Share via

Microsoft Sentinel for SAP - No Audit Log Data - other data is visible

Gabel, Felix 20 Reputation points
2024-12-19T15:58:21.38+00:00

Hello all,

we have a strange issue - we dont receive AUDIT LOG data in MS Sentinel for SAP - other data is successfully transferred:
User's image

SM19/SM20 is activated with content on SAP side (checked: https://learn.microsoft.com/de-de/azure/sentinel/sap/sap-deploy-troubleshoot#empty-or-no-audit-log-retrieved-with-no-special-error-messages) ST22/SM21 also no entries with the connection User - SU53 no entries for connection User.

Systemconfig file on docker connector VM:
User's image

In Omnilog file we have some strange entries regarding SMADENT_SID user (which is not our connection user) I dont know where they come from.

User's image

Do you have any ideas on this why we can not see any audit logs?

Felix

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,202 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Martin Pankraz 0 Reputation points Microsoft Employee
    2024-12-27T08:52:48.7466667+00:00

    Hey @Gabel, Felix, SMD Agent refers to the SAP Solution Manager Diagnostic agent user. Looks like there are some configuration challenges in your individual setup that would require in-depth troubleshooting through support ticket.

    Also be aware that the latest collector agent is using Azure KeyVault to store SID config and not the systemconfig file you shared. See step 14 here.

    Are you aware of our new agentless offering for SAP systems running on NetWeaver 7.50 and higher? This way you could bypass that problem domain altogether.

    KR Martin

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.