Though SAP SCC (SAP Cloud Connector) is currently not supported by PowerConnect (more information here), there are many ways to get this data into Splunk. In this knowledge base article, we will explore one way to onboard SCC data into Splunk.
Splunk Universal Forwarder:
One popular option is Splunk’s agent-based collector, the Universal Forwarder. It is installed on the operating system (Windows, Unix, etc.), reads files in real time, and sends them through to Splunk.
Installing a Universal Forwarder:
Download the version of the universal forwarder that is appropriate for the operating system using the link https://www.splunk.com/en_us/download/universal-forwarder.html . You might have to log in to Splunk or create a new user before you are able to download the universal forwarder.
Once you have the right version of the universal forwarder downloaded, you can follow the instructions in the link https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/Installanixuniversalforwarder to install the universal forwarder on the host machine.
Configuring a universal forwarder
The base configuration for the universal forwarder has predefined inputs for the relevant operating system, but these can be changed.
Additional inputs can be configured in the [INSTALL_HOME]/local/inputs.conf file, where specific files and folders can be defined. See [INSTALL_HOME]/default/inputs.conf for inspiration. Our suggestion is to create a local app on the universal forwarder and configure inputs.conf and outputs.conf in that app context.
You can find more information about the configuration files in the link https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/Configuretheuniversalforwarder
Logs of interest for SAP SCC
SCC can produce many logs worth pushing to Splunk. By default, you can find these logs in the locations below. Please note that your installation folder may be different from the default.
Windows: Default path is “c:\SAP\SCC\scc20\log”
Linux: Default path is “/opt/sap/scc/log”
You can ensure that only files with filenames ending in “.log” are sent to Splunk by adding a whitelist to your forwarder's inputs.conf. Below is an example:
[monitor:///opt/sap/scc/log]
whitelist = \.log$
You should also ensure that the splunk user has access to read the logs in the location mentioned above. On Linux systems, for example, this can be achieved by adding the splunk user to the same group that has access to the logs in /opt/sap/scc/log, or by adding additional permissions to the files and directories in its path using the setfacl command.
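The local-app suggestion and the read-access step above, put together as an added example (not part of the original article or of Splunk's or SAP's own tooling). The app name scc_inputs, the index and sourcetype values, the output group name and the indexer address passed in are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: names marked "assumed" are not from the article.

# Write a local app holding the SCC monitor input and the forwarding target.
# $1 = forwarder install directory, $2 = indexer host:port (assumed values)
make_scc_app() {
    splunk_home=$1
    indexer=$2
    app_dir="$splunk_home/etc/apps/scc_inputs/local"   # app name is assumed
    mkdir -p "$app_dir" || return 1

    # Quoted heredoc keeps the regex "\.log$" literal
    cat > "$app_dir/inputs.conf" <<'EOF'
[monitor:///opt/sap/scc/log]
whitelist = \.log$
# index and sourcetype values are assumed; use your own
index = sap_scc
sourcetype = sap:scc:log
disabled = 0
EOF

    cat > "$app_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = scc_indexers

[tcpout:scc_indexers]
server = $indexer
EOF
    # Keep the forwarder configuration unreadable to other local users
    chmod 640 "$app_dir/inputs.conf" "$app_dir/outputs.conf"
}

# Grant the splunk user read-only access to the SCC logs (run as root).
grant_splunk_read() {
    log_dir=${1:-/opt/sap/scc/log}
    # rX: read files and traverse directories, no write access
    setfacl -R -m u:splunk:rX "$log_dir" &&
    # Default ACL so newly created or rotated log files inherit read access
    setfacl -d -m u:splunk:rX "$log_dir"
}
```

The splunk user also needs traverse (x) permission on each parent directory of the log folder, and the forwarder must be restarted to pick up a new app.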