Accesses: Delete in Security Audit Log

I am trying to determine if someone is maliciously deleting files from a folder and have auditing turned on for the directory. In combing through the Security Event viewer, I see the files in question with DELETE in the Accesses field. I just
want to be sure that this means that the user id associated with this event actually deleted the file specified in the Object Name field of the event in the log. This particular event also shows "ReadAttributes" in the Accesses field.
Can someone confirm that when I see DELETE in the event log, that this is indeed a delete?
Thanks.
Thanks, Linda

Hi Linda,
Did you see the event 560?
Can you tell us the detailed information about this event? If the event is like the following figure shows, that means the user Administrator deleted the file setuperr.log.
Regards,
Lany Zhang

Similar Messages

Security Audit Log FULL. What happens??

Hi there,
Can anyone tell me what will happen when the Security audit Log file is full on OS-level. Will the system stop? Is the file overwritten?
Best regards,
Joris

Hello Joris ,
1 ) Is the file overwritten? -> No
2 ) Will the system stop? -> Yes , if there will no free space on drive / file system SAP system will stop.
How to delete :
1.      To access the Security Audit Log reorganization tool from the SAP standard menu, choose Administration à System Administration à Monitor à Security Audit Log à Reorganization.
The Security Audit: Delete Old Audit Logs screen appears.
       2.      Enter the Minimum age of files to delete (default = 30 days).
This value must be > 3.
       3.      Activate the To all active instances indicator to delete the audit files from all application servers. Leave the indicator blank if you only want to delete the files from the local application server.
       4.      Activate the Simulation only indicator if you do not actually want to delete the files. In this case, the action is only simulated.
       5.      Choose Audit Log à Continue
Regards ,
Santosh Karadkar

"logon time" between USR41 and security audit log

Dear colleagues,
I got a following question from customer for security audit reason.
> 'Logon date' and 'Logon time' values stored in table USR41 are exactly same as
> logon history of Security Audit Log(Tr-cd:SM20)?
Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
at the time when user logged on, the security audit log is recorded .
I tried to check SAP GUI logon program:SAPMSYST several ways, however,
I could not check it because the program is protected even for read access.
I want to know about specification of "logon time" between USR41 and security audit log,
or about how to look into the program:SAPMSYST and debug it.
Thank you.
Best Regards.

Hi,
If you configure Security Audit you can achieve your goals...
1-Audit the employees how access the screens, tables, data...etc
Answer : Option 1 & 3
2-Audit all changes by all users to the data
Answer : Option 1 & 3
3-Keep the data up to one month
Answer: No such settings, but you can define maximum log size.
4-Log retention period can be defined.
Answer: No !.. but you can define maximum log size.
SM19/SM20 Options:
1-Dialog logon
You can check how many users logged in and at what time
2-RFC login/call
Same as above you can check RFC logins
3-Transaction/report start
You can see which report or transaction are executed and at what time
(It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
4-User master change
(You can see user master changes log with this option)
5-System/Other events
(System error can be logged using this option)
Hope, it clear the things...
Regards.
Rajesh Narkhede

Performance issue of Security Audit log

Hello,
My client would like to activate the Security Audit log on his system. However he will like to know whether there could be any performance issue when activating it. Since I do not have any prior experience, can you please give me your general feedback on this subject. Have any of you experience performance issue when implementing security audit log and what can be done to minimize its effect?

Hai,
Activating Security Audit logs will not affect the performance of your SAP system. Since SAP Systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server. This is the only thing you really need to take care since they might fill up the disk space if you dont archive or delete them on regular basis. Also since the data is very sensitive you should take extra care to protect the data.
Please follow the below links for more details.....
http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e36d6611d1a5700000e835363f/frameset.htm
http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log/
Regards,
Yoganand.V

SM19 - Security Audit Log

Hello,
I have activated Security Audit Log through SM19.
When I check the Parameters, I can see
rsau/max_diskspace/local = 20M
(Maximum space for security audit file)
1. My question is if the collective size of security Audit files exceeds 20M, which file will SAP delete? or rather what is the exact course of action that SAP would take?
2. In my system, Parameter rsau/enable = 0 (Enable Security Audit)
But still the audit logs are getting generated.
So does '0' signify Enabled?
Thanks.

