06/24/2024 01:08 PM - edited 06/25/2024 06:36 AM
Hello,
We are wanting to have an email kicked off to the account owners in our Firefighter ID (FFID) Audit Logs Analytic. It uses the Elasticsearch Query Json below:
{
"query": {
"match_all": {}
}
}
The issue right now is that it only emails the user group that is the owner of the analytic, which is also what we want, but we also want it to email the account owners for the accounts that appeared on the analytic. Is there a way to configure this?
(EX: If accounts FF_XX_001, FF_XX_002, FF_XX_004 were in the report, then we only want an email sent to the owners of FF_XX_001, FF_XX_002, FF_XX_004. Not FF_XX_003 since no logs were on the report.)
We used this guide below to configure our FFID SAP Audit Logs:
The issue with the second link, is that we have multiple owners, so having the context as "User" will only assign one owner to view these logs, when we need all owners of an account to be able to view it.
06/25/2024 09:10 PM
You can use UNION in query so multiple owners issue will be fixed.
06/26/2024 11:51 AM
@rushikeshvartak Where would that go in this case? Saviynt doesn't let you have SQL queries in Elasticsearch Query JSONs. From my understanding, the query above is pulling data from the log files from the SAP SFTP server.
06/26/2024 04:57 PM
In this case this is not supported please raise idea ticket
06/28/2024 09:03 AM
We are having NEARLY the same issue. Our query below emails only the owner of the FFID... but it emails them ALL the previous records, regardless of whether there are new logs or not, and regardless of whether the previous logs have been acted upon or not.
Analytics Name: Fire Fighter ID - Audit logs - NameOfEndpoint - FF_ALT_FI_P1
Display Name: Fire Fighter ID - Audit logs - NameOfEndpoint - FF_ALT_FI_P1
Analytics Query: { "query": { "bool" : { "must" : [{"match": {"endPoint" : "NameOfEndpoint"}}, {"match": {"ffid" : "FF_ALT_FI_P1"}}] } } }
06/28/2024 09:18 AM - edited 06/28/2024 09:20 AM
I don't think I have run into that issue. What I ended up doing is creating a new analytic that finds sessions that have ended, and then emails all the owners of the FFID to review the logs. Here is my query below:
SELECT
DISTINCT u.username,
a.name AS 'FFID',
fs.account_key,
a.accountkey,
ao.accountkey as 'Account Owner Key',
fs.REQUEST_START_DATE,
fs.REQUEST_END_DATE,
fs.REQUESTED_BY,
fs.TERMINATION_DATE,
fs.FFID_SESSIONKEY
FROM
users u
JOIN accountowners ao ON u.userkey = ao.owneruserkey
JOIN accounts a ON ao.accountkey = a.accountkey
JOIN ffid_sessions fs ON a.accountkey = fs.account_key
WHERE
a.endpointkey = xx
AND a.name LIKE 'FF_%'
AND (
(
fs.TERMINATION_DATE BETWEEN DATE_SUB(CURDATE(), INTERVAL 8 HOUR)
AND CURDATE() + INTERVAL 1 DAY
)
OR (
fs.REQUEST_END_DATE BETWEEN DATE_SUB(CURDATE(), INTERVAL 8 HOUR)
AND CURDATE() + INTERVAL 1 DAY
)
)
AND fs.status = 3;
I did this instead of having an email sent from the Elasticsearch FFID Audit log analytic. @Essence81 would this maybe resolve your issue until Saviynt fixes some of these issues? I am raising an idea here in a moment for some of the PAM stuff.
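The two requirements raised in this thread (notify every owner of an FFID, but only for FFIDs that actually have log entries; and avoid re-sending records that were already reported) can be expressed as a small post-processing step over the analytic's hits. The following is an added example written for this page, not code from the thread or from Saviynt. It assumes Elasticsearch-style hits whose `_source` carries `ffid`, `endPoint` and `@timestamp`, an ownership mapping with several owners per FFID (standing in for the accountowners table), and an optional watermark timestamp of the last notification run; all sample data is constructed.

```python
"""Added example: build per-owner notification batches from FFID audit-log hits.

Assumptions (constructed for this example, not taken from the thread):
- each hit's _source has "ffid", "endPoint" and "@timestamp" (ISO 8601, UTC)
- ownership is a dict ffid -> list of owner usernames (several owners allowed)
- `since` is the timestamp of the last notification run (watermark)
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample hits, shaped like what a match_all query on the
# FFID audit-log index might return.
SAMPLE_HITS = [
    {"_source": {"ffid": "FF_XX_001", "endPoint": "SAP_ECC", "@timestamp": "2024-06-24T08:00:00Z"}},
    {"_source": {"ffid": "FF_XX_001", "endPoint": "SAP_ECC", "@timestamp": "2024-06-24T13:05:00Z"}},
    {"_source": {"ffid": "FF_XX_002", "endPoint": "SAP_ECC", "@timestamp": "2024-06-24T13:10:00Z"}},
    {"_source": {"ffid": "FF_XX_004", "endPoint": "SAP_ECC", "@timestamp": "2024-06-24T09:30:00Z"}},
    # constructed: an FFID that has logs but no owner on file
    {"_source": {"ffid": "FF_XX_009", "endPoint": "SAP_ECC", "@timestamp": "2024-06-24T13:20:00Z"}},
]

# Constructed ownership table: an FFID can have more than one owner.
SAMPLE_OWNERS = {
    "FF_XX_001": ["alice", "bob"],
    "FF_XX_002": ["carol"],
    "FF_XX_003": ["dave"],   # no log entries, so dave must not be emailed
    "FF_XX_004": ["alice"],
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp (with trailing Z) into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_notifications(hits, owners, since=None):
    """Return (owner -> sorted ffids with new entries, sorted list of unowned ffids).

    Entries at or before `since` are skipped, so a run only reports log records
    that arrived after the previous notification.
    """
    new_entries_per_ffid = defaultdict(int)
    for hit in hits:
        src = hit["_source"]
        if since is not None and parse_ts(src["@timestamp"]) <= since:
            continue  # already reported in an earlier run
        new_entries_per_ffid[src["ffid"]] += 1

    per_owner = defaultdict(set)
    unowned = []
    for ffid in sorted(new_entries_per_ffid):
        owner_list = owners.get(ffid)
        if not owner_list:
            # Logs exist for an FFID nobody owns: worth flagging to the
            # analytic's owning group rather than silently dropping.
            unowned.append(ffid)
            continue
        for owner in owner_list:   # every owner, not just the first one
            per_owner[owner].add(ffid)

    return {o: sorted(f) for o, f in sorted(per_owner.items())}, unowned


if __name__ == "__main__":
    last_run = parse_ts("2024-06-24T12:00:00Z")
    batches, orphans = build_notifications(SAMPLE_HITS, SAMPLE_OWNERS, since=last_run)
    for owner, ffids in batches.items():
        print(f"email {owner}: new audit-log entries for {', '.join(ffids)}")
    if orphans:
        print(f"escalate to analytic owners: no account owner for {', '.join(orphans)}")
```

Run without a watermark, the function emails alice about FF_XX_001 and FF_XX_004, bob about FF_XX_001 and carol about FF_XX_002, never dave; with the watermark set to 12:00 UTC, FF_XX_004 drops out because its only entry predates the last run. Persisting the latest `@timestamp` seen as the next run's `since` is what prevents the repeated "all previous records" emails described above.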
07/02/2024 02:24 AM
@aidanryan @Essence81 - I am trying to import audit logs (specifically for firefighter access) from the SAP S/4 HANA system. I have added the AUDIT_LOG_JSON with the JSON for SAP S/4HANA as described in the document below, but I do not think it is importing any audit logs. Can you please let me know what steps we need to take on the Saviynt side to be able to import the complete audit logs?
https://docs.saviyntcloud.com/bundle/SAP-v23x/page/Content/Importing-Audit-Data.htm
07/08/2024 08:49 AM
@shivmano I am using the ECC route at the moment as we have not migrated to S/4 yet. Have you already set up the analytic for the audit logs? Also, check File Directory > Data Files to see if they have been imported. Here are the docs that might help:
Audit Log Configs: https://docs.saviyntcloud.com/bundle/AAG-Guide/page/Content/Emergency-Access-Management-Audit-Import...
07/09/2024 12:14 AM
Thank you for your reply @aidanryan. I have added the AUDIT_LOG_JSON as we are on S/4 and expected the audit files to be imported under File Directory > Data Files after running an import, but it looks like they are not being imported.
Also, I am unable to configure the analytics as described in the link below because, when I try, it says the TEMP_FFID_AUDIT_LOGS table doesn't exist. Hence, I am unable to proceed with setting up the Elasticsearch query as well.
07/09/2024 07:41 AM
@shivmano It should be this search below:
And then the query is just this:
{
"query": {
"match_all": {
}
}
}
As for the import, could you share the job config you have for it along with the JSON in your connection? Also, it looks like they recently updated the documentation on the import portion; do you have a custom function module in S/4 for the audit logs? DOC
07/10/2024 01:42 AM
@aidanryan , I do not see the 'sapauditlogs' indices probably because the audit logs are not imported from S/4. Here is the AUDIT_LOG_JSON that we have in our SAP connector.
{
"IM_TLOG": "X",
"IM_SECURITY_AUDIT_LOG": "X",
"DIALOG_LOGON": "",
"RFC_CPIC_LOGON": "",
"RFC_CALL": "",
"TRANSACTION_START": "",
"REPORT_START": "",
"USER_MASTER_CHANGES": "",
"OTHER_EVENTS": "",
"SYSTEM_EVENTS": "",
"ONLY_CRITICAL": "",
"SEVERE_AND_CRITICAL": "",
"EVERY": "",
"IM_SYSTEM_LOG": "X",
"IM_CLOG": "X",
"IM_DELIMITER": "|",
"IM_WRITE_TO_FILE": "",
"IM_FILE_PATH": "",
"FFID_OWNER_RANK":"1",
"TIME_BUFFER":"0",
"SAP_TIMEZONE":""
}
There is no IM_FILE_PATH defined, as it says we do not need this for S/4. We have shared the SAP custom program bundle that is available in the documentation below with the SAP team. Can you please let me know if this is the custom FM you are referring to?
https://docs.saviyntcloud.com/bundle/SAP-v23x/page/Content/Generating-Firefighter-Reports.htm
I need to know the steps we have to perform on Saviynt to fetch the audit report once the SAP team deploys it on their side for S/4.
Also, is there an additional job I need to run to fetch the audit logs? I assumed that they would be imported with the SAP account import (Application Data Import) job.
07/10/2024 01:51 PM
@shivmano Do you have ALTERNATE_OUTPUT_PARAMETER_ET_DATA set to True? If everything is set up on the S/4 side, then you should be receiving logs in your file directory in Saviynt.
This is what we have for audit log JSON for ECC:
{
"IM_TLOG": "X",
"IM_SECURITY_AUDIT_LOG": "X",
"DIALOG_LOGON": "",
"RFC_CPIC_LOGON": "",
"RFC_CALL": "X",
"TRANSACTION_START": "X",
"REPORT_START": "X",
"USER_MASTER_CHANGES": "X",
"OTHER_EVENTS": "X",
"SYSTEM_EVENTS": "X",
"ONLY_CRITICAL": "",
"SEVERE_AND_CRITICAL": "",
"EVERY": "X",
"IM_SYSTEM_LOG": "X",
"IM_CLOG": "X",
"IM_DELIMITER": "|",
"IM_WRITE_TO_FILE": "X",
"IM_FILE_PATH": "/usr/sap/interfaces/xxx/xxx/xxx/",
"FFID_OWNER_RANK":"1",
"TIME_BUFFER":"0",
"SAP_TIMEZONE":"UTC"
}
Maybe go through and add "X" to some of the values in yours. If the document HERE doesn't say it's ECC only, then I would try adding "X" to the same values we have. This is where it differs for us, since we use ECC in conjunction with an SFTP server to get the logs.
Also, make sure you have the custom table added in your TABLES JSON.
If none of that works, I would suggest creating a ticket with Saviynt on it.
07/11/2024 12:13 AM
Thank you very much for your suggestions @aidanryan. We will proceed with this approach once the setup is done on the S/4 side.
09/09/2024 01:59 PM
I believe the logs won't generate unless the session was initiated from Saviynt via a remote app session (passwordless).
The way it works with ECC, at least, is that when the session is completed (checked in), Saviynt calls that ZSAVIYNT ABAP program with some parameters and it generates a log file that has to be SFTP'd into Saviynt via a job. That was when the index showed up for us, though we needed a different ABAP program provided to us, as the publicly available one wasn't mapping correctly. (Not sure if that's still the case.)
Have you tried launching an FFID session in S4 with tracing on the service account to see if it is making any calls to S4 from Saviynt once the session is checked in?