent configuration file, edit the CO sysmsg cnf file, located in the same folder as the CO sysmsg exe Windows agent program, and add the following directive somewhere after the MessagePort directive and prior to the first EventLog specification. For example, add this after the MessagePrefix directive, or replace the MessagePrefix directive with the following:

    MessageFormat CEF

After making the above change, stop and restart the CorreLog Syslog Message service for the change to take effect. The agent will then transmit all event logs and the SAP messages in CEF format. A typical SAP message in CEF format is as follows:

    Oct 1 13 05 47 myhost CEF 0 CorreLog SAP Agent 5 5 3 AU5 RFC CPIC logon successful 1 deviceFacility audit cat RFC CPIC suser MyUser msg AU5 SAP Audit Time 2015 10 01 13 05 47 Data 00000000D0 Terminal 183 245 SAP User MyUser Report SAPMSSY 1 Client Flag 1 Client ID 200 Args R amp 0 10 1 1 2 Audit Class RFC CPIC Logon Severity Info Descr RFC CPIC logon successful Comment

If CEF is not required, then this step should generally be omitted, since CEF has multiple limitations and is not easily human readable. Use the standard SAP agent formatting where possible, since this is designed for maximum interoperability with programs and devices, with the exception of those SIEMs that actually require CEF for their normal operation.

Note that when specifying a MessageFormat, the SAP AND ALSO the Event Log messages will be in CEF format. The MessagePrefix directive is ignored when the MessageFormat is set to CEF. Refer to the Windows Tool Set User Manual for more information on using CEF and MessageFormat directives.

Description of SAP util exe Program

As part of the SAP installation, a command line utility is provided that can be used to debug and inspect a raw SAP file. The SAP util exe program is placed in the wintools directory, along with the SAP adapter dll. Basic usage of the program can be displayed by launching the utility at a command prompt with no arguments. General usage of this utility program is as follows:

    SAP util exe auditfile

Executing the program with the pathname of a SAP audit file as the first and only argument will dump a textual listing of the file to standard output. This is the mode of operation used by the File Transfer Queue, described above.

    SAP util exe tail auditfile

Executing the program with the tail option, followed by the pathname of a SAP audit file, will continuously tail the log file, displaying formatted records as new information is appended to the bottom of the file. The user enters CTRL-C to exit the program.

    SAP util exe raw auditfile

Executing the program with the raw option, followed by the pathname to a SAP audit file, will continuously tail the log file, displaying unformatted records as new information is appended to the bottom of the file. This option is similar to the tail option described above, except no formatting is applied. The user enters CTRL-C to exit the program.

    SAP util exe sim bytecount auditfile

This special option copies the specified audit file to standard output, pausing after the specified number of bytes is written. This mode of operation is generally used for test and demonstration.

SAP Adapter Licensing Instructions

The CorreLog Agent for SAP software is licensed software. On initial installation, the SAP adapter will create a 90-day evaluation license for itself, to permit easy evaluation of the product. To execute the program for longer than 90 days, you must contact support@correlog.com, or your CorreLog account manager, and send the SAP Site Identifier value to CorreLog support. Specific steps to license the program are as follows:

First, locate the wintools SAP adapter txt file. This text file contains the site identifier for the agent installation. This file always resides in the same folder as the CO sysmsg exe program, by default the file location CorreLog wintools SAP adapter txt.

Send the SAP adapter txt file to CorreLog support via e-mail. When this file is received, CorreLog will generate an auth.txt file for the SAP installation and e-mail you this file. The auth.txt file is a short text file containing encrypted license codes.

Once you have received the auth.txt file from CorreLog Support, save this file in the same location as the CO sysmsg exe and CO sysmsg log file, by default the location CorreLog wintools auth.txt, but possibly some other location at your site.

Stop and restart your agent, and verify that the SAP adapter is operating properly. You may check the CO sysmsg log file, located in the wintools folder, for SAP license and error messages.

Note that if the CorreLog Agent for SAP is not licensed, it will generate periodic error messages and will stop sending SAP data. The rest of the agent will continue to run uninterrupted, but no SAP messages will be sent. If the site identifier changes because the agent is relocated to a new platform, you may request another version of the auth.txt file from CorreLog support.

Finally, note that other licensing options and methods may be available. You should contact CorreLog support or your account manager for more information on license methods and options.

