
Elasticsearch Query Json for SAP Audit Logs

aidanryan
New Contributor III

Hello,

We are wanting to have an email kicked off to the account owners in our Firefighter ID (FFID) Audit Logs Analytic. It uses the Elasticsearch Query Json below:

 

{
  "query": {
    "match_all": {}
  }
}

 

The issue right now is that it only emails the user group that is the owner of the analytic, which is also what we want, but we also want it to email the account owners for the accounts that appeared on the analytic. Is there a way to configure this? 

(EX: If accounts FF_XX_001, FF_XX_002, FF_XX_004 were in the report, then we only want an email sent to the owners of FF_XX_001, FF_XX_002, FF_XX_004. Not FF_XX_003 since no logs were on the report.)

We used this guide below to configure our FFID SAP Audit Logs:

https://docs.saviyntcloud.com/bundle/AAG-Guide/page/Content/Emergency-Access-Management-Audit-Report...

https://docs.saviyntcloud.com/bundle/AAG-Guide/page/Content/Emergency-Access-Management-Firefighter-... 

The issue with the second link is that we have multiple owners, so having the context as "User" will only assign one owner to view these logs, when we need all owners of an account to be able to view it.

 


rushikeshvartak
All-Star

You can use UNION in the query so the multiple-owners issue will be fixed.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak  Where would that go in this case? Saviynt doesn't let you have SQL queries in Elasticsearch Query JSONs. From my understanding, the query above is pulling data from the log files from the SAP SFTP server.

In this case this is not supported; please raise an idea ticket.


Essence81
New Contributor

We are having NEARLY the same issue. Our query below emails only the owner of the FFID... but it emails them ALL the previous records, regardless of whether there are new logs or not, and regardless of whether the previous logs have been acted upon or not.

Analytics Name

Fire Fighter ID - Audit logs - NameOfEndpoint -  FF_ALT_FI_P1

Display Name

Fire Fighter ID - Audit logs - NameOfEndpoint -  FF_ALT_FI_P1

Analytics Query

{
  "query": {
    "bool": {
      "must": [
        {"match": {"endPoint": "NameOfEndpoint"}},
        {"match": {"ffid": "FF_ALT_FI_P1"}}
      ]
    }
  }
}

aidanryan
New Contributor III

I don't think I have run into that issue. What I ended up doing is creating a new analytic that finds sessions that ended, and then emails all the owners of the FFID to review the logs. Here is my query below:

 

SELECT
    DISTINCT u.username,
    a.name AS 'FFID',
    fs.account_key,
    a.accountkey,
    ao.accountkey as 'Account Owner Key',
    fs.REQUEST_START_DATE,
    fs.REQUEST_END_DATE,
    fs.REQUESTED_BY,
    fs.TERMINATION_DATE,
    fs.FFID_SESSIONKEY
FROM
    users u
    JOIN accountowners ao ON u.userkey = ao.owneruserkey
    JOIN accounts a ON ao.accountkey = a.accountkey
    JOIN ffid_sessions fs ON a.accountkey = fs.account_key
WHERE
    a.endpointkey = xx
    AND a.name LIKE 'FF_%'
    AND (
        (
            fs.TERMINATION_DATE BETWEEN DATE_SUB(CURDATE(), INTERVAL 8 HOUR)
            AND CURDATE() + INTERVAL 1 DAY
        )
        OR (
            fs.REQUEST_END_DATE BETWEEN DATE_SUB(CURDATE(), INTERVAL 8 HOUR)
            AND CURDATE() + INTERVAL 1 DAY
        )
    )
    AND fs.status = 3;

 

I did this instead of having an email sent from the Elasticsearch FFID Audit log analytic. @Essence81 would this maybe resolve your issue until Saviynt fixes some of these issues? I am raising an idea here in a moment for some of the PAM stuff.
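The routing problem raised in this thread (notify only the owners of the FFIDs that actually appear in the report, and do not re-send records that were already reviewed) is easy to express outside the analytic itself. The following is an added example written for this thread, not code from Saviynt or from any poster: it builds a bool query filtering on the `endPoint` and `ffid` fields used in the query posted above, optionally adds a time window, and then maps the returned hits to owners. The `@timestamp` field name, the owner mapping and the sample hits are constructed assumptions; the owner data would come from `accountowners` in the real setup. Accounts with hits but no owner on record are reported separately, since an unowned firefighter account is a control gap rather than something to drop silently.

```python
"""Route FFID audit-log notifications to the owners of accounts that appear in
the report. Added example for illustration; not Saviynt or forum-poster code.

Field names endPoint and ffid are taken from the query posted in the thread.
The @timestamp field, the owner mapping and the sample hits are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_ffid_query(endpoint, ffids, since=None, timestamp_field="@timestamp"):
    """Return an Elasticsearch query body matching audit-log documents for the
    given endpoint and FFIDs. When `since` is given, only documents newer than
    that instant are matched, so already-reviewed logs are not re-sent."""
    must = [
        {"match": {"endPoint": endpoint}},
        {"terms": {"ffid": sorted(ffids)}},
    ]
    if since is not None:
        # Assumed timestamp field name: adjust to what the index actually uses.
        must.append({"range": {timestamp_field: {"gte": since.isoformat()}}})
    return {"query": {"bool": {"must": must}}}


def owners_to_notify(hits, owners_by_ffid):
    """Return (notify, unowned).

    notify  maps each owner to the sorted FFIDs of theirs that appeared in hits;
            owners whose FFIDs had no hits are absent, so they get no email.
    unowned lists FFIDs that appeared in hits but have no owner on record.
    """
    seen = set()
    for hit in hits:
        ffid = hit.get("_source", {}).get("ffid")
        if ffid:
            seen.add(ffid)
    notify = defaultdict(set)
    unowned = []
    for ffid in sorted(seen):
        owners = owners_by_ffid.get(ffid)
        if not owners:
            unowned.append(ffid)
            continue
        for owner in owners:
            notify[owner].add(ffid)
    return {owner: sorted(ffids) for owner, ffids in notify.items()}, unowned


# Constructed sample data: three FFIDs with activity, FF_XX_003 with none.
SAMPLE_HITS = [
    {"_source": {"endPoint": "NameOfEndpoint", "ffid": "FF_XX_001", "@timestamp": "2024-07-09T10:00:00Z"}},
    {"_source": {"endPoint": "NameOfEndpoint", "ffid": "FF_XX_002", "@timestamp": "2024-07-09T10:05:00Z"}},
    {"_source": {"endPoint": "NameOfEndpoint", "ffid": "FF_XX_001", "@timestamp": "2024-07-09T10:10:00Z"}},
    {"_source": {"endPoint": "NameOfEndpoint", "ffid": "FF_XX_004", "@timestamp": "2024-07-09T10:20:00Z"}},
]
SAMPLE_OWNERS = {
    "FF_XX_001": ["alice", "bob"],
    "FF_XX_002": ["bob"],
    "FF_XX_003": ["carol"],  # no logs in the report, so carol is not emailed
    # FF_XX_004 deliberately has no owner on record
}


if __name__ == "__main__":
    window_start = datetime.now(timezone.utc) - timedelta(hours=8)
    query = build_ffid_query("NameOfEndpoint", SAMPLE_OWNERS, since=window_start)
    print(json.dumps(query, indent=2))
    notify, unowned = owners_to_notify(SAMPLE_HITS, SAMPLE_OWNERS)
    for owner, ffids in notify.items():
        print(f"email {owner}: review logs for {', '.join(ffids)}")
    if unowned:
        print("no owner on record for:", ", ".join(unowned))
```

The 8-hour window mirrors the `DATE_SUB(CURDATE(), INTERVAL 8 HOUR)` bound in the SQL analytic above; in practice the lower bound should be the time of the last successful run rather than a fixed offset, or a run that is skipped will leave a gap.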

shivmano
Regular Contributor III

@aidanryan @Essence81 - I am trying to import audit logs (specifically for firefighter access) from the SAP S/4 HANA system. I have added the AUDIT_LOG_JSON with the JSON for SAP S/4HANA as described in the document below, but I do not think it is importing any audit logs. Can you please let me know what steps we need to take on the Saviynt side to be able to import the complete audit logs?

https://docs.saviyntcloud.com/bundle/SAP-v23x/page/Content/Importing-Audit-Data.htm 

aidanryan
New Contributor III

@shivmano I am using the ECC route at the moment as we have not migrated to S/4 yet. Have you already set up the analytic for the audit logs? Also, check File Directory > Data Files to see if they have been imported. Here are the docs that might help:

 

Analytic: https://docs.saviyntcloud.com/bundle/AAG-Guide/page/Content/Emergency-Access-Management-Audit-Report... 

Audit Log Configs: https://docs.saviyntcloud.com/bundle/AAG-Guide/page/Content/Emergency-Access-Management-Audit-Import... 

 

shivmano
Regular Contributor III

Thank you for your reply @aidanryan. I have added the AUDIT_LOG_JSON as we are on S/4 and expected the audit files to be imported under File Directory > Data Files after running an import, but it looks like they are not being imported.

Also, I am unable to configure the analytics as described in the link below because, when I try, it says the TEMP_FFID_AUDIT_LOGS table doesn't exist. Hence, I am unable to proceed with setting up the Elasticsearch query as well.

https://docs.saviyntcloud.com/bundle/AAG-Guide/page/Content/Emergency-Access-Management-Audit-Report... 

aidanryan
New Contributor III

@shivmano It should be this search below:

[Screenshot: aidanryan_0-1720535824274.png]

And then the query is just this:

{
  "query": {
    "match_all": {}
  }
}
 

As for the import, could you share the job config you have for it along with the JSON in your connection? Also, it looks like they recently updated the documentation on the import portion; do you have a custom function module in S/4 for the audit logs? DOC

shivmano
Regular Contributor III

@aidanryan , I do not see the 'sapauditlogs' indices probably because the audit logs are not imported from S/4. Here is the AUDIT_LOG_JSON that we have in our SAP connector. 

 

 

{
  "IM_TLOG": "X",
  "IM_SECURITY_AUDIT_LOG": "X",
  "DIALOG_LOGON": "",
  "RFC_CPIC_LOGON": "",
  "RFC_CALL": "",
  "TRANSACTION_START": "",
  "REPORT_START": "",
  "USER_MASTER_CHANGES": "",
  "OTHER_EVENTS": "",
  "SYSTEM_EVENTS": "",
  "ONLY_CRITICAL": "",
  "SEVERE_AND_CRITICAL": "",
  "EVERY": "",
  "IM_SYSTEM_LOG": "X",
  "IM_CLOG": "X",
  "IM_DELIMITER": "|",
  "IM_WRITE_TO_FILE": "",
  "IM_FILE_PATH": "",
  "FFID_OWNER_RANK": "1",
  "TIME_BUFFER": "0",
  "SAP_TIMEZONE": ""
}

 

There is no IM_FILE_PATH defined, as it says that for S/4 we do not need this. We have shared the SAP custom program bundle that is available in the documentation below with the SAP team. Can you please let me know if this is the custom FM you are referring to?

https://docs.saviyntcloud.com/bundle/SAP-v23x/page/Content/Generating-Firefighter-Reports.htm 

I need to know the steps that we have to perform on Saviynt to fetch the audit report once the SAP team deploys it on their side for S/4.

Also, is there an additional job I need to run to fetch the audit logs? I assumed that they would be imported with the SAP account import (Application Data Import) job.

aidanryan
New Contributor III

@shivmano Do you have ALTERNATE_OUTPUT_PARAMETER_ET_DATA set to True? If everything is set up on the S/4 side, then you should be receiving logs in your file directory in Saviynt.

[Screenshot: aidanryan_0-1720644217564.png]

This is what we have for audit log JSON for ECC:

{
  "IM_TLOG": "X",
  "IM_SECURITY_AUDIT_LOG": "X",
  "DIALOG_LOGON": "",
  "RFC_CPIC_LOGON": "",
  "RFC_CALL": "X",
  "TRANSACTION_START": "X",
  "REPORT_START": "X",
  "USER_MASTER_CHANGES": "X",
  "OTHER_EVENTS": "X",
  "SYSTEM_EVENTS": "X",
  "ONLY_CRITICAL": "",
  "SEVERE_AND_CRITICAL": "",
  "EVERY": "X",
  "IM_SYSTEM_LOG": "X",
  "IM_CLOG": "X",
  "IM_DELIMITER": "|",
  "IM_WRITE_TO_FILE": "X",
  "IM_FILE_PATH": "/usr/sap/interfaces/xxx/xxx/xxx/",
  "FFID_OWNER_RANK": "1",
  "TIME_BUFFER": "0",
  "SAP_TIMEZONE": "UTC"
}

Maybe go through and add "X" to some of the values in yours. If the document HERE doesn't say a setting is ECC only, then I would try adding "X" to the same values we have. This is where it differs for us, since we use ECC in conjunction with an SFTP server to get the logs.

 

Also, make sure you have the custom table added in your TABLES JSON.

[Screenshot: aidanryan_1-1720644688790.png]

If none of that works, I would suggest creating a ticket with Saviynt on it.

shivmano
Regular Contributor III

Thank you very much for your suggestions @aidanryan. We will proceed with this approach once the setup is done on the S/4 side.

JohnLawson
Regular Contributor

I believe the logs won't generate unless the session was initiated from Saviynt via a remote app session (passwordless).

The way it works with ECC at least is when the session is completed (checked in) Saviynt calls that ZSAVIYNT ABAP program with some parameters and it generates a log file that has to be SFTP'd into Saviynt via a job. That was when the index showed up for us, though we needed a different ABAP program provided to us as the publicly available one wasn't mapping correctly. (Not sure if that's still the case).

Have you tried launching an FFID session in S4 with tracing on the service account to see if it is making any calls to S4 from Saviynt once the session is checked in?