Author: Divya Mary

Part 7 – API Security Best Practices – Log all API interactions

SAP Cloud Platform, API Management offers many out of the box API Security best practices which can be customized based on your enterprise requirements. These API Security Best Practices include security policies for Authentication and Authorization, Traffic Management and many more.

Collecting and analyzing API logs helps identify the damage caused by an attack and exposes attacks on cloud services. OWASP, which represents a broad consensus about the most critical security risks to web applications, documents the best practices to be followed for API logging.

In this blog we use the Message Logging Policy to log the API interactions happening on SAP Cloud Platform API Management to a Third Party Logging server. We use Loggly as the Third Party Logging server; alternatively, other logging servers like Splunk could be used.

This blog is a continuation of the API Security best practices blog series; the previous blog covered Threat protection against injection attacks for OData/REST APIs.

More best practices covered in API Security Best Practices blog series.


Customer Token from Loggly tenant

  • Sign in to your Loggly tenant.
  • Navigate to the Source Setup and then click on the tab Customer Tokens to fetch your Loggly token. This token is used later in the Message Logging Policy, in the section Log API Interactions.


Launch API Portal


  • Click on the link Access API Portal to open API Portal.

Log API Interactions

In this section we use the Message Logging Policy to log the following API interaction data:

  • API Proxy Name
  • Unique message Id
  • System timestamp
  • Target Response time
  • API Response time

Refer to the Rate limit API calls blog to create an API Proxy to an OData API from SAP Gateway and apply an API rate limit using the Quota policy. In this blog we extend the same API Proxy to log all API interactions to a Third Party Log server.

  • Navigate to Define from the hamburger icon, then select the APIs tab. Select the API Proxy to which API rate limiting was applied.


  • Click on the Policies button of the selected API Proxy.



  • Click on the Edit button in the Policy designer and then, from the Scripts tab, click on the + button to add the JavaScript file that creates the log message data structure.



  • In the Create Script dialog provide the name of the JavaScript file, say logmessage, select Create from the Script drop down and finally click on the Add button.


  • Select the newly added JavaScript file logmessage and in the Script Resource copy paste the following code snippet.

// Gather the interaction data points from the flow variables of this API call
var logdata = {
    requestId : context.getVariable("messageid"),
    currentSystemTime : context.getVariable("system.time"),
    requestStartTime : context.getVariable("client.received.end.time"),
    // time spent waiting for the target (SAP Gateway) to answer
    targetResponseTime : context.getVariable("target.received.end.timestamp") - context.getVariable("target.sent.start.timestamp"),
    // time from receiving the client request until this point in the response flow
    apiResponseTime : context.getVariable("system.timestamp") - context.getVariable("client.received.end.timestamp"),
    targetResponseEndTime : context.getVariable("target.received.end.time")
};
// Store the record as a JSON string in the flow variable that the
// Message Logging Policy below references as {sapapim.logmessage}
context.setVariable("sapapim.logmessage", JSON.stringify(logdata));


In the above JavaScript code snippet we gather some common API interaction data points: the unique request id, the system timestamp, the Target Response Time (from sending the request to the target until its response is received) and the API Response Time (from receiving the client request until the response flow reaches this policy).

Note that the above JavaScript is just a sample snippet; adjust it to log other parameters based on your enterprise needs.
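As an added illustration (not code from the blog or from SAP), the following stand-alone JavaScript mirrors what the logmessage script does against a stub of the policy runtime's context object, and also shows why the timing fields need a guard when a request never reaches the target. It assumes makeContext as the stub and apiproxy.name as the flow variable for the proxy name.

```javascript
// Added example (not from the blog or SAP): a stand-alone model of the logmessage
// script. makeContext is an assumed stub of the policy runtime's context object.
function makeContext(vars) {
  const store = Object.assign({}, vars);
  return { getVariable: (n) => (n in store ? store[n] : null),
           setVariable: (n, v) => { store[n] = v; } };
}

// Difference of two timestamp variables, or null when either is missing (e.g. an
// error flow where the target was never called); plain subtraction would give NaN.
function elapsed(ctx, endVar, startVar) {
  const end = ctx.getVariable(endVar);
  const start = ctx.getVariable(startVar);
  return typeof end === 'number' && typeof start === 'number' ? end - start : null;
}

// Same record as the blog snippet, plus the proxy name (assumed flow variable
// apiproxy.name), stored as JSON in sapapim.logmessage for the logging policy.
function buildLogData(ctx) {
  const logdata = {
    apiProxyName: ctx.getVariable('apiproxy.name'),
    requestId: ctx.getVariable('messageid'),
    currentSystemTime: ctx.getVariable('system.time'),
    requestStartTime: ctx.getVariable('client.received.end.time'),
    targetResponseTime: elapsed(ctx, 'target.received.end.timestamp', 'target.sent.start.timestamp'),
    apiResponseTime: elapsed(ctx, 'system.timestamp', 'client.received.end.timestamp'),
    targetResponseEndTime: ctx.getVariable('target.received.end.time'),
  };
  ctx.setVariable('sapapim.logmessage', JSON.stringify(logdata));
  return logdata;
}

// The syslog line as the policy's <Message> template renders it.
function logglyLine(ctx, token) {
  return '[' + token + '@41058 tag="{}"] ' + ctx.getVariable('sapapim.logmessage');
}

// Constructed sample: one successful call (timestamps are epoch milliseconds).
const okCtx = makeContext({
  'apiproxy.name': 'GatewayServiceRestrictedAccess', 'messageid': 'msg-0001-constructed',
  'system.time': 'Wed, 01 Jan 2020 00:00:01 UTC', 'system.timestamp': 1577836801000,
  'client.received.end.time': 'Wed, 01 Jan 2020 00:00:00 UTC',
  'client.received.end.timestamp': 1577836800000, 'target.sent.start.timestamp': 1577836800100,
  'target.received.end.time': 'Wed, 01 Jan 2020 00:00:00 UTC',
  'target.received.end.timestamp': 1577836800850,
});
// Constructed sample: call rejected before the target (e.g. by Quota), no target.* timestamps.
const rejectedCtx = makeContext({ 'apiproxy.name': 'GatewayServiceRestrictedAccess',
  'messageid': 'msg-0002-constructed', 'system.timestamp': 1577836800030,
  'client.received.end.timestamp': 1577836800000 });
```

Running buildLogData on both contexts shows a 750 ms target time and 1000 ms API time for the successful call, and a null target time (rather than NaN) for the rejected one.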



  • Select PostFlow from the ProxyEndPoint section and then click on the + button next to the JavaScript Policy available under the Extension Policies segment.




  • In the Create policy screen specify the policy name, say generatelogmessage, select Stream as Outgoing Response and then click on the Add button.


  • Select the newly added generatelogmessage policy, then add the following policy snippet to invoke the logmessage JavaScript file.

<Javascript async="false" continueOnError="false" enabled="true" timeLimit="200" xmlns=''>
    <!-- Reference to the logmessage script added under the Scripts tab -->
    <ResourceURL>jsc://logmessage.js</ResourceURL>
</Javascript>



  • Click on the + button next to the Message Logging Policy available under the Extensions Policies segment to log the generated log message to a Third Party logging server.

  • In the Create policy screen specify the policy name, say logToLoggly, select Stream as Outgoing Response and then click on the Add button.



  • Select the newly added logToLoggly policy, then add the following policy snippet to log the generated log data into a Loggly tenant.

<MessageLogging async="false" continueOnError="true" enabled="true" xmlns=''>
    <Syslog>
        <Message>[YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN@41058 tag="{}"] {sapapim.logmessage}</Message>
        <!-- Syslog endpoint of your Loggly tenant (placeholder; take the host from your Loggly source setup) -->
        <Host>YOUR_LOGGLY_SYSLOG_HOST</Host>
        <!-- This is default port value -->
        <Port>514</Port>
    </Syslog>
</MessageLogging>

Note that in this blog we have used Loggly as the third party logging server; alternatively, any other logging server like Splunk can also be used.

  • Edit the policy snippet so that it posts the log message to your Loggly server: replace the text YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN (highlighted in the previous screenshot) with the customer token from your Loggly tenant, as explained in the section Customer Token from Loggly tenant.


  • Click on the Update button to save the Policy changes.


  • Click on the Save button to save the changes to API Proxy.




With this we have successfully applied a Message Logging Policy to log the API interactions to a Third Party logging server like Loggly.


Finally testing the flow


  • Navigate to the Test tab from the hamburger icon.



  • From the APIs list search for the API Proxy that you would like to test, say GatewayServiceRestrictedAccess, and then click the API to test.



  • Click on the Authentication: None link and select Basic Authentication to set the user credentials to connect to the SAP Gateway ES4 system.




  • Click on the Send button to invoke the API.



  • Logon to your Loggly tenant and then click on the Dashboard tab. The latest log message appears in the dashboard.


  • Click on the latest log message, as shown in the screenshot above, to view the log data in detail.


      Eder Torres de Souza

      Hello Divya,

      Thanks for sharing this content with such richness of details. Given that we have tools inside API Portal that help us visualize relevant information about API calls, such as the number of error calls and statistics about usage and traffic, I wonder if there is a way to log the details of the API calls inside the very same API Portal, instead of resorting to an external tool such as Loggly to get this information. Is that possible, or even considered for next releases?



      Divya Mary
      Blog Post Author

      Hi Eder,


      Thanks a lot for the feedback. One way to log API traffic and custom statistics would be to use the Statistics Collector policy; its usage is explained in my colleague Sven's SAP API Management – Custom Dashboard with payload metrics blog.

      We will also share this feedback on having an integrated API log experience with our product team.

      Thanks and Best Regards,



      Rajesh Kumar

      Hi Divya - I tried to log the message as per the above steps, but I don't see any log messages in Loggly. Though my API call is successful, I don't see any further details about the Loggly step either.

      So is there any way to troubleshoot this?

      I checked in debug mode and I don't see any more details over there as well.




      Thanks & Regards



      Divya Mary
      Blog Post Author

      Hi Rajesh,


      It takes a little time to get the logs replicated into the Loggly server and reflected on the Loggly dashboard. Let me know if you are still facing the issues.

      In the message logging policy, the Loggly customer token should be specified in the format [YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN@41058 tag="{}"]

      Thanks and Best Regards,


      Rajesh Kumar

      Hi @Divya Mary - I still don't see the log in the Loggly server. Currently I am using the trial version of Loggly; I hope that shouldn't limit this logging functionality.

      I have specified the token in the format you specified, but still don't see any log event.

      <Message>[4c6b2efe-70ce-XXXX-a7c7-0c37200XXXXX@41058 tag="{}"] {sapapim:logmessage}</Message>

      Am I missing anything here ?



      Divya Mary
      Blog Post Author

      Hi Rajesh,

      Kindly also share the API Management LS details from where you are trying out the message logging policy.

      The configuration looks fine.

      Best Regards,


      Pandey Anuj

      Hi Divya,

      Thanks for giving insight about logging.

      This logging mechanism works fine as long as the API call is successful and the post flow is executed, but it doesn't work if there is any error during API policy and flow execution, where it is really needed.

      I tried to use the post client flow but it doesn't work because apparently the 'post client flow' cannot execute JavaScript.

      May I ask if there is any way to capture logs during error in API management flow?




      Divya Mary
      Blog Post Author

      Hi Anuj,

      One approach for the policies defined in the postflow to be executed in error scenarios would be to set the target endpoint properties for the error status codes 4xx, 5xx along with the success status codes 2xx, 3xx (ref screenshot below). Details of this are available in the wiki.

      Best Regards,



      RAFAEL ASSAYAG

      Hi everybody!


      Is there someone who ever succeeded in getting Loggly's dashboard to present any result after calling the corresponding API in this example?



      Chetan Mhatre

      Hi Divya,

      Apart from Loggly and Splunk, are there any other logging servers that can be used?

      Am I able to log the messages on HANA Cloud? Is it possible?

      Please help.


      Chetan Mhatre

      This is done

      Martin Buselmeier

      Hello Divya,

      Thanks for this great blog series! Do you see a chance to log messages against an on-prem Splunk installation via a Cloud Connector? Our current Splunk installation is not accessible via the Internet.

      I haven't found anything about that in the documentation.

      Bijayashree Banoj Brahma

      Hi Divya,

      I can't see the log in Loggly, even after getting response data.