Data Description

The HDB_DBCC_AUDIT event collects SAP HANA audit logs. As a prerequisite, auditing must be configured and enabled on the database side. For more information, see Activate and Configure Auditing on the SAP Help Portal.

The extractor requires the AUDIT READ system privilege to read the audit log; assign this privilege to the SAP DB user.

Potential Use Cases

Auditing gives you visibility into who did what (or tried to do what) in the SAP HANA database, and when. This allows you, for example, to log and monitor read access to sensitive data. The audit log lets you monitor and record selected actions performed in the SAP HANA database.

It can help you achieve greater security in the following ways:

  • Uncover security holes if too many privileges were granted to some user

  • Show attempts to breach security

  • Protect the system owner against accusations of security violations and data misuse

  • Allow the system owner to meet security standards

The following actions are typically audited:

  • Changes to user authorization

  • Creation or deletion of database objects

  • Authentication of users

  • Changes to system configuration

  • Access to or changing of sensitive information

Splunk Event

The event will look like this in Splunk:

SAP Navigation

The audit log is available at the database level.

Field Mapping

| Field | Description | Unit of Measure |
|---|---|---|
| ACTION_GROUP | ID of the group of audit actions | Number |
| ACTION_GROUP_DESCRIPTION | Description for the group of audit actions | String |
| APPLICATION_USER_NAME | Name of the application user | String |
| AUDIT_POLICY_NAME | Name of the Audit Policy hit | String |
| CLIENT_HOST | IP of the client host | IP Address |
| CLIENT_IP | IP of the client application | IP Address |
| CLIENT_PID | PID of the client process | String |
| CLIENT_PORT | Port of the client process | Number |
| COMMENT | Any extra information on the event | String |
| CONNECTION_ID | ID of the connection | String |
| CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
| EVENT_ACTION | Action performed by the audit event | String |
| EVENT_LEVEL | Severity Level of the event | String |
| EVENT_STATUS | Whether the event was successful or not | String |
| EVENT_SUBTYPE | | String |
| EVENT_TYPE | HDB_DBCC_AUDIT | String |
| FILE_NAME | Configuration file which was changed | String |
| GRANTABLE | Whether the privilege/role being granted is grantable or not | String |
| GRANTEE | The grantee in GRANT/REVOKE statements | String |
| HOST | Name of the host where the event occurred | String |
| KEY | Attribute being changed | String |
| LOGTIME | Time the event occurred | YYYYMMDDHHMMSS |
| OBJECT_NAME | Name of object | String |
| ORIGIN_DATABASE_NAME | Origin database name on cross database queries | String |
| ORIGIN_USER_NAME | Origin user name on cross database queries | String |
| PORT | Port number | Number |
| PREV_VALUE | Old value of the attribute | String |
| PRIVILEGE_NAME | Name of privilege granted | String |
| ROLE_NAME | Name of role granted | String |
| SCHEMA_NAME | Name of schema | String |
| SECTION | Configuration which was changed | String |
| SERVICE_NAME | Name of the service | String |
| STATEMENT_STRING | The SQL statement which caused the event | String |
| USER_NAME | Name of user connected to the database | String |
| UTCDIFF | The UTC offset, in HHMMSS, that the data was collected in | HHMMSS |
| UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data; negative (-) means subtract UTCDIFF to find the time zone adjusted date time the data was collected in. | + or - |
| VALUE | New value of the attribute | String |
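
The following added example is not part of the original documentation or the extractor's code. It applies two of the typically audited actions listed above (authentication of users, changes to user authorization) to events carrying the mapped fields. The events are constructed, and the EVENT_ACTION, EVENT_STATUS and GRANTABLE values are assumptions to check against events from your own system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. Field names come from the mapping table; the
# EVENT_ACTION, EVENT_STATUS and GRANTABLE values are assumed, not documented.
def _ev(logtime, action, status, user, **extra):
    return {"EVENT_TYPE": "HDB_DBCC_AUDIT", "LOGTIME": logtime, "EVENT_ACTION": action,
            "EVENT_STATUS": status, "USER_NAME": user, **extra}

SAMPLE_EVENTS = [
    _ev("20240105101500", "CONNECT", "UNSUCCESSFUL", "SYSTEM", CLIENT_IP="192.0.2.8"),
    _ev("20240105101530", "CONNECT", "UNSUCCESSFUL", "SYSTEM", CLIENT_IP="192.0.2.8"),
    _ev("20240105101610", "CONNECT", "UNSUCCESSFUL", "SYSTEM", CLIENT_IP="192.0.2.8"),
    _ev("20240105110000", "CONNECT", "UNSUCCESSFUL", "ALICE", CLIENT_IP="192.0.2.9"),
    _ev("20240105130000", "CONNECT", "UNSUCCESSFUL", "ALICE", CLIENT_IP="192.0.2.9"),
    _ev("20240105140000", "GRANT PRIVILEGE", "SUCCESSFUL", "ADMIN1", GRANTEE="BOB",
        PRIVILEGE_NAME="AUDIT READ", GRANTABLE="TRUE"),
    _ev("20240105140500", "GRANT ROLE", "SUCCESSFUL", "ADMIN1", GRANTEE="CAROL",
        ROLE_NAME="REPORTING", GRANTABLE="FALSE"),
]

def parse_logtime(value):
    """LOGTIME is documented as YYYYMMDDHHMMSS."""
    return datetime.strptime(value, "%Y%m%d%H%M%S")

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(USER_NAME, CLIENT_IP) pairs with `threshold` failed CONNECTs inside `window`."""
    seen = defaultdict(list)
    for e in events:
        if e.get("EVENT_ACTION") == "CONNECT" and e.get("EVENT_STATUS") == "UNSUCCESSFUL":
            key = (e.get("USER_NAME", ""), e.get("CLIENT_IP", ""))
            seen[key].append(parse_logtime(e["LOGTIME"]))
    hits = []
    for key, times in seen.items():
        times.sort()
        # Any `threshold` consecutive failures that fit inside the window count as a burst.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.append(key)
    return sorted(hits)

def grantable_grants(events):
    """Successful GRANTs that also let the grantee pass the privilege or role on."""
    return [(e["USER_NAME"], e.get("GRANTEE", ""),
             e.get("PRIVILEGE_NAME") or e.get("ROLE_NAME", ""))
            for e in events
            if e.get("EVENT_ACTION", "").startswith("GRANT")
            and e.get("EVENT_STATUS") == "SUCCESSFUL"
            and str(e.get("GRANTABLE", "")).upper() == "TRUE"]
```

LOGTIME is compared as recorded, without applying UTCDIFF/UTCSIGN, so run the burst check per source system or normalize the timestamps first.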