Monitor the health and role of your SAP systems
After you deploy the SAP solution, you want to ensure that your SAP systems function and perform properly, and keep track of system health, connectivity, and performance. This article describes how to check connectivity health manually on the data connector page and how to use a dedicated alert rule template to monitor the health of your SAP systems.
Important
Monitoring the health of your SAP systems is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
For a video demonstration of the procedures in this article, watch the following video:
Prerequisites
- Before you can perform the procedures in this article, you need to have an SAP data connector agent deployed and connected to your SAP system. SAP logs aren't displayed in the Microsoft Sentinel Logs page until your SAP system is connected and data starts streaming into Microsoft Sentinel.
For more information, see Deploy and configure the container hosting the SAP data connector agent.
Check your data connector's health and connectivity
This procedure describes how to check your data connector's connection status from the Microsoft Sentinel for SAP data connector page.
In Microsoft Sentinel, select Data connectors and search for Microsoft Sentinel for SAP.
Select the Microsoft Sentinel for SAP connector and select Open connector page.
In the Configuration > 2. Configure an SAP system and assign it to a collector agent area, view details about the health of your SAP systems.
The fields in the Configure an SAP system and assign it to a collector agent area are described as follows:
System display name. The SAP system ID (SID) and its client number. Together, this value qualifies the connection to the SAP system and defines for SAP BASIS which system you're connecting to.
System role. Indicates whether the system is a production system or not, which also affects billing. For more information, see Solution pricing. Values include:
| Value | Description |
| --- | --- |
| Production | The system is defined by the SAP admin as a production system. |
| Unknown (Production) | Microsoft Sentinel couldn't retrieve the system status. Microsoft Sentinel regards this type of system as a production system for both security and billing purposes. In such cases, we recommend that you check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider updating the SAP connector to the latest version. |
| Non production | Indicates roles like developing, testing, and customizing. |

Agent name. Unique ID of the installed data connector agent.
Health. Indicates whether the SID is healthy. To troubleshoot health issues, review the container execution logs and review other troubleshooting steps. Values include:
| Value | Description |
| --- | --- |
| System healthy (green icon) | Indicates that Microsoft Sentinel identified both logs and a heartbeat from the system. |
| System Connected – unauthorized to collect role, production assumed (yellow icon) | Microsoft Sentinel doesn't have sufficient permissions to define whether the system is a production system. In this case, Microsoft Sentinel defines the system as a production system. In such cases, check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider updating the SAP connector to the latest version. |
| Connected with errors (yellow icon) | Connection was successful but Microsoft Sentinel detected errors when fetching the system role and doesn't have the details of whether the system is or isn't a production system. |
| System not connected | Microsoft Sentinel was unable to connect to the SAP system, and cannot fetch the system role. In this case, Microsoft Sentinel doesn't have the details of whether the system is or isn't a production system. |
| Other statuses that reflect more details about connectivity issues | For example, System unreachable for over 1 day. |
View SAP logs streaming into Microsoft Sentinel
In Microsoft Sentinel, select General > Logs > Custom logs to view the logs streaming in from the SAP system.
For more information, see Microsoft Sentinel solution for SAP applications solution logs reference.
Use an alert rule template to monitor the health of your SAP systems
The Microsoft Sentinel for SAP solution includes an alert rule template designed to give you insight into the health of your SAP agent's data collection.
The rule needs at least seven days of loading history to detect the different seasonality patterns. We recommend a value of 14 days for the alert rule Look back parameter to allow detection of weekly activity profiles.
Once activated, the rule judges the recent telemetry and log volume observed on the workspace according to the history learned. The rule then alerts on potential issues, dynamically assigning severities according to the scope of the problem.
To turn on the analytics rule in Microsoft Sentinel, select Analytics > Rule templates, and locate the SAP - Data collection health check alert rule.
The analytics rule does the following:
- Evaluates signals sent from the agent.
- Evaluates telemetry data.
- Evaluates alerts on log continuation and other system connectivity issues, if any are found.
- Learns the log ingestion history, and therefore works better with time.
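The seasonality reasoning above, as an added example (not the rule template's actual logic and not code from the solution): a baseline keyed by hour of week, built from constructed hourly log counts, with assumed severity thresholds. It shows why a quiet weekend is not flagged while a drop on a Monday morning is, and why less than seven days of history can't cover every weekly slot.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def slot(ts):
    """Hour-of-week bucket (0..167): Monday 09:00 is compared with other Mondays at 09:00."""
    return ts.weekday() * 24 + ts.hour

def build_baseline(history):
    """history: iterable of (hour_start, log_count). Returns {slot: median count}."""
    buckets = defaultdict(list)
    for ts, count in history:
        buckets[slot(ts)].append(count)
    return {s: median(counts) for s, counts in buckets.items()}

def assess(baseline, recent, drop_ratio=0.25):
    """Compare recent hourly counts with the learned weekly profile.
    Severity follows scope: the share of recent hours whose volume fell below
    drop_ratio * baseline. All thresholds are assumptions for this example."""
    if len(baseline) < 7 * 24:  # under seven days: some weekly slots never observed
        return "InsufficientHistory", []
    low = [ts for ts, count in recent if count < drop_ratio * baseline[slot(ts)]]
    share = len(low) / len(recent)
    if share == 0:
        return "Healthy", low
    return ("High" if share >= 0.75 else "Medium" if share >= 0.25 else "Low"), low

def constructed_volume(ts):
    """Constructed profile: busy weekday office hours, near-silent weekends."""
    if ts.weekday() >= 5:
        return 5
    return 400 if 8 <= ts.hour < 18 else 40

def hours(start, n):
    return [start + timedelta(hours=i) for i in range(n)]

# Constructed 14-day history starting on a Monday (two samples per weekly slot).
HISTORY = [(ts, constructed_volume(ts)) for ts in hours(datetime(2024, 1, 1), 14 * 24)]
BASELINE = build_baseline(HISTORY)
# Quiet Saturday that matches the learned weekend profile.
SATURDAY = [(ts, 5) for ts in hours(datetime(2024, 1, 20, 8), 6)]
# Monday morning with almost no logs arriving.
OUTAGE = [(ts, 3) for ts in hours(datetime(2024, 1, 22, 8), 6)]
# Same Monday, only the last two of six hours affected.
PARTIAL = [(ts, 400) for ts in hours(datetime(2024, 1, 22, 8), 4)] + OUTAGE[4:]

if __name__ == "__main__":
    for name, window in [("saturday", SATURDAY), ("outage", OUTAGE), ("partial", PARTIAL)]:
        print(name, assess(BASELINE, window)[0])
```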
The following screenshot shows an example of an alert generated by the SAP - Data collection health check alert rule:
Next steps
- Learn about the Microsoft Sentinel Solution for SAP.
- Learn how to deploy the Microsoft Sentinel Solution for SAP.
- Learn about auditing and health monitoring in other areas of Microsoft Sentinel.