Data Description
The HDB_DBCC_AUDIT event is used to collect SAP HANA audit logs. As a prerequisite, auditing must be configured and enabled on the DB side. More information is available here: Activate and Configure Auditing - SAP Help Portal
The extractor requires the AUDIT READ system privilege to read the log (the privilege must be assigned to the SAP DB user).
Potential Use Cases
Auditing gives you visibility into who did what in the SAP HANA database (or tried to do what) and when. This allows you, for example, to log and monitor read access to sensitive data. The audit log allows you to monitor and record selected actions performed in the SAP HANA database.
...
Changes to user authorization
Creation or deletion of database objects
Authentication of users
Changes to system configuration
Access to or changing of sensitive information
Splunk Event
The event will look like this in Splunk:
...
SAP Navigation
The audit log is available at DB level.
Field Mapping
Field | Description | Unit of Measure |
---|---|---|
ACTION_GROUP | ID of the group of audit actions | Number |
ACTION_GROUP_DESCRIPTION | Description for the group of audit actions | String |
APPLICATION_USER_NAME | Name of the application user | String |
AUDIT_POLICY_NAME | Name of the Audit Policy hit | String |
CLIENT_HOST | IP of the client host | IP Address |
CLIENT_IP | IP of the client application | IP Address |
CLIENT_PID | PID of the client process | String |
CLIENT_PORT | Port of the client process | Number |
COMMENT | Any extra information on the event | String |
CONNECTION_ID | ID of the connection | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_ACTION | Action performed by the audit event | String |
EVENT_LEVEL | Severity Level of the event | String |
EVENT_STATUS | Whether the event was successful or not | String |
EVENT_SUBTYPE | | String |
EVENT_TYPE | HDB_DBCC_AUDIT | String |
FILE_NAME | Configuration file which was changed | String |
GRANTABLE | Whether the privilege/role being granted is grantable or not | String |
GRANTEE | The grantee in GRANT/REVOKE statements | String |
HOST | Name of the host where the event occurred | String |
KEY | Attribute being changed | String |
LOGTIME | Time the event occurred | YYYYMMDDHHMMSS |
OBJECT_NAME | Name of object | String |
ORIGIN_DATABASE_NAME | Origin database name on cross database queries | String |
ORIGIN_USER_NAME | Origin user name on cross database queries | String |
PORT | Port number | Number |
PREV_VALUE | Old value of the attribute | String |
PRIVILEGE_NAME | Name of privilege granted | String |
ROLE_NAME | Name of role granted | String |
SCHEMA_NAME | Name of schema | String |
SECTION | Configuration which was changed | String |
SERVICE_NAME | Name of the service | String |
STATEMENT_STRING | The SQL statement which caused the event | String |
USER_NAME | Name of user connected to the database | String |
UTCDIFF | The UTC offset in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time-zone-adjusted date and time the data was collected in. | + or - |
VALUE | New value of the attribute | String |
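
The following is an added example, not part of the extractor or of the original page: a small triage routine that sorts HDB_DBCC_AUDIT events into two of the use cases listed under Potential Use Cases (changes to user authorization, changes to system configuration) by looking at which fields from the Field Mapping table are populated. The sample events and their values are constructed, and the assumption that authorization events fill GRANTEE/PRIVILEGE_NAME/ROLE_NAME while configuration events fill FILE_NAME/SECTION/KEY is inferred from the field descriptions.

```python
from collections import Counter

# Field names are taken from the Field Mapping table. Which fields a given
# audit action populates is an assumption made for this example.
AUTHZ_FIELDS = ("GRANTEE", "PRIVILEGE_NAME", "ROLE_NAME")
CONFIG_FIELDS = ("FILE_NAME", "SECTION", "KEY")

def has_any(event, names):
    """True if at least one of the named fields is present and non-blank."""
    return any(str(event.get(n) or "").strip() for n in names)

def triage(event):
    """Map one HDB_DBCC_AUDIT event to (category, one-line summary)."""
    if event.get("EVENT_TYPE") != "HDB_DBCC_AUDIT":
        return "ignored", "not a HANA audit event"
    who = f'{event.get("USER_NAME") or "?"}@{event.get("CLIENT_IP") or "?"}'
    if has_any(event, CONFIG_FIELDS):
        return "configuration_change", (
            f'{who} set {event.get("FILE_NAME")}[{event.get("SECTION")}] '
            f'{event.get("KEY")}: {event.get("PREV_VALUE")!r} -> {event.get("VALUE")!r}')
    if has_any(event, AUTHZ_FIELDS):
        granted = event.get("PRIVILEGE_NAME") or event.get("ROLE_NAME") or "?"
        return "authorization_change", (
            f'{who} changed {granted} for {event.get("GRANTEE") or "?"} '
            f'(GRANTABLE={event.get("GRANTABLE") or "?"})')
    return "other", f'{who} policy={event.get("AUDIT_POLICY_NAME") or "?"}'

# Constructed sample events (not real extractor output).
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "HDB_DBCC_AUDIT", "USER_NAME": "DBADMIN", "CLIENT_IP": "10.0.0.5",
     "GRANTEE": "REPORT_USER", "PRIVILEGE_NAME": "AUDIT READ", "GRANTABLE": "TRUE"},
    {"EVENT_TYPE": "HDB_DBCC_AUDIT", "USER_NAME": "SYSTEM", "CLIENT_IP": "10.0.0.9",
     "FILE_NAME": "global.ini", "SECTION": "auditing configuration",
     "KEY": "global_auditing_state", "PREV_VALUE": "true", "VALUE": "false"},
    {"EVENT_TYPE": "HDB_DBCC_AUDIT", "USER_NAME": "APPUSER", "CLIENT_IP": "10.0.0.7",
     "AUDIT_POLICY_NAME": "EXAMPLE_POLICY"},
]

def summarize(events):
    """Count events per category and collect the summaries for review."""
    results = [triage(e) for e in events]
    return Counter(cat for cat, _ in results), [msg for _, msg in results]

if __name__ == "__main__":
    counts, lines = summarize(SAMPLE_EVENTS)
    print(dict(counts))
    print("\n".join(lines))
```

The second constructed event shows why PREV_VALUE and VALUE are worth keeping in the summary: a configuration change that switches auditing itself off is visible only from the old and new values.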