How to consume SAP Log Service from RISE with SAP
The LogServ (SAP Log Service) is an SAP Enterprise Cloud Service (ECS) service designed to securely store and facilitate access to your own OS/DB, DNS, Network and Flow logs. SAP ECS platform enables customers to efficiently collect and centralize logs from all systems, applications in use. SAP ECS provides a secure API that allows authenticated access to customer-specific logs. Log data can be served in near real-time to multiple destinations, such as SIEM, data lakes, and customers, overall efficiency of log management. The LogServ is available for RISE PTO (Private Tailored Option) Customers and for PCE (Private Cloud Edition) Customers.
The LogServ provides the following logs and data sources to end-customers. Among them, you can see only logs those are generated from contracted SAP systems in a provided Amazon S3 bucket.
Infrastructure Logs: Operating system logs, DNS logs, Proxy logs, Network logs, Database logs
Application Logs: ABAP logs, Java logs, HANA logs, Web dispatcher logs, BOBJ logs, Cloud Connector logs
The raw log data is stored in a provided Amazon S3 bucket within the RISE with SAP account. Customers can access these logs directly using the following S3 permissions: s3:GetObject, s3:ListBucket and s3:GetBucketLocation. Within the LogServ S3 bucket, daily logs for each event type are stored in the date folder.
Below is the format of LogServ in S3 Bucket
For example, logs from one of the ABAP processes, dispatcher, which occurred on July 30, 2024, are stored in the following path
s3://LogServ Data Bucket/abap/dispatcher/2024/07/30/
All the raw log delivered to the Amazon S3 bucket are stored in JSON format compressed by gzip. Each log is saved in the format shown below.
_raw : log description
_time : log generation time presented by Epoch time format
source : log file location
host : hostname
clz_dir : event type
clz_subdir : sub-event type
clz_saphostexec : log file name
Below is example of raw log format