IAS Audit Log
Overview
The SAP IAS Audit Log Input collects audit log data from SAP IAS tenants (usually used for securing SAP Fieldglass, SAP SuccessFactors etc.).
Data Collected
Data protection and privacy related
audit.data-access: read-access logging records for access to sensitive personal data;
audit.data-modification: data modification logging records for sensitive personal data.
Security related
audit.security-events: logging of general security events such as login, logout and others;
audit.configuration: logging of security-critical configuration changes.
Status
Available
Creating the IAS Audit Log Feed
The IAS Audit Log uses the SAP BTP Audit Log service. To integrate the IAS Audit Log feed into an SAP BTP Audit Log service, perform the following steps:
Login as an administrator to the IAS Administration Console (https://<ias-tenant>/admin)
Under Monitoring & Reporting click Audit and Change Logs
SAP Cloud Foundry Setup
Click the Cloud Foundry tab
Click Add
Enter the Tenant ID, Region and Subdomain of your SAP BTP Audit Log Service
Click Add
The feed will now be created and will take approximately 15 minutes to start logging data
SAP Neo Setup
Click the Neo tab
Click Generate
Note down the Client ID and Client Secret
PowerConnect Configuration
PowerConnect Cloud requires access to the SAP AuditLog API to be able to extract SAP IAS audit log data. The most secure way to do this is to add PowerConnect Cloud as an OAuth client to your SAP BTP tenancy. To do this, follow the steps below for your environment:
SAP Cloud Foundry
Login to your BTP tenancy containing the Audit Log service where the IAS audit logs are being written
Click Instances and Subscriptions
Under Instances, find the Audit Log API instance and click on the key under Credentials
Note down the following:
The platform host in the url field (in the example below it is us10.hana.ondemand.com)
clientid
clientsecret
identityzone
Follow the instructions in the section below called “Adding an Audit Log Input in PowerConnect Cloud” to configure PowerConnect Cloud with these details
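The values noted down in the Cloud Foundry steps above can also be pulled out of a downloaded service key and checked before they are entered into the form. This is an added example, not part of the PowerConnect or SAP documentation; the key layout (top-level url, OAuth fields under uaa), the sample values and the function names are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample service key. The layout (top-level "url", OAuth
# fields nested under "uaa") is an assumption; all values are made up.
SAMPLE_KEY = """
{
  "url": "https://auditlog-management.cfapps.us10.hana.ondemand.com",
  "uaa": {
    "clientid": "sb-example-client!b0000",
    "clientsecret": "EXAMPLE-SECRET-NOT-REAL",
    "identityzone": "example-subdomain"
  }
}
"""

# Platform host = the "<region>.hana.ondemand.com" suffix of the url host.
HOST_RE = re.compile(r"(?:^|\.)([a-z0-9-]+\.hana\.ondemand\.com)$")
REQUIRED = ("clientid", "clientsecret", "identityzone")


def extract_input_values(key_json):
    """Return the four values the steps above say to note down."""
    key = json.loads(key_json)
    creds = key.get("uaa", key)  # accept nested or flat key layouts
    missing = [f for f in REQUIRED if not creds.get(f)]
    if missing:
        raise ValueError("service key is missing: " + ", ".join(missing))
    parsed = urlparse(key.get("url", ""))
    if parsed.scheme != "https":
        raise ValueError("url field must be an https URL")
    match = HOST_RE.search(parsed.hostname or "")
    if not match:
        raise ValueError("url host does not end in <region>.hana.ondemand.com")
    values = {f: creds[f] for f in REQUIRED}
    values["platform_host"] = match.group(1)
    return values


def redacted(values):
    """Copy that is safe to paste into a ticket or log: secret masked."""
    safe = dict(values)
    safe["clientsecret"] = "*" * 8
    return safe


if __name__ == "__main__":
    print(redacted(extract_input_values(SAMPLE_KEY)))
```

Only the redacted copy should leave the administrator's workstation; the client secret itself belongs in the PowerConnect Cloud form and nowhere else.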
SAP Neo
Login to the SAP IAS Administration Console
Click Applications & Resources → Tenant Settings
Note down the subaccount name and the region
Map the region to the platform host located here - https://help.sap.com/docs/btp/sap-btp-neo-environment/regions-and-hosts-available-for-neo-environment
You should now have 4 pieces of information
Client ID
Client Secret
Platform Host
Subaccount
Follow the instructions in the section below called “Adding an Audit Log Input in PowerConnect Cloud” to configure PowerConnect Cloud with these details
Adding an Audit Log Input in PowerConnect Cloud
Login to the PowerConnect Cloud web UI
Click on the Inputs link in the menu bar
Click the + button to add a new Input
For Cloud Foundry environments choose audit-log-cf under IAS → sap-ias
For Neo environments choose audit-log-neo under IAS → sap-ias
Fill in the form with the details you noted down above
Choose the Splunk output you wish to send the IAS Audit Log data to
Note: the System ID value will be mapped to the source field in the target platform (Splunk, Dynatrace etc.) and is required
Click Save
The Input is now created