This article includes troubleshooting steps to help you ensure accurate and timely data ingestion and monitoring for your SAP environment with Microsoft Sentinel.
When working with the agentless data connector, most troubleshooting is done directly in the SAP Integration Suite, where the message log displays errors indicating the nature of the issue encountered.
Start by examining the message processing logs. For more information, see the SAP documentation. The error messages there can help you diagnose issues with missing permissions, connectivity errors, and other misconfigurations.
If you don't see an error related to your issue, turn on trace logging for more in-depth troubleshooting. For more information, see the SAP documentation.
Check for prerequisites
The agentless data connector package, deployed while performing the initial connector configuration, includes a tool to help SAP admins diagnose and fix issues related to the SAP environment configuration.
To run the tool:
- Open the integration package, navigate to the artifacts tab, and select the Prerequisite checker iflow > Configure. 
- Set the target destination name for the remote function call (RFC) to the SAP system you want to check. For example, A4H-100-Sentinel-RFC.
- Deploy the iflow as you would otherwise for your SAP systems. 
- Trigger the iflow from any REST client. For example, use the following sample PowerShell script, modifying the sample placeholder values for your environment:
    $cpiEndpoint = "https://my-cpi-uri.it-cpi012-rt.cfapps.eu01-010.hana.ondemand.com" # CPI endpoint URL
    $credentialsUrl = "https://my-uaa-uri.authentication.eu01.hana.ondemand.com/oauth/token" # SAP authorization server URL
    $serviceKey = 'sb-12324cd-a1b2-5678-a1b2-1234cd5678ef!g9123|it-rt-my-cpi!h45678' # Process Integration Runtime Service client ID
    $serviceSecret = '< client secret >' # Your Process Integration Runtime service secret (make sure to use single quotes)
    $credentials = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$serviceKey`:$serviceSecret"))
    $headers = @{
        "Authorization" = "Basic $credentials"
        "Content-Type" = "application/json"
    }
    $authResponse = Invoke-WebRequest -Uri $credentialsUrl"?grant_type=client_credentials" `
        -Method Post `
        -Headers $headers
    $token = ($authResponse.Content | ConvertFrom-Json).access_token
    $path = "/http/checkSAP"
    $param = "?startTimeUTC=$((Get-Date).AddMinutes(-1).ToString("yyyy-MM-ddTHH:mm:ss"))&endTimeUTC=$((Get-Date).ToString("yyyy-MM-ddTHH:mm:ss"))"
    $headers = @{
        "Authorization" = "Bearer $token"
        "Content-Type" = "application/json"
    }
    $response = Invoke-WebRequest -Uri "$cpiEndpoint$path$param" -Method Get -Headers $headers
    Write-Host $response.RawContent
Make sure that the prerequisites checker runs successfully (status code 200) with no warnings on the response output before connecting to Microsoft Sentinel.
If there are any findings, consult the response details for guidance on remediation steps. Legacy SAP systems often require extra SAP notes. Furthermore, see the troubleshooting section for common issues and resolutions.
Missing functionality in legacy SAP systems
Some legacy SAP systems may be missing required functionality for the RFC_READ_TABLE function module. Make sure that your SAP admin has reviewed SAP notes 3390051 and 382318, and has patched the system accordingly.
For more information, see Configure SAP Cloud Connector settings.
"Deploy required azure resources" error when setting up the data connector
When you set up the Microsoft Sentinel for SAP - agentless data connector, under the Initial connector configuration > Step 1: Trigger automatic deployment of required Azure resources / SOC Engineer, after you select Deploy required resources, you might see the "Deploy required Azure resources" error or similar (errors may vary). This error might indicate that you're missing the required permissions for the Entra ID app registration.
If you don't have the Entra ID Application Developer role or higher, you need to work with a colleague that has this permission to finish setting up the Azure resources. For more information, follow the procedure in the data connector agent connection step.
Missing "Last address routed"
If you see an error in the security audit log that you're missing the last address routed (an IP address), follow the guidance in SAP note 3566290.
Incomplete SAP user master data
If you see an error that you have incomplete SAP user master data or no data in the ABAPAuthorizationDetails Microsoft Sentinel table, do the following:
- Confirm that the SIAG_ROLE_GET_AUTH SAP function module exists in the SAP source system.
- Follow the guidance in SAP note 3088309 for the relevant solution.
Status code 500 on SAP system connect on Sentinel
If you see an error with status code 500 during the connect process from Sentinel to SAP Cloud Integration, contact your SAP colleague monitoring the integration flow "Data Collector" on SAP Cloud Integration. By design, the error message details are available only in SAP's message processing log.
Long message processing times or message volume anomalies on SAP Cloud Integration
If you see sudden spikes in message volumes and processing times on SAP Cloud Integration, consider filtering responsible sources on the NetWeaver side. There are two options available.
- Use transaction SM19 and SAP's best practices to apply filter settings on the users and message classes causing the spike.
- Use the filter capabilities of the Sentinel package on SAP Cloud Integration to apply filtering on log read. The max-rows parameter is pre-populated by design to protect the integration flow from message flooding.
Note that log filters on NetWeaver impact what is written to the audit log on the source while a filter on SAP Cloud Integration only chooses not to read the problematic entries.
Selected troubleshooting procedures are only relevant when your data connector agent is deployed via the command line. If you used the recommended procedure to deploy the agent from the portal, use the portal to make any configuration changes.
Useful Docker commands
When troubleshooting your Microsoft Sentinel for SAP data connector, you might find the following commands useful:
| Function | Command | 
|---|---|
| Stop the Docker container | docker stop sapcon-[SID] | 
| Start the Docker container | docker start sapcon-[SID] | 
| View Docker system logs | docker logs -f sapcon-[SID] | 
| Enter the Docker container | docker exec -it sapcon-[SID] bash | 
For more information, see the Docker CLI documentation.
Review system logs
We highly recommend that you review the system logs after installing or resetting the data connector.
Run:
docker logs -f sapcon-[SID]
Enable/disable debug mode printing
This procedure is only supported if you've deployed the data connector agent from the command line.
- On your data collector agent container virtual machine, edit the /opt/sapcon/[SID]/systemconfig.json file. 
- Define the General section if it wasn't previously defined. In this section, define logging_debug = True to enable debug mode printing, or logging_debug = False to disable it. For example:
    [General]
    logging_debug = True
- Save the file. 
The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.
View all container execution logs
Connector execution logs for your Microsoft Sentinel solution for SAP applications data connector deployment are stored on your VM in /opt/sapcon/[SID]/log/. The log filename is OmniLog.log. A history of log files is kept, suffixed with .[number], such as OmniLog.log.1, OmniLog.log.2, and so on.
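The following added example (not part of the original article or of Microsoft's tooling) scans OmniLog.log and its rotated history, oldest file first, for error text that this article quotes, and prints the section to consult for each match. The log line layout, the rotation order, and the function names are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not Microsoft's code): scan OmniLog.log and its rotated history
# for error text quoted in this article. The log line layout is not documented
# here, so matching is by case-insensitive substring only.

# Error text | section of this article to consult.
omnilog_rules() {
  cat <<'EOF'
Missing Backend RFC Authorization|Missing ABAP (SAP user) permissions
Please check the configuration and network access to the SAP server|SAPCONTROL or JAVA subsystem fails with timezone-related error message
PyRfc|Corrupt or missing SAP SDK file
EOF
}

# List log files oldest first. Assumption: a higher numeric suffix means an
# older file, and OmniLog.log (no suffix) is the current one.
list_omnilogs() {
  for f in "$1"/OmniLog.log "$1"/OmniLog.log.[0-9]*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    case "$name" in
      OmniLog.log) n=0 ;;
      *) n=${name##*.} ;;
    esac
    printf '%s %s\n' "$n" "$name"
  done | sort -k1,1nr | cut -d' ' -f2
}

# Print "file|match count|section" for every rule that matches a file.
triage_omnilogs() {
  list_omnilogs "$1" | while read -r file; do
    omnilog_rules | while IFS='|' read -r sig section; do
      hits=$(grep -ciF -- "$sig" "$1/$file" || true)
      if [ "${hits:-0}" -gt 0 ]; then
        printf '%s|%s|%s\n' "$file" "$hits" "$section"
      fi
    done
  done
}

# Constructed sample logs so the example runs offline.
write_sample_logs() {
  echo "2025-01-01 10:00:00 ERROR ..Missing Backend RFC Authorization.." > "$1/OmniLog.log.2"
  echo "2025-01-01 11:00:00 INFO audit log chunk read" > "$1/OmniLog.log.1"
  cat > "$1/OmniLog.log" <<'EOF'
2025-01-01 12:00:00 ERROR Please check the configuration and network access to the SAP server - 'Etc/NZST'
2025-01-01 12:02:00 ERROR Please check the configuration and network access to the SAP server - 'Etc/NZST'
EOF
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
triage_omnilogs "$demo_dir"   # on a real VM: triage_omnilogs /opt/sapcon/<SID>/log
rm -rf "$demo_dir"
```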
Review and update the Microsoft Sentinel for SAP agent connector configuration file
This procedure is only supported if you've deployed the data connector agent from the command line. If you deployed your agent via the portal, continue to maintain and change configuration settings via the portal.
If you deployed via the command line, perform the following steps:
- On your VM, open the configuration file: sapcon/[SID]/systemconfig.json 
- Update the configuration if needed, and save the file. For more information, see the Microsoft Sentinel solution for SAP applications - systemconfig.json file reference.
The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.
Reset the Microsoft Sentinel for SAP data connector
The following steps reset the connector and reingest SAP logs from the last 30 minutes.
- Stop the connector. Run:
    docker stop sapcon-[SID]
- Delete the metadata.db file from the /opt/sapcon/[SID] directory. Run:
    cd /opt/sapcon/<SID>
    rm metadata.db
  Note: The metadata.db file contains the last timestamp for each of the logs, and works to prevent duplication.
- Start the connector again. Run:
    docker start sapcon-[SID]
Make sure to Review system logs when you're done.
Common issues
After having deployed both the Microsoft Sentinel for SAP data connector and security content, you might experience the following errors or issues:
Corrupt or missing SAP SDK file
This error might occur when the connector fails to boot with PyRfc, or zip-related error messages are shown.
- Reinstall the SAP SDK.
- Verify that you're using the correct Linux 64-bit version, such as nwrfc750P_8-70002752.zip.
If you installed the data connector manually, make sure that you copied the SDK file into the Docker container.
Run:
docker cp nwrfc750P_8-70002752.zip sapcon-[SID]:/sapcon-app/inst/
ABAP runtime errors appear on a large system
This procedure is only supported if you've deployed the data connector agent from the command line.
If ABAP runtime errors appear on large systems, try setting a smaller chunk size:
- Edit the /opt/sapcon/[SID]/systemconfig.json file and in the Connector Configuration section define timechunk = 5. For example:
    [Connector Configuration]
    timechunk = 5
- Save the file. 
The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.
Note
The timechunk size is defined in minutes.
Empty or no audit log retrieved, with no special error messages
- Check that audit logging is enabled in SAP.
- Verify the SM19 or RSAU_CONFIG transactions.
- Enable any events as needed.
- Verify whether messages arrive and exist in the SAP SM20 or RSAU_READ_LOG, without any special errors appearing on the connector log.
Incorrect workspace ID or key in key vault
If you realize that you entered an incorrect workspace ID or key in your deployment script, update the credentials stored in Azure Key Vault.
After verifying your credentials in Azure Key Vault, restart the container:
docker restart sapcon-[SID]
Incorrect SAP ABAP user credentials in key vault
Check your credentials and fix them as needed, applying the correct values to the ABAPUSER and ABAPPASS values in Azure Key Vault.
Then, restart the container:
docker restart sapcon-[SID]
Incorrect SAP ABAP user credentials in a fixed configuration
This section is only supported if you've deployed the data connector agent from the command line.
A fixed configuration is when the password is stored directly in the systemconfig.json configuration file.
If your credentials there are incorrect, verify your credentials.
Use base64 encoding to encode the user and password. You can use online encoding tools to encode your credentials, such as https://www.base64encode.org/.
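The same encoding can be done on the VM itself, which keeps the SAP credentials off third-party websites. This added example is not part of the original article; the function names are hypothetical, and it assumes the value is expected without a trailing newline.

```shell
#!/bin/sh
# Added example (not Microsoft's code): base64-encode a credential on the local
# machine. Assumption: the value is expected without a trailing newline.

# Read one line from stdin and print its base64 form on a single line.
encode_credential() {
  # Accept input with or without a final newline; read drops the newline.
  IFS= read -r value || [ -n "$value" ] || return 1
  printf '%s' "$value" | base64 | tr -d '\n'
  unset value
}

# Succeed only if the encoded text decodes to exactly the expected value.
# The appended "x" keeps the shell from hiding a trailing newline, which is
# what `echo secret | base64` silently adds to the credential.
verify_credential() {
  [ "$(printf '%s' "$2" | base64 -d; printf x)" = "${1}x" ]
}

# Interactive use without echoing the secret or storing it in shell history:
#   stty -echo; encode_credential; stty echo
# Constructed sample value:
printf 'user\n' | encode_credential; echo   # dXNlcg==
```

Base64 is a reversible encoding, so the encoded values in systemconfig.json need the same protection as the plaintext credentials.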
Missing ABAP (SAP user) permissions
If you get an error message similar to: ..Missing Backend RFC Authorization.., your SAP authorizations and role weren't applied properly.
- Ensure that the MSFTSEN/SENTINEL_CONNECTOR role was imported as part of a change request transport, and applied to the connector user. 
- Run the role generation and user comparison process using the SAP transaction PFCG. 
Missing data in your workbooks or alerts
If you find that you're missing data in your Microsoft Sentinel workbooks or alerts, ensure that the Auditlog policy is properly enabled on the SAP side, with no errors in the container log file.
Use the RSAU_CONFIG_LOG transaction for this step.
For more information, see the SAP documentation and Collect SAP HANA audit logs in Microsoft Sentinel.
We recommend that you configure auditing for all messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting. For more information, see Configure SAP auditing.
Missing IP address or transaction code fields in the SAP audit log
In SAP systems with versions for SAP BASIS 7.5 SP12 and above, Microsoft Sentinel can reflect extra fields in the ABAPAuditLog_CL and SAPAuditLog tables.
If you're using SAP BASIS versions higher than 7.5 SP12 and are missing IP address or transaction code fields in the SAP audit log, verify that the SAP system from which you're extracting the data contains the relevant change requests (transports). For more information, see Configure support for extra data retrieval (recommended).
Missing SAP change request
If you see errors that you're missing a required SAP change request, make sure you've imported the correct SAP change request for your system. For more information, see SAP prerequisites and Configure your SAP system for the Microsoft Sentinel solution.
No data is showing in the SAP table data log
In SAP systems with versions for SAP BASIS 7.5 SP12 and above, Microsoft Sentinel can reflect table data log changes in the ABAPTableDataLog_CL table.
If no data is showing in the ABAPTableDataLog_CL table, verify that the SAP system from which you're extracting the data contains the relevant change requests (transports). For more information, see Configure support for extra data retrieval (recommended).
No records / late records
The data collector agent relies on time zone information to be correct. If you see that there are no records in the SAP audit and change logs, or if records are constantly a few hours behind, check whether the SAP TZCUSTHELP report presents any errors. For more information, see SAP note 481835.
There might also be issues with the clock on the virtual machine where the data collector agent container is hosted. Any deviation of the VM clock from UTC impacts data collection. Even more importantly, the clocks on both the SAP system machines and the data collector agent machines must match.
Network connectivity issues
If you're having network connectivity issues to the SAP environment or to Microsoft Sentinel, check your network connectivity to make sure data is flowing as expected.
Common issues include:
- Firewalls between the docker container and the SAP hosts might be blocking traffic. The SAP host receives communication via the following TCP ports, which must be open: 32xx, 5xx13, and 33xx, where xx is the SAP instance number. 
- Outbound communication from your SAP agent host to Microsoft Container Registry or Azure requires proxy configuration. This typically impacts the installation and requires you to configure the HTTP_PROXY and HTTPS_PROXY environment variables. You can also inject environment variables into the Docker container when you create the container, by adding the -e flag to the docker create/run command.
Retrieving an audit log fails with warnings
This section is only supported if you've deployed the data connector agent from the command line.
If you attempt to retrieve an audit log without the required configurations and the process fails with warnings, verify that the SAP Auditlog can be retrieved using one of the following methods:
- Using a compatibility mode called XAL on older versions
- Using a version not recently patched
- Without any changes made for connecting to the Microsoft Sentinel data connector agent. For more information, see Configure your SAP system for the Microsoft Sentinel solution.
While your system should automatically switch to compatibility mode if needed, you might need to switch it manually. To switch to compatibility mode manually:
- Edit the /opt/sapcon/[SID]/systemconfig.json file. 
- In the Connector Configuration section, define auditlogforcexal = True. For example:
    [Connector Configuration]
    auditlogforcexal = True
- Save the file. 
The change takes effect approximately two minutes after you save the file. You don't need to restart the Docker container.
SAPCONTROL or JAVA subsystems unable to connect
Check that the OS user is valid and can run the following command on the target SAP system:
sapcontrol -nr <SID> -function GetSystemInstanceList
SAPCONTROL or JAVA subsystem fails with timezone-related error message
If your SAPCONTROL or JAVA subsystem fails with a timezone-related error message, such as: Please check the configuration and network access to the SAP server - 'Etc/NZST', make sure that you're using standard timezone codes.
For example, use javatz = GMT+12 or abaptz = GMT-3.
Audit log data not ingested past initial load
If the SAP audit log data, visible in either the RSAU_READ_LOG or SM20 transactions, isn't ingested into Microsoft Sentinel past the initial load, you might have a misconfiguration of the SAP system and the SAP host operating system.
- Initial loads are ingested after a fresh installation of the Microsoft Sentinel for SAP data connector, or after the metadata.db file is deleted.
- A sample misconfiguration might be when your SAP system timezone is set to CET in the STZAC transaction, but the SAP host operating system time zone is set to UTC.
To check for misconfigurations, run the RSDBTIME report in transaction SE38. If you find a mismatch between the SAP system and the SAP host operating system:
- Stop the Docker container. Run:
    docker stop sapcon-[SID]
- Delete the metadata.db file from the /opt/sapcon/[SID] directory. Run:
    rm /opt/sapcon/[SID]/metadata.db
- Update the SAP system and the SAP host operating system so that they have matching settings, such as the same time zone. For more information, see the SAP Community Wiki.
- Start the container again. Run:
    docker start sapcon-[SID]
Other unexpected issues
If you have unexpected issues not listed in this article, try the following steps:
- Reset the connector and reload your logs.
- Upgrade the connector to the latest version.
Tip
Resetting your connector and ensuring that you have the latest upgrades are also recommended after any major configuration changes.