Absent Member.

Do you use SAP?

As you may be aware, or not, ArcSight is getting ready to deliver real-time integration with SAP. The integration will differ from the current SAP connector as it will not leverage the SAP log files. So if you have ever wanted to track user activity within SAP, but haven't been able to due to the overhead of the SAP logs, we have a solution coming.

We want your feedback on the soon-to-be-released use cases, as well as input into the future roadmap direction. If you have an interest in learning more or participating, please post here or email me at clockton@arcsight.com.

If you are joining us at Protect ‘09 we will have a station in the Innovation Lab where we will be showing the capabilities as well. Find me after the Monday morning keynotes in the booth.

Thanks

Curt Lockton

Absent Member.

Hello Curt,

We have been asking for a network capable SAP connector for years and it's good to hear that someone might be working on this. Will it be able to collect events from multiple SAP systems from a central connector server (using SAP's "RFC" API)?

Minimum requirements would be all logon/logoff and available administrative events. I might be able to give more helpful feedback if you could provide more information on what is implemented/planned so far.

Thanks!

Tobias

Absent Member.

Tobias,

Yes, we can collect events from multiple systems. We will be deploying an SAP transport that will need to be installed in the target SAP landscape(s), and we will be collecting logon/logoff information in real time.

The use cases we will be enabling in the short term are:

· Track Disabled Account Access
· Track Retiree Account Access
· Fraudulent User Application Access: login events and correlation on ESM using an Active List.
· Transaction Monitoring: using user activity events.
· Account Violations: using login events.
· Data Monitoring: combine user login and user activity events.
· Internal and external threat information: collected user activity events.
· Administrative Account: combination of IdM connector and SAP Adapter user login events.
· Unused privileges.
· Reusing temporary access to a specific application. The system can detect if somebody logs in using any temporary access after its first use and can flag this as a violation of policy.
· Anomaly on a user using different

Please let me know your thoughts. Will you be coming to Protect?

Curt

Absent Member.

Hello Curt,

Sorry for the long delay. The SAP requirement just popped up again. Has there been any progress on the remote SAP connector? Is there a chance to join a beta test? We need to monitor quite a few new SAP systems in the next couple of months so the new connector would be very helpful.

Your list of use cases seems to be pretty extensive and I can't think of anything missing, at least on a generic level.

Thanks,

Tobias

Absent Member.

Tobias,

We are making strong progress around SAP. If you still have an interest, please let me know.

clockton@arcsight.com

Curt

Absent Member.

Yes, we're still very interested. I've sent you an e-mail.

Absent Member.

Hi Curt,

We are working on installing the SAP SmartConnector, but we are not sure what the difference in features will be between Real Time and Real Time Multi-Folder.

We are working on a single SAP server, with three profiles, multiple SIDs and multiple instances. I am just the ArcSight guy and do not have a good knowledge of SAP.

My questions are:

1. Does SAP have only one Security Audit Log per server, or is there a Security Audit Log per SID/instance/profile?

2. If there are multiple Security Audit Logs, can we still use the Real Time SmartConnector, or should we use the Real Time Multi-Folder SmartConnector?

3. If we use the Real Time Multi-Folder SmartConnector on the single Security Audit Log SAP, will there be any extra resources, like CPU, RAM, etc., required to run it compared with just the Real Time SmartConnector?

Thanks,

Peter

Absent Member.

Does anyone have a parser override?

The Realtime Multifolder SAP SmartConnector does not appear to be able to parse SAP audit events at either 4.6c or 4.7 and higher.

Build 5.1.3.5870.0 installed on Solaris 10

The following sample is from the agent.log:

SAP 4.7 and higher >>>
[2011-06-02 12:52:59,002][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [2AUK20110602125258000813700003D3        SOLMAN_BTC                      SAPMSSY1                    ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
[2011-06-02 12:52:59,003][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [            1071CRM_DNO_TOOLS&SAPLCRM_DNO_TOOLS&CRM_DNO_READ_DOCFLOW_CRM                            ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
[2011-06-02 12:52:59,003][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [2AUK20110602125258000813700003D3        SOLMAN_BTC                      SAPMSSY1                    ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
[2011-06-02 12:52:59,003][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [            1071DSWP_CI&SAPLDSWP_CI&SUP_CRM_F4                                                      ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
[2011-06-02 12:52:59,003][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [2AUK20110602125258000813700003D3        SOLMAN_BTC                      SAPMSSY1                    ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
[2011-06-02 12:52:59,003][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [            1071BP_CENTRAL_PERSON&SAPLBP_CENTRAL_PERSON&BP_CENTRALPERSON_GET                        ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
<<<
SAP 4.6c >>>
agent.log.9:[2011-06-02 12:52:12,223][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR6420110522091954001565100027B1        KAB01                           RSN3_STAT_COLLECTOR                     1021 CMINIT(SAP)                          ThCPICSCPIC-Erthxxcpic3624] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,223][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [pE0A20110521212922002801700016B1        SOLMAN                          /SDF/RSORAVSH                           1301&a#0000000000001&b/SDF/RSORAVSH                                 ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,223][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR6420110522091954001564600026B1        KAB01                           RSAL_BATCH_TOOL_DISPATCHING             1021 CMINIT(SAP)                          ThCPICSCPIC-Erthxxcpic3624] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,223][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [nD0120110521212922002801700016B1        SOLMAN                          /SDF/RSORAVSH                           1301DB                  612                                         ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,224][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR4920110522092103001564600026B1        KAB01                           RSAL_BATCH_TOOL_DISPATCHING             1021017236                                ThCPICSCPIC-Erthxxcpic3611] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,224][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR4920110522092103001565100027B1        KAB01                           RSN3_STAT_COLLECTOR                     1021017236                                ThCPICSCPIC-Erthxxcpic3611] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,224][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [pE0A20110521214822002801700016B1                                        RSBTCRTE                                   1&aBATCH-ADMIN&b100                                              ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,224][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR6420110522092103001565100027B1        KAB01                           RSN3_STAT_COLLECTOR                     1021 CMINIT(SAP)                          ThCPICSCPIC-Erthxxcpic3624] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,225][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [nD0120110521214822002801700016B1                                        RSBTCRTE                                   100                  560                                         ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,225][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR6420110522092103001564600026B1        KAB01                           RSAL_BATCH_TOOL_DISPATCHING             1021 CMINIT(SAP)                          ThCPICSCPIC-Erthxxcpic3624] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,225][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR4920110522101954001565100027B1        KAB01                           RSN3_STAT_COLLECTOR                     1021017236                                ThCPICSCPIC-Erthxxcpic3611] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,225][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [pE0A20110521220822002801700016B1                                        RSBTCRTE                                   1&aBATCH-ADMIN&b100                                              ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
agent.log.9:[2011-06-02 12:52:12,226][WARN ][default.com.arcsight.agent.sdk.a.o][parseValues] Message [mR4920110522101954001564600026B1        KAB01                           RSAL_BATCH_TOOL_DISPATCHING             1021017236                                ThCPICSCPIC-Erthxxcpic3611] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...
Absent Member.

Hello All,

Has anyone got more information on this new connector? Is it different from the out-of-the-box SAP connector from Arcsight?

Regards

San

Absent Member.

We have made great progress on the SAP Monitoring Solution. Please feel free to contact me if you'd like more information.

Below is a high-level introduction.

ArcSight Enterprise View for SAP enables organizations to comprehensively monitor SAP security from the infrastructure layer up through transactions. The solution is composed of more than 100 use cases to address every facet of SAP security monitoring. The foundation for the solution is the use of the ArcSight Security Information and Event Management (SIEM) platform to monitor the entire infrastructure that supports an SAP implementation, from security and network devices to servers and databases, ensuring detection of attempts to breach SAP security both inside and outside of the application.

Working with SAP security experts and auditors, ArcSight has identified four key drivers for in-depth monitoring:

Fraud and Error: Whether malicious or unintentional, organizations lose millions of dollars each year due to fraud and errors. The Institute of Internal Auditors estimates that 0.1%–0.5% of all invoices are duplicate payments. These errors can be the result of overtasked personnel, changes in processes, mergers and acquisitions, temporary staff, or intentional fraud.

SAP BASIS and Misuse of Privilege: Privileged users (e.g., SAP Basis administrators and database administrators) have the highest level of access and permissions and can inflict significant damage to operations. This is one of the highest risk sources within an organization.

Audit and Compliance Automation: Various compliance and audit processes involve time-consuming, manual tasks, such as reporting on access to customer credit card data or monitoring segregation-of-duties exceptions. With appropriate integration and data analytics, many of these processes can be automated or streamlined.

360-Degree Security: Security threats to SAP can originate from within the application or can be completely external. An accounts payable user’s workstation may be compromised via a brute force attack or social engineering. That machine’s access to SAP now poses a security risk to SAP itself. These types of threats require monitoring not only of SAP, but also supporting infrastructure (servers, databases, network) and all points of access to SAP.

We use an ABAP connector to extract the data.

Connector Overview
The architecture for the SAP data extractor has been designed and developed to extract master data, transaction records and transaction status information while having a minimal impact on the SAP system. By doing this, the ArcSight platform is then able to take full advantage of available data.

Functional Description
The SAP Connector extracts SAP master file and business process transaction data. SAP’s R/3 Enterprise and ECC applications generate and record these transactions. Standard SAP mechanisms are used to pass data to ArcSight. The Connector ABAP Plug-in is used to extract data from the SAP data tables.


The SAP Connector instantiates a JCo server connection and SAP's standard mechanism sends data back to the Connector server via SAPFTPA. Then the SAP Extractor populates the data into a staging database.

Absent Member.

Curt,

Does the current SAP audit connector support Business Warehouse, Process Integration, Enterprise Portal, or other SAP systems, or will these SAP modules not be covered by the existing connector?

I see your comments about the SAP ABAP connector. Is this a custom connector or an Arcsight-supported one?

> We use an ABAP connector to extract the data.
>
> Connector Overview
> The architecture for the SAP data extractor has been designed and developed to extract master data, transaction records and transaction status information while having a minimal impact on the SAP system. By doing this, the ArcSight platform is then able to take full advantage of available data.
>
> Functional Description
> The SAP Connector extracts SAP master file and business process transaction data. SAP's R/3 Enterprise and ECC applications generate and record these transactions. Standard SAP mechanisms are used to pass data to ArcSight. The Connector ABAP Plug-in is used to extract data from the SAP data tables.
>
> The SAP Connector instantiates a JCo server connection and SAP's standard mechanism sends data back to the Connector server via SAPFTPA. Then the SAP Extractor populates the data into a staging database.

Thanks!

-Kart

Absent Member.

Hello Miles,

While looking for some "SAP support" on Protect724, I came across your post! I'm currently fighting with the same issue. All my events are rejected with the same error as yours:

"did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring..."

I opened a case at Arc^H^H^HHP but, in the meantime, did you solve this problem? How?

Regards,

Xavier

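As an added diagnostic for the parse failures Miles and Xavier describe (this is not code from the thread or from ArcSight), the following runs the connector's own regular expression, copied from the warning, against records re-typed from the 4.7 and 4.6c samples and reports the first reason each one is rejected. The blank-run widths, the use of a full (not prefix) match, and the idea that the two consecutive 4.7 warnings are the head and tail of one record are assumptions made for this example only.

```python
import re

# Regular expression copied verbatim from the agent.log warnings quoted in the thread.
COMMON_RE = re.compile(
    r"(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z]."
    r"(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))"
)

# Fewest characters the expression can ever accept: every piece at its minimum
# (one '0', one digit per '\d+', no whitespace), which adds up to 127.
MIN_LEN = 1 + 3 + 14 + 1 + 1 + 1 + 1 + 1 + 8 + 12 + 20 + 40 + 3 + 1 + 20

# Constructed records: the 4.7 pair and one 4.6c line, re-typed from the warnings above.
# The run lengths of blanks are our reading of the post, not an SAP specification.
REC_47_HEAD = ("2AUK20110602125258000813700003D3" + " " * 8 + "SOLMAN_BTC"
               + " " * 22 + "SAPMSSY1" + " " * 20)
REC_47_TAIL = (" " * 12 + "1071CRM_DNO_TOOLS&SAPLCRM_DNO_TOOLS&CRM_DNO_READ_DOCFLOW_CRM"
               + " " * 28)
REC_46C = ("mR6420110522091954001565100027B1" + " " * 8 + "KAB01" + " " * 27
           + "RSN3_STAT_COLLECTOR" + " " * 21 + "1021 CMINIT(SAP)" + " " * 26
           + "ThCPICSCPIC-Erthxxcpic3624")


def fields(record):
    """Groups captured by the connector expression, or None when it rejects the record.
    Assumes the connector requires the whole record to match (a full match)."""
    m = COMMON_RE.fullmatch(record)
    return m.groups() if m else None


def diagnose(record):
    """'match', or the first reason the expression cannot accept the record."""
    if fields(record) is not None:
        return "match"
    if not record or record[0] not in "2q":
        return "leading char %r is not '2' or 'q'" % record[:1]
    if len(record) < MIN_LEN:
        return "only %d chars, fixed-width fields need at least %d" % (len(record), MIN_LEN)
    return "field layout mismatch"


if __name__ == "__main__":
    for label, rec in [("4.7 head", REC_47_HEAD), ("4.7 tail", REC_47_TAIL),
                       ("4.7 head+tail", REC_47_HEAD + REC_47_TAIL), ("4.6c", REC_46C)]:
        print("%-14s %s" % (label, diagnose(rec)))
```

The 4.6c lines fail on their first character alone, while each 4.7 fragment is too short for the fixed-width fields but the concatenation of the pair matches, which is the hypothesis worth confirming against the raw audit file before writing a parser override.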