Collect SAP HANA audit logs in Microsoft Sentinel
This article explains how to collect audit logs from your SAP HANA database.
Microsoft Sentinel SAP HANA support is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
If you have SAP HANA database audit logs configured with Syslog, you'll also need to configure your Log Analytics agent to collect the Syslog files.
Collect SAP HANA audit logs
1. Make sure that the SAP HANA audit log trail is configured to use Syslog, as described in SAP Note 0002624117, which is accessible from the SAP Launchpad support site. For more information, see:
2. Check your operating system Syslog files for any relevant HANA database events.
3. Install and configure a Log Analytics agent on your machine:
   a. Sign in to your HANA database operating system as a user with sudo privileges.
   b. In the Azure portal, go to your Log Analytics workspace. On the left pane, under Settings, select Agents management > Linux servers.
   c. Under Download and onboard agent for Linux, copy the code that's displayed in the box to your terminal, and then run the script.
      The Log Analytics agent is installed on your machine and connected to your workspace. For more information, see Install Log Analytics agent on Linux computers and OMS Agent for Linux on the Microsoft GitHub repository.
   d. Refresh the Agents Management > Linux servers tab to confirm that you have 1 Linux computers connected.
4. On the left pane, under Settings, select Agents configuration, and then select the Syslog tab.
5. Select Add facility to add the facilities you want to collect.
   Because the facilities where HANA database events are saved can change between different distributions, we recommend that you add all facilities, check them against your Syslog logs, and then remove any that aren't relevant.
6. In Microsoft Sentinel, check to confirm that HANA database events are now shown in the ingested logs.
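One way to do the final check and the facility cleanup in a single pass is a query over the Syslog table in your workspace. This is an added example, not part of the original article: the host name and the marker string that identifies HANA audit entries are placeholders you must replace with values taken from your own Syslog files.

```kusto
// Added example. Both values below are placeholders; replace them before running.
let hanaHost = "<hana-hostname>";        // Computer name of the HANA database host
let hanaMarker = "<hana-audit-marker>";  // text that identifies HANA audit entries in your Syslog files
Syslog
| where TimeGenerated > ago(24h)
| where Computer startswith hanaHost
// Flag records that look like HANA audit entries, by message text or process name
| extend IsHana = SyslogMessage contains hanaMarker or ProcessName contains hanaMarker
| summarize
    TotalEvents    = count(),
    HanaEvents     = countif(IsHana),
    FirstHanaEvent = minif(TimeGenerated, IsHana),
    LastHanaEvent  = maxif(TimeGenerated, IsHana),
    HanaProcesses  = make_set_if(ProcessName, IsHana, 5)
    by Facility
// Share of each facility's volume that is HANA audit data
| extend HanaSharePercent = round(100.0 * HanaEvents / TotalEvents, 1)
| order by HanaEvents desc, TotalEvents desc
```

Facilities that show zero HanaEvents over a representative period are the candidates to remove on the Syslog tab. A LastHanaEvent that is hours old on a busy database suggests the agent or the audit trail stopped forwarding.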
Learn more about the Microsoft Sentinel Solution for SAP:
- Deploy Microsoft Sentinel Solution for SAP
- Prerequisites for deploying Microsoft Sentinel Solution for SAP
- Deploy SAP Change Requests (CRs) and configure authorization
- Deploy and configure the container hosting the SAP data connector agent
- Deploy SAP security content
- Deploy the SAP data connector with SNC
- Enable and configure SAP auditing
- Troubleshoot your Microsoft Sentinel Solution for SAP deployment
- Configure SAP Transport Management System
- Microsoft Sentinel Solution for SAP data reference
- Microsoft Sentinel Solution for SAP: security content reference
- Kickstart script reference
- Update script reference
- Systemconfig.ini file reference
For more information, see Microsoft Sentinel solutions.