7/27/2023

Implementation Guide for SAP Enterprise

Threat Detection
Generated on: 2023-07-27 12:25:35 GMT+0000

SAP Enterprise Threat Detection | 2.0 SP06 (Support Package Stack 32)

CONFIDENTIAL

Original content: https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION/eb42e48f5e9c4c9ab58a7ad73ff3bc66?

locale=en-US&state=PRODUCTION&version=2.6

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not re ect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the https://help.sap.com/docs/disclaimer.

This is custom documentation. For more information, please visit the SAP Help Portal 1
 7/27/2023

Providing Logs and Master Data Using the ABAP Log Extractor
(New)
To set up and use the new ABAP Log Extractor, there's a report available that creates a default con guration which you can
adapt to your needs. If the new ABAP Log Extractor is not yet available in your system, you must rst install it.

See the following steps for more information:

Step More Information

1. Check which logs are supported and if you can use the new ABAP Log Recommended Transfer Methods
Extractor.
List of Logs of SAP NetWeaver AS for ABAP

List of Master Data of SAP NetWeaver AS for ABAP

2. Check if the new ABAP Log Extractor is already available in your system. System Setup

3. Make yourself familiar with the technical background. Technical Overview

4. Con gure the log transfer. To do this, you use the report Con guring the Log Transfer
SETD_CREATE_DEFAULT_CONFIGS to create default con guration settings. If
required, you can adapt the defaults.

5. If you have a multitenancy scenario, adapt the con guration as required. Con guring the Log Transfer for a Multitenancy
Scenario

6. Check and adapt your log collector con guration. Make sure that you use the HTTP Settings for the Log Collector
same port and user credentials as speci ed in the RFC destination maintained
in the sender settings.

7. Start the log transfer in each client from which you want to extract logs. Starting and Stopping the Log Transfer

8. Fix any issues. Troubleshooting

Technical Overview
The new ABAP Log Extractor includes two types of readers. The reader for system-based logs can only be used in one client and
collects system-based logs and master data. The reader for client-based logs can be used in each client of the system and
collects the client-based logs and master data.

This is custom documentation. For more information, please visit the SAP Help Portal 2
 7/27/2023

Client Components
In each client from which you want to transfer logs and master data, you need to start the client components of the ABAP Log
Extractor. The reader gathers the following logs and master data from the client and stores them in a queue for the sender:

Change Document Log

User Change Log

User Contexts

The sender reads the client-based logs and master data in the queue and sends it to the load balancer or log collector. If it was
con gured accordingly, the sender also sends system-based logs and master data that have been sent to the queue.

If the sending was successful, the sender deletes the entries in the queue.

If the sending was erroneous, the entries remain in the queue and the next job execution tries to send them again.

Besides the readers and senders, there are also cleaners executed. They delete entries in database tables when they are past
their retention periods.

System Components
Some logs and master data are not read by each client but only once for the whole system. To read this data, you need to start
the system components of the ABAP Log Extractor in the client for the system components (for example 000). The reader for

This is custom documentation. For more information, please visit the SAP Help Portal 3
 7/27/2023
system-based logs gathers the following logs and master data from the complete system:

Business Transaction Log

Gateway Log

Message Server Log

System Contexts

The actual sending of the system-based data is done using the queues and senders of the clients. The reader stores the read
entries in the queues of all the clients that are to extract logs and master data. Which clients these are is a matter of
con guration.

Duplication of System-Based Log Types

 Note
If multiple clients should transfer logs to SAP Enterprise Threat Detection, it’s important to avoid duplicate log data for the
system-based log types. To achieve this, log types that are client-independent (such as Gateway Log or Message Server Log)
must be con gured to be transferred from only one single client. This is not the case when log duplication is needed, for
example when the clients should transfer logs to different instances of SAP Enterprise Threat Detection (see Con guring
the Log Transfer for a Multitenancy Scenario).

On the other hand, client-dependent logs that are read by the system-based reader (such as Business Transaction Log) will only
be distributed to the client that they belong to. For example, a log for client 000 will only be put into the queue of client 000 and
a log for client 111 will only be put into the queue of client 111 and in no other queues, regardless on which client the system
components are running on. The log transfer must then be con gured on all clients where this log data is wanted.

