Analysis of security audit log_SM20N Showing Empty

Similar Messages

• Terminal - Security Audit Log analysis.

  I have enabled, security audit log for our landscape. But the terminal column is only of 8 characters in length.
  Whereas the names of terminals (Desktops and laptops) in my organisation is 15 character.
  Hence it is not possible to identify, from which particular workstation a transanction was executed.
  I am using SAP R/3 4.6C.
  Can anybody help?
  Regards,

  Thanks Eric,
  I too guessed the same...Because I have checked in ECC6...This shows ....the full name of the terminal.

• Solaris 10 with Trusted Extensions - Security Audit Events [short] Descript

  {color:#000000}I know that the security audit events and classes in Solaris 10 have changed when viewing these files: audit_class, audit_event, and audit_control with that of the same files for TSOL8. In order to perform an accurate and acceptable review of the audit events, I need to find either a file or document that provides a short description for each of the audit events within each audit class. Can anyone point me in the right direction or a URL? I have tried to search through the Sun docs and have not yielded any results. {color}

  been there, done that
  The problem is a function of your network definitions. The non-global zones do not have an IP address to match for your global zonename. The error message results from the system established default of the DISPLAY variable failing (DISPLAY=globalzonename:0.0).
  To confirm this, login to the global zone as root and "zlogin -S" to the non-global zone. Once there, the command "netstat -r" should show the IP address of the global zone instead of the expected global zonename. (combine this with a look at your output for "ifconfig -a" within the same non-global zones) Another command you should fail with will be the "getent hosts galaxy". Anyway, if you manually set your DISPLAY variable to the "IP Address" of the globalzonename and execute a "dtterm" ... it should work fine.
  If it does not violate a security policy, I suggest you add the IP address of the global zone to either the /etc/inet/hosts or /etc/inet/ipnodes file within each non-global zone.

• Security audit log for the last 30 days?

  Hi,
  My current settings for the security audit log is 20 MB (by default).  I dont want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
  What are the parameters that I would need to maintain?
  Or any additinal config is required?
  Thanks,
  Abdul

  Hi,
  My current configuration is like this:
  Name                Description                                           Current value                                            System default value
  FN_AUDIT     Name of security audit file          audit_++++++++
  DIR_AUDIT     Directory for security audit files     /usr/sap/GSP/DVEBMGS00/log     /usr/sap/GSP/D00/log
  rsau/enable     Enable Security Audit          0
  rsau/max_diskspace/local     Maximum space for security audit file     300M     20M
  rsau/max_diskspace/per_day     Maximum size of all security audit files per day          0
  rsau/max_diskspace/per_file     Maximum size of one single security audit file          0
  rsau/selection_slots     Number of selection slots for security audit          2
  rsau/user_selection     Defines the user selection method used inside kernel functions          0
  I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB.  If this is the growth rate, the 300MB allocated for audit will completely used in just a day.
  My requirement is - I want to track users and their activities for the last 30 days (or 45 days).  No log should be overwritten unless it is atleast 30 days old.
  In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
  Other doubts: Do I have to start auditing manually every day?  Or will it keep writing logs until it reaches 300 MB which can spread upto multiple days.
  Regards
  Abdul
  Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM

• Security Audit Enable.

  Dear all,
  we had enabled the security sometime back and it was working fine. after a month, the security log (sm20) says : "The result set for this selection was empty".
  I thought that the audit logs had exceeded the storage size, thus i deleted 30 days log using sm18. On returning back to sm20, i am still encountering the same error.
  I would like to know that will i need to restart my application server in order to make it active again(btw its already active, in sm19).
  I need my sm20 active again!
  Kindly help me clear my confusion please.
  Thanks in advance.

  Thanks for the prompt replies.
  Dear Happy,
  I understand that I don't need to restart the server but then how can i make my security audit work ? Can U guide me to the solution please?  Cuz if i change my profile parameter (as said by Rakesh) then It will be necessary for me to restart the application server.
  Thanks.

• SM20 report shows empty result

  Hi All,
  Issue in Audit sm20:
  one of the account with special privileges which was set open for doing changes directly in production for a limited time.
  When i tried to run an SM20 report to list the actions I did but I get an empty result.Where as able to get other information except that particular user.
  Findings:
  1.Able to identify transaction used in st03 for that user.
  2, logs were returned on that particular date.
  3.cheked in sm19 all activities were active.
  4.all related parameters were set accordingly.
  PLease help me out in finding out the result and to solve the issue

  > When i tried to run an SM20 report to list the actions I did but I get an empty result.Where as able to get other information except that particular user.
  >
  --> I believe you were able to view other users' activities during the same time, but specifically not for one user ?
  In case there are many instances in your SAP system, could you check for all instances individually from SM20 ?
  Also Security Audit logs cease to write when the audit log max size is achieved / quota for the day is done. Even this is instance specific and hence you need to verify this for the instance to which user logged on.
  There are also occurances of Audit logs not being written owing to product error. Could you go through the following SAP Notes , in case the SAP release mentioned in the notes match with that of yours ?
  SAP Note 763159 - Security Audit Log: some transaction starts not audited
  SAP Note 710138 - Security Audit Log: Transactions are not recorded (3)
  SAP Note 317883 - SecAudit: Transactions are not recorded
  SAP Note 483953 - Security Audit Log: AU9 and AUA events are not recorded
  SAP Note 840798 - SecAudit: Transaction code sometimes missing
  cheers !
  PRADi

• Security log 4634 shows another user logging off

  Security log shows users logoff that weren't even using the machine. There are no 4642 logon logs, just the 4643 logoff logs.
  These user aren't even accessing another machine via the network. All machines also have no malware or virus on them.
  Logon Type: 3
  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
  What could be causing this?

  It's a domain enviroment. Printers are all through a Print Server.
  Below is the log of 1 such event.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          2014-04-04 03:04:24 PM
  Event ID:      4634
  Task Category: Logoff
  Level:         Information
  Keywords:      Audit Success
  User:          N/A
  Computer:      (computer name.domain)
  Description:
  An account was logged off.
  Subject:
  Security ID:
  S-1-5-21-213254720-224688177-246369
  Account Name:
  (username)
  Account Domain:
  (domain)
  Logon ID:
  0x197EC67
  Logon Type: 3
  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>4634</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>12545</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2014-04-04T13:04:24.783747600Z" />
      <EventRecordID>108300</EventRecordID>
      <Correlation />
      <Execution ProcessID="724" ThreadID="756" />
      <Channel>Security</Channel>
      <Computer>(computer name.domain)</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="TargetUserSid">S-1-5-21-213254720-224688177-246369</Data>
      <Data Name="TargetUserName">(username)</Data>
      <Data Name="TargetDomainName">(domain)</Data>
      <Data Name="TargetLogonId">0x197ec67</Data>
      <Data Name="LogonType">3</Data>
    </EventData>
  </Event>

• Security Audit Log Reason Codes

  Hello there,
  We have an logon failed entry in our Security Audit Log and i am trying to find out what the reason code is. I think it is to do with a failed RFC connection of one of our users. Is there a list somewhere that shows all these failed logon reason codes?
  Logon Failed (Reason = 53, Type = H)
  Cheers!
  Bernard.

  That would be a failed logon of type HTTP(s) due to the user ID's password being locked from failed logon attempts (USR02-UFLAG = 128 in the ABAP world).
  See SAP Note 320991.
  Cheers,
  Julius

• Oracle Linux Security Audit

  Dear All,
  We have installed oracle Linux 6 in one of our server and we are running Oracle EBS R12.2 running on that server. last couple of days we are getting huge performance impact on that server. From the initial level of investigation the top command shows more than 300% CPU utilized by some unknown command which is initiate by super user. For this we have raised SR with oracle and they have said it seems to be a malware and ask us to do some security audit on the impacted server.
  can anyone please suggest us, is there any security audit tool available in oracle site to identify the malware and remove from the server?
  It would be very helpful for us...
  Regards,
  Venkatesh V

  here you go
  http://docs.oracle.com/cd/B19306_01/network.102/b14266/cfgaudit.htm#BABCFIHB
  http://docs.oracle.com/cd/B19306_01/network.102/b14266/auditing.htm#CHDJBDHJ
  http://docs.oracle.com/cd/B19306_01/network.102/b14266/cfgaudit.htm#BABCFIHB

• Security audit alert

  Hi,
  I have enabled the security audit alert.Can you tell me where is the log files stored in filesystem?
  Can you give me the patch..
  Regards,
  Hendry

  Hello Hendry
  The audit log files are stored on OS level
  The Security Audit Log produces an audit analysis report that contains the audited activities. By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System
  Follow the link http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e96d6611d1a5700000e835363f/content.htm
  you will be able to display the report
  Rohit

• Report value is showing empty ,

  Hi Gurus ,
  i have i added new keyfigure in to query & its showing in the report also
  But problem is the value of the keyfigure showing empty ,where as in the cube all values are 0.00
  i want the keyfigures values should be 0.00
  could any one help me out
  Berry