I think your answer can be found in [this thread|Re: Security Audit Log FULL. What happens??;
Kind regards,
Lodewijk

Enable Security Audit Log

Hi All,
If we will enable Security Audit Log, does it affect the performance of the SAP System.
Please clarify my doubt.
Thanks

Hello Anil, Security audit log is creates archive log file on daily basis. No performance issues will come if you take care of some parameters
The system does not delete or overwrite audit files from previous days, it keeps them until manually deleted. Due to the amount of information that may accumulate, we should archive these files on a regular basis and delete the originals from the application server.
You define the name and location of the files in the profile parameter haanrsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information.
We can define the maximum size of the audit file in the profile parameter rsau/maxdiskspace/local_. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.
Hope it helps.
Regards, Amber S | ITL

Security Audit Log / Logging of downloads from query results?

Hi everybody,
our data protection team has raised the requirement to log all data downloads from our BW system. As far as I know, it is possible to log downloads in SAP GUI using Security Audit Log, but does this also cover "Export to Excel" functionality of query results executed in the portal? And what about execution of queries with BEx Analyzer? I doubt, if that tool would log this. Are there any other tools available to cover that requirement?
Any comment and idea is welcome. Thanks in advance!
Regards,
Carsten

If restricted to ALV I think it can be done, but even there... if the user executes it in background and mails or prints the spool request then the cat is out of the box...
Moral of the story: Do not grant access if the user should not be able to see the data (regardless where they log on from).
That you cannot monitor / log all (mass) download events is however a bit unfortunate, however once the data is outside of the system for those whom you do trust then you anyway need to train them not to park sensitive files on project or public file servers.
IMO the main problem here is front-end computing tools (like Excel, etc) which the users feel more confortable with to analyze data than the server side analytics tools (e.g. in the ALV task bars, or even the BOBJ Dashboards which are very "user-sentric").
In German it is known as "Bauern mentalität" (farmer mentality) which generally resides at the application surphase layer in the greater scheme of things:
-> You do not eat anything you have not slaughtered yourself...
Specifically regarding tokenization, you can consider not displaying the data in the portal. If the user wants to display these fields they have to navigate in their own context into the backend system to retrieve the token and then only display individual values.
--> A download of a list via the portal or BEX excludes these fields which the user can access, but not mass download.
I think this is possible, but it will be a challenge depending on whether the fields support tockenization. Credit Card numbers as mentioned my Martin is fairly vanilla and already used.
Custom fields&types, insufficiently critical elements and older programs will be a bigger challenge.
Please provide more details, as the generic answers are not well take care of IMO. If you cannot provide mre details, then SDN discussions speculating on answers is not efficient either...
Cheers,
Julius

How to schedule a batch job to generate security audit log (SM20)

May be this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
Regards
Nirmal

> May be this is a repeat question for this forum. Apologize, if it is.
You don't need to apologize. You only need to do a very simple search...
> Total Questions: 18 (16 unresolved)
Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
Please do the needfull.
Cheers,
Julius

Getting the name of the program or the FM called from security audit log

Dears,
Is there a way to get the name of the ABAP program called through transaction SE38, or the FM called through transaction SE37, from the security audit log ?
What is available is only : RSABAPPROGRAM for transaction SE38, and RSFUNCTIONBUILDER for transaction SE37
Thanks.
Reda

I had always assumed this log to be in the SUBMIT statement, but never used it.
If I remember correctly this is recorded it the runtime submit, so it should be there.
Perhaps it is only in selected reports? I will check in my system.
Please compare with sm20n and run the report from sa38. The submits are different in sa38 etc compared to se38.
The FM will only be recorded it it has a destination extention in the source system which is mostly remote. Local fm calls are not recorded for sure.
Cheers,
Julius
Edited by: Julius Bussche on Jul 26, 2011 11:32 PM

CCMS and Security Audit log

I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
Do you know why is it so if it is not configured at your place.
Thanks
Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
Please go through the document: [Security Audit Log|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true] (it's a bit Old)
Try searching Community with SM20 / SM19 / Security Audit Log search strings.
Regards,
Dipanjan