System Setup
The new ABAP Log Extractor is part of SAP BASIS. Depending on your SAP BASIS release and support package, you might
already have it in your system. If this is not the case, implement the relevant transport-based correction instructions (TCI). For
more information, see SAP Note 3313550 .

Furthermore, depending on your SAP BASIS release and support package, you need to implement additional SAP Notes which
do not directly belong to the new ABAP Log Extractor. These SAP Notes are prerequisites for the ABAP Log Extraction. For
more information, see 3194557 .

Con guring the Log Transfer

You can use the con guration setup report which provides a default con guration for the log transfer with the new ABAP Log
Extractor. In addition to running the report and reviewing and activating the default con guration, you need to create technical
users that execute the client components and the system components.

Context
The reader for system-based logs reads logs of the whole ABAP system like the Business Transaction Log, Gateway Log or
Message Server Log. These logs are only read by one single client, the client for the system components (for example 000).

In addition, there are client-based logs that are read within each client, such as the Change Document Log or the User Change
Log. These logs are read by the readers for client-based logs which need to be scheduled in each client. The senders send all the

This is custom documentation. For more information, please visit the SAP Help Portal 4
 7/27/2023
logs to the log collector or load balancer. For more information, see Technical Overview.

For a quick and easy setup, we recommend running our con guration setup report which provides all the required default values
for the system-speci c con guration as well as for the global client con guration.

The con guration setup report will set up the con guration so that the logs will be sent as shown in the graphic (clients 000, 111
and 222 represent all the clients in the system in this example):

Procedure
1. Log on to the client for the system components (for example client 000) with a user that is assigned to a copy of the
following standard roles:

Role Description

SAP_BC_ETD_SYSTEM_ADMIN Enterprise Threat Detection - System Administrator

SAP_BC_ETD_GLOBAL_CLIENT_ADMIN Enterprise Threat Detection - Global Client Administrator

2. Create an RFC destination to establish the connection between the ABAP system and the load balancer or log collector:

a. Make sure that the log collector supports the authentication method that you want to use.

You can either use basic authentication (with or without TLS) or certi cate-based authentication.

This is custom documentation. For more information, please visit the SAP Help Portal 5
 7/27/2023
If you want to use basic authentication for example, a user for basic authentication must be declared in the log
collector con guration for an HTTP endpoint. For more information, see HTTP Settings for the Log Collector.

b. Open transaction SM59 and create a new RFC destination of type G HTTP Connection to External Server.

For more information, see Establishing a Connection Using a Destination (SM59).

c. Test the connection by clicking Connection Test.

You should see the HTTP response code 200.

d. If you get a different response, check the following:

i. Is the log collector running?

ii. Is the port open?

iii. In the con guration xml le of your log collector host, check the following:

If you are using basic authentication: below the port, is there a <Credential> for the same user that
you have maintained in SM59? Is the maintained hashed password the hash of the password that
you have maintained in SM59?

If you are using TLS: is the ABAP system trusting the log collector, that means is the certi cate of
the log collector added to the used PSE? Does the used hostname match the certi cate?

e. Copy the name of the RFC destination that you've just created.

3. Create the default con guration settings.

To do so, open transaction SE38 and execute the report SETD_CREATE_DEFAULT_CONFIGS. Paste the name of the
RFC destination in the HTTP Destination eld and choose Execute.

4. Review and activate the DEFAULT con gurations that have been automatically created by the report.

To do so, open transaction SETD and con rm the popup if you have a valid license for SAP Enterprise Threat Detection.
Then proceed with the following steps:

a. Check the system con guration settings for log types and allowed clients and adapt them if required:

i. To check the log type settings, choose Go to System Con guration in the System Components section,
select the DEFAULT con guration and double-click Log Type Settings in the folder structure on the left
side.

Adapt the log type settings if required.

ii. To check the list of allowed clients, double-click List of Allowed Clients in the folder structure on the left
side.

