Using Audit Logs and System Logs

Advanced event mesh for SAP Integration Suite provides ways for you to receive logs and be notified of system events that occur. Depending on your deployment and your security policies, you may want to consider how to integrate these into your existing security infrastructure. For more information about logs that you can use for security audits, see Audit Logs.

In addition to overall audit logs in the Cloud Console, there are system logs available for each event broker service. These are useful for you to monitor the activities, performance, capacity, or operations that occur on your event broker services. You can access these logs in two ways:

  • Using the Syslog Forwarding feature, where the event broker services can be configured to forward logs to target servers you own. For more information, see Event Broker Service Logs.
  • Using Insights Advanced Monitoring to access the logs collected from the central monitoring service. For more information, see Insights.

Audit Logs

The audit logs provide records of user activity for security and compliance for your advanced event mesh enterprise account. You can view, monitor, and track the sequence of the following activities in the Cloud Console:

  • IAM operations, such as user login
  • user management activities, such as user activation or role changes
  • event broker service lifecycle events, such as creation, modification, or deletion

With correctly authenticated and authorized users (including administrators), you have a system that provides access to only those individuals who have the correct, pre-defined privileges. To ensure that the system authenticates and authorizes the right individuals, the system logs events such as brute force password attacks in addition to expected access to data and configuration changes.

You can view, filter, and download audit logs from advanced event mesh to monitor what occurs on your system. For more information, see Using Audit Logs.

Event Broker Service Logs

System logs are useful to understand the operations that occur on event broker services. These include system, Message VPN, and client logs. You can forward these logs to your own monitoring system to manage the health of your system. For more information, see Forwarding Logs to an External System.

The same logs are used by Insights, which permits you to monitor the health of your event broker services in your account (in addition to other useful monitoring features). For more information, see Insights.

A subset of the event broker service logs is collected and sent to our central monitoring system, which SAP uses to monitor the health of your event broker services.

There are more logs available from the event broker services. You can use the Syslog Forwarding feature to enable the distribution of these logs in the Cloud Console.

Only the limited set of logs required for advanced event mesh to function correctly is collected, as follows:

  • command.log — An audit log of all administrative commands run on the event broker service. The command action is logged and includes the user account that issued the command as well as the IP address of the connection from where the command was issued.
  • system.log — A notification log for significant system-level health events (e.g., redundancy state changes). For a summary of the logs that are collected, see System Logs Collected.
  • gather-diagnostics — A diagnostics dump of the system state and the logs that can be used to assist in troubleshooting issues.
  • System metrics — Metrics for capacity monitoring and planning. The central monitoring service collects various logs from the event broker services. These logs are used for notifications and for advanced monitoring through Insights. For details on the information collected, see Metrics Collected.
  • Heartbeats — Health checks for various components of the event broker services are logged.
  • Response codes and status — For Home Cloud actions (upgrades, service creation, deletion, etc.), confirmation as to whether the action completed as intended is collected.
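
As an added example (not part of the SAP documentation or product code), the following Python shows one way to review forwarded command.log entries using the two fields the command.log entry above names: the user account and the source IP address of the connection. The record field names, the sample records, the placeholder command strings, and the approved network range are constructed assumptions; the actual command.log line format is not shown on this page, so the records are assumed to be already parsed by your log pipeline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, NOT real command.log output. The field names
# (ts, user, src_ip, command) are assumptions about what your syslog pipeline
# extracts; the command strings are placeholders, not real broker commands.
SAMPLE = [
    {"ts": "2024-05-01T09:00:00Z", "user": "ops-admin", "src_ip": "10.20.0.15", "command": "placeholder-command-a"},
    {"ts": "2024-05-01T09:05:00Z", "user": "ops-admin", "src_ip": "10.20.0.15", "command": "placeholder-command-b"},
    {"ts": "2024-05-01T23:40:00Z", "user": "ops-admin", "src_ip": "203.0.113.7", "command": "placeholder-command-c"},
    {"ts": "2024-05-02T08:00:00Z", "user": "deploy-bot", "src_ip": "10.20.1.9", "command": "placeholder-command-a"},
    {"ts": "2024-05-02T08:01:00Z", "user": "deploy-bot", "src_ip": "10.20.0.15", "command": "placeholder-command-a"},
    {"ts": "2024-05-02T08:02:00Z", "user": "ops-admin", "src_ip": "not-an-ip", "command": "placeholder-command-a"},
]


def review_commands(records, approved_networks):
    """Return (ts, user, src_ip, reason) for administrative commands that
    deserve a second look, based on the account and its source address."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    seen = defaultdict(set)  # user -> source addresses already observed
    findings = []
    # ISO 8601 timestamps in one time zone sort correctly as plain strings.
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, raw_ip = rec["user"], rec["src_ip"]
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            # A record whose source cannot be parsed is reported, not dropped.
            findings.append((rec["ts"], user, raw_ip, "unparseable-source"))
            continue
        if not any(ip in net for net in nets):
            findings.append((rec["ts"], user, raw_ip, "outside-approved-network"))
        elif seen[user] and ip not in seen[user]:
            # Approved range, but this account has not used this address before.
            findings.append((rec["ts"], user, raw_ip, "new-source-for-user"))
        seen[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in review_commands(SAMPLE, ["10.20.0.0/16"]):
        print(finding)
```
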

Summary of Log Information Collected

The following is a summary of the log information collected by advanced event mesh for monitoring of event broker service health. There are two categories of information that are collected:

System Logs Collected

A number of system logs are collected from the event broker services. These system logs are required to monitor the health and performance of the event broker services and are used by Insights for monitoring (via Datadog monitors). For information about the list of Datadog monitors and metrics available, see Insights Monitors for Datadog Reference and Insights Metrics and Checks.

Metrics Collected

Logs are collected by a third-party, central monitoring service called Datadog. Datadog agents on the event broker services collect the statistics and send them over a secure, encrypted connection to the central monitoring service. For more information about the central monitoring service and Datadog agents, see Central Monitoring Service and Datadog Agents.

The state information, metrics, and statistics collected by the Datadog agents are listed in the Insights Metrics and Checks section. These metrics are available for Advanced Monitoring in Insights.