How to Protect Your SAP Audit Logs

Most large enterprises are using SAP’s ERP system. And the larger the enterprise is, the more compliance requirements it has to cover. This means, in part, that it’s vital to have the SAP Security Audit Log enabled, properly configured, and properly protected.

What is SAP Security Audit Log and How to Turn It On

The SAP Security Audit Log (SAP SAL) contains all events that happened within the ERP. Every different action has its own so-called transaction code and the relevant details – who did it, when and with what context. There are around a hundred thousand different transaction codes (yes, SAP’s ERP has grown rather complex over the years), and most of them are important for security and compliance purposes.

Turning on SAP SAL is easy: just follow any available tutorial. Protecting the logs, however, is not a trivial matter. SAP just writes to a text file and doesn’t care about protecting its integrity. And an audit log without integrity protection is worth nothing, as anyone with the relevant access can delete, modify or fabricate log entries. So protecting the integrity of SAP’s audit logs is the responsibility of the team that manages the SAP installation.

The curious technical detail about SAP’s log is that it’s a single, never-ending line of log entries with a fixed size. This bizarre decision, combined with cryptic 4+ letter transaction codes, makes it impossible to read or make sense of the log with any standard tool. SAP’s viewer seems the only option, but it’s far from perfect.
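The weakness described above, a single-line file of fixed-size records with no integrity protection, can be made tamper-evident by sealing each record into a keyed hash chain whose tags are stored away from the SAP host. This is an added example, not SAP's or LogSentinel's code; the 64-byte record size, the record contents and all function names are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac

RECORD_SIZE = 64  # assumption for this example, not the real SAP record length

# Constructed sample: three padded records in one newline-free blob.
# The field layout and event names are invented, not the SAP format.
SAMPLE = b"".join(s.ljust(RECORD_SIZE).encode() for s in (
    "20240101 101500 user=ALICE event=LOGON_OK",
    "20240101 101712 user=ALICE event=TRANSACTION_START",
    "20240101 102003 user=BOB event=LOGON_FAILED",
))


def split_records(blob: bytes, size: int = RECORD_SIZE) -> list[bytes]:
    """Cut a single-line log into fixed-size records; reject a partial tail."""
    if len(blob) % size:
        raise ValueError("log length is not a multiple of the record size")
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def chain(records: list[bytes], key: bytes) -> list[bytes]:
    """One HMAC-SHA256 tag per record; each tag also covers the previous tag."""
    tags, prev = [], b"\x00" * 32
    for index, record in enumerate(records):
        message = prev + index.to_bytes(8, "big") + record
        prev = hmac.new(key, message, hashlib.sha256).digest()
        tags.append(prev)
    return tags


def verify(blob: bytes, key: bytes, sealed_tags: list[bytes]) -> int | None:
    """Return the index of the first sealed record that is changed or missing.

    Returns None when every sealed record is intact. Records appended after
    the last seal are not checked here; they are sealed on the next run.
    """
    fresh = chain(split_records(blob), key)
    for i, tag in enumerate(sealed_tags):
        if i >= len(fresh) or not hmac.compare_digest(fresh[i], tag):
            return i
    return None


if __name__ == "__main__":
    key = b"example-key-kept-off-the-SAP-host"  # constructed; use a managed secret
    sealed = chain(split_records(SAMPLE), key)
    edited = SAMPLE.replace(b"user=BOB", b"user=EVE")
    print(verify(SAMPLE, key, sealed), verify(edited, key, sealed))
```

The chain only helps if the key and the sealed tags are held where an SAP administrator cannot rewrite them; stored next to the log, they can be recomputed along with it.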

A SIEM might help, but setting it up usually requires installing a special plugin within the SAP installation. That plugin may or may not work with the desired version, may cause issues when upgrades are made and, being so invasive, increases the attack surface of the ERP if it is somehow compromised. And, as we have discussed, the SIEM barely protects the integrity of the collected data, if at all.

How LogSentinel Helps You Protect Your SAP Audit Logs

The LogSentinel SIEM agent speaks the native SAP log format, can translate all transaction codes to meaningful actions and events, and most importantly – guarantees the integrity of the log. You also don’t need long retention periods on the SAP log itself – after it has been collected by LogSentinel, it can be cleaned up.

You can do rich and flexible queries on the collected logs. And once collected, the logs have full protection, using our legally sound cryptographic techniques.

The collection itself is also flexible. You can choose to share the folder where the logs are with the agent machine (in case of a Windows server), install our agent on the SAP server itself, copy the logs at short intervals, or read them over SSH (in case of a Linux server). Having all these options allows us to fit into any organization’s internal rules and practices.

We strongly recommend enabling, collecting and securing SAP’s audit logs. They are the most important security, compliance and forensic feature, and not having them properly set up is a major red flag. And especially now, it’s rather easy to fix that red flag, cover your compliance requirements and move on to letting the ERP unlock the business value it’s meant to unlock.

Contact us to get your SAP logs secured. Book a DEMO today and find out how LogSentinel can help you achieve regulatory compliance and high information security standards:

SentinelTrails' features to protect SAP audit logs
