Question

LogPoint for SAP- How do I get custom SAP table modification logs in the SIEM?

  • 5 May 2021
  • 1 reply
  • 34 views

Userlevel 3
Badge +7

Hi SAP Team, my customer would like to receive all changes performed to a custom SAP table ZTABLE in the SIEM, so they can visualize or alert on incorrect or malicious modifications. Do we have documentation on the steps to perform to obtain that data in the SIEM?


1 reply

Badge

Hi Basudev,

This should be solved using LogPoint for SAP Enterprise. For such custom requirements the customizability of the solution really shines.

 

Steps to be performed on the SAP system so it can provide this data:

  1. Make sure that table change logging is enabled for the SAP system/client. For this, set profile parameter rec/client to "ALL" or to the client number that needs to be monitored.
  2. Make sure that table change logging is enabled for table ZTABLE. This can be checked and changed in transaction SE13 for table ZTABLE. Option "Log data changes" needs to be enabled.
  3. Make sure that the technical account used by LogPoint for SAP Extended has authorizations to access (read) table ZTABLE. Please assign the required authorizations via authorization object S_TABU_NAM (or S_TABU_DIS) for this table.

Steps to be performed within LogPoint for SAP Extended:

  1. Create a new extraction configuration for the Table Change Logging extractor. Assign an extraction use case identifier, select table ZTABLE, then select all table fields that should be extracted and be monitored for changes. For further options please consult the product documentation.
  2. Deploy the new configuration to the Agent systems.

Now all changes performed to table ZTABLE will be made available to the SIEM. You can filter for this table either by the table name or by the extraction use case identifier provided during configuration.

Reply