Data Description
The SM20 event is used in SAP to view the security audit log.
Potential Use Cases
This event could be used in the following scenarios:
Dashboard audit log messages to view messages by criticality
Alert on specific audit log messages
Correlate the data from the system audit log with other data points such as user log-ins and authorization objects to identify potential malicious behavior.
Metric Filters
This filter is used to select or exclude specific messages from the audit log and is an optional configuration to control data volume sent to Splunk. To access the metric filter log into the managed system and execute the /n/bnwvs/main transaction. Then go to Administrator → Metric Filters → More → SM20 Audit log filter.
Then select the New Entries button, and enter the user selection parameters using the fields below, and save the configuration:
Transaction Code - This field is mandatory and is used to filter on a specific transaction code that is noted within the security audit log. To extract data from all transactions, enter a wildcard value (i.e. “*”).
Grp - This field is mandatory and represents the system log message group. To extract data for all message groups, enter a wildcard value.
N - This field is mandatory and represents the message group sub-name. To extract data for all the message group sub-names, enter a wildcard value.
Message Text - This field is mandatory and represents the message text from the system log. To extract data for all messages, enter a wildcard value.
INCL/EXCL - This field is mandatory and is an exclusion or inclusion criteria. To exclude the values defined in the selection criteria enter an “E“ in the field. Similarly, to include the values defined in the selection criteria enter an “I” in the field.
Active - This field is mandatory and is a checkbox used to enable or disable the filter criteria. To activate the filter criteria, ensure the checkbox is checked. Conversely, if you would like to disable data collection ensure the checkbox is unchecked.
Here is an example of what the filter can look like once it is filled out:
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Log into the managed system and execute the SM20 transaction. Then fill in the desired user selection parameters and hit the Reread Audit Log.
The data displayed will match the data collected and sent to Splunk.
Field Mapping
Field | Description | Unit of Measure |
---|---|---|
ALGAREA | System Log: Group of 36 System Log Messages | String |
ALGCLIENT | Client | Number |
ALGDATE | SecAudit: Date audit entry created | YYYYMMDD |
ALGFILENO | SysLog: File number | Number |
ALGFILEPOS | SysLog: File offset | Number |
ALGINST | SAP Instance Name | String |
ALGLTERM | SecAudit: Terminal name | String |
ALGREPNA | Program Name | String |
ALGSUBID | System log: Third character of message name | String |
ALGSYSTEM | Server Name | String |
ALGTASKNO | Work process number | Number |
ALGTASKTYPE | System log: SAP process name | String |
ALGTCODE | Transaction Code | String |
ALGTEXT | SecAudit: Text part of displayed Security Audit Log message | String |
ALGTIME | SecAudit: Time at which audit entry was created | HHMMSS |
ALGUSER | User Name in User Master Record | String |
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | SM20 | String |
IPADDRESS | Terminal | IP Address |
PARAM1 | SysLog: variable message data | String |
PARAM2 | SysLog: variable message data | String |
PARAM3 | SysLog: variable message data | String |
PARAM4 | SysLog: variable message data | String |
TXSEVERITY | System audit log: Security level text format | String |
TXSUBCLSID | System audit log: Security class text format | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |