通过

Systemconfig.json 文件参考

  • 项目

Systemconfig.json 文件用于配置数据收集器的行为。 配置选项分为几个部分。 本文列出了可用的选项并提供了选项说明。

重要

对于 2023 年 6 月 22 日或之后发布的代理版本,适用于 SAP 的 Microsoft Sentinel 解决方案® 应用程序使用新的 systemconfig.json 文件。 对于以前的代理版本,仍然必须使用 systemconfig.ini 文件

文件结构

{ 

"<SID_GUID>": { 

    "secrets_source": {...},

    "abap_central_instance": {...},

    "azure_credentials": {...},

    "file_extraction_abap": {...},

    "file_extraction_java": {...},

    "logs_activation_status" {...},

    "connector_configuration": {...},

    "abap_table_selector":: {...}

...

}

Systemconfig 配置文件部分

节名称 描述
机密源 本部分定义存储凭据的位置。
ABAP 中心实例 本部分定义要连接到的 SAP 实例的常规选项。
Azure 凭据 本部分定义用于连接到 Azure Log Analytics 的凭据。
文件提取 ABAP 本部分定义使用 SAPControl 接口从 ABAP 服务器提取的日志和凭据。
文件提取 JAVA 本部分定义使用 SAPControl 接口从 JAVA 服务器提取的日志和凭据。
日志激活状态 本部分定义从 ABAP 中提取的日志。
连接器配置 本部分定义其他连接器选项。
ABAP 表选择器 本部分定义从 ABAP 系统中提取哪些用户主数据日志。

“机密源”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"secrets_source": {
  "secrets": "AZURE_KEY_VAULT|DOCKER_FIXED",
  # Storage location of SAP credentials and Log Analytics workspace ID and key
  # AZURE_KEY_VAULT - store in an Azure Key Vault. Requires keyvault option and intprefix option
  # DOCKER_FIXED - store in systemconfig.ini file. Requires user, passwd, loganalyticswsid and publickey options

  "keyvault": "<vaultname>",
  # Azure Keyvault name, in case secrets = AZURE_KEY_VAULT

  "intprefix": "<prefix>"
  # intprefix - Prefix for variables created in Azure Key Vault

    },

“ABAP 中心实例”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"abap_central_instance": {
      "auth_type": "PLAIN_USER_AND_PASSWORD|SNC_WITH_X509",
      # Authentication type - username/password authentication, or X.509 authentication

      "ashost": "<hostname>",
      # FQDN, hostname, or IP address of the ABAP server

      "mshost": "<hostname>",
      # FQDN, hostname, or IP address of the Message server

      "msserv": "<portnumber>",
      # Port number, or service name (from /etc/services) of the message server

      "group": "<logon group>",
      # Logon group of the message server

      "sysnr": "<Instance number>",
      # Instance number of the ABAP server

      "sysid": "<SID>",
      # System ID of the ABAP server

      "client": "<Client Number>",
      # Client number of the ABAP server

      "user": "<username>",
      # Username to use to connect to ABAP server. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

      "passwd": "<password>",
      # Password to use to connect to ABAP server. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

      "snc_lib": "<path to libsapcrypto>",
      # Full path, to the libsapcrypto.so
      # Used when SNC is in use
      # !!! Note - the path must be valid within the container.

      "snc_partnername": "<distinguished name of the server certificate>",
      # p: -prefixed valid SAP server SNC name, which is equal to Distinguished Name(DN) of SAP server PSE
      # Used when SNC is in use

      "snc_qop": "<SNC protection level>",
      # More information available at docs.oracle.com/cd/E19509-01/820-5064/ggrpj/index.html
      # Used when SNC is in use

      "snc_myname": "<distinguished name of the client certificate>",
      # p: -prefixed valid client SNC name, which is equal to Distinguished Name(DN) of client PSE
      # Used when SNC is in use

      "x509cert": "<server certificate>"
      # Base64 encoded server certificate value in a single line (with leading ----BEGIN-CERTIFICATE--- and trailing ----END-CERTIFICATE---- removed)
    },

“Azure 凭据”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

 "azure_credentials": {
      "loganalyticswsid": "<workspace ID>",
      # Log Analytics workspace ID. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

      "publickey": "<publickey>"
      # Log Analytics workspace primary or secondary key. Used only when secrets setting in Secrets Source section is set to DOCKER_FIXED

