Introduction
This blogs provide a configuration overview of how to integrate Microsoft Active Directory Service (or any Microsoft Instance) with SAP IT Operations Analytics (SAP ITOA). There are several tools available in the market which forward Windows events to a syslog destination. The target is to forward Windows events to SAP ITOA using the syslog technology.
In SAP ITOA, the attribute editor can be used to define attributes out of the streamed content, which can then be used for analytics in stories and charts. Some configuration examples based on streamed content are also provided below. The described solution was tested with the following component and version:
Component |
Version |
SAP ITOA |
2.2.0 (running on SAP HANA 1.0 SPS12) |
Windows Server |
2012 R2 |
Configuration Steps
Preconditions
- SAP IT Operations Analytics is installed and configured (For more details check the Administration Guide)
- Plugin ITOA Syslog Socket Input and ITOA Attribute Editor are activated
Action |
Create Bucket
Login with an user (Admin or Expert role assigned) to SAP ITOA application (http://<Hostname SAP ITOA>:<Port>/sap/dci/core) and create a new bucket:
Bucket Name |
WINDOWS |
Plugin Activated |
ITOA Syslog Socket Input
ITOA Attribute Editor |
Syslog Server Port |
1521 |
Communication Protocol |
UDP |
Note: For more details check the Administration Guide |
Forward Windows Events
As there are many tools available in the market, this solution description will not mention a specific one. In general the precondition are:
- The tool is able to forward standard Syslog messages (RFC 3164 or RFC 6587) to a desired destination
- The tool offers configuration options for:
- Host Name or IP Address
- Network Port
- Network Protocol (TCP or UDP)
Please configure in the desired tool to forward standard Syslog messages to the SAP ITOA Adapter host name (or IP address), the desired network port (in this example 1521) and network protocol (in this example UDP). Save and activate the configuration changes. |
Verify Data Streaming
Login with an user (Admin or Expert role assigned) to SAP ITOA application (http://<Hostname SAP ITOA>:<Port>/sap/dci/core) and verify if the bucket (WINDOWS) receives Windows messages (Streaming Content). |
Attribute Parsing
In the bucket (Table View) choose (mark) a desired messages and press the button Edit Attributes (former: GET MORE INSIGHTS) and configure the desired attributes.
In the following section one configuration example is described.
Example Event
<38>Apr 24 07:45:28 source-server microsoft-windows-security-auditing[success] 4689 A process has exited.Subject:Security ID:S-1-5-21-521753158-4071250356-2168788496-500Account Name:AdministratorAccount Domain:source-serverLogon ID:0x98989Process Information:Process ID:0x1174Process Name:C:\Windows\System32\wermgr.exeExit Status:0x0
|
Regular Expression
{ms_tag}\[{ms_severity}\] {ms_event_id} .*
|
Attribute Definition
Attribute Name |
SQL DATA Type |
Dimension |
Attribute RegExp |
ms_tag |
NVARCHAR |
100 |
[a-zA-Z-_]* |
ms_severity |
NVARCHAR |
50 |
[a-zA-Z]* |
ms_event_id |
INTEGER |
n/a |
\d+ |
|
Note:
- The attribute hostname is a predefined attribute regular expression, which is not required to be defined.
- Windows Events are organized by using Event ID's. Please check the Microsoft documentation.
|
Further Information
