適用於 SAP 應用程式 systemconfig.json 檔案參考的 Microsoft Sentinel 解決方案

• 適用於:

  Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal

systemconfig.json檔案可用來設定 SAP 應用程式資料連接器代理程式Microsoft Sentinel 的行為。 本文說明組態檔每個區段中可用的選項。

本文中的內容適用於您的 SAP BASIS 小組。

重要

Microsoft適用於 SAP 應用程式的 Sentinel 解決方案會 針對 2023 年 6 月 22 日或之後發行的代理程式版本使用 systemconfig.json 檔案。 針對先前的代理程式版本，您仍然必須使用 systemconfig.ini 檔案。

整體檔案結構

下列程式代碼顯示檔案的整體結構 systemconfig.json ：

{ 

"<SID_GUID>": { 

    "secrets_source": {...},

    "abap_central_instance": {...},

    "azure_credentials": {...},

    "file_extraction_abap": {...},

    "file_extraction_java": {...},

    "logs_activation_status" {...},

    "connector_configuration": {...},

    "abap_table_selector":: {...}

...

}

下表描述檔案中的每個 systemconfig.json 整體區段：

區段名稱	描述
秘密來源	定義儲存認證的位置。
ABAP 中央實例	定義要連線之 SAP 實例的一般選項。
Azure 認證	定義要連線到 Azure Log Analytics 的認證。
檔案擷取 ABAP	定義使用 SAPControl 介面從 ABAP 伺服器擷取的記錄和認證。
檔案擷取 JAVA	定義使用 SAPControl 介面從 JAVA 伺服器擷取的記錄和認證。
記錄啟用狀態	定義從 ABAP 擷取的記錄。
連接器組態	定義其他連接器選項。
ABAP 數據表選取器	定義從 ABAP 系統擷取哪些使用者主要數據記錄。

秘密來源

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"secrets_source": {
  "secrets": "AZURE_KEY_VAULT|DOCKER_FIXED",
  # Storage location of SAP credentials and Log Analytics workspace ID and key
  # AZURE_KEY_VAULT - store in an Azure Key Vault. Requires keyvault option and intprefix option
  # DOCKER_FIXED - store in systemconfig.json file. Requires user, passwd, loganalyticswsid and publickey options

  "keyvault": "<vaultname>",
  # Azure Keyvault name, in case secrets = AZURE_KEY_VAULT

  "intprefix": "<prefix>"
  # intprefix - Prefix for variables created in Azure Key Vault

    },

ABAP 中央實例

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"abap_central_instance": {
      "auth_type": "PLAIN_USER_AND_PASSWORD|SNC_WITH_X509",
      # Authentication type - username/password authentication, or X.509 authentication

      "ashost": "<hostname>",
      # FQDN, hostname, or IP address of the ABAP server

      "mshost": "<hostname>",
      # FQDN, hostname, or IP address of the Message server

      "msserv": "<portnumber>",
      # Port number, or service name (from /etc/services) of the message server

      "group": "<logon group>",
      # Logon group of the message server

      "sysnr": "<Instance number>",
      # Instance number of the ABAP server

      "sysid": "<SID>",
      # System ID of the ABAP server

      "client": "<Client Number>",
      # Client number of the ABAP server

      "user": "<username>",
      # Username to use to connect to ABAP server. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

      "passwd": "<password>",
      # Password to use to connect to ABAP server. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

      "snc_lib": "<path to libsapcrypto>",
      # Full path, to the libsapcrypto.so
      # Used when SNC is in use
      # !!! Note - the path must be valid within the container.

      "snc_partnername": "<distinguished name of the server certificate>",
      # p: -prefixed valid SAP server SNC name, which is equal to Distinguished Name(DN) of SAP server PSE
      # Used when SNC is in use

      "snc_qop": "<SNC protection level>",
      # More information available at docs.oracle.com/cd/E19509-01/820-5064/ggrpj/index.html
      # Used when SNC is in use

      "snc_myname": "<distinguished name of the client certificate>",
      # p: -prefixed valid client SNC name, which is equal to Distinguished Name(DN) of client PSE
      # Used when SNC is in use

      "x509cert": "<server certificate>"
      # Base64 encoded server certificate value in a single line (with leading ----BEGIN-CERTIFICATE--- and trailing ----END-CERTIFICATE---- removed)
    },

Azure 認證

注意

請先移除所有批注，再使用此檔案進行設定和部署。

 "azure_credentials": {
      "loganalyticswsid": "<workspace ID>",
      # Log Analytics workspace ID. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

