SAP audited events are lost while Sentinel SAP event source is stopped.

While using Novell Sentinel to capture events from SAP the event source in Event Source Management (ESM) representing the SAP system was stopped.  During this time audited events were performed in the SAP system; however, once the SAP event source was started none of these events came into Sentinel.  New SAP events from the time the event source started on did show up in Sentinel as expected.

A defect where the SAP connector left a process running accepting SAP audited events, but not forwarding or caching them for later use, has been fixed.  The SAP connector with version 6r2 or later applies this fix and is available to all customers using the SAP connector.

To verify this does not happen check for an ESTABLISHED connection from the SAP system to the Sentinel Collector Manager (CM) server while the SAP event source is stopped.  If one is found it can be forcefully stopped to break the connection and stop the loss of events.