 Note
For the system-based log types such as Gateway Log, only the client for the system components (for
example 000) is maintained as allowed by default. This means that these log types are only sent from
this client and not from other clients. If the log type should be transferred from other clients too, then
this needs to be con gured here. For more information, see the Duplication of System-Based Log Types
section in Technical Overview and Con guring the Log Transfer for a Multitenancy Scenario.

Adapt the list of allowed clients if required.

iii. You can keep the other settings as they are. They are ne to start with and usually don't need to be
changed.

iv. Activate the system con guration.

This is custom documentation. For more information, please visit the SAP Help Portal 6
 7/27/2023
To do so, double-click System Con guration, select the Active checkbox for the DEFAULT con guration
and save.

b. Check the client con guration settings for the log types and adapt them if required:

i. To do so, choose Go to Global Con guration in the Client Components section, select the DEFAULT
con guration and double-click Log Type Settings in the folder structure on the left side.

Note that all supported log types are active by default. This means that they will be read and sent from the
current client (for example 000). Since you are in the global client con guration, the client-based log types
are sent from all the other clients as well if you start the log transfer on these clients. The system-based
log types will not be sent from the other clients by default because they are not allowed according to the
default system con guration.

Note that the Initial Age is set to 5 minutes. This means that only the last 5 minutes of log data will be
read and sent from all clients.

Note that the Maximum Age is set to 1440 minutes, which is 24 hours. This means that whenever the logs
cannot be sent successfully, the logs can be sent again within the next 24 hours. After 24 hours the logs
are not read or sent anymore, but instead more recent logs are read then.

ii. If you want to transfer additional Change Documents, add the Change Document Objects with their time
zone in which they are stored (System Time Zone or UTC) and set them to Active.

Only the active Change Document Logs that are mentioned here are transferred.

iii. Activate the client con guration

To do so, double-click Client Con guration, select the Active checkbox for the DEFAULT con guration and
save.

If you go back to the start screen of the SETD transaction, you can now see in the Client Components section which log
types are active for this client. You can also see the allowed log types in the System Components section.

5. Create a technical user with transaction SU01 that executes the client components.

The client components include the log readers of the client-based log types like Change Document Log or User Change
Log but also the sender that sends all the logs to the load balancer or log collector.

6. Assign a copy of the standard role SAP_BC_ETD_CLIENT_EXECUTION (Enterprise Threat Detection -

Client Execution) to the technical user that you just created.

7. Carry out the steps 5 and 6 for all clients from which you want to receive logs.

8. Create a technical user with transaction SU01 that executes the system components.

The system components are the log readers of the system-based log types like Business Transaction Log, Gateway Log
or Message Server Log.

9. Assign a copy of the standard role SAP_BC_ETD_SYSTEM_EXECUTION (Enterprise Threat Detection -

Client Execution) to the technical user that you just created.

Con guring the Log Transfer for a Multitenancy Scenario

In a multitenancy scenario where multiple tenants are using the same ABAP log provider system, you would need a different
con guration because the load balancer or log collector destination differs for each client.

Two additional reasons for the different setup might be the following ones:

The tenants would like to receive not only the client-based log types but also the system-based log types like Business
Transaction Log in their SAP Enterprise Threat Detection application.

Different tenants would like to receive different log types with a different maximum age.

This is custom documentation. For more information, please visit the SAP Help Portal 7
 7/27/2023

Prerequisites
You have performed all the steps mentioned under Con guring the Log Transfer.

Procedure for System Administrator

1. Log on to the client for the system components (for example 000) with a user that is assigned to a copy of the standard
role SAP_BC_ETD_SYSTEM_ADMIN Enterprise Threat Detection - System Administrator

2. Call up transaction SETD.

3. Choose System Con guration in the System Components section.

4. Select the DEFAULT con guration and double-click Log Type Settings in the folder structure on the left side.

To allow the tenants in the other clients to receive the system-based log types, you need to allow them to receive the log
types Business Transaction Log, Gateway Log, and Message Server Log. To achieve this, change the client to ALL. Only
now the other clients would be able to send these logs to their own SAP Enterprise Threat Detection application.

