Asset & Identity Feed for ES Identity Management¶
The Splunk for SAP LogServ App auto-populates ES's Identity Management framework with SAP system inventory and user identities, derived from the same data sources the Environment Topology view uses.
As a result, ES correlation searches (and any third-party app that queries asset_lookup_by_str or identity_lookup_expanded) get SAP-aware asset and identity context for SAP-side events automatically.
What ships¶
Two scheduled saved searches that emit CSV lookups every 4 hours:

| Saved search | Cadence | Output lookup | Schema |
|---|---|---|---|
| splunk_sap_logserv_es_asset_feed | every 4h (cron `7 */4 * * *`) | splunk_for_sap_logserv_assets.csv | ES Asset (17 std cols + 2 extra) |
| splunk_sap_logserv_es_identity_feed | every 4h (cron `19 */4 * * *`) | splunk_for_sap_logserv_identities.csv | ES Identity (15 std cols + 1 extra) |
Schedules are offset by 12 minutes to avoid both firing in the same scheduler window.
Asset feed¶
The Asset feed unions 6 inventory subsearches and consolidates by IP (when present) or DNS hostname:

- sap:abap:gateway events with local_ip=* → IP + host + SID
- sap:hana:tracelogs with hana_host=* → hostname + SID (no IP)
- sap:abap:icm with icm_local_ip=* → IP + host + SID
- sap:saprouter events → host-only, categorized as middleware
- sap:scc:audit events → host-only, middleware
- sap:webdispatcher:access events → host-only, application

After dedup, SAP-stack heuristics apply:

- HANA database servers → priority=high, category=Server | Database | SAP HANA
- Middleware (saprouter, SCC) → priority=high, category=Server | Middleware | SAP
- NetWeaver application servers → priority=medium, category=Server | Application | SAP NetWeaver
Hardcoded fields (customer overrides via merger):
- owner = "SAP-Operations"
- bunit = "SAP"
- is_expected = 1, should_timesync = 1, should_update = 1, requires_av = 0
Empty-on-emit (out of scope):
- mac — log data doesn’t carry MAC addresses
- nt_host — Windows hostname not derivable from SAP logs
- lat / long / city / country — not in log data
- pci_domain — out of scope for SAP-side derivation
Two extra columns for SOC analyst readability (ES merger ignores unknown columns):
- _sap_sids — comma-joined list of SAP SIDs hosted on this asset
- _roles — comma-joined list of roles (e.g., SAP NetWeaver ABAP,SAP NetWeaver ABAP ICM)
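The consolidation and categorization described above, as an added Python example; this is not the App's own SPL. The inventory rows are constructed, and every role label except the two quoted under `_roles` is an assumed name. The example unifies records that share either an IP or a hostname, so a host-only HANA trace record and an IP-bearing ICM record for the same box land on one row; whether the shipped search performs that second linking step is not stated on this page. The output row carries the 17 standard ES asset columns plus the two extras, with the hardcoded and empty-on-emit fields filled as listed.

```python
from collections import defaultdict

# Constructed sample of what the six inventory subsearches emit (not real data).
# Role labels other than "SAP NetWeaver ABAP" / "SAP NetWeaver ABAP ICM" are assumed.
SAMPLE_INVENTORY = [
    {"source": "sap:abap:gateway", "ip": "10.1.1.10", "dns": "hec53v013858", "sid": "PRD", "role": "SAP NetWeaver ABAP"},
    {"source": "sap:abap:icm", "ip": "10.1.1.10", "dns": "hec53v013858", "sid": "PRD", "role": "SAP NetWeaver ABAP ICM"},
    # same box seen under an FQDN by ICM: unified through the shared IP
    {"source": "sap:abap:icm", "ip": "10.1.1.10", "dns": "hec53v013858.example.corp", "sid": "PRD", "role": "SAP NetWeaver ABAP ICM"},
    {"source": "sap:hana:tracelogs", "ip": "", "dns": "hec53v013900", "sid": "HDB", "role": "SAP HANA"},
    {"source": "sap:hana:tracelogs", "ip": "", "dns": "hec53v013900", "sid": "HDQ", "role": "SAP HANA"},
    {"source": "sap:scc:audit", "ip": "", "dns": "scc01", "sid": "", "role": "SAP Cloud Connector"},
    {"source": "sap:saprouter", "ip": "", "dns": "router01", "sid": "", "role": "SAProuter"},
    {"source": "sap:webdispatcher:access", "ip": "", "dns": "wd01", "sid": "", "role": "SAP Web Dispatcher"},
]

MIDDLEWARE_ROLES = {"SAProuter", "SAP Cloud Connector"}   # assumed labels for saprouter / SCC


def _keys(rec):
    """Consolidation keys: the IP when present, then the hostname."""
    keys = []
    if rec["ip"]:
        keys.append("ip:" + rec["ip"])
    if rec["dns"]:
        keys.append("dns:" + rec["dns"])
    return keys


def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]      # path compression
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def classify(roles):
    """SAP-stack heuristics in the order the page lists them: HANA, middleware, else NetWeaver."""
    if any("HANA" in r for r in roles):
        return "high", "Server | Database | SAP HANA"
    if roles & MIDDLEWARE_ROLES:
        return "high", "Server | Middleware | SAP"
    return "medium", "Server | Application | SAP NetWeaver"


def build_asset_feed(inventory):
    """Union-find over IP and hostname keys, then one ES asset row per connected group."""
    parent = {}
    for rec in inventory:
        keys = _keys(rec)
        for k in keys:
            parent.setdefault(k, k)
        for k in keys[1:]:
            _union(parent, keys[0], k)
    groups = defaultdict(list)
    for rec in inventory:
        keys = _keys(rec)
        if keys:                                # skip rows with neither IP nor host
            groups[_find(parent, keys[0])].append(rec)
    rows = []
    for recs in groups.values():
        ips = sorted({r["ip"] for r in recs if r["ip"]})
        names = sorted({r["dns"] for r in recs if r["dns"]}, key=len)  # shortest name wins for dns
        sids = sorted({r["sid"] for r in recs if r["sid"]})
        roles = {r["role"] for r in recs}
        priority, category = classify(roles)
        rows.append({
            "ip": ips[0] if ips else "", "mac": "", "nt_host": "", "dns": names[0],
            "owner": "SAP-Operations", "priority": priority,
            "lat": "", "long": "", "city": "", "country": "",
            "bunit": "SAP", "category": category, "pci_domain": "",
            "is_expected": 1, "should_timesync": 1, "should_update": 1, "requires_av": 0,
            "_sap_sids": ",".join(sids), "_roles": ",".join(sorted(roles)),
        })
    return sorted(rows, key=lambda r: r["dns"])


if __name__ == "__main__":
    for row in build_asset_feed(SAMPLE_INVENTORY):
        print(row["dns"], row["ip"], row["priority"], row["category"], row["_sap_sids"], row["_roles"])
```

The `dns` choice (shortest hostname in the group) is a deliberate simplification so the row has a single value; see the short-hostname caveat later on this page for why that matters when ES looks assets up by FQDN.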
Identity feed¶
The Identity feed unions 5 user-source subsearches and consolidates by identity:

- sap:hana:audit executing_user → tagged hana_admin
- sap:hana:audit target_user → tagged hana_target
- sap:sapstartsrv auth_user → tagged sap_host_user
- linux:sudolog os_user → tagged sudo_invoker
- linux:sudolog target_user → tagged sudo_target

Priority + category heuristics (per identity; rows are evaluated top to bottom and the first match wins, as in an SPL case() chain):

| Match pattern | priority | category |
|---|---|---|
| (?i)^SYSTEM$ or ^root$ | critical | per source-type: SAP HANA system account or OS user |
| (?i)^SYSTEM$\|^_SYS_\|^SAP_ | high (unless the row above already made it critical) | SAP HANA system account |
| Identity from a hana_admin or hana_target source | high | SAP HANA user |
| (?i)adm$ (SAP service accounts) | medium | SAP service account |
| Otherwise | low | per source-type |
watchlist=1 for critical+high; watchlist=0 for medium+low. ES surfaces watchlisted identities in its identity-risk dashboards.
One extra column:
- _source_type_str — comma-joined list of source-type tags this identity appears in
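The rule table above as an added Python example; it is not the App's own SPL. It assumes priority and category are evaluated as two separate first-match chains (the page does not say whether they share one case()), which is what lets an <sid>adm account that also appears in HANA audit come out as a high-priority "SAP service account", a combination the reference data below reports. The category used for the "per source-type" fallback and the sample identities are constructed for the example.

```python
import re
from collections import defaultdict

# Source-type tags from the identity feed. The category used when no pattern
# matches ("per source-type" in the table) is an assumed label per tag.
DEFAULT_CATEGORY = {
    "hana_admin": "SAP HANA user",
    "hana_target": "SAP HANA user",
    "sap_host_user": "SAP host user",   # assumed label
    "sudo_invoker": "OS user",
    "sudo_target": "OS user",
}
HANA_TAGS = {"hana_admin", "hana_target"}

# Patterns exactly as written in the heuristics table.
RE_CRITICAL = re.compile(r"(?i)^SYSTEM$|^root$")
RE_HANA_SYSTEM = re.compile(r"(?i)^SYSTEM$|^_SYS_|^SAP_")
RE_SERVICE = re.compile(r"(?i)adm$")


def priority_for(identity: str, tags: set) -> str:
    """First matching rule wins, as in an SPL case() chain."""
    if RE_CRITICAL.search(identity):
        return "critical"
    if RE_HANA_SYSTEM.search(identity):
        return "high"
    if tags & HANA_TAGS:
        return "high"
    if RE_SERVICE.search(identity):
        return "medium"
    return "low"


def category_for(identity: str, tags: set) -> str:
    """Separate first-match chain (assumption: category is not derived from priority)."""
    if RE_HANA_SYSTEM.search(identity):
        return "SAP HANA system account"
    if RE_SERVICE.search(identity):
        return "SAP service account"
    if tags & HANA_TAGS:
        return "SAP HANA user"
    return DEFAULT_CATEGORY[sorted(tags)[0]]   # "per source-type" fallback


def build_identity_feed(rows):
    """rows: (identity, tag) pairs as the five subsearches emit them.
    Returns one consolidated record per identity with the derived ES fields."""
    tags_by_identity = defaultdict(set)
    for identity, tag in rows:
        tags_by_identity[identity].add(tag)
    feed = {}
    for identity, tags in tags_by_identity.items():
        prio = priority_for(identity, tags)
        feed[identity] = {
            "identity": identity,
            "priority": prio,
            "category": category_for(identity, tags),
            "watchlist": 1 if prio in ("critical", "high") else 0,
            "_source_type_str": ",".join(sorted(tags)),
        }
    return feed


# Constructed sample rows (not real data); one row per (identity, source) hit.
SAMPLE_ROWS = [
    ("SYSTEM", "hana_admin"),
    ("root", "sudo_target"),
    ("_SYS_REPO", "hana_target"),
    ("DDIC", "hana_admin"),
    ("xcjadm", "hana_admin"),       # <sid>adm also seen in HANA audit: high, SAP service account
    ("xcjadm", "sap_host_user"),
    ("hdbadm", "sudo_target"),      # <sid>adm seen only via sudo: medium, watchlist=0
    ("alice", "sudo_invoker"),
]

if __name__ == "__main__":
    for rec in build_identity_feed(SAMPLE_ROWS).values():
        print(rec)
```

Note that `^root$` inherits the `(?i)` flag from the start of the pattern, so `Root` and `ROOT` are also critical; if that is not wanted, the flag has to be scoped to the SYSTEM alternative.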
Customer wire-up¶
After the App installs, the lookup CSVs don't exist until the saved searches have run once (within 4h of install, per the cron schedules above). To populate them immediately, dispatch both searches through the REST API:

```shell
# Dispatch the asset feed
curl -sk -u admin:<pw> -X POST \
  https://<splunk-host>:8089/servicesNS/nobody/splunk_app_sap_logserv/saved/searches/splunk_sap_logserv_es_asset_feed/dispatch

# Dispatch the identity feed
curl -sk -u admin:<pw> -X POST \
  https://<splunk-host>:8089/servicesNS/nobody/splunk_app_sap_logserv/saved/searches/splunk_sap_logserv_es_identity_feed/dispatch
```

`-k` disables certificate verification on the management port; drop it once that port carries a trusted certificate, and in anything scripted prefer a Splunk authentication token (`-H 'Authorization: Bearer <token>'`) over the admin password. Each dispatch returns a search job `sid`; the jobs normally finish within seconds, and `GET /services/search/jobs/<sid>` shows when they are done. Then verify that both lookups have rows (run each search separately):

```spl
| inputlookup splunk_for_sap_logserv_assets | head 5
| inputlookup splunk_for_sap_logserv_identities | head 5
```
Add to ES Identity Management¶
In Splunk Web (with ES installed):

- Go to Settings → Configuration → Identity Management
- Under "Asset Lookup Configuration", click + New:
  - Name: splunk_for_sap_logserv_assets
  - Lookup table: splunk_for_sap_logserv_assets
  - Source app: splunk_app_sap_logserv
  - Default match type: EXACT
  - Save
- Under "Identity Lookup Configuration", click + New:
  - Name: splunk_for_sap_logserv_identities
  - Lookup table: splunk_for_sap_logserv_identities
  - Source app: splunk_app_sap_logserv
  - Save

ES's merger framework picks up the new sources within ~5 minutes. Verify by querying the merged lookups (the asset and identity values below come from the reference environment; substitute ones from your own data):

```spl
| inputlookup asset_lookup_by_str | search asset="hec53v013858"
| inputlookup identity_lookup_expanded | search identity="xcjadm"
```

The merged record should now include priority, category and bunit from our feed (alongside any CMDB-sourced fields if present).
Confirm correlation searches enrich notables¶
Run any of the 5 base ES correlation searches. Notables in Incident Review should show:

- dest_asset_priority, dest_asset_category, dest_asset_bunit populated for dest=hec53v013858
- user_identity_priority, user_identity_category, user_identity_watchlist populated for user=xcjadm
Integration with CMDB (additive mode)¶
If the customer already has a CMDB feeding ES's Asset framework, our feed is additive:

- The ES merger framework reconciles across multiple sources
- Per-field precedence is configurable in lookup_merge.conf
- Conflicts (e.g., CMDB says owner=John, our feed says owner=SAP-Operations) resolve per merger precedence
- Our SAP-stack-specific fields (category=Server | Database | SAP HANA, _sap_sids, _roles) fill in gaps where the CMDB has no SAP-aware data

To make the CMDB authoritative for owner/bunit while keeping our SAP categorization:

- Place the CMDB source above our feed in the Asset Lookup Configuration order
- ES applies the higher-precedence values for shared fields (owner, bunit)
- Our category, _sap_sids and _roles fields fill in (a CMDB typically doesn't carry these)
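The precedence behaviour described above, as an added Python model; it is not ES's merger implementation and makes no claim about lookup_merge.conf syntax. The model assumes the rule the section states: sources are walked in configuration order, the first source with a non-empty value for a field wins, and lower sources only fill gaps. The two source tables are constructed, and an empty string is treated the same as a missing column.

```python
from typing import Dict, List

Record = Dict[str, str]

# Constructed sample rows, keyed by the asset's dns name (not real data).
CMDB_SOURCE: Dict[str, Record] = {
    "hec53v013858": {"dns": "hec53v013858", "owner": "John", "bunit": "ERP Platform", "category": ""},
}
SAP_FEED_SOURCE: Dict[str, Record] = {
    "hec53v013858": {"dns": "hec53v013858", "owner": "SAP-Operations", "bunit": "SAP",
                     "category": "Server | Application | SAP NetWeaver"},
    "hec53v013900": {"dns": "hec53v013900", "owner": "SAP-Operations", "bunit": "SAP",
                     "category": "Server | Database | SAP HANA"},
}


def merge_assets(sources: List[Dict[str, Record]]) -> Dict[str, Record]:
    """sources[0] has the highest precedence. For every asset key, a field is
    taken from the first source that carries a non-empty value for it."""
    merged: Dict[str, Record] = {}
    for source in sources:                       # highest precedence first
        for key, rec in source.items():
            out = merged.setdefault(key, {})
            for field, value in rec.items():
                if value != "" and out.get(field, "") == "":
                    out[field] = value           # only fill gaps left by higher sources
    return merged


def owner_of(asset: str, cmdb_first: bool) -> str:
    """Which owner wins for one asset under either configuration order."""
    order = [CMDB_SOURCE, SAP_FEED_SOURCE] if cmdb_first else [SAP_FEED_SOURCE, CMDB_SOURCE]
    return merge_assets(order)[asset]["owner"]


if __name__ == "__main__":
    for key, rec in merge_assets([CMDB_SOURCE, SAP_FEED_SOURCE]).items():
        print(key, rec)
```

With the CMDB listed first, `hec53v013858` keeps `owner=John` and `bunit=ERP Platform` but still receives our `category`, because the CMDB row has an empty category; the HANA host, which the CMDB does not know at all, comes entirely from our feed.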
Disabling the auto-feed¶
If a customer doesn’t want our auto-feed (e.g., CMDB is fully authoritative):
- Splunk Web → Settings → Searches, reports, and alerts
- Filter by splunk_sap_logserv_es_asset_feed and splunk_sap_logserv_es_identity_feed
- Edit each → Disable
- Save
The lookup CSVs remain on disk (last-known state) but are no longer refreshed.
Caveats¶
- No MAC addresses. SAP application logs don't expose MAC addresses. Customers needing MAC-based asset resolution must source it elsewhere (DHCP logs, network gear).
- Short hostnames vs FQDNs. Our dns column is the host field as Splunk indexed it. If Splunk indexed short names but the customer's DNS uses FQDNs, ES asset lookups by FQDN won't match. Fix via forward-lookup expansion in lookup_merge.conf.
- No identity start/end dates. Our feed doesn't track account creation/deactivation. Customers needing startDate/endDate for behavior baselining should layer an HR-system-sourced identity feed alongside ours.
- Static priority/category logic. The heuristics here are SPL case() rules. Customer-specific overrides require a manual override CSV (e.g., my_company_sap_asset_overrides.csv) placed above our feed in merge order.
Live verification on splunk-sh-idxr (reference data)¶
After first dispatch on splunk-sh-idxr (the reference dev environment):

Assets: 22 unique rows

- 6 HANA database servers (high priority)
- 6 middleware servers (high priority; SCC + saprouter)
- 10 NetWeaver application servers (medium priority)

Identities: 31 unique rows

- 1 critical OS user (root)
- 1 critical HANA system account (SYSTEM)
- 1 high HANA system account
- 20 high HANA users (DDIC, BKPADMIN, ENCRYPTMON, …)
- 4 high SAP service accounts
- 2 medium SAP service accounts
- 2 low OS users