    },

“文件提取 ABAP”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"file_extraction_abap": {
      "osuser": "<SAPControl username>",
      # Username to use to authenticate to SAPControl

      "ospasswd": "<SAPControl password>",
      # Password to use to authenticate to SAPControl

      "appserver": "<server>",
      #SAPControl server hostname/fqdn/IP address

      "instance": "<instance>",
      #SAPControl instance number

      "abapseverity": "<severity>",
      # 0 = All logs ; 1 = Warning ; 2 = Error

      "abaptz": "<timezone>"
      # GMT FORMAT
      # example - For OS Timezone = NZST (New Zealand Standard Time) use abaptz = GMT+12
    },

“文件提取 JAVA”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"file_extraction_java": {
      "javaosuser": "<username>",
      # Username to use to authenticate to JAVA server

      "javaospasswd": "<password>",
      # Password to use to authenticate to JAVA server

      "javaappserver": "<server>",
      #JAVA server hostname/fqdn/IP address

      "javainstance": "<instance number>",
      #JAVA instance number

      "javaseverity": "<severity>",
      # 0 = All logs ; 1 = Warning ; 2 = Error

      "javatz": "<timezone>"
      # GMT FORMAT
      # example - For OS Timezone = NZST (New Zealand Standard Time) use abaptz = GMT+12

    },

“日志激活状态”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"logs_activation_status": {
      # GMT FORMAT
      # example - For OS Timezone = NZST (New Zealand Standard Time) use abaptz = GMT+12
      "ABAPAuditLog": "<True/False>",
      "ABAPJobLog": "<True/False>",
      "ABAPSpoolLog": "<True/False>",
      "ABAPSpoolOutputLog": "<True/False>",
      "ABAPChangeDocsLog": "<True/False>",
      "ABAPAppLog": "<True/False>",
      "ABAPWorkflowLog": "<True/False>",
      "ABAPCRLog": "<True/False>",
      "ABAPTableDataLog": "<True/False>",
      
      # The following logs are retrieved using SAP Control interface and OS Login
      "ABAPFilesLogs": "<True/False>",
      "SysLog": "<True/False>",
      "ICM": "<True/False>",
      "WP": "<True/False>",
      "GW": "<True/False>",
      
      # The following logs are retrieved using SAP Control interface and OS Login
      "JAVAFilesLogs": "<True/False>",

“连接器配置”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"connector_configuration": {
      "extractuseremail": "<True/False>",
      "apiretry": "<True/False>",
      "auditlogforcexal": "<True/False>",
      "auditlogforcelegacyfiles": "<True/False>",
      "azure_resource_id": "<Azure _ResourceId>",
      "timechunk": "<value>"
    },

“ABAP 表连接器”部分

注意

在将此文件用于配置和部署之前,请移除所有注释。

"abap_table_selector": {
      # Specify True or False to configure whether table should be collected from the SAP system

      "AGR_TCODES_FULL": "<True/False>",
      "USR01_FULL": "<True/False>",
      "USR02_FULL": "<True/False>",
      "USR02_INCREMENTAL": "<True/False>",
      "AGR_1251_FULL": "<True/False>",
      "AGR_USERS_FULL": "<True/False>",
      "AGR_USERS_INCREMENTAL": "<True/False>",
      "AGR_PROF_FULL": "<True/False>",
      "UST04_FULL": "<True/False>",
      "USR21_FULL": "<True/False>",
      "ADR6_FULL": "<True/False>",
      "ADCP_FULL": "<True/False>",
      "USR05_FULL": "<True/False>",
      "USGRP_USER_FULL": "<True/False>",
      "USER_ADDR_FULL": "<True/False>",
      "DEVACCESS_FULL": "<True/False>",
      "AGR_DEFINE_FULL": "<True/False>",
      "AGR_DEFINE_INCREMENTAL": "<True/False>",
      "PAHI_FULL": "<True/False>",
      "AGR_AGRS_FULL": "<True/False>",
      "USRSTAMP_FULL": "<True/False>",
      "USRSTAMP_INCREMENTAL": "<True/False>",
      "SNCSYSACL_FULL": "<True/False>",
      "USRACL_FULL": "<True/False>"
    }

后续步骤

详细了解适用于 SAP® 的 Microsoft Sentinel 解决方案应用程序:

疑难解答:

参考文件:

要了解详情,请参阅 Microsoft Sentinel 解决方案