(DI-2311) Collector for RFC Security
The technical name of the Collector for RFC Security is /DVD/MON_SEC_CL_COL_RFC.
The purpose of this data collector is to monitor and ensure the security of Remote Function Call (RFC) connections in the SAP system. It collects information about RFC users, incoming RFC calls, and failed RFC calls to detect anomalies and potential security threats. The collector identifies suspicious activities, unauthorized access, and potential vulnerabilities, thereby helping to enhance the overall security posture of the system.
Default KPIs delivered with this collector
The following KPIs are delivered with this collector:
KPI name | Description | Unit | Detail table |
---|---|---|---|
SEC_RFC_DIA_USR | Number of RFC connections with dialog users | Count | Yes |
SEC_RFC_OUT_FAIL | Number of outbound failed RFC calls | Count | Yes |
SEC_RFC_IN_FAIL | Number of inbounds failed RFC calls | Count | Yes |
SEC_RFC_ANOMAL | Number of anomalies in RFC calls | Count | Yes |
Detail tables
The collector provides a detail table for RFC connections with dialog users. The technical name of the detail table is /DVD/MON_SEC_S_RFC_DIA_DET.
This detail table provides records of RFC connections made by dialog users in the SAP system. It contains the following fields:
Technical name | Description |
---|---|
BNAME | User Name |
MANDT | Client |
RFCDEST | Logical Destination (Specified in Function Call) |
The collector provides also a detail table for errors and anomalies in RFC calls. The technical name of the detail table is /DVD/MON_SEC_S_RFC_FAIL_DET.
A detail table is used to report records related to both failed RFC calls and anomalies in RFC communications. It contains information on instances where unexpected or suspicious behavior occurs in the context of RFC connections, helping to monitor and identify potential security threats.
It contains the following fields:
Technical name | Description |
---|---|
TIMESTAMP | When the records are saved into the detail table |
SID | System ID |
EVENT | RFC event description |
EVENT_TIMESTAMP | RFC event timestamp |
RFC_DIRECTION | RFC direction |
TCODE | Transaction Code |
USER_NAME | RFC user name |
The anomalies logged in the detail table include scenarios:
Unusual terminal activity: An anomaly is logged when an RFC user logs in from a different terminal than usual.
Long unused RFC users: Anomaly records are generated for RFC users who have not been used for more than 30 days and then access the system again.
Long unused RFC connection: Anomaly records are generated for RFC connections that have not been used for more than 30 days and then were accessed again.
Failed inbound RFC calls: Anomalies are logged for failed incoming asynchronous RFC calls.
Failed outbound RFC calls: Anomalies are logged for failed outgoing asynchronous RFC calls.
RFC anomalies from SM19 logs: Anomaly records are generated based on information extracted from transaction SM19 logs. Not available by default. Anomalies detected by SM19 include:
RFC/CPIC logon failed.
Failed sync. RFC call.
Failed web service call.
Generic table access by RFC.
To set up a collection of RFC anomalies from SM19 logs, you must follow the steps below to enable logging this type of security logging:
Go to the transaction SM19.
Click on Filter 1 and mark the checkbox to set the filer to active mode.
Select RFC/CPIC logon and RFC call from Audit classes.
Select Only Critical from Events.
There is no performance impact, not in time nor space, if you log unsuccessful (=critical) events as these events happen rarely. However, if you would enable logging for all kinds of audit classes and event types it could have a significant effect on space and performance.
Click the Save button.
Click on DynamicConfiguration in the menu.
Activate audit (Ctrl + F3), the status of server recording should change.
For more information about the SM19/SM20 security audit log you can also check https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/