Developing a clear deployment strategy is the first step toward a successful Google Security Operations for SAP implementation.
This guide helps you:
- Identify the ingestion path for logs from your SAP RISE or self-managed environments.
- Review how SAP logs map to Google SecOps log types.
- Verify infrastructure, network, and SAP software version requirements.
- Understand factors that impact log delivery and latency.
Select your log ingestion path
The ingestion path varies depending on whether SAP manages your environment (SAP RISE) or you manage the landscape yourself (on-premises or any cloud).
The following table summarizes the ingestion path for each SAP environment and log category:
| SAP environment | Log category | Ingestion path |
|---|---|---|
| Managed by SAP (SAP RISE) | Infrastructure logs | SAP LogServ and Google SecOps feeds |
| Managed by SAP (SAP RISE) | Application logs | Application Telemetry Collector, Bindplane agent, and Bindplane server |
| Self-managed | Infrastructure logs | Bindplane agent and Bindplane server |
| Self-managed | Application logs | Application Telemetry Collector, Bindplane agent, and Bindplane server |
For SAP RISE environments
In an SAP RISE environment, the ingestion path depends on the type of logs that you are ingesting.
Infrastructure logs
The ingestion path for RISE infrastructure logs involves the following stages:
- Log extraction: SAP LogServ writes infrastructure logs to cloud-based storage, such as Cloud Storage, Amazon S3, or Azure Blob Storage.
- Transfer: SAP LogServ triggers an event-driven notification to alert Google SecOps that new data is available.
- Parsing: Google SecOps feeds pull the logs from the storage bucket and normalize them into the UDM format by using the standard SAP parsers.
Application logs
The ingestion path for RISE application logs involves the following stages:
- Log extraction: The Application Telemetry Collector connects to the SAP RISE environment by using the RFC protocol to extract application logs.
- Transfer: The collector forwards the logs to the Bindplane server, which batches and sends them to Google SecOps.
- Parsing: Google SecOps processes the incoming logs and normalizes the data into the UDM format by using the standard SAP parsers.
For self-managed environments
For environments where you manage the infrastructure, the ingestion path depends on the type of logs that you are ingesting.
Infrastructure logs
The ingestion path for self-managed infrastructure logs involves the following stages:
- Log extraction: The Bindplane agent, which is installed on each SAP host, tails local infrastructure logs.
- Transfer: The agent forwards the logs to the central Bindplane server, which sends them to Google SecOps.
- Parsing: Google SecOps processes the incoming logs and normalizes the data into the UDM format by using the standard SAP parsers.
Application logs
The ingestion path for self-managed application logs involves the following stages:
- Log extraction: The Application Telemetry Collector connects to your self-managed SAP instances through the RFC protocol to extract application logs.
- Transfer: The collector forwards the logs to the Bindplane server, which batches and sends them to Google SecOps.
- Parsing: Google SecOps processes the incoming logs and normalizes the data into the UDM format by using the standard SAP parsers.
Review supported log sources
The following table provides the mapping between your SAP log sources, their typical locations, and the corresponding Google SecOps log types.
| Log category | SAP log source | Log location (Self-managed) | SecOps log type |
|---|---|---|---|
| Infrastructure | SAP ICM Logs | /usr/sap/SID/DINSTANCE_NUMBER/work/dev_icm | SAP_ICM |
| Infrastructure | SAP Gateway Logs | /usr/sap/SID/DINSTANCE_NUMBER/work/dev_rd | SAP_GATEWAY |
| Infrastructure | SAP Web Dispatcher Logs | /usr/sap/SID/WINSTANCE_NUMBER/work/dev_webdisp | SAP_WEBDISP |
| Infrastructure | SAP HANA Audit Logs | /usr/sap/SID/HDBINSTANCE_NUMBER/HOSTNAME/trace/audit_log_backup.csv | SAP_HANA_AUDIT |
| Application | Change Document Logs | Database tables CDHDR and CDPOS | SAP_CHANGE_DOCUMENT |
| Application | Security Audit Logs | File system | SAP_SECURITY_AUDIT |
Verify technical requirements
Before you begin the ingestion process, verify that your SAP instances and hosting infrastructure meet the following technical specifications.
System and version requirements
Verify that your SAP systems meet the following minimum SAP NetWeaver version requirements for infrastructure and application logs:
| Component | Minimum version | Notes |
|---|---|---|
| SAP NetWeaver | SAP_BASIS 7.00 | Required to ingest infrastructure logs. |
| SAP NetWeaver | SAP_BASIS 7.50 | Required to ingest application logs. |
Infrastructure requirements
The following requirements apply to the host machine running the Application Telemetry Collector and Bindplane components.
| Requirement | Specification | Notes |
|---|---|---|
| Operating system | Debian 11 or later, Ubuntu 22.04 or later | Supported OS for the log collector and agents. |
| Container runtime | Docker Engine 20.10 or later | Required for the containerized log collector. |
Network and connectivity
Ensure your network architecture allows for the following traffic flows:
- A direct network connection, such as VPC, Cloud Interconnect, or VPN, to each SAP application server from the Application Telemetry Collector, which acts as an RFC client.
- Outbound access from the host that runs the Application Telemetry Collector to the following ports on your SAP application servers:
| Port | Description |
|---|---|
| 32INSTANCE_NUMBER | Standard SAP Gateway, where INSTANCE_NUMBER is the SAP instance number. |
| 33INSTANCE_NUMBER | SAP Gateway for secured communication, required when using Secure Network Communication (SNC). |
Bindplane agent and collector connectivity
Ensure your network architecture allows for the following traffic flows for management functions and log data transfer:
- Agent management: All Bindplane agents, whether installed on SAP hosts or collector hosts, must have outbound connectivity to the Bindplane server host on port 3001 (OpAMP). This connection is required to manage configurations, apply updates, and monitor agent health.
- Log data transfer: The Application Telemetry Collector must have outbound connectivity to the host where the Bindplane agent is deployed on the following ports:
  - Port 4317 (gRPC): OTLP data ingestion port. Required for the collector to forward logs to the agent.
  - Port 4318 (HTTP): OTLP data ingestion port, as an alternative to gRPC.
If you are running the Bindplane agent on the same host as the Application Telemetry Collector, you must enable both the IPv4 loopback (127.0.0.1) and IPv6 loopback (::1) interfaces on the host.
Egress to Google Cloud
The collector and agents require outbound access to the following Google Cloud API endpoints on port 443 (HTTPS). You can establish this connectivity through the public internet or through Private Google Access for hosts without an external IP address.
| Service | Purpose | Destination / Endpoint |
|---|---|---|
| Cloud Storage API | Reading configuration and SAP Java Connector (JCo) libraries, and writing ingestion state. | storage.googleapis.com (Port 443) |
| Google SecOps API | Sending logs to the Google SecOps API. | malachiteingestion-pa.googleapis.com (Port 443) |
| Secret Manager API | Retrieving SAP or API credentials. | secretmanager.googleapis.com (Port 443) |
| Cloud Monitoring API | Sending health and performance metrics for the collector. | monitoring.googleapis.com (Port 443) |
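The three connectivity sections above (SAP Gateway ports 32NN and 33NN, Bindplane OpAMP on 3001, OTLP on 4317 and 4318, and the four Google API endpoints on 443) are easiest to verify from the collector host before anything is installed. The following Python script is an added example, not tooling from this page, from Google, or from Bindplane: it derives the gateway ports from the instance number, builds the full list of targets, attempts a TCP connection to each, and checks that both loopback interfaces accept a bind. The host names in the usage section are constructed placeholders.

```python
"""Pre-deployment connectivity check for the Google SecOps for SAP collector host.

Added example, not Google's or Bindplane's own tooling. Port numbers and API
endpoints come from the deployment guide; host names below are constructed
placeholders for your own landscape.
"""
import socket
from typing import Dict, List, Tuple

# Google Cloud API endpoints the collector and agents reach on 443 (per the guide).
GOOGLE_ENDPOINTS = (
    "storage.googleapis.com",
    "malachiteingestion-pa.googleapis.com",
    "secretmanager.googleapis.com",
    "monitoring.googleapis.com",
)
BINDPLANE_OPAMP_PORT = 3001   # agent management (OpAMP)
OTLP_GRPC_PORT = 4317         # collector -> agent, gRPC
OTLP_HTTP_PORT = 4318         # collector -> agent, HTTP alternative

Target = Tuple[str, str, int]  # (label, host, port)


def sap_gateway_ports(instance_number: str) -> Dict[str, int]:
    """Derive the SAP Gateway ports for a two-digit instance number:
    32NN is the standard gateway, 33NN the SNC-secured gateway."""
    if not (len(instance_number) == 2 and instance_number.isdigit()):
        raise ValueError("SAP instance number must be two digits, for example '00'")
    return {
        "gateway": int("32" + instance_number),
        "gateway_snc": int("33" + instance_number),
    }


def plan_targets(sap_hosts: List[str], instance_number: str,
                 bindplane_server: str, agent_host: str,
                 use_snc: bool = True) -> List[Target]:
    """List every (label, host, port) the collector host must be able to reach."""
    ports = sap_gateway_ports(instance_number)
    targets: List[Target] = []
    for host in sap_hosts:
        targets.append(("sap-gateway", host, ports["gateway"]))
        if use_snc:  # 33NN is only needed when SNC is in use
            targets.append(("sap-gateway-snc", host, ports["gateway_snc"]))
    targets.append(("bindplane-opamp", bindplane_server, BINDPLANE_OPAMP_PORT))
    targets.append(("otlp-grpc", agent_host, OTLP_GRPC_PORT))
    targets.append(("otlp-http", agent_host, OTLP_HTTP_PORT))
    for endpoint in GOOGLE_ENDPOINTS:
        targets.append(("google-api", endpoint, 443))
    return targets


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def loopback_ready() -> Dict[str, bool]:
    """Check that both loopback interfaces accept a bind: the guide requires
    127.0.0.1 and ::1 when the agent and the collector share a host."""
    status: Dict[str, bool] = {}
    for label, family, addr in (("ipv4", socket.AF_INET, "127.0.0.1"),
                                ("ipv6", socket.AF_INET6, "::1")):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.bind((addr, 0))
            status[label] = True
        except OSError:
            status[label] = False
    return status


def run_checks(targets: List[Target]) -> List[Tuple[str, str, int, bool]]:
    """Attempt every target and return (label, host, port, reachable)."""
    return [(label, host, port, tcp_reachable(host, port))
            for label, host, port in targets]


if __name__ == "__main__":
    # Constructed placeholder hosts; replace with your own landscape.
    plan = plan_targets(["sapapp01.example.internal", "sapapp02.example.internal"],
                        "00", "bindplane.example.internal", "127.0.0.1")
    for label, host, port, ok in run_checks(plan):
        print(f"{'OK  ' if ok else 'FAIL'} {label:16} {host}:{port}")
    print("loopback:", loopback_ready())
```

Run it on the collector host with your own host names. A FAIL on a Google endpoint usually points to a missing Private Google Access configuration or egress firewall rule; a FAIL on 33NN only matters if you intend to use SNC. A completed handshake proves the network path exists, not that the SAP system accepts the RFC user or certificate, so the SAP authorization steps below still need their own verification.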
SAP authorizations
Create a dedicated SAP service user to extract application logs. The service user requires the following authorizations and configurations:
- Service user: Create a dedicated service user that the Application Telemetry Collector uses to call Remote Function Modules in SAP. Make a note of the user ID and password.
- Custom role: Assign a custom role with S_RFC authorizations strictly limited to the required function modules: RSAU_API_GET_LOG_DATA and RFC_READ_TABLE.
- Secure Network Communication (SNC) (Highly recommended): Use X.509 certificates for mutual authentication to eliminate the need for static passwords.
For more information on configuring these requirements, see Prepare your environment for log ingestion.
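The custom-role rule above (S_RFC limited to exactly RSAU_API_GET_LOG_DATA and RFC_READ_TABLE) is easy to state and easy to loosen unnoticed, for example with a wildcard RFC_NAME or a function-group grant. The following Python audit is an added example, not from this page or from Google: it reads rows modeled loosely on SAP's AGR_1251 role-authorization table (the fields assumed are AGR_NAME, OBJECT, FIELD, LOW, and HIGH) and reports every S_RFC value that goes beyond the two required modules, as well as a role that is missing one of them. The role names and rows are constructed sample data.

```python
"""Least-privilege audit of a collector service user's S_RFC grants.

Added example, not part of the deployment guide or of Google's tooling. Row
layout is modeled loosely on SAP's AGR_1251 table; all rows are constructed.
"""
from typing import Dict, Iterable, List

# The only function modules the guide requires the collector to call.
ALLOWED_FUNCTION_MODULES = {"RSAU_API_GET_LOG_DATA", "RFC_READ_TABLE"}
EXECUTE = "16"  # ACTVT value for "Execute" on S_RFC


def row(role: str, field: str, low: str, high: str = "") -> Dict[str, str]:
    """Build one constructed S_RFC authorization row for a role."""
    return {"AGR_NAME": role, "OBJECT": "S_RFC", "FIELD": field,
            "LOW": low, "HIGH": high}


# Constructed sample: one strictly scoped role and one over-broad shortcut role.
SAMPLE_ROWS = [
    row("ZSECOPS_COLLECTOR", "RFC_TYPE", "FUNC"),
    row("ZSECOPS_COLLECTOR", "RFC_NAME", "RSAU_API_GET_LOG_DATA"),
    row("ZSECOPS_COLLECTOR", "RFC_NAME", "RFC_READ_TABLE"),
    row("ZSECOPS_COLLECTOR", "ACTVT", EXECUTE),
    row("ZSECOPS_WIDE", "RFC_TYPE", "FUGR"),   # function-group level
    row("ZSECOPS_WIDE", "RFC_NAME", "*"),      # every module
    row("ZSECOPS_WIDE", "ACTVT", EXECUTE),
]


def audit_s_rfc(rows: Iterable[Dict[str, str]], role: str) -> List[str]:
    """Return findings for the role's S_RFC grants; empty means strictly scoped."""
    findings: List[str] = []
    names = set()
    for r in rows:
        if r["AGR_NAME"] != role or r["OBJECT"] != "S_RFC":
            continue
        field, low, high = r["FIELD"], r["LOW"], r.get("HIGH", "")
        if high:
            # A LOW-HIGH range is an interval of names, not an explicit allowlist.
            findings.append(f"range on {field}: {low}-{high} is not a strict allowlist")
        if field == "RFC_NAME":
            names.add(low)
            if "*" in low:
                findings.append(f"wildcard RFC_NAME '{low}' grants far more than the two required modules")
            elif low not in ALLOWED_FUNCTION_MODULES:
                findings.append(f"RFC_NAME '{low}' is not required by the collector")
        elif field == "RFC_TYPE" and low != "FUNC":
            findings.append(f"RFC_TYPE '{low}' grants at function-group level; use FUNC for per-module scoping")
        elif field == "ACTVT" and low != EXECUTE:
            findings.append(f"ACTVT '{low}' is not Execute ({EXECUTE})")
    if not names:
        findings.append("role grants no RFC_NAME values; the collector could not call anything")
    else:
        missing = ALLOWED_FUNCTION_MODULES - names
        if missing and not any("*" in n for n in names):
            findings.append("required module(s) missing: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for role in ("ZSECOPS_COLLECTOR", "ZSECOPS_WIDE"):
        result = audit_s_rfc(SAMPLE_ROWS, role)
        print(role, "OK" if not result else "")
        for finding in result:
            print("  -", finding)
```

Feed it an export of the role's S_RFC rows from the development system before transport; the strict role returns no findings, while the wildcard role is reported twice (function-group level and wildcard name). S_RFC only gates the call itself; RFC_READ_TABLE applies its own table-level authorization check, so the same role should scope that to the CDHDR and CDPOS tables the page lists as the change-document source.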
Log delivery expectations
When planning your SIEM operations, consider the end-to-end latency for log delivery. Log delivery times vary based on several factors:
- SAP RISE delivery: The time required for SAP LogServ to write logs to the storage bucket.
- Notification processing and polling: The time required for the notification mechanism, such as Pub/Sub, to alert Google SecOps, or the frequency at which Google SecOps feeds or agents poll for new data.
- Feed processing: The time required for the Google SecOps ingestion pipeline to parse and normalize the logs by using the standard SAP parsers.
In most cases, logs appear for search and detection in near real time, often within minutes of the event occurring in the SAP system.
Get support
For issues related to Google SecOps for SAP, contact Google SecOps support. Our team provides assistance or guides you to the right resource to help ensure a timely resolution.
For issues involving SAP systems or the LogServ service, contact SAP support. For issues related to other third-party products, such as Bindplane, contact the appropriate third-party vendor for assistance.
Get technical answers and peer support in the Google SecOps Community.
Further reading
For more information about using Bindplane and Google SecOps, see the following documentation:
- Google SecOps: Use Bindplane for ingestion
- Google SecOps: Data processing pipeline
- Bindplane documentation
What's next
- Prepare your environment for log ingestion
- Set up log ingestion for SAP RISE
- Set up log ingestion for self-managed SAP systems