Absent Member.

Do you use SAP?

As you may be aware, or not, ArcSight is getting ready to deliver real-time integration with SAP. The integration will differ from the current SAP connector as it will not leverage the SAP log files. So if you have ever wanted to track user activity within SAP, but haven’t been able to due to the overhead of the SAP logs, we have a solution coming.

We want your feedback around the soon-to-be-released use cases, as well as input into the future roadmap direction. If you have an interest in learning more or participating, please post here or email me at clockton@arcsight.com.

If you are joining us at Protect ‘09 we will have a station in the Innovation Lab where we will be showing the capabilities as well. Find me after the Monday morning keynotes in the booth.

Thanks

Curt Lockton

Absent Member.

Which connector version are you using?

Absent Member.

The latest one: 5.2.3.6281.0!

Absent Member.

Can you post your agent.properties file, and what kind of SAP module are you trying to integrate with ArcSight? And what is the extension of the SAP auditing files? It will be helpful if you can also paste some agent.log errors.

Absent Member.

Thanks for your time! The configuration has been enabled as described in the SmartConnector documentation.

Here is my agent.properties:

#ArcSight Properties File
#Thu Jun 28 10:11:41 CEST 2012
agents.maxAgents=1
agents[0].AgentSequenceNumber=0
agents[0].destination.count=1
agents[0].destination[0].agentid=3OP6ELjgBABCAAhZKPiqvkg\=\=
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n    <Parameter Name\="port" Value\="443"/>\n    <Parameter Name\="host" Value\="x.x.x.x"/>\n    <Parameter Name\="rcvrname" Value\="xxxxx"/>\n    <Parameter Name\="compression" Value\="Disabled"/>\n    <Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n

agents[0].destination[0].type=loggersecure
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=hwyFLjgBABCAAxZKPiqvkg\=\=
agents[0].extractfieldnames=deviceHostName
agents[0].extractregex="audit_(.*?)_\\d+"
agents[0].extractsource=File Name
agents[0].fcp.version=0
agents[0].fixedlinelength=-1
agents[0].id=3OP6ELjgBABCAAhZKPiqvkg\=\=
agents[0].ignoremissinglogfiles=false
agents[0].internalevent.filecount.duration=-1
agents[0].internalevent.filecount.enable=false
agents[0].internalevent.filecount.minfilecount=-1
agents[0].internalevent.filecount.timer.delay=60
agents[0].internalevent.fileend.enable=true
agents[0].internalevent.filestart.enable=true
agents[0].onrotation=None
agents[0].onrotationoptions=processed
agents[0].persistenceinterval=0
agents[0].preservedstatecount=10
agents[0].preservedstateinterval=30000
agents[0].preservestate=false
agents[0].rotationdelay=30
agents[0].sapauditlogencoding=
agents[0].sapauditlogfilenameformat=DateBased
agents[0].sapauditlogfilenames='audit_LSP_'yyyyMMdd
agents[0].sapauditlogfolder=/usr/sap/LSP/XXXXXX/log
agents[0].sapauditrecordcontains=Fixed Number of Characters
agents[0].sapversion=4.7 or higer
agents[0].startatend=true
agents[0].type=sapaudit_multi_file
agents[0].usealternaterotationdetection=true
agents[0].usefieldextractor=true
agents[0].usenonlockingwindowsfilereader=false
remote.management.second.listener.port=10050
remote.management.ssl.organizational.unit=PzB9LjgBABCAAa4XgNy8Jw

And some errors:

[2012-06-28 09:55:04,619][WARN ][default.com.arcsight.agent.sdk.d.q][parseValues] Message [2AU120120628095504001953800000D0W06567  EMERGENCY   SESSION_MANAGER     SAPMSYST                    ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...

[2012-06-28 09:55:04,622][INFO ][default.com.arcsight.agent.hd.i$b_$a_][<init>] New ThreadLocalWorker [ThreadLocalWorker #1 for Main Flow Batching[3OP6ELjgBABCAAhZKPiqvkg==]] created by thread [FileReader[/sap/LSP/DVEBMGS15/log/audit_LSP_20120628]]

[2012-06-28 09:55:04,626][WARN ][default.com.arcsight.agent.sdk.d.q][parseValues] Message [            0401A&0                                                             W06567              ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...

[2012-06-28 09:55:04,628][WARN ][default.com.arcsight.agent.sdk.d.q][parseValues] Message [2AUW20120628095504001953800000D0W06567  EMERGENCY   SESSION_MANAGER     RSRZLLG0                    ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...

[2012-06-28 09:55:04,630][WARN ][default.com.arcsight.agent.sdk.d.q][parseValues] Message [            0401RSRZLLG0&                                                       W06567              ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...

[2012-06-28 09:55:04,631][WARN ][default.com.arcsight.agent.sdk.d.q][parseValues] Message [2AUW20120628095504001953800000D0W06567  EMERGENCY   SESSION_MANAGER     RSRZLLG0_ACTUAL             ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...

[2012-06-28 09:55:04,633][WARN ][default.com.arcsight.agent.sdk.d.q][parseValues] Message [            0401RSRZLLG0_ACTUAL&                                                W06567              ] did not match the common regular expression [(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})(.{40})(.{3}).((.*?)(.{20}))], ignoring...

[2012-06-28 09:55:06,625][INFO ][default.com.arcsight.agent.loadable._EventCounter][processSingleAlert] First event from [|||] received.


Regards,

Xavier


Absent Member.

What SAP encoding are you using at your end?

I don't see any value specified for SAPAUDITLOGENCODING, which is highlighted below: try to use UTF-16LE or UTF-16 and give it a shot. It should work. Moreover, what kind of SAP module are you trying to integrate? And what is the extension of the SAP audit files? Is that .AUD? Other than .AUD nothing works, I think. These are some important points to remember.

agents[0].sapauditlogencoding=
agents[0].sapauditlogfilenameformat=DateBased
agents[0].sapauditlogfilenames='audit_LSP_'yyyyMMdd
agents[0].sapauditlogfolder=/usr/sap/LSP/XXXXXX/log
agents[0].sapauditrecordcontains=Fixed Number of Characters
agents[0].sapversion=4.7 or higer

 

Thanks!

-Kart

Absent Member.

Tested with "UTF-16" and it worked perfectly this time!

Thank you for your help, really appreciated!

Regards,

Xavier
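The encoding mismatch resolved in this thread can be checked offline by scoring candidate encodings against the record pattern quoted in the WARN lines. This is an added example, not ArcSight code and not part of any post; `rank_encodings` and `sample_record` are hypothetical names, the 200-character record length is an assumption inferred from the 100-character fragments in the log, and the sample records are constructed from values visible in that log.

```python
import re

# Record pattern copied from the connector's WARN lines in this thread.
RECORD_RE = re.compile(
    r"(2|q)(\w{3})(\d{14})0{1,2}\s*(\d+)\s*(\d+)[A-Z].(.{8})(.{12})(.{20})"
    r"(.{40})(.{3}).((.*?)(.{20}))"
)
RECORD_CHARS = 200  # assumption: the logged fragments look like 100-char halves


def sample_record(event: str, program: str, detail: str) -> str:
    """Constructed record, laid out like the fragments quoted in the log."""
    return (
        "2" + event + "20120628095504" + "00" + "19538" + "00000" + "D0"
        + "W06567".ljust(8) + "EMERGENCY".ljust(12)
        + "SESSION_MANAGER".ljust(20) + program.ljust(40)
        + "0401" + detail.ljust(64) + "W06567".ljust(20)
    )


def rank_encodings(raw: bytes, candidates=("latin-1", "utf-8", "utf-16-le", "utf-16-be")):
    """Map each candidate encoding to the fraction of records the pattern accepts."""
    scores = {}
    for enc in candidates:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            scores[enc] = 0.0  # bytes are not even valid in this encoding
            continue
        records = [text[i:i + RECORD_CHARS] for i in range(0, len(text), RECORD_CHARS)]
        hits = sum(1 for rec in records if RECORD_RE.fullmatch(rec))
        scores[enc] = hits / len(records) if records else 0.0
    return scores


# Constructed sample: three records built from values visible in the log above.
SAMPLE = "".join([
    sample_record("AU1", "SAPMSYST", "A&0"),
    sample_record("AUW", "RSRZLLG0", "RSRZLLG0&"),
    sample_record("AUW", "RSRZLLG0_ACTUAL", "RSRZLLG0_ACTUAL&"),
])

if __name__ == "__main__":
    for label, raw in (("UTF-16LE file", SAMPLE.encode("utf-16-le")),
                       ("8-bit file", SAMPLE.encode("latin-1"))):
        print(label, rank_encodings(raw))
```

Run against the first few kilobytes of a real audit file, the candidate that scores near 1.0 indicates which encoding family the connector needs to be told about; a UTF-16 file read as 8-bit text scores 0.0 because every other character is a NUL.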

Absent Member.

Cheers! Sounds great.

-Kart

Absent Member.

Hi guys,

have a look at agileSI - our SAP Security Monitoring solution:

http://www.it-cube.net/en/solutions/it-security/sap-security/agilesi/overview.html

agileSI turns SAP Security Data into Insight, Action, and Competitive Advantage. It’s the industry’s first automated solution that continuously scans SAP landscapes and detects weak system configurations, excessive user access rights, SoD violations, potential threats through attacks, and can be used to monitor critical transactions or privileged user activity.

Please feel free to contact me for further information.

Andreas