5. To allow the tenants to deviate from the global client con guration, maintain Local Client Administrator users
for them so that they can maintain their own client-speci c con guration.

To do so, create users for the tenants that are assigned to a copy of the standard role
SAP_BC_ETD_LOCAL_CLIENT_ADMIN Enterprise Threat Detection – Local Client Administrator.

This is custom documentation. For more information, please visit the SAP Help Portal 8
 7/27/2023
The tenant can now log on with this user and proceed.

Procedure for Local Client Administrator

1. Log on to your client (for example 222) with a user that is assigned to a copy of the standard role
SAP_BC_ETD_LOCAL_CLIENT_ADMIN Enterprise Threat Detection – Local Client Administrator.

2. Call up transaction SETD.

3. Choose Local Client Con guration in the Client Components section.

4. Create a new entry such as DEFAULT_222 and save it.

5. Start a second SAP GUI session and open the global client con guration to copy the settings that you need to enter in
the local client con guration.

6. Copy the following settings, enter them in the local client con guration and adapt some of them as follows:

Work Process Goups: Copy the values in the global client con guration and enter them in the local client
con guration.

Log Type Settings: Copy the values in the global client con guration and enter them in the local client
con guration. This will activate all log types by default. Now you can change the values as required, for example
change the maximum age or set log types to inactive so that they are not sent anymore.

Sender Settings: Copy the values in the global client con guration and enter them in the local client
con guration. Maintain your own HTTP destination that points to the tenant’s load balancer or log collector.

Cleaner Settings: Copy the values in the global client con guration and enter them in the local client
con guration. Change the retention period if required.

Change Document Objects: Copy the values in the global client con guration and enter them in the local client
con guration. Add additional Change Document Objects with their time zone in which they are stored (System
Time Zone or UTC) and set them to Active. Only the active Change Document Logs that are mentioned here are
transferred.

Starting and Stopping the Log Transfer

When you are ready with the con guration, you start the log transfer by starting the components of the new ABAP Log
Extractor. Once you have started the components, the readers run every minute.

In the client for the system components (for example 000), you start the transfer for the system-based logs and master data
as well as for the client-based logs and master data for client 000. To start the transfer for the client-based logs and master
data for additional clients, you log on to these clients and start the transfer for the client components.

Prerequisites
You have a technical user that can execute the system components. The user needs to have a copy of role
SAP_BC_ETD_SYSTEM_EXECUTION assigned.

You have technical users, one for each client, that can execute the client components. The user needs to have a copy of role
SAP_BC_ETD_CLIENT_EXECUTION assigned.

Starting the Reading and the Transfer from the System

1. Log on to the client for the system components (for example 000) with your system administrator user.

This is custom documentation. For more information, please visit the SAP Help Portal 9
 7/27/2023
2. Open transaction SETD.

3. Start the system components.

To do so, click the Start button in the System Components section and maintain the technical user with system
execution authorizations in the popup.

If everyhing works ne, you see a green traffic light.

4. If the traffic light is red, stop the system components by clicking Stop.

5. Open Protocol Open Protocol to see the errors.

6. Solve the errors.

For more information, see Troubleshooting.

Starting the Reading and the Transfer from a Client

1. Log on to the client (for example 222) with your client administrator user.

2. Start the client components.

To do so, click the Start button in the Client Components section and maintain the technical user with client execution
authorizations in the popup.

If everyhing works ne, you see a green traffic light.

3. If the traffic light is red, stop the client components by clicking Stop.

4. Open Protocol Open Protocol to see the errors.

5. Solve the errors.

For more information, see .Troubleshooting

Stopping the Reading from the System

1. Log on to the client for the system components (for example 000) with your client administrator user.

2. Call up transaction SETD.

3. To stop the system components, click Stop in the System Components section.

Instead of the traffic light, the system shows the text Not running.

Stopping the Reading from a Client

1. Log on to the client, for example 222, with your client administrator user.

2. Call up transaction SETD.

3. To stop the client components, click Stop in the Client Components section.

Instead of the traffic light, the system shows the text Not running.