  Hi KP,
  thanks for u r reply , i was doing in Development, if i  made this chages as peer your direction surpress Zero,
  If it is transported to Production if the valus are like 5845 (example ), is it diplays 5845 are Zero
  Please let us know
  Thanks in advance
  Berry

• How to schedule a batch job to generate security audit log (SM20)

  May be this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
  Regards
  Nirmal

  > May be this is a repeat question for this forum. Apologize, if it is.
  You don't need to apologize. You only need to do a very simple search...
  > Total Questions:  18 (16 unresolved) 
  Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
  Please do the needfull.
  Cheers,
  Julius

• Multiple security audit failures a second

  A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It its happening way too fast to be a human trying
  to login. 
  Keywords Date and Time Source Event ID Task Category
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
  Subject
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
  Subject :
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: < ommited from forum post >
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
  Subject:
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x24c
  Caller Process Name: C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name: SBS
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  Subject
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Success 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4904 Audit Policy Change
  "An attempt was made to register a security event source.
  Subject :
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Failure 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4625 Logon
  "An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xc000006d
  Sub Status:
  0xc0000064
  Process Information:
  Caller Process ID:
  0x24c
  Caller Process Name:
  C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name:
  SBS
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  Schannel
  Authentication Package:
  Kerberos
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  Jerry T

  Hi Jerry,
  Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually
  related to share folders, printers, IIS and so on.
  Would you please let me confirm whether you had installed some third-party applications?
  Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if can help you.
  Audit
  Failure - Event 4625
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Show Empty Data

  I hope there is anybody how could help me:
  I create a Bex Query on EA Data (Account with same Key Figures) the Query is its based on a BPC Cube. In rows a only the account and in the columns are the key figures. Now not on all Account are values in the cube. I say in Bex Query that they should show Master Data. In Analyzer there are all accounts also the account without values in the cube.
  In crystal I only see account with values. I use CR SP3 and integration Kit SP3. I set u201CShowEmptyDatau201D to True but nothing happened.
  As second solution I create a formula in Bex with the value 1, take it in the columns but nothing happened in crystal I only see accounts with values in the cube.
  I donu2019t know what I could do.
  Second I had problems with the general connection of Bex and Crystal.
  In the normal way I create a new report with the Sap Integration Kit Menue. What is the different between this way and the way with the crystal function new report and use a new MDX Connection. In booth ways with the same SAP System I get different connection parameters. Which way is the right way.
  In addion if i set Show Empty Data to True, i get ask for the query variables and after it show empty data is set to false automaticly

  Hello Ingo,
  really??????
  But in release notes of SAP Integration KIT XI 3.1 SP3  SAP shows it as one of the big new features. I couldn't believe that this is a fake?? Thats was the basement why we use it.
  Is it in BO 4.0 possible to use only Crystal Reports Designer (which Version?) and a BW System with the Integration KIT?? Like in XI3.1??
  We only use Crystal Reports Designer with Integration KIT and the Integration KIT in the BW System. Is there an Integration KIT of BO 4.0 with transports for the BW System?
  I couldn't believe that it is not possible in XI 3.1. I stay in contact with the SAP and then im really angry because in the documnentation there is the option listed.

• "logon time" between USR41 and security audit log

  Dear colleagues,
  I got a following question from customer for security audit reason.
  > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
  > logon history of Security Audit Log(Tr-cd:SM20)?
  Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
  And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
  at the time when user logged on, the security audit log is recorded .
  I tried to check SAP GUI logon program:SAPMSYST several ways, however,
  I could not check it because the program is protected even for read access.
  I want to know about specification of "logon time" between USR41 and security audit log,
  or about how to look into the program:SAPMSYST and debug it.
  Thank you.
  Best Regards.

  Hi,
  If you configure Security Audit you can achieve your goals...
  1-Audit the employees how access the screens, tables, data...etc
  Answer : Option 1 & 3
  2-Audit all changes by all users to the data
  Answer : Option 1 & 3
  3-Keep the data up to one month
  Answer: No such settings, but you can define maximum log size.
  4-Log retention period can be defined.
  Answer: No !.. but you can define maximum log size.
  SM19/SM20 Options:
  1-Dialog logon
  You can check how many users logged in and at what time
  2-RFC login/call
  Same as above you can check RFC logins
  3-Transaction/report start
  You can see which report or transaction are executed and at what time
  (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
  4-User master change
  (You can see user master changes log with this option)
  5-System/Other events
  (System error can be logged using this option)
  Hope, it clear the things...
  Regards.
  Rajesh Narkhede