10/21/21, 1:14 PM RFC Gateway security, part 6 – Logging | SAP Blogs
Johannes Goerlich
February 5, 2021 | 2 minute read
RFC Gateway security, part 6 – Logging
From my experience, RFC Gateway security is still a poorly understood topic for many SAP administrators. As a result, many SAP systems lack, for example, properly defined ACLs to prevent malicious use.
After an attack vector was published in the talk “SAP Gateway to Heaven” by Mathieu Geli and Dmitry Chastuhin at OPCDE 2019 Dubai (https://github.com/gelim/sap_ms), RFC Gateway security is more important than ever. This publication got considerable public attention as 10KBLAZE.
With this blog post series I try to give a comprehensive explanation of RFC Gateway security:
Part 1: General questions about the RFC Gateway and RFC Gateway security.
Part 2: reginfo ACL in detail.
Part 3: secinfo ACL in detail.
Part 4: prxyinfo ACL in detail.
Part 5: ACLs and the RFC Gateway security.
Part 6: RFC Gateway Logging.
RFC Gateway Logging
What about logging functionality of the RFC Gateway in general?
Logging in the RFC Gateway is event based. The event types are identified by letters, and the same letters are used to configure which events are logged.
These letters are reused in the log file to indicate which event type led to the log entry: the respective letter appears as the first character of the line.
Each line represents one logged event.
How to configure logging in the RFC Gateway?
Logging is configured by the profile parameter ‘gw/logging’. This profile parameter offers several sub-parameters, some of which are explained below.
While the RFC Gateway logging settings can also be adjusted on SAP NetWeaver AS ABAP in transaction SMGW, or in general with the command line tool ‘gwmon’, only settings defined in the profile parameter are persistent.
Which usage types are covered by the logging?
As we learned in part 1, the RFC Gateway serves different usage types. The logging covers all of these usage types. For some, the logging is more detailed than for others.
What events should be logged by the RFC Gateway?
Logging is always a trade-off between log volume and meaningful data for forensics. For the RFC Gateway we should log at least the following events:
X = Start/stop of RFC Gateway, Log file rotation
S = Security events
Z = Rejected access without rules denied by implicit deny all rule
P = Dynamic Parameter Changes
E = External Programs
R = Registered programs
This results in the sub-parameter ACTION=ERSZPX.
What about log file handling?
The RFC Gateway comes with functionality to rotate log files
a) on an hourly, daily, weekly, monthly or yearly basis, defined in sub-parameter ‘SWITCHTF’ (the rotation happens at the first log event after midnight),
b) or depending on the file size, defined in sub-parameter ‘MAXSIZEKB’,
c) or a combination of both.
Log retention can be configured by sub-parameter ‘MAXFILES’.
We could, for example, set MAXSIZEKB=0 (while making sure there is sufficient disk space) in combination with MAXFILES=90, which specifies the number of files to be retained. With SWITCHTF=day this results in daily log rotation with 90 days of log retention.
For reliable log file handling the file name should be as unique as possible, e.g., by setting the sub-parameter
LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)-%y-%m-%d
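The sub-parameters from the last two sections can be checked together. The following is an added example, not code from the original post or from SAP: it audits a ‘gw/logging’ value against the settings recommended above. It assumes the value is a space-separated list of KEY=VALUE sub-parameters; the function names and the weak sample value are constructed for illustration.

```python
# Added example: audit a gw/logging value against the baseline in this post.
REQUIRED_ACTIONS = set("ERSZPX")  # event letters the post says to log at least
UNIQUE_VARS = ("$(SAPSYSTEMNAME)", "$(INSTANCE_NAME)", "$(SAPLOCALHOST)")

def parse_gw_logging(value):
    """Split 'KEY=VALUE KEY=VALUE ...' into a dict (space-separated form assumed)."""
    params = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if sep:
            params[key.upper()] = val  # values stay case-sensitive
    return params

def audit_gw_logging(value):
    """Return a list of findings; an empty list means the baseline is met."""
    p = parse_gw_logging(value)
    findings = []
    missing = REQUIRED_ACTIONS - set(p.get("ACTION", ""))
    if missing:
        findings.append("ACTION lacks event letters: " + "".join(sorted(missing)))
    if "SWITCHTF" not in p and p.get("MAXSIZEKB", "0") == "0":
        findings.append("rotation not configured explicitly "
                        "(no SWITCHTF, no non-zero MAXSIZEKB)")
    if "MAXFILES" not in p:
        findings.append("MAXFILES not set explicitly: retention is not defined here")
    logfile = p.get("LOGFILE", "")
    absent = [v for v in UNIQUE_VARS if v not in logfile]
    if absent:
        findings.append("LOGFILE name is missing: " + ", ".join(absent))
    return findings

# Value assembled from the recommendations in this post.
RECOMMENDED = ("ACTION=ERSZPX "
               "LOGFILE=gw_log_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)-%y-%m-%d "
               "SWITCHTF=day MAXSIZEKB=0 MAXFILES=90")
# Constructed weaker value, used only to show the findings.
WEAK = "ACTION=SPXZ LOGFILE=gw_log-%y-%m-%d SWITCHTF=day MAXSIZEKB=100"

if __name__ == "__main__":
    for name, value in (("recommended", RECOMMENDED), ("weak", WEAK)):
        print(name, "->", audit_gw_logging(value) or "baseline met")
```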
Anything specific to look for in these logs?
During the initial creation of custom ACLs we should consider monitoring the log files for
‘secinfo accepted:’ and ‘secinfo denied:’,
‘reginfo accepted:’, ‘reginfo denied:’, and ‘reginfo (no rule found):’
‘prxyinfo accepted:’ and ‘prxyinfo denied:’.
Later, during day-to-day business, we should consider monitoring the log files at least for
‘secinfo (no rule found):’
‘reginfo (no rule found):’
‘prxyinfo denied:’
log entries starting with ‘E’
log entries starting with ‘P’
for suspicious activities while still collecting all events mentioned above for
forensics.
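The day-to-day checks listed above can be automated with a small log filter. This is an added example, not part of the original post: it flags the three phrases and the ‘E’ and ‘P’ entries in a gateway log. The sample lines are constructed placeholders, and the filter assumes the event letter is followed by whitespace; real entries carry a timestamp and more detail.

```python
# Added example: flag the gateway log entries this post says to watch daily.
from collections import Counter

ALERT_PHRASES = ("secinfo (no rule found):",
                 "reginfo (no rule found):",
                 "prxyinfo denied:")
ALERT_LETTERS = {"E": "external program event",
                 "P": "dynamic parameter change"}

def classify(line):
    """Return the reason a log line needs review, or None."""
    for phrase in ALERT_PHRASES:
        if phrase in line:
            return phrase.rstrip(":")
    # Per the post, the event letter is the first character of the line.
    # Assumption: it is followed by whitespace (or stands alone).
    if line[:1] in ALERT_LETTERS and line[1:2] in ("", " ", "\t"):
        return ALERT_LETTERS[line[:1]]
    return None

def triage(lines):
    """Return (line_number, reason, line) for every entry worth a look."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        reason = classify(line)
        if reason:
            hits.append((number, reason, line))
    return hits

def summary(lines):
    """Count flagged entries per reason, e.g. for a daily report."""
    return Counter(reason for _, reason, _ in triage(lines))

# Constructed sample lines: only the leading letter and the phrase matter here.
SAMPLE_LOG = """\
X <timestamp> <gateway start>
S <timestamp> secinfo accepted: <details>
Z <timestamp> secinfo (no rule found): <details>
S <timestamp> reginfo denied: <details>
Z <timestamp> reginfo (no rule found): <details>
S <timestamp> prxyinfo denied: <details>
E <timestamp> <external program details>
P <timestamp> <parameter change details>
""".splitlines()

if __name__ == "__main__":
    for number, reason, line in triage(SAMPLE_LOG):
        print(f"line {number}: {reason}: {line}")
```

All other lines stay in the log files untouched, so the full set of events remains available for forensics.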
2 Comments
Andreas Kirchebner
February 11, 2021 at 8:00 am
Hi Johannes,
thanks for this great blog series. I'm looking forward to reading more from you.
Take care, Andreas
Isaias Freitas
June 27, 2021 at 8:12 pm
Indeed, great blog series! Well done!