Collect SAP HANA audit logs in Microsoft Sentinel

This article explains how to collect audit logs from your SAP HANA database.

Important

Microsoft Sentinel SAP HANA support is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

If you have SAP HANA database audit logs configured with Syslog, you'll also need to configure your Log Analytics agent to collect the Syslog files.

Collect SAP HANA audit logs

  1. Make sure that the SAP HANA audit log trail is configured to use Syslog, as described in SAP Note 0002624117, which is accessible from the SAP Launchpad support site. For more information, see:

  2. Check your operating system Syslog files for any relevant HANA database events.

  3. Install and configure a Log Analytics agent on your machine:

    1. Sign in to your HANA database operating system as a user with sudo privileges.

    2. In the Azure portal, go to your Log Analytics workspace. On the left pane, under Settings, select Agents management > Linux servers.

    3. Under Download and onboard agent for Linux, copy the code that's displayed in the box to your terminal, and then run the script.

    The Log Analytics agent is installed on your machine and connected to your workspace. For more information, see Install Log Analytics agent on Linux computers and OMS Agent for Linux on the Microsoft GitHub repository.

  4. Refresh the Agents Management > Linux servers tab to confirm that you have 1 Linux computers connected.

  5. On the left pane, under Settings, select Agents configuration, and then select the Syslog tab.

  6. Select Add facility to add the facilities you want to collect.

    Tip

    Because the facilities where HANA database events are saved can change between different distributions, we recommend that you add all facilities, check them against your Syslog logs, and then remove any that aren't relevant.

  7. In Microsoft Sentinel, check to confirm that HANA database events are now shown in the ingested logs.

Next steps

Learn more about the Microsoft Sentinel Solution for SAP:

Troubleshooting:

Reference files:

For more information, see Microsoft Sentinel solutions.