Console
    Start free

    Set up log ingestion for self-managed SAP systems

    This document explains how to ingest logs from your self-managed SAP systems and forward them to Google SecOps.

    Select your ingestion path

    In a self-managed SAP environment, the ingestion path depends on the log layer. To achieve comprehensive log coverage across your infrastructure and application layers, follow both paths described in this document:

    Log layer Log type Ingestion path
    Infrastructure logs
    		 ICM, Gateway, Web Dispatcher, and SAP HANA Audit logs Bindplane agent and Bindplane server
    Application logs
    		 Security Audit Logs and Change Documents Application Telemetry Collector, Bindplane agent, and Bindplane server

    Before you begin

    Before you start the ingestion process, ensure that you've completed the following steps:

    • Planning: Review the ingestion paths and technical requirements in the Plan for log ingestion guide.
    • Foundation: Provision your Google SecOps instance and complete the onboarding process in Google Cloud.
    • Bindplane setup: Install and configure the centralized Bindplane server as described in the Prepare your environment for log ingestion guide.
    • Network access: Ensure your network architecture allows the Bindplane server to receive incoming traffic on port 4317 (gRPC) from all agents, and the Bindplane agent to receive incoming traffic on the same port from the Application Telemetry Collector.
    • SAP preparation: Ensure your SAP system is prepared (service user, authorizations, and SNC) as described in the Prepare your environment for log ingestion guide.
    • Google Cloud resources: Ensure that you have configured the required Google Cloud resources, such as APIs, storage buckets, and IAM roles, as described in the Prepare your environment for log ingestion guide.

    Ingest infrastructure logs

    Follow this path to ingest logs from the SAP operating system and database layers, including SAP HANA Audit, ICM, and Gateway logs.

    Infrastructure log ingestion involves the following components:

    • Bindplane agent: A lightweight agent installed on each SAP application server. The agent tails local log files and forwards them to the Bindplane server.
    • Bindplane server: Receives the logs from Bindplane agents, batches the data, and forwards the data to the Google SecOps gateway.

    Install the Bindplane agents on SAP hosts

    To forward infrastructure logs, install the Bindplane agent on each SAP host by running the command generated in the Bindplane UI. For detailed instructions, see the Bindplane agent installation guide .

    To verify the installation, go to the Agentstab in the Bindplane UIand confirm that the agent is visible with a Connectedstatus.

    Configure the Bindplane pipeline

    For optimized log delivery, we recommend a two-step ingestion pipeline:

    1. SAP to Bindplane Gateway: Ingest logs from the SAP host and send them to the central Bindplane server. For more information, see Configure SAP host log collection .
    2. Bindplane Gateway to Google SecOps: Forward the processed logs from the Bindplane server to your Google SecOps instance. For more information, see Configure the Google SecOps destination .

    Configure the SAP host log collection

    A configuration defines the SAP log sources that you want to ingest, the processors for log normalization, and the Bindplane gateway destination, which is the Bindplane server. For more information, see Build Your First Configuration .

    Create the log collection configuration

    Define the basic settings for your log ingestion pipeline, including the agent type and platform.

    1. In the Bindplane UI, go to the Configurationstab.
    2. Click Create Configuration.
    3. Enter a Name, for example, sap-infra-logs .
    4. Select BDOT 1.x (Stable)as the Agent Type.
    5. Select Linuxas the Platform.
    6. Click Next.

    Add SAP log sources

    Define the specific log sources on your SAP host that you want the Bindplane agent to monitor. You can add multiple sources to a single configuration.

    For SAP ICM, SAP Gateway, and SAP Web Dispatcher

    To ingest standard text-based logs, add a Filesource:

    1. In the Add Sourcesstage, select the Filesource type.
    2. Enter a Short Description.
    3. In the File Path(s)field, enter the path to your SAP log files. For more information about the supported log sources and their default locations, see Review supported log sources .
    4. In the Log Typefield, enter the value that corresponds to the SAP log source that you are configuring, for example, SAP_ICM . For more information about the required values, see the mapping table in the Add the Google SecOps Standardization processorsection.
    5. Click Save.
    For SAP HANA Audit

    To ingest HANA Audit logs sent through syslog, add a Syslogsource:

    1. In the Add Sourcesstage, select the Syslogsource type.
    2. Enter a Short Description.
    3. Set the Listening IP Address, for example, 0.0.0.0 .
    4. Set the Listening Port, for example, 5140 .
    5. Set the Protocolto rfc3164 .
    6. Set the Transport Protocolto tcp or udp .
    7. In the Log Typefield, enter SAP_HANA_AUDIT .
    8. Click Save.

    Add destination

    Configure the central Bindplane server as the primary destination for all ingested logs.

    1. In the Add Destinationstage, select Bindplane Gateway.
    2. Enter the Hostnameor IP address of your Bindplane server.
    3. Ensure the Portis set to 4317 , which is the default OTLP gRPC.
    4. Select grpc as the Protocol.
    5. Click Save.

    Add the Google SecOps Standardization processor

    Apply normalization rules to your logs to ensure that they are compatible with the Google SecOps Unified Data Model (UDM).

    The Google SecOps Standardizationprocessor maps your raw SAP logs to specific Google SecOps log types. Selecting the correct Log Typeensures that Bindplane correctly interprets and normalizes data from sources like SAP ICM, Gateway, Web Dispatcher, and SAP HANA Audit for ingestion.

    1. In the configuration diagram, click Add Processoron the link between the source and destination.
    2. Select Google SecOps Standardization.
    3. Click Create New.
    4. Click Add Log Type.

    5. In the Log Typefield, enter the value that corresponds to the SAP log source that you're configuring. The following table shows the mapping between the SAP source and the required Google SecOps log type:

      SAP log source SecOps log type
      SAP ICM Logs SAP_ICM
      SAP Gateway Logs SAP_GATEWAY
      SAP Web Dispatcher Logs SAP_WEBDISP
      SAP HANA Audit Logs SAP_HANA_AUDIT

    6. Click Saveand then click Finish.

    Deploy the configuration to agents

    Once the configuration is ready, assign the configuration to your installed Bindplane agents.

    1. In the Bindplane UI, go to the Configurationstab.
    2. Select your new configuration, for example, sap-infra-logs .
    3. Click Add Agents.
    4. Select the SAP host Bindplane agents and click Apply.

    Configure the Google SecOps destination

    Once logs reach the central Bindplane server, configure a forwarder to send them to your Google SecOps instance. This involves creating a separate configuration for the Bindplane server that listens for incoming OTLP data from your SAP host agents.

    Create the log forwarding configuration

    Define the basic settings for the pipeline on your central Bindplane server.

    1. In the Bindplane UI, go to the Configurationstab.
    2. Click Create Configuration.
    3. Enter a Name, for example, sap-forwarder-secops .
    4. Select BDOT 1.x (Stable)as the Agent Type.
    5. Select Linuxas the Platform.
    6. Click Next.

    Add the Bindplane gateway source

    Configure an OpenTelemetry (OTLP) listener on the Bindplane server to receive logs from the agents installed on your SAP hosts.

    1. In the Add Sourcesstage, select the Bindplane Gatewaysource type.
    2. Enter a Short Description.
    3. In the Listen Addressfield, enter 0.0.0.0 .
    4. Ensure the Portis set to 4317 .
    5. Click Save.
    Add the Batch processor

    To prevent overwhelming the Google SecOps API, batch your requests.

    1. Click Add Processorand select Batch.
    2. Use the recommended defaults, usually 8192 units or a 200ms timeout.
    3. Click Save.

    Obtain Google SecOps credentials

    To securely forward logs to Google SecOps, obtain your ingestion authentication file and customer ID from the Google SecOps console.

    Google SecOps ingestion authentication file

    To download the ingestion authentication file, do the following:

    1. Open the Google SecOps console.
    2. Go to SIEM Settings > Collection Agent.

    3. Download the Google SecOps ingestion authentication file. Your next step depends on your transfer method:

      • gRPC: Use the downloaded ingestion authentication file.
      • HTTPS: Create a service account in the Google Cloud project linked to Google SecOps and assign the Chronicle Editorrole to the service account.
    Google SecOps customer ID

    To find the customer ID, do the following:

    1. Open the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy the customer ID from the Organization Detailssection.

    For more information, see Get Google SecOps customer ID .

    Create the Google SecOps destination in Bindplane

    Set up the final destination in Bindplane to securely forward your processed logs to Google SecOps.

    1. In the Bindplane UI, go to the Destinationstab and click Create Destination.
    2. Select Google SecOpsas the destination type.
    3. Enter a Name, for example, secops-destination .
    4. In the Customer IDfield, paste your Google SecOps customer ID.
    5. In the Credentialsfield, click Uploadand select the ingestion authentication file you downloaded, or paste the file content directly.
    6. Click Save.

    Confirm your log ingestion

    To verify the setup, do the following:

    1. In the Bindplane UI:
      1. Go to the Configurationstab and select your configuration.
      2. Click the Sourceor Destinationand select Recent Logsto see a livestream of data passing through the pipeline.
    2. In Google SecOps:
      1. Go to Search.
      2. Enter a UDM query to filter by your log type, for example, metadata.log_type = "SAP_ICM" . For instructions on searching and filtering logs, see Search and filter SAP logs .
      3. Confirm that logs are appearing and are correctly parsed into UDM fields.
      4. Open the Event Viewerto inspect the raw log and the normalized UDM fields. For example, verify that the Log Typein the UDM view matches your source, such as SAP_ICM , and that key fields like Principal Host( principal.host.hostname ) and relevant network or file details are populated.

    Ingest application logs

    Follow this path to ingest log types such as Security Audit Logs and Change Documents directly from the SAP application layer using the RFC protocol.

    Application log ingestion involves the following components:

    • Application Telemetry Collector: A containerized Java application that connects to your SAP application servers using the RFC protocol to extract security logs.
    • Bindplane server: Receives the logs from the Application Telemetry Collector and forwards them to Google SecOps.

    Prepare the collector host and dependencies

    Provision the infrastructure to run the collector and upload the necessary SAP libraries.

    • Infrastructure Instance: Provision a host to run the collector container.
      • Host options: You can use Compute Engine, on-premises servers, or container orchestration platforms like GKE.
      • Specifications: Use a standard Linux distribution, such as Debian 11 or 12, with Docker Engine 20.10 or later.
      • Network: The host requires internal network access to the Bindplane server and outbound access to your SAP server and Cloud Storage.
      • Continuity: Ensure the host is "always-on" to prevent log gaps. Don't use serverless platforms like Cloud Run.
      • Identity (Within Google Cloud): Attach the service account created in the Configure Google Cloud resources section to the VM. In the console, set Access Scopesto Allow full access to all Cloud APIs.
      • Identity (Outside Google Cloud): Use service account keys or Workload Identity Federation .
    • SAP Java Connector (JCo) and SNC libraries: Upload the SAP connector and cryptographic files to the jco/ folder in your Cloud Storage bucket. You create the jco/ folder as described in the Configure Google Cloud resources guide.
      • SAP JCo: Download sapjco3.jar and libsapjco3.so from the SAP Support Portal and upload them to the jco/ folder. Ensure you download the version matching your host architecture (ARM or x86).
      • SNC Libraries: If you use SNC, download libslcryptokernel.so and libsapcrypto.so from the SAP portal, and then upload them to the jco/ folder. For instructions on how to download the .SAR file and extract the files by using the sapcar utility, see the SAP documentation .

    Configure the collector

    Create a collector_config.json file to define your SAP connections and the logs you want to ingest.

    Once you have defined the configuration, upload the collector_config.json file to the config/ folder in the Cloud Storage bucket you created in the Configure Google Cloud resources section.

    Configuration example and field descriptions

    Use the following JSON example to create your collector configuration file and refer to the field descriptions for detailed parameter information.

      { 
  
 "systems" 
 : 
  
 [ 
  
 { 
  
 "system_id" 
 : 
  
 " PRD-HANA 
" 
 , 
  
 "connection" 
 : 
  
 { 
  
 "host" 
 : 
  
 " sap-prd.internal.net 
" 
 , 
  
 "client" 
 : 
  
 "100" 
 , 
  
 "system_number" 
 : 
  
 "00" 
 , 
  
 "language" 
 : 
  
 "en" 
  
 }, 
  
 "auth" 
 : 
  
 { 
  
 "basic" 
 : 
  
 { 
  
 "username_secret" 
 : 
  
 "projects/ my-project-123 
/secrets/ sap-collector-user 
/versions/latest" 
 , 
  
 "password_secret" 
 : 
  
 "projects/ my-project-123 
/secrets/ sap-collector-pass 
/versions/latest" 
  
 } 
  
 }, 
  
 "log_sources" 
 : 
  
 [ 
  
 { 
  
 "log_type" 
 : 
  
 "SAP_SECURITY_AUDIT" 
 , 
  
 "interval" 
 : 
  
 "60s" 
  
