Collect SAP logs
Google SecOps supports the ingestion and normalization of business-critical telemetry from your SAP landscape. Whether your landscape is managed by SAP (SAP RISE) or self-managed (on-premises or any cloud), you can collect the following logs to monitor for security events:
- Infrastructure logs: Capture events from the operating system and database layers, such as SAP HANA Audit, ICM, and Gateway logs.
- Application logs: Capture security-relevant business events directly from the SAP application layer, such as Security Audit Logs and Change Documents.
To ingest these logs, Google SecOps uses a combination of ingestion mechanisms:
- SAP LogServ: In SAP RISE environments, pulls infrastructure logs from cloud-based storage.
- Application Telemetry Collector: A containerized application that extracts application logs using the Remote Function Call (RFC) protocol.
- Bindplane: A log management platform that provides agents for host log collection and a centralized server for log forwarding and normalization.
For more information about Google SecOps for SAP, see Secure SAP applications with Google SecOps.
Before you begin
Before you start the ingestion process, review the following guides:
- Plan for log ingestion: Select an ingestion path and verify technical requirements.
- Prepare your environment for log ingestion: Configure Google Cloud resources and SAP systems.
Log ingestion overview
To ingest SAP logs, first determine the architecture of your SAP environment. The ingestion path depends on whether your environment is managed by SAP (RISE) or self-managed.
SAP RISE ingestion path
Use this path if your SAP landscape is managed under the SAP RISE program. In an SAP RISE environment, the ingestion path involves the following:
- Infrastructure logs: SAP LogServ writes logs to cloud-based storage. Google SecOps pulls these logs through feeds.
- Application logs: The Application Telemetry Collector extracts logs using the RFC protocol and forwards them through a Bindplane server to Google SecOps.
For more information, see Set up log ingestion for SAP RISE.
Self-managed ingestion path
Use this path if you manage your own SAP landscape in an on-premises environment or in the cloud. For self-managed environments, the ingestion path involves the following:
- Infrastructure logs: Bindplane agents installed on your SAP hosts tail the log files and forward them through a central Bindplane server to Google SecOps.
- Application logs: A central Application Telemetry Collector connects to your SAP instances to extract logs and forwards them through the Bindplane server to Google SecOps.
For more information, see Set up log ingestion for self-managed SAP systems.
Supported log types
The following table lists the SAP log sources that Google SecOps supports and their corresponding log types:
SAP_ICM
SAP_GATEWAY
SAP_WEBDISP
SAP_HANA_AUDIT
SAP_CHANGE_DOCUMENT
SAP_SECURITY_AUDIT
UDM field mappings
Google SecOps normalizes incoming SAP logs into the Unified Data Model (UDM) so that you can search for data and run detections. For a detailed field-by-field reference of how SAP data maps to UDM fields, see UDM mapping for SAP logs.