Monitoring

This is custom documentation. For more information, please visit the SAP Help Portal 10
 7/27/2023
You have three different options to monitor the log extraction. You can see the most recent messages and help instructions in
the protocol of transaction SETD. In addition, you can see all messages in the application log and monitor certain metrics in the
Computing Center Management System (CCMS).

Protocol in SETD
In transaction SETD, you can call up the protocol via Protocol Open Protocol . It shows the most 100 recent messages both
from the current client as well as from the system components. To look further back in time, choose Load next 100
records. For some error messages, there's additional help available. To access the help instructions, click the icon in the Help
column. To understand which process belongs to which parent process, click Show more columns to display the columns Process
ID and Parent Process ID. The process ID is also needed to download the trace le.

Application Log and SAP Focused Run

All messages of the protocol are also written to the Application Log (transaction SLG1). To display the messages related to the
log extraction components of SAP Enterprise Threat Detection, enter the object SETD.

We recommend to use SAP Focused Run to monitor error and warning messages.

CCMS Monitoring
To check the metrics using CCMS Monitoring, call up the monitoring contexts for SAP Enterprise Threat Detection. To do so, call
up transaction RZ20 and open the node SAP CCMS Technical Expert Monitors All Monitoring Contexts .

When the components for the ABAP Log Extractor have already run, you can see one context for the system and one for each
client:

Enterprise Threat Detection System

Enterprise Threat Detection Client 000

..

You can see the following metrics:

Number of Erroneous Work Items

This metric should be 0. If it is higher than 0, it means that there is an error in the protocol which should be followed up.

Number of Entries in Sender Queue

This metric shows the number of entries that have been read, but have not yet been sent away to the load balancer or
log collector. The number should not grow too much. This number is only shown for the client execution.

Reader Execution Lag in Seconds

This metric shows the number of seconds the readers are delayed for each required log type.

ABAP Extractor Status

This metric shows the status of the last ABAP Log Extractor execution as it is also shown in transaction SETD:

§ Running with Errors

§ Running with Warnings

§ Running Without Issues

This is custom documentation. For more information, please visit the SAP Help Portal 11
 7/27/2023
§ Not running

Troubleshooting
To understand and x issues, you can check the error protocol. If it's an implementation issue, you can also create a customer
ticket with the trace le.

If you see a red traffic light in transaction SETD, there are recent errors in the protocol. To check the error messages, go to
Protocol Open Protocol . For some error messages, there's an icon available in the Help column. Click the help icon to get
detailed instructions how to solve the issue. For known issues, error codes are used in the error messages. To look up the
meaning of the error codes and the steps to solve the issues, check SAP Note 2957945 .

If you think that it's an issue related to the implementation of ABAP Log Extractor, you can create a customer ticket on
component BC-SEC-ETD. If you do so, it's important that you attach the trace le to the customer ticket.

How to Get the Trace File?

1. In the protocol, display the columns Process ID and Parent Process ID by clicking Show more columns.

2. If you see a value for parent process ID for the error message, copy it. If there is no parent process ID, copy the value for
the process ID.

3. Go back and choose Protocol Download Trace .

4. Paste the copied value in the Process ID eld and click Execute.

In the popup, choose a download location for the trace le.

5. If the popup does not appear, but instead you see the error message
The trace does not contain any data for the selected criteria, you need to increase the trace level
as described below under "How to Increase the Trace Level?"

6. After having increased the trace level, you wait for the next execution and check the protocol again for the error
message. Repeat the previous steps to download the trace le.

How to Increase the Trace Level?

1. Open transaction SETD.

2. If you want to increase the trace level due to an issue in the system components, go to System Con guration.

3. If you want to increase the trace level due to an issue in the client components, go to Global Con guration or Local
Con guration depending on the con guration type that is currently active.

4. Select the active con guration name and navigate to Extended Settings. Add an attribute Trace level (higher number
means more traces) and set its value to 3. Allowed are values between 0 and 3.

This is custom documentation. For more information, please visit the SAP Help Portal 12