 }, 
  
 { 
  
 "log_type" 
 : 
  
 "SAP_CHANGE_DOCUMENT" 
 , 
  
 "interval" 
 : 
  
 "300s" 
 , 
  
 "change_document_object_classes" 
 : 
  
 [ 
 "PFCG" 
 , 
  
 "IDENTITY" 
 ] 
  
 } 
  
 ], 
  
 "initial_lookback_window" 
 : 
  
 "86400s" 
 , 
  
 "sap_timezone" 
 : 
  
 "UTC" 
  
 }, 
  
 { 
  
 "system_id" 
 : 
  
 " DEV-HANA-SNC 
" 
 , 
  
 "connection" 
 : 
  
 { 
  
 "host" 
 : 
  
 " sap-dev.internal.net 
" 
 , 
  
 "client" 
 : 
  
 "200" 
 , 
  
 "system_number" 
 : 
  
 "01" 
 , 
  
 "language" 
 : 
  
 "en" 
  
 }, 
  
 "auth" 
 : 
  
 { 
  
 "x509" 
 : 
  
 { 
  
 "snc_name" 
 : 
  
 " p:CN=SAP-Collector,O=MyCompany,C=US 
" 
 , 
  
 "snc_partner_name" 
 : 
  
 " p:CN=SAP-Server-DEV,O=MyCompany,C=US 
" 
 , 
  
 "snc_qop" 
 : 
  
 "3" 
 , 
  
 "x509_cert_secret" 
 : 
  
 "projects/ my-project-123 
/secrets/ sap-x509-cert 
/versions/latest" 
  
 } 
  
 }, 
  
 "log_sources" 
 : 
  
 [ 
  
 { 
  
 "log_type" 
 : 
  
 "SAP_SECURITY_AUDIT" 
 , 
  
 "interval" 
 : 
  
 "120s" 
  
 } 
  
 ], 
  
 "initial_lookback_window" 
 : 
  
 "3600s" 
 , 
  
 "sap_timezone" 
 : 
  
 "UTC" 
  
 } 
  
 ], 
  
 "bindplane_host" 
 : 
  
 "127.0.0.1" 
 , 
  
 "bindplane_port" 
 : 
  
 4317 
 , 
  
 "heartbeat_enabled" 
 : 
  
 true 
 , 
  
 "heartbeat_interval" 
 : 
  
 "30s" 
 , 
  
 "heartbeat_metric_name" 
 : 
  
 "custom/sap/collector_heartbeat" 
 , 
  
 "jco_pse_secret" 
 : 
  
 "projects/ my-project-123 
/secrets/ sap-collector-pse 
/versions/latest" 
 , 
  
 "jco_cred_secret" 
 : 
  
 "projects/ my-project-123 
/secrets/ sap-collector-cred 
/versions/latest" 
 }

    The following table describes the fields in the collector_config.json file.

    Section
    Field
    Description
    System Connection ( systems )
    List of systems to monitor.
    system_id
    A unique label for the system, for example, PRD . In the example, replace PRD-HANA with your specific label.
    sap_timezone
    The timezone of the SAP application server, for example, UTC . This is critical for accurate log querying.
    initial_lookback_window
    How far back the collector looks for logs on its first run, for example, "86400s" for 24 hours.
    connection
    Contains the following RFC connection parameters:
    • host : The FQDN or IP of your SAP server. Replace sap-prd.internal.net in the example.
    • client : The 3-digit SAP client, for example, "100" .
    • system_number : The 2-digit instance number, for example, "00" .
    • language : The logon language, defaults to "en" .
    Authentication ( auth )
    Choose one of the authentication methods.
    basic
    Username and password authentication. Provide the full Secret Manager paths for username_secret and password_secret . These secrets must contain the credentials of the SAP service user created in the preparation guide. For more information, see Basic authentication .
    x509 (SNC)
    Secure Network Communication authentication. For setup instructions, see Secure Network Communication (SNC) . Provide the following:
    • snc_name : The SNC name.
    • snc_partner_name : The SNC identity of the SAP Application Server.
    • snc_qop : (Optional) The Quality of Protection level required by the SAP server, for example, 3 for end-to-end data privacy and payload encryption.
    • x509_cert_secret : (Optional) The full Secret Manager path to the secret containing the collector_cert.crt file. For more information, see Store SNC artifacts in Secret Manager .
    Log Sources ( log_sources )
    Defines logs and frequency.
    log_type
    The type of log to ingest. Options include:
    • SAP_SECURITY_AUDIT
    • SAP_CHANGE_DOCUMENT
    For more information, see Review supported log sources .
    interval
    The polling frequency for this specific log source, for example, "30s" .
    change_document_object_classes
    (Optional) Used only for SAP_CHANGE_DOCUMENT . A list of specific SAP object classes to track, for example, ["MATERIAL", "USER"] .
    Global Collector Settings
    Applied to the entire instance.
    bindplane_host

    The hostname or IP address of your Bindplane agent, such as localhost or 10.0.0.5 .

