CIM Compliance¶
The Splunk for SAP LogServ App tags every supported SAP-side sourcetype into the relevant Splunk Common Information Model (CIM) data models, so ES correlation searches and RBA risk framework can consume the data through the standard | datamodel <Model> search ... interface.
CIM models in scope¶
The App participates in these CIM data models, declared in app.manifest under info.commonInformationModels:
| Model | Use case | SAP-side sourcetypes |
|---|---|---|
| Authentication | login attempts (success / failure) | sap:hana:audit (CONNECT events), sap:sapstartsrv, sap:scc:audit (ACCESS_DENIED), linux:sudolog |
| Change | account / role / config modifications | sap:hana:audit (DDL events), sap:scc:audit (CONFIGURATION_CHANGED, SERVICE_*) |
| Network_Sessions | TCP-level connection tracking | sap:abap:gateway, sap:saprouter |
| Network / Resolution (DNS) | DNS query / resolution activity (absorbed ISC BIND parser) | isc:bind:query, isc:bind:queryerror |
| Web | HTTP request/response | sap:webdispatcher:access, sap:scc:http_access, sap:abap:icm, squid:access (absorbed Squid proxy parser) |
For sourcetypes that don’t fit any stock CIM model (HANA tracelogs, ABAP application-tier internal logs), the App still extracts rich search-time fields and adds vendor_product = "SAP NetWeaver ABAP" (or similar) for cross-cutting search consistency, but doesn’t tag them into a CIM model.
How the tagging works¶
Two configuration files drive CIM tagging:
default/eventtypes.conf¶
Defines 18 eventtypes — 13 SAP-specific plus 5 from the absorbed ISC BIND + Squid parsers (isc_bind_query, isc_bind_queryerror, isc_bind_lameserver, isc_bind_transfer, squid_access) — each filtering events that should participate in a particular CIM model. For example:
[sap_hana_authentication]
search = sourcetype="sap:hana:audit" (action_type="CONNECT" OR audit_category="SYSTEM Logins")
[sap_hana_change]
search = sourcetype="sap:hana:audit" (action_type IN ("ALTER USER","CREATE USER","DROP USER","GRANT","REVOKE", ...) OR audit_category IN ("User Administration", ...))
A single sourcetype like sap:hana:audit can route to multiple eventtypes — CONNECT events go to sap_hana_authentication, while DDL events go to sap_hana_change.
default/tags.conf¶
Activates CIM tags on each eventtype:
[eventtype=sap_hana_authentication]
authentication = enabled
[eventtype=sap_hana_change]
change = enabled
[eventtype=sap_abap_gateway_session]
network = enabled
session = enabled
When you query tag=authentication (or use the Authentication data model), Splunk includes events from every eventtype that has authentication = enabled.
CIM-required field coverage¶
For each tagged sourcetype, the App’s default/props.conf provides the CIM-required fields via EXTRACT-, EVAL-, and FIELDALIAS- directives.
Example: sap:hana:audit¶
| CIM field | Source |
|---|---|
action |
EVAL — case(action_type=="CONNECT" AND status=="SUCCESSFUL", "success", action_type=="CONNECT" AND status IN ("UNSUCCESSFUL","FAILED"), "failure", match(action_type,"(?i)create"), "created", match(action_type,"(?i)alter|grant|revoke"), "modified", ...) |
app |
EVAL literal "sap_hana" |
vendor_product |
EVAL literal "SAP HANA" |
user |
FIELDALIAS-user = executing_user (the user PERFORMING the action) |
dest_user |
FIELDALIAS-dest_user = target_user (the affected user, for Change model) |
src |
FIELDALIAS-src = client_ip |
dest |
FIELDALIAS-dest = db_hostname |
change_type |
EVAL — case(match(action_type,"(?i)(user|role|grant|revoke)"), "account", ...) |
object |
FIELDALIAS-object = target_user |
object_category |
EVAL — case(match(action_type,"(?i)user"), "user account", ...) |
Same pattern applies to other sourcetypes. See default/props.conf in the App package for the full per-sourcetype field-mapping detail.
Verifying CIM compliance¶
Run the following on a Splunk instance with the App installed (and the underlying SAP-side data ingested):
| datamodel Authentication search
| search sourcetype IN ("sap:hana:audit","sap:sapstartsrv","sap:scc:audit","linux:sudolog")
| stats count by sourcetype Authentication.action
You should see results like:
sourcetype Authentication.action count
linux:sudolog success 369
sap:hana:audit failure 19
sap:hana:audit success 604
sap:sapstartsrv failure 566
sap:scc:audit failure 27
Repeat for the other models:
| datamodel Change search | search sourcetype IN ("sap:hana:audit","sap:scc:audit") | stats count by sourcetype All_Changes.action
| datamodel Web search | search sourcetype IN ("sap:webdispatcher:access","sap:scc:http_access","sap:abap:icm") | stats count by sourcetype Web.action
| datamodel Network_Sessions search | search sourcetype IN ("sap:abap:gateway","sap:saprouter") | stats count by sourcetype
If | datamodel ... returns rows for our sourcetypes, ES can consume them — every standard ES Authentication / Change / Web / Network_Sessions correlation search will include SAP-side events automatically.
Sourcetype coverage matrix¶
| Sourcetype | Tagged into | Severity |
|---|---|---|
sap:hana:audit |
Authentication + Change | (CONNECT events: high-priority for ES Auth dashboards) |
sap:webdispatcher:access |
Web | medium |
sap:scc:http_access |
Web | medium |
sap:abap:icm |
Web | medium |
sap:abap:gateway |
Network_Sessions | medium |
sap:saprouter |
Network_Sessions | medium |
sap:sapstartsrv |
Authentication | medium |
sap:scc:audit |
Authentication (ACCESS_DENIED) + Change (CONFIGURATION_CHANGED, SERVICE_*) | medium |
linux:sudolog |
Authentication + privileged | medium |
isc:bind:query |
Network + Resolution (DNS) — absorbed ISC BIND parser | medium |
isc:bind:queryerror |
Network + Resolution (DNS) — absorbed ISC BIND parser | medium |
squid:access |
Web + Proxy — absorbed Squid proxy parser | medium |
Known limitations¶
F5: Web events appear at two tiers¶
Both sap:webdispatcher:access (front-end TLS-terminating load balancer) and sap:scc:http_access (backend tunnel traversal) capture HTTP events for the same logical request chain. ES’s Web data model surfaces both as distinct events.
This is correct CIM-aligned behavior — each tier records its own view, and ES dashboards can drill into either. But correlation queries that count “unique HTTP requests” should dedupe carefully (e.g., by the request-id field if both tiers carry one, or by _time window + client_ip + uri).
F6: Some sourcetypes have no clean CIM fit¶
ABAP application-tier internal logs (sap:abap:dispatcher, sap:abap:enqueueserver, sap:abap:event, sap:abap:messageserver, sap:abap:sapstartsrv, sap:abap:workprocess) and HANA tracelogs (sap:hana:tracelogs) don’t map cleanly to any stock Splunk CIM model. The App provides rich search-time fields for them but doesn’t force a poor-fit mapping. Our own dashboards consume these directly; ES correlation searches built on these would need to use sourcetype-explicit SPL rather than CIM-data-model search.
sap:abap:audit currently has minimal extraction¶
The ABAP security audit log (sap:abap:audit) is binary/hex format. The App extracts SID + instance + the audit marker; richer field extraction would require a more accessible source format (e.g., SM20/SM19 export) is available. As a result, this sourcetype is currently NOT tagged into Authentication or Change — events are in the index but not in CIM dashboards. Expected to land in a future release.