/
KB 126 - Splunking HANA Audit log

KB 126 - Splunking HANA Audit log

To be able to send the HANA Audit logs to splunk, you need to first enable the auditing by following the steps below:

  1. Ensure that the user SAPABAP1 has the AUDIT READ system privilage

  2. In the SAP HANA Studio expand the system on which you would like to enable auditing

  3. Expand the ‘Security’ folder

  4. Double click on ‘Security' option

  5. Click on the Auditing Status drop down menu; by default it will be ‘Disabled.’

  6. Select ‘Enabled.’

  7. Ensure that the “Audit Trail Target” is set to “Database Table“ and hit “Deploy”

  8. Create the necessary Audit policy. This is the data that will eventually be splunked

Once these changes are done, login to the SAP system and ensure that the metric HDB_DBCC_AUDIT is enabled by following the steps below:

  1. Goto /n/bnwvs/main transaction

  2. Choose Adminsitrator → Setup Group Def from the menu

  3. Ensure that the extractor is stopped and hit enter on the key board

  4. Ensure that the checkmark in the column “Active” is selected for Group Definition ”HDB_DBCC_AUDIT”

With these actions you will see that HANA audit information in Splunk and ensure that the data is onboarded by running the SPL “EVENTYPE :: HDB_DBCC_AUDIT“ in Splunk.

 

Related content

KB 127 - Splunking Historical data
KB 127 - Splunking Historical data
Read with this
Release Notes for Splunk App v7.3.0
Release Notes for Splunk App v7.3.0
More like this
Create an HTTP Event Collector (HEC)
Create an HTTP Event Collector (HEC)
More like this
Configuring Splunk Connection in PowerConnect for SAP HANA DB
Configuring Splunk Connection in PowerConnect for SAP HANA DB
More like this
PowerConnect for SAP HANA DB Agent Installation
PowerConnect for SAP HANA DB Agent Installation
More like this