    We recommend deploying Bindplane agent on the same host as Application Telemetry Collector. In this configuration, set the bindplane_host value to localhost .

    bindplane_port
    The port number the Bindplane server listens on. Default is 4317 .
    heartbeat_enabled
    A boolean, which is true or false , to toggle a "stay-alive" metric.
    heartbeat_interval
    How often the heartbeat metric is sent to Monitoring through Bindplane. Must be a string followed by "s", for example, "30s" . Defaults to 60s .
    heartbeat_metric_name
    (Optional) The name that appears in your monitoring dashboard for this heartbeat, for example, sap_collector_status . Defaults to sap_appl_telemetry_collector_heartbeat .
    jco_pse_secret
    The full Secret Manager path to the secret containing the PSE file (for example, sapcrypto.pse ). For more information, see Store SNC artifacts in Secret Manager .
    jco_cred_secret
    The full Secret Manager path to the secret containing the cred_v2 file. For more information, see Store SNC artifacts in Secret Manager .

    Deploy the collector

    Run the Application Telemetry Collector as a Docker container on your host machine.

    Prepare host directory and credentials (external hosts)

    If your host machine is outside Google Cloud, such as on-premises or in another cloud, then prepare the configuration directory and credentials:

    1. Create the directory: Create the designated configuration directory:

       sudo  
mkdir  
-p  
/etc/sap-collector

    2. Prepare credentials: For hosts outside of Google Cloud, you can provide a service account key or configure Workload Identity Federation (WIF).

    Run the collector container

    Choose the deployment command that matches your host environment:

    Google Cloud

    Use this command if your host runs on Google Cloud and uses an attached Service Account for authentication.

     docker  
run  
-d  
 \ 
  
--name  
sap-telemetry-collector  
 \ 
  
--restart  
always  
 \ 
  
--network  
host  
 \ 
  
-e  
 COLLECTOR_GCS_BUCKET 
 = 
gs:// YOUR_BUCKET_NAME 
  
 \ 
  
 COLLECTOR_IMAGE_PATH

    External host

    Use this command if your host is outside Google Cloud. This command uses the Docker volume mount ( -v ) to link your host's /etc/sap-collector directory to the container's /tmp/keys directory, and the GOOGLE_APPLICATION_CREDENTIALS environment variable ( -e ) to point the collector to your creds.json key.

     docker  
run  
-d  
 \ 
  
--name  
sap-telemetry-collector  
 \ 
  
--restart  
always  
 \ 
  
--network  
host  
 \ 
  
-v  
/etc/sap-collector:/tmp/keys:ro  
 \ 
  
-e  
 GOOGLE_APPLICATION_CREDENTIALS 
 = 
/tmp/keys/creds.json  
 \ 
  
-e  
 COLLECTOR_GCS_BUCKET 
 = 
gs:// YOUR_BUCKET_NAME 
  
 \ 
  
 COLLECTOR_IMAGE_PATH

    Replace the following:

    • YOUR_BUCKET_NAME : The name of the Cloud Storage bucket where you uploaded the SAP JCo libraries and the collector_config.json file. Ensure the value follows the format gs://BUCKET_NAME without trailing slashes or subdirectories.

    • COLLECTOR_IMAGE_PATH : The URI of the collector image. The collector is available to download from the following regional Artifact Registry paths:

      • us-docker.pkg.dev/sap-core-eng-products/sap-application-telemetry/google-cloud-sap-application-telemetry: TAG
      • europe-docker.pkg.dev/sap-core-eng-products/sap-application-telemetry/google-cloud-sap-application-telemetry: TAG
      • asia-docker.pkg.dev/sap-core-eng-products/sap-application-telemetry/google-cloud-sap-application-telemetry: TAG

      Replace TAG with the version of the collector image that you want to download, for example, latest . For more information about how tags work, see Artifact Registry container concepts .

