Automated Storage and Archival of SAP Security Logs

SAP system owners must store and archive security logs for security and compliance reasons. However, storage and retention of SAP security audit logs is a challenging and costly task for SAP BASIS system administrators.

Once all SAP security audit types are enabled in transaction SM19, the SAP security audit log volume increases dramatically. Because SAP systems usually run on expensive storage, this raises the cost of running the SAP system.

Enterprise Threat Monitor retrieves all security events from all application servers in your SAP landscape in real time.

It stores the logs centrally, outside of SAP. An attacker cannot get to them.

Because the logs no longer reside on the SAP systems and are compressed automatically, you save valuable disk space on the SAP systems and reduce costs.

How Enterprise Threat Monitor can solve your SAP log retention challenges

Enterprise Threat Monitor solves log storage and archiving with its proprietary log compression and storage method. It runs continuously and remotely retrieves SAP security logs from the target SAP systems in real time, then analyzes and correlates them to detect SAP-specific attacks.

After ETM processes the logs, it compresses and stores them locally (outside the SAP systems) to satisfy log retention compliance requirements and to serve detailed security analysis requests from the ETM application.

You can refer to our article for estimating log sizing requirements.

Over 98% reduction in size

ETM saves SAP security audit logs (SM20 logs), change documents and critical SAP information such as SAP gateway logs. By default, log retention is automatically activated for 18 months. This can be adjusted in ETM’s configuration interface.

ETM’s compression method typically achieves a 98% reduction in log volume. The compression ratio depends on the user activity on the system and on the SAP system type, and may vary slightly.