How to Integrate Your SAP Log with a Splunk SIEM?

In this article you will learn how to:

Introduction

Ingesting your SAP NetWeaver and S/4 logs into your corporate SIEM solution can be a challenge, especially if you are trying to ingest the logs directly from the SAP system into your SIEM. There are various third-party log adapters and tools that "translate" SAP log events and generate alerts in your SIEM solution, but these are often quite costly and represent an additional layer that needs to be maintained. Ideally, therefore, we want to integrate our SAP systems directly into our SIEM infrastructure without additional third-party license cost and maintenance effort.

In an SAP system you will want to monitor several types of logs, such as ICM/ICF logs, Gateway logs, Security Audit Logs, and so on.

Some SAP logs have a more common log syntax, e.g. the ICM/ICF logs (transaction SMICM), which use the common Apache log format and allow flexible customization, so they can be ingested into a SIEM solution more easily. Here is an example of the ICM HTTP access log.