...
Transaction Code - This field is mandatory and is used to filter on a specific transaction code that is noted within the security audit log. To extract data from all transactions, enter a wildcard value (i.e. “*”).
Client - This field is mandatory and is used to filter on a specific client of the SAP system that is noted within the security audit log. To extract data from all the clients, enter a wildcard value (i.e. “*”).
User - This field is mandatory and is used to filter on a specific user that is noted within the security audit log. To extract data for all the users, enter a wildcard value (i.e. “*”).
Security Level - This field is mandatory and is used to filter on a specific 'Security Level' message that is noted within the security audit log. To extract data for all security level, enter a wildcard value (i.e. “*”).
Grp - This field is mandatory and represents the system log message group. To extract data for all message groups, enter a wildcard value.
N - This field is mandatory and represents the message group sub-name. To extract data for all the message group sub-names, enter a wildcard value.
Message Text - This field is mandatory and represents the message text from the system log. To extract data for all messages, enter a wildcard value.
INCL/EXCL - This field is mandatory and is an exclusion or inclusion criteria. To exclude the values defined in the selection criteria enter an “E“ in the field. Similarly, to include the values defined in the selection criteria enter an “I” in the field.
Active - This field is mandatory and is a checkbox used to enable or disable the filter criteria. To activate the filter criteria, ensure the checkbox is checked. Conversely, if you would like to disable data collection ensure the checkbox is unchecked.
Here is an example of what the filter can look like once it is filled out:
...
Splunk Event
The event will look like this in Splunk:
...
The data displayed will match the data collected and sent to Splunk.
...
Field Mapping
Field | Description | Unit of Measure |
|---|---|---|
ALGAREA | System Log: Group of 36 System Log Messages | String |
ALGCLIENT | Client | Number |
ALGDATE | SecAudit: Date audit entry created | YYYYMMDD |
ALGFILENO | SysLog: File number | Number |
ALGFILEPOS | SysLog: File offset | Number |
ALGINST | SAP Instance Name | String |
ALGLTERM | SecAudit: Terminal name | String |
ALGREPNA | Program Name | String |
ALGSUBID | System log: Third character of message name | String |
ALGSYSTEM | Server Name | String |
ALGTASKNO | Work process number | Number |
ALGTASKTYPE | System log: SAP process name | String |
ALGTCODE | Transaction Code | String |
ALGTEXT | SecAudit: Text part of displayed Security Audit Log message | String |
ALGTIME | SecAudit: Time at which audit entry was created | HHMMSS |
ALGUSER | User Name in User Master Record | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | SM20 | String |
IPADDRESS | Terminal | IP Address |
PARAM1 | SysLog: variable message data | String |
PARAM2 | SysLog: variable message data | String |
PARAM3 | SysLog: variable message data | String |
PARAM4 | SysLog: variable message data | String |
TXSEVERITY | System audit log: Security level text format | String |
TXSUBCLSID | System audit log: Security class text format | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |