SAP HANA

About

SAP HANA in-memory database is for transactional and analytical workloads with any data type — on a single data copy. It breaks down the transactional and analytical silos in organizations, for quick decision-making, on premise and in the cloud.

Product Details

Vendor URL: SAP HANA | In-Memory Database

Product Type: Database Management

Product Tier: Tier III

Integration Method: Syslog

Integration URL: 2624117 - How-To: Configure HANA audit log in SYSLOG | SAP

Log Guide: Data and Log Volumes - SAP Help Portal

Parser Details

Log Format: JSON

Expected Normalization Rate: 75%

Data Label: SAP_HANA

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| description | metadata.description |
| column16 | metadata.product_event_type |
| GENERIC_EVENT | metadata.event_type |
| column13 | target.file.full_path |
| mimetype | target.file.mime_type |
| file_name | src.file.full_path |
| length | additional.fields |
| dst | target.hostname |
| dst | target.ip |
| dhost | target.hostname |
| dhost | target.ip |
| shost | principal.hostname |
| shost | principal.ip |
| suser | principal.user.userid |
| request | target.url |
| INFORMATIONAL/LOW/MEDIUM/HIGH | security_result.severity |
| ALLOW/BLOCK | security_result.action |
| observer | observer.hostname |
| observer | observer.ip |

Product Event Types

| type,subtype | severity | UDM Event Classification | alerting enabled |
| --- | --- | --- | --- |
| Default | | GENERIC_EVENT | |

Log Sample

{"msg": "#!\"2021-12-16 14:40:23.896951000\"#!\"SERVERNAME1234\"#!123456#!\"indexserver\"#!123456#!\"HOSTNAME1234\"#!\"10.10.10.30\"#!123456#!123456#!\"HOST4567\"#!\"HOSTNAME4567\"#!\"SAP_1234\"#!\"john.doe\"#!\"HOSTNAME4567\"#!\"LOCKED_USER\"#!\"SUCCESSFUL\"#!\"INFO\"#!\"CONNECT\"#!?#!?#!?#!?#!?#!?#!\"HOSTNAME4567\"#!?#!?#!?#!?#!?#!?#!?#!?#!?#!?#!\n", "length": 283, "file_name": "sap_hana.CSV.GZ", "product": "HANA", "vendor": "SAP"}

Sample Parsing

metadata.event_timestamp = "2021-12-16T14:40:23Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "SAP"
metadata.product_name = "HANA"
metadata.product_event_type = "LOCKED_USER"
metadata.description = "CONNECT"
metadata.ingested_timestamp = "2021-12-16T15:06:25.061099Z"
additional.length = "283"
principal.hostname = "HOST1234"
principal.user.userid = "john.doe"
principal.ip = "10.10.10.30"
principal.namespace = "COMPANYNAME"
principal.asset.ip = "10.10.10.30"
src.file.full_path = "sap_hana.CSV.GZ"
src.namespace = "COMPANYNAME"
target.hostname = "HOSTNAME4567"
target.file.full_path = "SAP_1234"
target.namespace = "COMPANYNAME"
target.asset.hostname = "HOSTNAME4567"
observer.hostname = "SERVERNAME1234"
observer.namespace = "COMPANYNAME"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
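
The column layout behind the log sample and sample parsing above, as an added Python example (not the vendor's or the parser's own code). It splits `msg` on `#!` and counts the empty text before the first delimiter as column 1, which is what makes column13 and column16 line up with the mapping table. The other column positions and the status/level value mappings are assumptions inferred from the sample.

```python
import json

# Constructed sample in the page's format (shortened; "?" marks an empty audit field).
SAMPLE = json.dumps({
    "msg": '#!"2021-12-16 14:40:23.896951000"#!"SERVERNAME1234"#!123456#!"indexserver"'
           '#!123456#!"HOSTNAME1234"#!"10.10.10.30"#!123456#!123456#!"HOST4567"'
           '#!"HOSTNAME4567"#!"SAP_1234"#!"john.doe"#!"HOSTNAME4567"#!"LOCKED_USER"'
           '#!"SUCCESSFUL"#!"INFO"#!"CONNECT"#!?#!?#!\n',
    "length": 283, "file_name": "sap_hana.CSV.GZ", "product": "HANA", "vendor": "SAP",
})

# 1-based column -> UDM field. Columns 13 and 16 come from the mapping table;
# the other positions are inferred from the sample and are assumptions.
COLUMNS = {
    3: "observer.hostname", 8: "principal.ip", 12: "target.hostname",
    13: "target.file.full_path", 14: "principal.user.userid",
    16: "metadata.product_event_type", 19: "metadata.description",
}
# Assumed value mappings for the status (column 17) and level (column 18) fields.
ACTION = {"SUCCESSFUL": "ALLOW", "UNSUCCESSFUL": "BLOCK"}
SEVERITY = {"INFO": "INFORMATIONAL", "WARNING": "MEDIUM", "ALERT": "HIGH"}

def split_columns(msg):
    """Split on '#!'. List index i holds column i+1 because the text before the
    first delimiter is empty. '?' and empty become None; quotes are stripped."""
    cols = []
    for raw in msg.rstrip("\n").split("#!"):
        raw = raw.strip()
        cols.append(None if raw in ("", "?") else raw.strip('"'))
    return cols

def to_udm(record_json):
    rec = json.loads(record_json)
    udm = {"metadata.event_type": "GENERIC_EVENT",
           "metadata.vendor_name": rec.get("vendor"),
           "metadata.product_name": rec.get("product"),
           "src.file.full_path": rec.get("file_name"),
           "additional.length": str(rec.get("length"))}
    cols = split_columns(rec.get("msg", ""))
    if len(cols) < 19:  # truncated or foreign line: keep the wrapper fields only
        return udm
    for col, field in COLUMNS.items():
        if cols[col - 1] is not None:
            udm[field] = cols[col - 1]
    if cols[1]:  # drop fractional seconds, as the page's sample output does
        udm["metadata.event_timestamp"] = cols[1][:19].replace(" ", "T") + "Z"
    udm["security_result.action"] = ACTION.get(cols[16])
    udm["security_result.severity"] = SEVERITY.get(cols[17])
    return udm
```

A field value that itself contains `#!` would shift every later column, so a line whose column 16 is not a known audit action name is worth routing to review rather than trusting the positional mapping.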

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon