aINFOSECas2012g

Connector SAP real time multi folder incl. filename with date + logfile rotation


I configured successfully the ArcSight SmartConnector SAP real time multi folder incl. file name with date.

Due to the massive log volume, SAP support recommended a log rotation, once the file size reaches 100MB, which is already in place.

Now the file names look like the following:

SAPID_audit_20130112_000001

SAPID_audit_20130112_000002

SAPID_audit_20130112_000003

SAPID_audit_20130112_000004

SAPID_audit_20130112_000005

How can I implement this dynamic in the static SAP real time multi folder Connector?

I assume it has something to do with the rotationscheme.

As of today the specific file config looks like this:

agent[0].sapfoldertable[0].sapauditlogfilenames='SAPID_audit_'yyyyMMdd

Do you have any idea how to implement the dynamic in the filename?

Andro


Accepted Solutions
aINFOSECas2012g

Re: Connector SAP real time multi folder incl. filename with date + logfile rotation


Hi Community

I solved the issue with the log rollover names from SAP with the following trick:

I created a symbolic link pointing always to the latest, up-to-date SAP audit log.

A cronjob (running every 15 min) takes care of the symbolic link and redirects the link in case a new audit log is available in the log folder.

The ArcSight Connector is configured in a way to monitor the symbolic link only, which provides a static, fixed name. In case the symbolic link switches to another audit log from SAP, the SmartConnector identifies the change and imports all new log entries...

### cron routine:

```sh
# $ID (file name prefix to match) and $Path (log folder) are assumed to be set
# earlier in the cron script; that part is not shown here.

# identify the newest file containing a special pattern and link this file for the new connector input
ln -sf "$(ls -t $ID* | head -1)" "$(ls -t $ID* | head -1 | awk -F audit '{print $1}')IS_actual"

# create a log entry with the actual status
logger "==ArcSight SIEM: SAPaudit rollover follow job== $Path:: $(file *IS_actual)"
```

Hope that helps others...

Andro
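The same rollover-follow idea, written out as a complete cron script. This is an added example, not Andro's script and not part of the ArcSight product: the folder path, the `SAP_ID` prefix, the link name `SAPID_IS_actual`, the `run` argument and the exit codes are assumptions chosen for the example. It keeps the design from the post (a fixed-name symbolic link that the SmartConnector watches, refreshed by cron), but picks the newest file by the zero-padded date and sequence number in the name rather than by `ls -t`, and swaps the link in with an atomic rename.

```shell
#!/bin/sh
# Added example (not Andro's cron script): follow SAP audit log rotation with a
# fixed-name symbolic link that the ArcSight SmartConnector watches.
#
# Assumptions (not from the original post):
#   LOG_DIR  - folder holding the rotated audit logs (default is a placeholder)
#   SAP_ID   - file name prefix, e.g. SAPID for SAPID_audit_20130112_000001
#   LINK     - fixed name the connector is configured to read
LOG_DIR="${LOG_DIR:-/path/to/sap/audit/logs}"
SAP_ID="${SAP_ID:-SAPID}"
LINK="${SAP_ID}_IS_actual"

# newest_audit_log DIR PREFIX
# Prints the name of the newest rotated log, or nothing if none matches.
# The rotation scheme embeds a zero-padded date and sequence number, so a
# plain byte-order sort yields rotation order; this avoids `ls -t`, whose
# mtime ordering breaks if a file is touched, copied or restored from backup.
# The pattern also excludes the link itself, which a bare PREFIX* glob matches.
newest_audit_log() {
    ls -1 "$1" 2>/dev/null \
        | grep -E "^${2}_audit_[0-9]{8}_[0-9]{6}\$" \
        | LC_ALL=C sort \
        | tail -n 1
}

# update_link DIR PREFIX LINK
# Repoints DIR/LINK at the newest log. Exit status: 0 = link changed,
# 1 = already current, 2 = no matching log, 3 = filesystem error.
update_link() {
    dir=$1; prefix=$2; link=$3
    newest=$(newest_audit_log "$dir" "$prefix")
    [ -n "$newest" ] || return 2
    current=$(readlink "$dir/$link" 2>/dev/null || true)
    if [ "$current" = "$newest" ]; then
        return 1
    fi
    # Build the new link under a temporary name and rename it into place:
    # rename is atomic, so the connector never observes a missing link,
    # which `ln -sf` (unlink, then create) cannot guarantee.
    tmp_link="$dir/$link.tmp.$$"
    ln -s "$newest" "$tmp_link" || return 3
    mv -f "$tmp_link" "$dir/$link" || return 3
    return 0
}

# Cron entry point: `sap_follow.sh run` every 15 minutes, as in the post.
# Running the file without "run" (or sourcing it) only defines the functions.
if [ "${1:-}" = "run" ]; then
    rc=0
    update_link "$LOG_DIR" "$SAP_ID" "$LINK" || rc=$?
    case $rc in
        0) logger -t sapaudit-follow "link $LINK now -> $(readlink "$LOG_DIR/$LINK")" ;;
        1) logger -t sapaudit-follow "link $LINK unchanged" ;;
        2) logger -t sapaudit-follow "no ${SAP_ID}_audit_* file found in $LOG_DIR" ;;
        *) logger -t sapaudit-follow "failed to update $LINK in $LOG_DIR (rc=$rc)" ;;
    esac
    exit 0
fi
```

The link target is a bare file name, so it stays valid as a relative link inside the log folder, and the connector's `sapauditlogfilenames` entry can point at the fixed `SAPID_IS_actual` name. Distinct exit codes let the syslog line say whether the link actually moved, which is the event worth alerting on if the rollover job stops keeping up with SAP.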

johan

Re: Connector SAP real time multi folder incl. filename with date + logfile rotation


Nice work, Andro!

I will try this solution, thank you!

/Johan
