KB 003 – SAP ABAP – What does the SM20 collector extract from SAP and send to Splunk

ABAP Extractor SM20

Symptom:

What does the SM20 collector extract from SAP and send to Splunk?
The SM20 collector runs every hour and executes function module /BNWVS/CL_EXT_SM20.

Prerequisites:

For this collector to work, the SAP audit log must be configured in SAP tcode SM19 and active. If you can see the audit information in SM20, then it will be collected by SAP PowerConnect for Splunk and sent to the Splunk server.

Fields:

The following fields are sent to Splunk.

These fields map to the ABAP dictionary types available in tcode SM20.

Reports: What reports can I run against this data?

Example 1: Recording failed logins.

By running a search query where the login text contains the text “Failed” you can find the number of failed logins per day.

source != audittrail EVENT_TYPE=SM20 ALGTEXT "Logon Failed" | timechart span=1d count by ALGUSER

Drilling down on the raw data shows us the IP address the user logged in from and their terminal ID.
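
A variation on the search above that turns the daily chart into a list suitable for an alert, as an added example that is not part of the original KB article: it keeps only users with repeated failed logons on the same day. The threshold of 5 and the output field names day, failed_logons, first_failure and last_failure are assumptions; the base search and ALGUSER are taken from the query above.

```spl
source != audittrail EVENT_TYPE=SM20 ALGTEXT "Logon Failed"
| eval day=strftime(_time, "%Y-%m-%d")
| stats count AS failed_logons,
        min(_time) AS first_failure,
        max(_time) AS last_failure
        BY day, ALGUSER
| where failed_logons >= 5
| convert ctime(first_failure) ctime(last_failure)
| sort - failed_logons
```

Tune the threshold to the normal failure rate of your users before scheduling this as an alert.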
