
KB 126 - Splunking HANA Audit log

To send the HANA audit logs to Splunk, first enable auditing by following the steps below:

  1. Ensure that the user SAPABAP1 has the AUDIT READ system privilege

  2. In SAP HANA Studio, expand the system on which you would like to enable auditing

  3. Expand the ‘Security’ folder

  4. Double-click the ‘Security’ option

  5. Click on the Auditing Status drop down menu; by default it will be ‘Disabled.’

  6. Select ‘Enabled.’

  7. Ensure that the “Audit Trail Target” is set to “Database Table” and hit “Deploy”

  8. Create the necessary audit policy. This is the data that will eventually be sent to Splunk
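The same setup can be expressed in SQL, which is easier to review and repeat than the Studio clicks. This is an added example, not part of the original KB: the policy names and the choice of audited actions are assumptions, and the statements assume an administrative user holding AUDIT ADMIN and INIFILE ADMIN.

```sql
-- Added example: SQL equivalent of the Studio steps above.
-- Policy names (KB126_*) are hypothetical; pick actions that match your needs.

-- Step 1: let the extractor user read the audit trail table.
GRANT AUDIT READ TO SAPABAP1;

-- Steps 5-7: enable auditing and write the trail to the database table
-- ("Database Table" in Studio corresponds to CSTABLE).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true',
      ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- Step 8: audit privilege and role changes (assumed scope).
CREATE AUDIT POLICY KB126_PRIV_CHANGES
  AUDITING SUCCESSFUL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
  LEVEL INFO;
ALTER AUDIT POLICY KB126_PRIV_CHANGES ENABLE;

-- Step 8 (continued): audit failed logons (assumed scope).
CREATE AUDIT POLICY KB126_FAILED_LOGON
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL ALERT;
ALTER AUDIT POLICY KB126_FAILED_LOGON ENABLE;

-- Check: both policies exist and are active.
SELECT AUDIT_POLICY_NAME, EVENT_ACTION, EVENT_STATUS, EVENT_LEVEL,
       IS_AUDIT_POLICY_ACTIVE
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME LIKE 'KB126_%';

-- Check: run as SAPABAP1 to confirm AUDIT READ works and entries are
-- landing in the table the extractor reads.
SELECT TOP 20 "TIMESTAMP", USER_NAME, AUDIT_POLICY_NAME, EVENT_ACTION,
       EVENT_STATUS, STATEMENT_STRING
  FROM AUDIT_LOG
 ORDER BY "TIMESTAMP" DESC;
```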

Once these changes are done, log in to the SAP system and ensure that the metric HDB_DBCC_AUDIT is enabled by following the steps below:

  1. Go to the /n/bnwvs/main transaction

  2. Choose Administrator → Setup Group Def from the menu

  3. Ensure that the extractor is stopped and hit Enter on the keyboard

  4. Ensure that the checkmark in the column “Active” is selected for Group Definition “HDB_DBCC_AUDIT”

After these actions, the HANA audit information will appear in Splunk. Confirm that the data is onboarded by running the SPL “EVENTYPE :: HDB_DBCC_AUDIT” in Splunk.