This project helps SAP Administrator in the configuration and deployment of rsyslog for your SAP environment, providing rsyslog file(s) in /src/rsyslog.d and a launcher to configure easily your environment.
SAP logs on OVHcloud Logs Data Platform has been tested on the following distributions and SAP versions.
| Distribution |
|---|
| SUSE Linux Enterprise Server 15 SP4/SP5 |
| Red Hat Enterprise Linux 8.6 |
| SAP version |
|---|
| NetWeaver 7.50 |
| S/4HANA 2023 |
| SAP Network Interface Router, Version 40.4 |
| SAP Web Dispatcher Version 7.89.0 |
As this project is working with rsyslog and OVHcloud Logs Data Platform, make sure the packages rsyslog (>=8.23.0) and rsyslog-module-gtls (>=8.2108) are presents on your environment.
$ rpm -qa rsyslog
rsyslog-8.2306.0-150400.5.27.1.x86_64
$ rpm -qa rsyslog-module-gtls
rsyslog-module-gtls-8.2306.0-150400.5.27.1.x86_64If the version is lower than required, please update your operating system. If the output message is empty, it means that the package is not present on your operating system and you must install it.
- SLES
zypper install rsyslog rsyslog-module-gtls- RHEL
yum install rsyslog rsyslog-module-gtlsTo deploy easily the rsyslog files on your environment a launcher is available to configure parts of the files. Below are presented some examples of how to use the launcher:
A minimal deployment requires only the OVHcloud Logs Data Platform endpoint and the location of the certificate:
./start.sh \
--ldp-target-platform gra159-xxx.gra159.logs.ovh.com \
--ldp-ca-file-path /etc/rsyslog.d/logstash.crtDeployment with setting the software stack to let the script discover your SAP environment:
./start.sh --software-stack S4 \
--ldp-target-platform gra159-xxx.gra159.logs.ovh.com \
--ldp-ca-file-path /etc/rsyslog.d/logstash.crtDeployment with setting the SAP SID or the SAP HANA SID:
./start.sh --software-stack NW \
--sap-sid S0P \
--ldp-target-platform gra159-xxx.gra159.logs.ovh.com \
--ldp-ca-file-path /etc/rsyslog.d/logstash.crtDeployment with SAP audit logs on a specific Data Stream:
./start.sh --software-stack HANA \
--sap-sid S0P \
--hana-sid HDB \
--ldp-target-platform gra159-xxx.gra159.logs.ovh.com \
--ldp-ca-file-path /etc/rsyslog.d/logstash.crt \
--audit-ldp-target-platform gra159-xxx.gra159.logs.ovh.com \
--audit-ldp-ca-file-path /etc/rsyslog.d/audit-logstash.crtThe SAP logs on OVHcloud Logs Data Platform feature provides the possibility to retrieve the ABAP security audit logs directly with the parameter --collect-sal. More information about the action of this parameter in the following chapter named SAP AS ABAP Security Audit Log.
./start.sh --software-stack NW \
--sap-sid S0P \
--ldp-target-platform gra159-xxx.gra159.logs.ovh.com \
--ldp-ca-file-path /etc/rsyslog.d/logstash.crt \
--collect-salAnsible playbooks are also available if you intend to apply the rsyslog configuration on myany servers at the same time. The playbook configures rsyslog and download the configuration files, which will then be applied.
A minimal deployment requires only the OVHcloud Logs Data Platform endpoint and the location of the certificate:
- name: Playbook - SAP logs on OVHcloud Logs Data Platform
hosts: all
tasks:
- name: Configure rsyslog
ansible.builtin.include_role:
name: rsyslog
- name: Configure rsyslog config files
ansible.builtin.include_role:
name: rsyslog_config
vars:
ldp_target_platform: gra159-xxx.gra159.logs.ovh.com
ldp_ca_file_path: /etc/rsyslog.d/logstash.crtDeployment with setting the software stack to let the script discover your SAP environment:
- name: Playbook - SAP logs on OVHcloud Logs Data Platform
hosts: as
tasks:
- name: Configure rsyslog
ansible.builtin.include_role:
name: rsyslog
- name: Configure rsyslog config files
ansible.builtin.include_role:
name: rsyslog_config
vars:
software_stack: S4
ldp_target_platform: gra159-xxx.gra159.logs.ovh.com
ldp_ca_file_path: /etc/rsyslog.d/logstash.crtDeployment with setting the SAP SID or the SAP HANA SID:
- name: Playbook - SAP logs on OVHcloud Logs Data Platform
hosts: as
tasks:
- name: Configure rsyslog
ansible.builtin.include_role:
name: rsyslog
- name: Configure rsyslog config files
ansible.builtin.include_role:
name: rsyslog_config
vars:
software_stack: NW
sap_sid: S0P
ldp_target_platform: gra159-xxx.gra159.logs.ovh.com
ldp_ca_file_path: /etc/rsyslog.d/logstash.crtDeployment with setting the SAP SID and the SAP HANA SID on SAP HANA:
- name: Playbook - SAP logs on OVHcloud Logs Data Platform
hosts: hana
tasks:
- name: Configure rsyslog
ansible.builtin.include_role:
name: rsyslog
- name: Configure rsyslog config files
ansible.builtin.include_role:
name: rsyslog_config
vars:
software_stack: HANA
sap_sid: S0P
hana_sid: H0P
ldp_target_platform: gra159-xxx.gra159.logs.ovh.com
ldp_ca_file_path: /etc/rsyslog.d/logstash.crtDeployment with SAP audit logs on a specific Data Stream:
- name: Playbook - SAP logs on OVHcloud Logs Data Platform
hosts: as
tasks:
- name: Configure rsyslog
ansible.builtin.include_role:
name: rsyslog
- name: Configure rsyslog config files
ansible.builtin.include_role:
name: rsyslog_config
vars:
software_stack: S4
ldp_target_platform: gra159-xxx.gra159.logs.ovh.com
ldp_ca_file_path: /etc/rsyslog.d/logstash.crt
audit_ldp_target_platform: gra159-xxx.gra159.logs.ovh.com
audit_ldp_ca_file_path: /etc/rsyslog.d/audit-logstash.crtLaunch ansible playbook:
ansible-playbook playbooks/main.yml- RSYSLOG
- HANA
- AS (ABAP/JAVA)
- ASCS (ABAP/JAVA)
- SAProuter
- SAP Web Dispatcher
- ERS
SAP offers the possibility with the Security Audit Log to record security-related system information of your SAP system.
By activating it, all activities that you specify will be recorded into an audit log file located in /usr/sap/<SID>/D<NI>/log/audit_YYYYMMDD for SAP NetWeaver 7.50. Please note that the service only accepts daily files with the name audit_YYYYDDMM.
However, for SAP S/4HANA, the classic approach must be configured. Only one file per day must be generated, the option "protection format active" must be disabled and the parameter FN_AUDIT (set in the DEFAULT.PFL profile) must be set with the value ++++++++.AUD, where ++++++++ equals YYYYDDMM. In order to load this new configuration, a restart of your SAP system must be done.
As those files can't be correctly parsed with rsyslog, OVHcloud developed a Linux service in order to identify and send messages to rsyslog through the /var/log/messages file. These messages come from Security Audit Log process are identified with the tag security_audit_abap.
Enable and start service ovhcloud-sap-audit.service:
systemctl enable ovhcloud-sap-audit.service
systemctl start ovhcloud-sap-audit.serviceAlways feel free to help out! Whether it's filing bugs and feature requests or working on some of the open issues, our contributing guide will help get you started.
This code is released under the Apache 2.0 License. Please see LICENSE for more details.