RFC Gateway Security, Part 6 - Logging - SAP Blogs
Johannes Goerlich
February 5, 2021 | 2 minute read
From my experience the RFC Gateway security is for many SAP Administrators still a
not well understood topic. As a result many SAP systems lack, for example, properly
defined ACLs to prevent malicious use.
After an attack vector was published in the talk “SAP Gateway to Heaven” from
Mathieu Geli and Dmitry Chastuhin at OPDCA 2019 Dubai
(https://github.com/gelim/sap_ms) the RFC Gateway security is even more
important than ever. This publication got considerable public attention as
10KBLAZE.
With this blogpost series I try to give a comprehensive explanation of the RFC
Gateway Security:
Part 1: General questions about the RFC Gateway and RFC Gateway security.
https://blogs.sap.com/2021/02/05/rfc-gateway-security-part-6-logging/ 1/6
10/21/21, 1:14 PM RFC Gateway security, part 6 – Logging | SAP Blogs
These letters are reused in the log file to indicate which event type led to the
log entry. The respective letter recurs as the first character of a line in the log file.
While the RFC Gateway logging settings could also be adjusted on SAP
NetWeaver AS ABAP in transaction SMGW or in general by the command line
tool ‘gwmon’, only settings defined in the profile parameter are persistent.
S = Security events
E = External Programs
R = Registered programs
c) or a combination of both.
We could for example set MAXSIZEKB=0 – while making sure there is sufficient
disk space – in combination with MAXFILES=90 specifying the number of files
to be retained. With SWITCHTF=day this results in daily log rotation with 90
days log retention.
For reliable log file handling, the file name should be as unique as
possible, e.g., by setting the sub-parameter
LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)-%y-%m-%d.
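A small audit of a logging profile value against the rotation, retention and file naming scheme described above, as an added example that is not part of the original post. The parameter name `gw/logging`, the sub-parameter `ACTION` and the helper names are assumptions not shown in this excerpt, and the sample values are constructed.

```python
# Added example: audit a gw/logging value against the scheme in the text.
REQUIRED_ACTIONS = set("SER")  # S, E, R event letters listed in the text
LOGFILE_TOKENS = ("$(SAPSYSTEMNAME)", "$(INSTANCE_NAME)", "$(SAPLOCALHOST)",
                  "%y", "%m", "%d")

def parse_gw_logging(value):
    """Split 'KEY=VALUE KEY=VALUE ...' into a dict with upper-case keys."""
    pairs = (tok.split("=", 1) for tok in value.split() if "=" in tok)
    return {key.upper(): val for key, val in pairs}

def audit_gw_logging(value, min_files=90):
    """Return findings; an empty list means the value matches the scheme."""
    p = parse_gw_logging(value)
    findings = []
    missing = REQUIRED_ACTIONS - set(p.get("ACTION", ""))
    if missing:
        findings.append("ACTION lacks event letters: " + "".join(sorted(missing)))
    if p.get("SWITCHTF", "").lower() != "day":
        findings.append("SWITCHTF is not 'day', so rotation is not daily")
    if p.get("MAXSIZEKB") != "0":
        findings.append("MAXSIZEKB differs from the 0 used in the text")
    try:
        files = int(p.get("MAXFILES", ""))
    except ValueError:
        files = None  # absent or not a number
    if files is None or files < min_files:
        findings.append(f"MAXFILES is below {min_files} or not set")
    absent = [t for t in LOGFILE_TOKENS if t not in p.get("LOGFILE", "")]
    if absent:
        findings.append("LOGFILE lacks: " + " ".join(absent))
    return findings

# Constructed sample values (not taken from a real system).
GOOD = ("ACTION=SER LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_"
        "$(SAPLOCALHOST)-%y-%m-%d SWITCHTF=day MAXSIZEKB=0 MAXFILES=90")
WEAK = "ACTION=S LOGFILE=gw_log SWITCHTF=week MAXSIZEKB=100 MAXFILES=10"

if __name__ == "__main__":
    for name, value in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_gw_logging(value) or "matches the scheme")
```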
Later, during day-to-day business, we should consider monitoring the log files at
least for
for suspicious activities while still collecting all events mentioned above for
forensics.
2 Comments
Andreas Kirchebner
February 11, 2021 at 8:00 am
Hi Johannes,
thanks for this great blog series. I'm looking forward to reading more from you.
Isaias Freitas
June 27, 2021 at 8:12 pm