RFC Gateway Security, Part 6 - Logging - SAP Blogs

10/21/21, 1:14 PM RFC Gateway security, part 6 – Logging | SAP Blogs

Johannes Goerlich
February 5, 2021 | 2 minute read

RFC Gateway security, part 6 – Logging

From my experience, RFC Gateway security is still a not well understood topic
for many SAP administrators. As a result, many SAP systems lack, for example,
properly defined ACLs to prevent malicious use.

After an attack vector was published in the talk “SAP Gateway to Heaven” by
Mathieu Geli and Dmitry Chastuhin at OPCDE 2019 Dubai
(https://github.com/gelim/sap_ms), RFC Gateway security is more
important than ever. This publication got considerable public attention as
10KBLAZE.

With this blog post series I try to give a comprehensive explanation of RFC
Gateway security:

Part 1: General questions about the RFC Gateway and RFC Gateway security.

Part 2: reginfo ACL in detail.

Part 3: secinfo ACL in detail.

Part 4: prxyinfo ACL in detail.

Part 5: ACLs and the RFC Gateway security.

https://blogs.sap.com/2021/02/05/rfc-gateway-security-part-6-logging/ 1/6
Part 6: RFC Gateway Logging.

RFC Gateway Logging


What about logging functionality of the RFC Gateway in general?

Logging in the RFC Gateway is event based. Each event type is identified by a
letter, and the same letters are used to configure which events are logged.

These letters are reused in the log file to indicate which event type led to the
log entry: the respective letter is the first character of the line.

Each line represents a logged event.

How to configure logging in the RFC Gateway?


Logging is configured by the profile parameter ‘gw/logging’. This profile parameter
offers several sub-parameters, some of which are explained below.

While the RFC Gateway logging settings could also be adjusted on SAP
NetWeaver AS ABAP in transaction SMGW or in general by the command line
tool ‘gwmon’, only settings defined in the profile parameter are persistent.

Which usage types are covered by the logging?


As we learned in part 1, the RFC Gateway serves different usage types. The
logging covers all these usage types. For some, the logging is more detailed
than for others.

What events should be logged by the RFC Gateway?

Logging is always a trade-off between log volume and meaningful data for
forensics. For the RFC Gateway we should log at least the following events:

X = Start/stop of RFC Gateway, Log file rotation

S = Security events

Z = Rejected access without rules denied by implicit deny all rule

P = Dynamic Parameter Changes

E = External Programs

R = Registered programs

This results in the sub-parameter ACTION=ERSZPX.

What about log file handling?


The RFC Gateway comes with a functionality to rotate log files

a) on an hourly, daily, weekly, monthly or yearly basis, defined in sub-parameter
‘SWITCHTF’ (the rotation happens at the first log event after midnight),

b) or depending on the file size, defined in sub-parameter ‘MAXSIZEKB’,

c) or a combination of both.

Log retention can be configured by sub-parameter ‘MAXFILES’.

We could for example set MAXSIZEKB=0 – while making sure there is sufficient
disk space – in combination with MAXFILES=90 specifying the number of files
to be retained. With SWITCHTF=day this results in daily log rotation with 90
days log retention.

For reliable log file handling the file name should be specified as unique as
possible, e.g., by setting the sub-parameter
LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)-%y-%m-%d.
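
The following check is an added example, not code from the original post or from SAP: it audits a ‘gw/logging’ value against the recommendations above. It assumes the sub-parameters appear as whitespace-separated KEY=VALUE tokens; the function names and the weak sample value are hypothetical.

```python
# Added example: audits a gw/logging value against this post's recommendations.
RECOMMENDED_EVENTS = "ERSZPX"  # event letters listed in the post
UNIQUE_PARTS = ("$(SAPSYSTEMNAME)", "$(INSTANCE_NAME)", "$(SAPLOCALHOST)")
DATE_PARTS = ("%y", "%m", "%d")


def parse_gw_logging(value):
    """Split the value (assumed: whitespace-separated KEY=VALUE tokens)."""
    subs = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if sep:
            subs[key.upper()] = val
    return subs


def audit_gw_logging(value):
    """Return a list of findings; an empty list means nothing to report."""
    subs = parse_gw_logging(value)
    findings = []
    # Event letters are compared as written (no case folding).
    missing = [c for c in RECOMMENDED_EVENTS if c not in subs.get("ACTION", "")]
    if missing:
        findings.append("ACTION lacks event types: " + "".join(missing))
    # Assumption, following the post's example: MAXSIZEKB=0 means that
    # rotation is not triggered by file size.
    if "SWITCHTF" not in subs and subs.get("MAXSIZEKB", "0") == "0":
        findings.append("no explicit rotation: set SWITCHTF and/or MAXSIZEKB")
    if "MAXFILES" not in subs:
        findings.append("MAXFILES not set explicitly")
    logfile = subs.get("LOGFILE", "")
    absent = [p for p in UNIQUE_PARTS + DATE_PARTS if p not in logfile]
    if absent:
        findings.append("LOGFILE not unique, missing: " + ", ".join(absent))
    return findings


# Sub-parameter values from the post, combined into one parameter value.
RECOMMENDED = (
    "ACTION=ERSZPX SWITCHTF=day MAXSIZEKB=0 MAXFILES=90 "
    "LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)-%y-%m-%d"
)
# Constructed weak value for comparison.
WEAK = "ACTION=S LOGFILE=gw_log MAXSIZEKB=0"
```
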

Anything specific to look for in these logs?


During the initial creation of custom ACLs we should consider monitoring the
log files for

‘secinfo accepted:’ and ‘secinfo denied:’,

‘reginfo accepted:’, ‘reginfo denied:’, and ‘reginfo (no rule found):’,

‘prxyinfo accepted:’ and ‘prxyinfo denied:’.

Later, during day-to-day business, we should consider monitoring the log files at
least for

‘secinfo (no rule found):’

‘reginfo (no rule found):’

‘prxyinfo denied:’

log entries starting with ‘E’

log entries starting with ‘P’

for suspicious activities while still collecting all events mentioned above for
forensics.
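
The following triage script is an added example, not code from the original post or from SAP: it applies the two watch lists above to log lines. Only the leading event letter and the marker phrases come from the post; the sample lines, their timestamps and fields, and the function name are constructed for illustration.

```python
# Added example: flags gateway log lines using the markers named in this post.
ACL_BUILD_MARKERS = (
    "secinfo accepted:", "secinfo denied:",
    "reginfo accepted:", "reginfo denied:", "reginfo (no rule found):",
    "prxyinfo accepted:", "prxyinfo denied:",
)
DAILY_MARKERS = ("secinfo (no rule found):", "reginfo (no rule found):",
                 "prxyinfo denied:")
DAILY_EVENT_LETTERS = {"E": "external program", "P": "dynamic parameter change"}


def triage(lines, phase="daily"):
    """Return (line_number, reason) pairs for lines worth reviewing.

    phase="acl-build" uses the markers for initial ACL creation,
    phase="daily" the markers and event letters for day-to-day monitoring.
    """
    markers = ACL_BUILD_MARKERS if phase == "acl-build" else DAILY_MARKERS
    hits = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        letter = line[0]  # the event type is the first character of a line
        marker = next((m for m in markers if m in line), None)
        if marker:
            hits.append((number, marker.rstrip(":")))
        elif phase == "daily" and letter in DAILY_EVENT_LETTERS:
            hits.append((number, DAILY_EVENT_LETTERS[letter]))
    return hits


# Constructed sample lines: timestamps and fields are made up.
SAMPLE_LOG = [
    "X 2021-02-05 00:00:01 log file opened",
    "S 2021-02-05 08:14:22 secinfo accepted: USER=batch, HOST=app01, TP=tool_a",
    "Z 2021-02-05 09:02:10 secinfo (no rule found): USER=guest, HOST=ws17, TP=tool_b",
    "E 2021-02-05 09:30:45 external program started: TP=tool_a",
    "S 2021-02-05 10:11:03 prxyinfo denied: SOURCE=ws17, DEST=app02",
    "P 2021-02-05 11:47:59 parameter gw/logging changed",
    "S 2021-02-05 12:00:00 reginfo denied: TP=REG_PROG, HOST=ws17",
]
```
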

2 Comments

Andreas Kirchebner
February 11, 2021 at 8:00 am

Hi Johannes,

thanks for this great blog series. I'm looking forward to reading more from you.

Take care, Andreas

Isaias Freitas
June 27, 2021 at 8:12 pm

Indeed, great blog series! Well done!