      "publickey": "<publickey>"
      # Log Analytics workspace primary or secondary key. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

    },

檔案擷取 ABAP

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"file_extraction_abap": {
      "osuser": "<SAPControl username>",
      # Username to use to authenticate to SAPControl

      "ospasswd": "<SAPControl password>",
      # Password to use to authenticate to SAPControl

      "appserver": "<server>",
      #SAPControl server hostname/fqdn/IP address

      "instance": "<instance>",
      #SAPControl instance number

      "abapseverity": "<severity>",
      # 0 = All logs ; 1 = Warning ; 2 = Error

      "abaptz": "<timezone>"
      # GMT FORMAT
      # example - For OS Timezone = NZST (New Zealand Standard Time) use abaptz = GMT+12
    },

檔案擷取 JAVA

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"file_extraction_java": {
      "javaosuser": "<username>",
      # Username to use to authenticate to JAVA server

      "javaospasswd": "<password>",
      # Password to use to authenticate to JAVA server

      "javaappserver": "<server>",
      #JAVA server hostname/fqdn/IP address

      "javainstance": "<instance number>",
      #JAVA instance number

      "javaseverity": "<severity>",
      # 0 = All logs ; 1 = Warning ; 2 = Error

      "javatz": "<timezone>"
      # GMT FORMAT
      # example - For OS Timezone = NZST (New Zealand Standard Time) use abaptz = GMT+12

    },

記錄啟用狀態

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"logs_activation_status": {
      # GMT FORMAT
      # example - For OS Timezone = NZST (New Zealand Standard Time) use abaptz = GMT+12
      "ABAPAuditLog": "<True/False>",
      "ABAPJobLog": "<True/False>",
      "ABAPSpoolLog": "<True/False>",
      "ABAPSpoolOutputLog": "<True/False>",
      "ABAPChangeDocsLog": "<True/False>",
      "ABAPAppLog": "<True/False>",
      "ABAPWorkflowLog": "<True/False>",
      "ABAPCRLog": "<True/False>",
      "ABAPTableDataLog": "<True/False>",
      
      # The following logs are retrieved using SAP Control interface and OS Login
      "ABAPFilesLogs": "<True/False>",
      "SysLog": "<True/False>",
      "ICM": "<True/False>",
      "WP": "<True/False>",
      "GW": "<True/False>",
      
      # The following logs are retrieved using SAP Control interface and OS Login
      "JAVAFilesLogs": "<True/False>",

連接器設定

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"connector_configuration": {
      "extractuseremail": "<True/False>",
      "apiretry": "<True/False>",
      "auditlogforcexal": "<True/False>",
      "auditlogforcelegacyfiles": "<True/False>",
      "azure_resource_id": "<Azure _ResourceId>",
      "timechunk": "<value>"
    },

ABAP 數據表選取器

注意

請先移除所有批注，再使用此檔案進行設定和部署。

"abap_table_selector": {
      # Specify True or False to configure whether table should be collected from the SAP system

      "AGR_TCODES_FULL": "<True/False>",
      "USR01_FULL": "<True/False>",
      "USR02_FULL": "<True/False>",
      "USR02_INCREMENTAL": "<True/False>",
      "AGR_1251_FULL": "<True/False>",
      "AGR_USERS_FULL": "<True/False>",
      "AGR_USERS_INCREMENTAL": "<True/False>",
      "AGR_PROF_FULL": "<True/False>",
      "UST04_FULL": "<True/False>",
      "USR21_FULL": "<True/False>",
      "ADR6_FULL": "<True/False>",
      "ADCP_FULL": "<True/False>",
      "USR05_FULL": "<True/False>",
      "USGRP_USER_FULL": "<True/False>",
      "USER_ADDR_FULL": "<True/False>",
      "DEVACCESS_FULL": "<True/False>",
      "AGR_DEFINE_FULL": "<True/False>",
      "AGR_DEFINE_INCREMENTAL": "<True/False>",
      "PAHI_FULL": "<True/False>",
      "PAHI_INCREMENTAL": "<True/False>",
      "AGR_AGRS_FULL": "<True/False>",
      "USRSTAMP_FULL": "<True/False>",
      "USRSTAMP_INCREMENTAL": "<True/False>",
      "SNCSYSACL_FULL": "<True/False>",
      "USRACL_FULL": "<True/False>"
    }

相關內容

如需詳細資訊，請參閱

• 部署和設定裝載 SAP 資料連接器代理程式的容器
• 針對 SAP 應用程式解決方案部署Microsoft Sentinel 解決方案進行疑難解答
• 快速啟動指令碼參考