Sybase auditing

Audit trail type 

In previous versions of the SAP ASE database, database audit records were stored only in the sybsecurity database in a specific set of tables that you had to size and create and rotate yourself (or with a stored procedure).

Once the records were in the database, it was then up to you to define how and when those records would be analysed.
How complex the extraction process is depends on whether your SIEM tool supports direct ODBC/JDBC access to SAP ASE.

In SP04 a new parameter was introduced called “audit trail type” where you can now set the audit store to be “syslog”.

When setting the store to be “syslog”, the audit records are pushed out to the Linux syslogd daemon (or rsyslogd or syslog-ng) and written to the OS-defined location according to the configuration of syslogd.

Each audit record gets a tag/program name of “SAP_ASE_AUDIT”, which means you can define a custom syslogd log file to hold the records, and also then specify a custom rotation should you wish.
Your syslogd logs may already be pulled into your SIEM tools, in which case you will simply need to classify and store those records for analysis.

With the new parameter set to “syslog” and the audit records being stored as file(s) on the file system, you will need to ensure that the file system has adequate space and establish a comfortable file retention (logrotate) configuration to ensure that audit records do not cause the file system to fill (preventing persistence of additional audit records).
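
The rsyslog rule and logrotate policy described above, as an added example that is not from the original post. The log path, file names, 30-file retention and the systemd unit name rsyslog.service are assumptions; the function writes both files to a staging directory for review before they are copied under /etc.

```shell
#!/bin/sh
# Added example: stage an rsyslog rule and a logrotate policy for ASE audit records.
# Assumed (not from the page): log path, file names, retention, rsyslog.service unit.

stage_ase_audit_logging() {
    stage_dir=$1                                 # review here, then copy to /etc
    log_file=${2:-/var/log/sap_ase_audit.log}    # assumed destination file
    keep=${3:-30}                                # assumed number of daily files kept

    mkdir -p "$stage_dir/rsyslog.d" "$stage_dir/logrotate.d" || return 1

    # Route on the program name carried by every audit record. Mode 0600 keeps
    # the trail readable by root only; "stop" keeps the records out of later
    # rules (the general system log) when this file is loaded before them.
    cat > "$stage_dir/rsyslog.d/30-sap-ase-audit.conf" <<EOF
if \$programname == 'SAP_ASE_AUDIT' then {
    action(type="omfile" file="$log_file" fileCreateMode="0600")
    stop
}
EOF

    # Daily rotation with compression bounds the space the trail can use.
    # rsyslog has to reopen the file after rotation, hence the HUP.
    cat > "$stage_dir/logrotate.d/sap-ase-audit" <<EOF
$log_file {
    daily
    rotate $keep
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Run as: sh stage.sh ./ase-audit-stage [log_file] [keep]
if [ "$#" -gt 0 ]; then
    stage_ase_audit_logging "$@"
fi
```

Before installing the staged rsyslog file, it can be checked with rsyslogd -N1, and the logrotate file with logrotate -d.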

Of course, should you enjoy torture, you can always go ahead and continue to use the database to store the audit records. Simply setting the new parameter “audit trail type” to “table” will store the audit records in the database, just like the previous versions of ASE.


Source page https://www.it-implementor.co.uk/2021/04/new-sap-ase-audit-logging-destination-in-16-0-4.html

Useful links :

Enable/disable auditing : https://help.sap.com/docs/SAP_ASE/2705a3b1e3df4514ab089cfedf87750d/a9504ea4bc2b10148b7ea0305cfb356a.html

https://help.sap.com/docs/SAP_ASE/29a04b8081884fb5b715fe4aa1ab4ad2/ab54050ebc2b1014b5d9ca93507f4a1d.html

Install auditing : 

https://help.sap.com/docs/SAP_ASE/2705a3b1e3df4514ab089cfedf87750d/a94d2376bc2b1014b869b2b912184a55.html

Understanding the audit tables :

https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.infocenter.dc36274.1550/html/tables/CHDGGGDD.htm



Useful websites

https://www.yumpu.com/en/document/read/4306765/sybase-ase-15-best-practices-query-processing-optimization