Common SAP Adapter Messages And Codes

| Event Class | Code | Severity | Description |
|---|---|---|---|
| Dialog Logon | AU2 | Error | Logon failed |
| Dialog Logon | AUM | Warning | User locked in client after erroneous password checks |
| Dialog Logon | AUN | Info | User in client unlocked after being locked due to invalid password |
| Dialog Logon | BUD | Error | WS Delayed logon failed. Refer to Web service log |
| Dialog Logon | AU1 | Info | Logon successful |
| Dialog Logon | AUO | Error | Logon failed |
| Dialog Logon | CUA | Warning | Rejected assertion |
| Dialog Logon | CUB | Notice | SAML 2.0 Logon |
| Dialog Logon | CUC | Notice | SAML 2.0 Logon |
| Dialog Logon | CUD | Debug | Subject Name ID |
| Dialog Logon | CUE | Debug | Attribute value |
| Dialog Logon | CUF | Notice | Authentication assertion |
| Dialog Logon | CUG | Error | Signed logout request rejected |
| Dialog Logon | CUH | Error | Unsigned logout request rejected |
| Dialog Logon | AUC | Info | User logoff |
| Dialog Logon | BUE | Notice | WS Delayed logon successful. Refer to Web service log |
| Dialog Logon | BUK | Debug | Assertion used |
| Dialog Logon | BUL | Notice | SAML 2.0 Logon |
| Dialog Logon | BUM | Debug | Subject Name ID |
| Dialog Logon | BUN | Debug | Attribute value |
| Dialog Logon | BUO | Notice | Authentication assertion |
| Dialog Logon | BUP | Notice | SAML 2.0 Logon |
| Dialog Logon | BUQ | Info | Signed logout request accepted |
| Dialog Logon | BUR | Notice | Unsigned logout request accepted |
| RFC CPIC Logon | AU6 | Error | RFC CPIC logon failed |
| RFC CPIC Logon | AU5 | Info | RFC CPIC logon successful |
| RFC Function Call | AUL | Error | Failed RFC call |
| RFC Function Call | CUW | Error | Failed Web service call |
| RFC Function Call | CUZ | Info | Generic table access by RFC with activity |
| RFC Function Call | AUK | Info | Successful RFC call |
| RFC Function Call | CUV | Info | Successful WS call |
| Transaction | AU4 | Error | Start of transaction failed |
| Transaction | AUP | Warning | Transaction locked |
| Transaction | AUQ | Notice | Transaction unlocked |
| Transaction | AU3 | Notice | Transaction started |
| Report | AUX | Error | Start report failed |
| Report | AUW | Notice | Report started |
| Master Change | AU7 | Warning | User created |
| Master Change | AUU | Notice | Object activated |
| Master Change | AU8 | Warning | User deleted |
| Master Change | AU9 | Warning | User locked |
| Master Change | AUA | Notice | User unlocked |
| Master Change | AUB | Warning | Authorizations for user were changed |
| Master Change | AUD | Critical | User master record was changed |
| Master Change | AUR | Warning | Object created |
| Master Change | AUS | Warning | Object deleted |
| Master Change | AUT | Warning | Object changed |
| Master Change | BU2 | Notice | Password changed for user in client |
| System | AUE | Critical | Audit configuration changed |
| System | AUF | Debug | Audit event for user in client |
| System | AUG | Info | Application server started |
| System | AUH | Critical | Application server stopped |
| System | AUI | Debug | Audit slot inactive |
| System | AUJ | Debug | Audit Activity status changed |
| Other Events | AUV | Error | Digital signature error |
| Other Events | BUO | Debug | Security audit log event |
| Other Events | BU1 | Error | Password check failed for user in client |
| Other Events | BU3 | Critical | Change security check during export |
| Other Events | BU4 | Critical | Transport request contains security critical source objects |
| Other Events | BU8 | Critical | Virus Scan Interface Virus found by profile |
| Other Events | BUG | Error | HTTP Security Session Management was deactivated for client |
| Other Events | BUY | Critical | Field contents changed |
| Other Events | BUZ | Critical | Audit event program line and event |
| Other Events | CUO | Debug | Security audit log event |
| Other Events | CUK | Critical | C debugging activated |
| Other Events | CUL | Critical | Field content changed |
| Other Events | CUM | Debug | Jump to ABAP Debugger |
| Other Events | CUN | Critical | A manually caught process was stopped from within the debugger |
| Other Events | CUO | Critical | Explicit database commit or rollback from debugger |
| Other Events | CUP | Debug | Non exclusive debugging session started |
| Other Events | CUY | Debug | Object operation |
| Other Events | AUY | Notice | Download bytes to file |
| Other Events | AUZ | Warning | Digital Signature |
| Other Events | BUS | Warning | ICF Recorder entry executed for user |
| Other Events | BU6 | Warning | ICF Recorder entry executed by user |
| Other Events | BU7 | Warning | Administration setting was changed for ICF Recorder |
| Other Events | BU9 | Error | Virus Scan Interface Error occurred in profile |
| Other Events | BUA | Error | WS Signature check error. Refer to Web service log |
| Other Events | BUB | Warning | WS Signature insufficient. Refer to Web service log |
| Other Events | BUC | Warning | WS Time stamp is invalid. Refer to Web service log |
| Other Events | BUH | Warning | HTTP Security Session of user and client was hard exited |
| Other Events | CUQ | Warning | Logical file name not configured. Physical file name not checked |
| Other Events | CUR | Warning | Physical file name does not meet requirements set by logical file name |
| Other Events | CUS | Warning | Logical file name is not a valid alias for logical file name |
| Other Events | CUT | Warning | No validation is active for logical file name |
| Other Events | AUO | Debug | Audit Test |
| Other Events | BUF | Notice | HTTP Security Session Management was activated |

For Additional Help And Information

Detailed specifications regarding the CorreLog Server, add-on components, and resources are available from our corporate website. Test software may be downloaded for immediate evaluation. Additionally, CorreLog is pleased to support proof of concepts, and provide technology proposals and demonstrations on request.

CorreLog, Inc., a privately held corporation, has produced software and framework components used successfully by hundreds of government and private operations worldwide. We deliver security information and event management (SIEM) software, combined with deep correlation functions, and advanced security solutions. CorreLog markets its solutions directly and through partners.

We are committed to advancing and redefining the state of the art of system management, using open and standards-based protocols and methods. Visit our website today for more information.

CorreLog, Inc.
http://www.CorreLog.com
mailto:support@CorreLog.com