Security Audit Log SM19 and Log Management external tool

Hi all,
we are connecting a SAP ECC system with a third part product for log management.
Our SAP system is composed by many application servers.
We have connected the external tool with the SAP central system.
The external product gathers data from SAP Security Audit Log (SM19/SM20).
The problem is that we see, in the external tool, only the data available in the central system.
The mandatory parameters have been activated and the system has been restarted.
The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
In our scenario, we do not use SM20 since we want read the collected data in the external tool.
Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
Thanks in advance.
Andrea Cavalleri

I am always amazed at these questions...
For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
Cheers,
Julius

Weu0092d like to get Custom reports. The base of reports is Security Audit Log

Wed like to get Custom reports. The base of reports is Security Audit Log files. This is files for SM20.
What does the file structure look like? What is field of it?
Thanks!

Hello Marina
The data written to the security audit log correspond to the DDIC structures RSLGENTR (up to release 4.6) and RSAUENTR2 (in newer releases). DDIC structures can be viewed using TA SE11 (data type).
As I can see you have already opened a thread regarding this. Please don't duplicate the threads, as this only widespreads the information.
Regards,
Désiré

Security Audit Log for XI IB

Hello,
on the ABAP Stack it is possible to activate the security audit log, to log activities on certain objects/functions. Is there also a possibilty to do this for the JAVA-Stack.
We have for legal reasons to log, want users are doing on the productive XI system. E.g. we wanna log if someone is changing the value mapping or configurating the adapter.
Regards, Werner

Hi,
chk out these links
Audit Log
http://help.sap.com/saphelp_me21sp2/helpdata/en/23/c9833b3bb1780fe10000000a11402f/content.htm
regards
jithesh

Security audit log for the last 30 days?

Hi,
My current settings for the security audit log is 20 MB (by default). I dont want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
What are the parameters that I would need to maintain?
Or any additinal config is required?
Thanks,
Abdul

Hi,
My current configuration is like this:
Name                Description                                           Current value                                            System default value
FN_AUDIT     Name of security audit file          audit_++++++++
DIR_AUDIT     Directory for security audit files     /usr/sap/GSP/DVEBMGS00/log     /usr/sap/GSP/D00/log
rsau/enable     Enable Security Audit          0
rsau/max_diskspace/local     Maximum space for security audit file     300M     20M
rsau/max_diskspace/per_day     Maximum size of all security audit files per day          0
rsau/max_diskspace/per_file     Maximum size of one single security audit file          0
rsau/selection_slots     Number of selection slots for security audit          2
rsau/user_selection     Defines the user selection method used inside kernel functions          0
I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB. If this is the growth rate, the 300MB allocated for audit will completely used in just a day.
My requirement is - I want to track users and their activities for the last 30 days (or 45 days). No log should be overwritten unless it is atleast 30 days old.
In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
Other doubts: Do I have to start auditing manually every day? Or will it keep writing logs until it reaches 300 MB which can spread upto multiple days.
Regards
Abdul
Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM

Security audit log doesn't capture services

Hello I am posting this on behalf of Carol, Would you please be kind on helping her?
After the upgrade to ECC the t-codes for the ESS functions were
changed to services that run via the portal. We need to find where the
audit data is logged for these services. Below are some of the t-codes
which are now run via the new service name.
PZ02##sap.com/essusaddr/Per_Address_US
PZ03##sap.com/essusbank/Per_Bank_US
PZ10##sap.com/essusw4/Per_W4_US
PZ11_PDF#sap.com/ess~rem/PaySlip2
PZ18##Z_WDA_HR_EMRG_CONTACT
A search of notes with 'security audit log' hasn't turned up any new
information.
Carol

Hi Ricardo,
check the notes:
[544708|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=544708] - Changed password rules prevent ITS-based logon
[872773|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=872773] - Changed password rules and ITS-based logon
Alternatively use the search terms "ESS Scenario PZ02/ Personal data" .. you might get some related notes.
Regards,
Srihari

Accesses: Delete in Security Audit Log

Similar Messages

Maybe you are looking for