
Introduction

This blog provides a configuration overview of how to integrate Microsoft Active Directory Service (or any Microsoft instance) with SAP IT Operations Analytics (SAP ITOA). Several tools are available on the market that forward Windows events to a syslog destination. The goal is to forward Windows events to SAP ITOA using syslog.

In SAP ITOA, the attribute editor can be used to define attributes out of the streamed content, which can then be used for analytics in stories and charts. Some configuration examples based on streamed content are also provided below. The described solution was tested with the following components and versions:

Component      | Version
SAP ITOA       | 2.2.0 (running on SAP HANA 1.0 SPS12)
Windows Server | 2012 R2

 

 

Configuration Steps

Preconditions

  • SAP IT Operations Analytics is installed and configured (for more details, check the Administration Guide)
  • The plugins ITOA Syslog Socket Input and ITOA Attribute Editor are activated
Action

Create Bucket

Log in to the SAP ITOA application (http://<Hostname SAP ITOA>:<Port>/sap/dci/core) with a user that has the Admin or Expert role assigned, and create a new bucket:

Bucket Name            | WINDOWS
Plugin Activated       | ITOA Syslog Socket Input, ITOA Attribute Editor
Syslog Server Port     | 1521
Communication Protocol | UDP

   
Note:
For more details check the Administration Guide

Forward Windows Events

As there are many tools available on the market, this solution description does not mention a specific one. In general, the preconditions are:

  • The tool is able to forward standard Syslog messages (RFC 3164 or RFC 6587) to a desired destination
  • The tool offers configuration options for:
    • Host Name or IP Address
    • Network Port
    • Network Protocol (TCP or UDP)

In the chosen tool, configure forwarding of standard Syslog messages to the SAP ITOA Adapter host name (or IP address), using the desired network port (in this example 1521) and network protocol (in this example UDP). Save and activate the configuration changes.

Verify Data Streaming

Log in to the SAP ITOA application (http://<Hostname SAP ITOA>:<Port>/sap/dci/core) with a user that has the Admin or Expert role assigned, and verify that the bucket (WINDOWS) receives Windows messages (Streaming Content).

Attribute Parsing

In the bucket (Table View), select (mark) the desired message, press the Edit Attributes button (formerly GET MORE INSIGHTS), and configure the desired attributes.
The following section describes one configuration example.

Example Event

<38>Apr 24 07:45:28 source-server microsoft-windows-security-auditing[success] 4689 A process has exited.Subject:Security ID:S-1-5-21-521753158-4071250356-2168788496-500Account Name:AdministratorAccount Domain:source-serverLogon ID:0x98989Process Information:Process ID:0x1174Process Name:C:\Windows\System32\wermgr.exeExit Status:0x0
Regular Expression

 {ms_tag}\[{ms_severity}\] {ms_event_id} .*
Attribute Definition

Attribute Name | SQL Data Type | Dimension | Attribute RegExp
ms_tag         | NVARCHAR      | 100       | [a-zA-Z-_]*
ms_severity    | NVARCHAR      | 50        | [a-zA-Z]*
ms_event_id    | INTEGER       | n/a       | \d+

 

Note:

  • The attribute hostname is predefined with its own regular expression, so it does not need to be defined.
  • Windows events are organized by Event IDs. Please check the Microsoft documentation.
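
The attribute definition above can be checked offline before it is entered in the attribute editor. The following Python sketch is an added example, not SAP ITOA code and not part of the original post; it also decodes the RFC 3164 priority value in front of the message. It assumes that each {name} placeholder stands for the regular expression from the Attribute Definition table and that the expression is searched within the message part; the function and variable names are made up for this illustration.

```python
import re

# Attribute regexes copied from the Attribute Definition table on this page.
ATTRIBUTE_REGEX = {
    "ms_tag": r"[a-zA-Z-_]*",
    "ms_severity": r"[a-zA-Z]*",
    "ms_event_id": r"\d+",
}
INTEGER_ATTRIBUTES = {"ms_event_id"}  # SQL data type INTEGER in the table
TEMPLATE = r"{ms_tag}\[{ms_severity}\] {ms_event_id} .*"

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<message>.*)$", re.DOTALL)


def compile_template(template, attribute_regex):
    """Turn each {name} placeholder into a named group (assumed semantics)."""
    def to_group(match):
        return "(?P<%s>%s)" % (match.group(1), attribute_regex[match.group(1)])
    return re.compile(re.sub(r"\{(\w+)\}", to_group, template), re.DOTALL)


def parse_event(line, pattern):
    """Return header fields plus template attributes, or None if no match."""
    header = HEADER.match(line)
    if header is None:
        return None
    body = pattern.search(header.group("message"))
    if body is None:
        return None
    pri = int(header.group("pri"))  # PRI = facility * 8 + severity
    event = {"facility": pri // 8, "severity": pri % 8,
             "timestamp": header.group("timestamp"),
             "hostname": header.group("hostname")}
    for name, value in body.groupdict().items():
        event[name] = int(value) if name in INTEGER_ATTRIBUTES else value
    return event


# The Example Event from this page, cut off after the event description.
SAMPLE = ("<38>Apr 24 07:45:28 source-server "
          "microsoft-windows-security-auditing[success] 4689 A process has exited.")
PATTERN = compile_template(TEMPLATE, ATTRIBUTE_REGEX)

if __name__ == "__main__":
    print(parse_event(SAMPLE, PATTERN))
```

A line that does not carry the tag[severity] id structure returns None, which is a quick way to spot forwarded events the attribute definition would not cover.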

 

 

 

Further Information

Content Type                   | Information
Troubleshooting Guide          | https://launchpad.support.sap.com/#/notes/2435731
Release Note SAP ITOA 2.0 SP03 | https://launchpad.support.sap.com/#/notes/2414432
Administrator Guide            | https://help.sap.com/itoa
Video Feature Demo             | https://www.sap.com/assetdetail/2017/02/a0596bde-a87c-0010-82c7-eda71af511fa.html

 