    Install the Bindplane agent on the Application Telemetry Collector host

    To forward application logs, install the Bindplane agent on the Application Telemetry Collector host by running the command generated in the Bindplane UI. For detailed instructions, see the Bindplane agent installation guide .

    To verify the installation, go to the Agentstab in the Bindplane UIand confirm that the agent is visible with a Connectedstatus.

    Configure the Bindplane gateway

    Configure a gateway in the Bindplane UI to receive logs from the Application Telemetry Collector and forward them to Google SecOps.

    Create the log forwarding configuration

    Define the basic settings for the pipeline on your central Bindplane server.

    1. In the Bindplane UI, go to the Configurationstab.
    2. Click Create Configuration.
    3. Enter a Name, for example, sap-app-logs .
    4. Select BDOT 1.x (Stable)as the Agent Type.
    5. Select Linuxas the Platform.
    6. Click Next.
    Add the Bindplane gateway source

    Configure an OpenTelemetry (OTLP) listener on the Bindplane server to receive logs from the Application Telemetry Collector.

    1. In the Add Sourcesstage, select the Bindplane Gatewaysource type.
    2. Enter a Short Description.
    3. In the Listen Addressfield, enter 0.0.0.0 .
    4. Ensure the Portis set to 4317 (gRPC) and ensure that your host's firewall allows traffic on this port.
    5. Click Save.
    Add the Batch processor

    To prevent overwhelming the Google SecOps API, batch your requests.

    1. Click Add Processorand select Batch.
    2. Use the recommended defaults, usually 8192 units or a 200ms timeout.
    3. Click Save.
    Obtain Google SecOps credentials

    To securely forward logs to Google SecOps, obtain your ingestion authentication file and customer ID from the Google SecOps console.

    Google SecOps ingestion authentication file

    To download the ingestion authentication file, do the following:

    1. Open the Google SecOps console.
    2. Go to SIEM Settings > Collection Agent.

    3. Download the Google SecOps ingestion authentication file. Your next step depends on your transfer method:

      • gRPC: Use the downloaded ingestion authentication file.
      • HTTPS: Create a service account in the Google Cloud project linked to Google SecOps and assign the Chronicle Editorrole to the service account.
    Google SecOps customer ID

    To find the customer ID, do the following:

    1. Open the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy the customer ID from the Organization Detailssection.
    Create the Google SecOps destination in Bindplane

    Set up the final destination in Bindplane to securely forward your processed logs to Google SecOps.

    1. In the Bindplane UI, go to the Destinationstab and click Create Destination.
    2. Select Google SecOpsas the destination type.
    3. Enter a Name, for example, secops-destination .
    4. In the Customer IDfield, paste your Google SecOps customer ID.
    5. In the Credentialsfield, click Uploadand select the ingestion authentication file you downloaded, or paste the file content directly.
    6. Click Save.
    Add the Monitoring destination

    To monitor the health of your collectors within Monitoring, ensure that heartbeat metrics are enabled and routed through the gateway.

    1. Click Add Destinationand select Google Cloud Monitoring.
    2. In the Project IDfield, enter your Google Cloud project ID.
    3. In the Authenticationfield, select Autoif your Bindplane server is running on a Google Cloud instance. Otherwise, provide your Service Account credentials.
    4. Click Save.

    Deploy the configuration to agents

    Once the configuration is ready, assign the configuration to your installed Bindplane agents.

    1. In the Bindplane UI, go to the Configurationstab.
    2. Select your new configuration, for example, sap-app-logs .
    3. Click Add Agents.
    4. Select the Bindplane agent on the Application Telemetry Collector host and click Apply.

    Confirm your log ingestion

    To ensure the setup is working correctly, follow the verification steps in Confirm your log ingestion .

    When verifying application-layer logs in Google SecOps, use a UDM query to filter by your specific log type, for example, metadata.log_type = "SAP_CHANGE_DOCUMENT" . For more information, see Search and filter SAP logs .

    Get support

    For issues related to Google SecOps for SAP, contact Google SecOps support . Our team provides assistance or guides you to the right resource to help ensure a timely resolution.

    For issues involving SAP systems or the LogServ service, contact SAP support. For issues related to other third-party products, such as Bindplane, contact the appropriate third-party vendor for assistance.

    Get technical answers and peer support in the Google SecOps Community .

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: