Enable Security Audit Log
Hi All,
If we enable the Security Audit Log, does it affect the performance of the SAP system?
Please clarify my doubt.
Thanks
Hello Anil,
The security audit log creates an archive log file on a daily basis. No performance issues will come if you take care of some parameters.
The system does not delete or overwrite audit files from previous days, it keeps them until manually deleted. Due to the amount of information that may accumulate, we should archive these files on a regular basis and delete the originals from the application server.
You define the name and location of the files in the profile parameter rsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information.
We can define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.
Hope it helps.
Regards, Amber S | ITL
Similar Messages
-
Terminal - Security Audit Log analysis.
I have enabled, security audit log for our landscape. But the terminal column is only of 8 characters in length.
Whereas the names of terminals (desktops and laptops) in my organisation are 15 characters long.
Hence it is not possible to identify from which particular workstation a transaction was executed.
I am using SAP R/3 4.6C.
Can anybody help?
Regards,
Thanks Eric,
I too guessed the same... Because I have checked in ECC6... This shows... the full name of the terminal. -
SAP Security audit log and Profile Parameter rsau/enable
Does the profile parameter rsau/enable have to be "1" for the audit log to be active, or is this parameter set purely to allow the maintenance of static profiles? I have been reading into SAP's documentation and they only refer to this parameter in the "Maintaining Static Profiles" section. Therefore I would like to know if the audit log can record when the parameter rsau/enable = "0"?
Many thanks
Hi
I have it running on my NW2004s sneak peek system, with a dynamic filter and rsau/enable = 0. So Yes - it's possible to record in the security audit log with rsau/enable = "0", if you're using the dynamic filters.
Regards
Morten Nielsen -
Security audit log for the last 30 days?
Hi,
My current setting for the security audit log is 20 MB (by default). I don't want to control it with a file size limitation, but by the number of days the audit is recorded (max 30 days).
What are the parameters that I would need to maintain?
Or is any additional config required?
Thanks,
Abdul
Hi,
My current configuration is like this:
Name Description Current value System default value
FN_AUDIT Name of security audit file audit_++++++++
DIR_AUDIT Directory for security audit files /usr/sap/GSP/DVEBMGS00/log /usr/sap/GSP/D00/log
rsau/enable Enable Security Audit 0
rsau/max_diskspace/local Maximum space for security audit file 300M 20M
rsau/max_diskspace/per_day Maximum size of all security audit files per day 0
rsau/max_diskspace/per_file Maximum size of one single security audit file 0
rsau/selection_slots Number of selection slots for security audit 2
rsau/user_selection Defines the user selection method used inside kernel functions 0
I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB. If this is the growth rate, the 300MB allocated for audit will be completely used in just a day.
My requirement is - I want to track users and their activities for the last 30 days (or 45 days). No log should be overwritten unless it is at least 30 days old.
In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
Other doubts: Do I have to start auditing manually every day? Or will it keep writing logs until it reaches 300 MB, which can spread over multiple days?
Regards
Abdul
Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM -
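An added example, not part of the original posts: one way to do the OS-level housekeeping described in the first answer (archive old audit files, then delete the originals) while keeping the last 30 days on the application server, as asked in this thread. It assumes the FN_AUDIT pattern audit_++++++++ expands to audit_YYYYMMDD; the function names, the archive directory and the sample files are hypothetical.

```python
import gzip, hashlib, re, shutil, tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

# Assumption: FN_AUDIT is audit_++++++++ and the eight "+" become YYYYMMDD.
AUDIT_NAME = re.compile(r"^audit_(\d{8})$")

def sha256(stream):
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()

def archive_old_audit_files(audit_dir, archive_dir, keep_days, today):
    """Compress audit files older than keep_days, verify the copy, then delete."""
    cutoff = today - timedelta(days=keep_days)
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    archived = []
    for src in sorted(Path(audit_dir).iterdir()):
        m = AUDIT_NAME.match(src.name)
        if not m or not src.is_file():
            continue                      # not an audit file: never touch it
        try:
            file_day = datetime.strptime(m[1], "%Y%m%d").date()
        except ValueError:
            continue                      # eight digits that are not a real date
        if file_day >= cutoff:
            continue                      # still inside the retention window
        dst = archive_dir / (src.name + ".gz")
        with src.open("rb") as fin, gzip.open(dst, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        with src.open("rb") as a, gzip.open(dst, "rb") as b:
            intact = sha256(a) == sha256(b)
        if not intact:
            dst.unlink()
            raise OSError(f"archive copy of {src} does not match the original")
        src.unlink()                      # original removed only after verification
        archived.append(src.name)
    return archived

def demo():
    """Constructed sample: three fake audit files and one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        log, arc = Path(tmp, "log"), Path(tmp, "archive")
        log.mkdir()
        for name in ("audit_20100101", "audit_20100120", "audit_20100204", "dev_w0"):
            (log / name).write_bytes(b"constructed sample record\n" * 100)
        done = archive_old_audit_files(log, arc, 30, date(2010, 2, 4))
        return done, sorted(p.name for p in log.iterdir()), sorted(p.name for p in arc.iterdir())
```

Files that stay in the audit directory remain readable there; archived files have to be restored to that directory before they can be evaluated from the application server again.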
Blank Security Audit Log in SM20
Dear Experts,
The rec/client parameter is set to 'OFF', so no security audit log is generated in SAP. But if a security audit log is still required, is there any way to get the log from SAP from any of the standard reports, programs or tables?
<< Moderator message - Everyone's problem is important. But the answers in the forum are provided by volunteers. Please do not ask for help quickly. >>
thanks in advance,
Rahul
Edited by: Rob Burbank on Jan 14, 2011 4:44 PM
Table logging and the security audit log are two different things. If the rec/client parameter is disabled, then table logging will not be possible. But if you need the audit log, then you have to enable it through SM19.
Regards,
Subhash -
Hello,
I have activated Security Audit Log through SM19.
When I check the Parameters, I can see
rsau/max_diskspace/local = 20M
(Maximum space for security audit file)
1. My question is: if the collective size of the security audit files exceeds 20M, which file will SAP delete? Or rather, what is the exact course of action that SAP would take?
2. In my system, Parameter rsau/enable = 0 (Enable Security Audit)
But still the audit logs are getting generated.
So does '0' signify Enabled?
Thanks.
I think your answer can be found in this thread: "Re: Security Audit Log FULL. What happens??"
Kind regards,
Lodewijk -
Regd. Security Audit log
Hi,
We have a requirement from business to activate Security audit log for all Business users. We have around 160 Business users but in SM19 I am able to set filters for only 10 users maximum.
Also I tried creating 16 profiles and maintained 10 users each but still I was able to activate only one profile at a time.
If I put * in the user tab then the system starts logging for all users including our ESS users. But we don't want to log for ESS users as there are 1000+ ESS users, which will affect the growth of the security log as well as the performance.
Please suggest whether there is any way to enable the security log only for around 160 users using SM19.
Regards,
Nalla.
> Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we can't use wild card option like RFC* or ESS*.
I thought it worth mentioning, to consider for next time...
> Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.
Possibly it is logging the RFC call and not the RFC authentication. Try the other way around and filter out the successful logins in SM20N.
> Is there any way we can restrict using user group or licensing type?
No, not to my knowledge.
> Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriction on user group wise.
You can make the screen program glow in the dark in a Z-tcode, but the location where the log is written is not accessible to you and that is where the music is.
The best option is to set a carefully chosen and tested filter in SM19 which covers your requirement without stopping the log, and then use SM20N to filter a subset of that.
You can also define the selection methods and reaction methods in transaction RZ21 and then activate them in a monitoring template in RZ20. This way you are faster and will only see what you want.
You can also do the same in Solution Manager for the managed systems and have a central monitoring and reaction from there. Then you are on the right track in my opinion.
Cheers,
Julius -
SM19/SM20 Security Audit Log
I would like to ask if we need to restart the server once we activated the Static Profile in SM19? I have 3 application servers and only 1 application server's audit log is running. When I try to activate the security audit log for the other two servers, I don't see the audit log updating after I clicked the Activate button. Profile parameter rsau/enable is already set to 1. Space for audit files is sufficient. Is there anywhere else I can check why the audit log is not running?
Thanks!
If you set the dynamic filters, then you do not need to restart the server.
If you set static filters, then you do need to restart the server for them to take effect.
This may have changed, but in some releases if you display the dynamic filters and then return to the static filter tab, what you will be looking at on the screen will still be the dynamic filter settings. This can be confusing. -
How to schedule a batch job to generate security audit log (SM20)
May be this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
Regards
Nirmal
> May be this is a repeat question for this forum. Apologize, if it is.
You don't need to apologize. You only need to do a very simple search...
> Total Questions: 18 (16 unresolved)
Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
Please do the needful.
Cheers,
Julius -
"logon time" between USR41 and security audit log
Dear colleagues,
I got a following question from customer for security audit reason.
> 'Logon date' and 'Logon time' values stored in table USR41 are exactly same as
> logon history of Security Audit Log(Tr-cd:SM20)?
Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
at the time when user logged on, the security audit log is recorded.
I tried to check SAP GUI logon program:SAPMSYST several ways, however,
I could not check it because the program is protected even for read access.
I want to know about specification of "logon time" between USR41 and security audit log,
or about how to look into the program:SAPMSYST and debug it.
Thank you.
Best Regards.
Hi,
If you configure Security Audit you can achieve your goals...
1-Audit the employees how access the screens, tables, data...etc
Answer : Option 1 & 3
2-Audit all changes by all users to the data
Answer : Option 1 & 3
3-Keep the data up to one month
Answer: No such settings, but you can define maximum log size.
4-Log retention period can be defined.
Answer: No !.. but you can define maximum log size.
SM19/SM20 Options:
1-Dialog logon
You can check how many users logged in and at what time
2-RFC login/call
Same as above you can check RFC logins
3-Transaction/report start
You can see which report or transaction are executed and at what time
(It will help you to analyse unauthorized data change. Transactions/reports can give you an idea what data has been changed. So you can see who changed the data)
4-User master change
(You can see user master changes log with this option)
5-System/Other events
(System error can be logged using this option)
Hope it clears things up...
Regards.
Rajesh Narkhede -
Getting the name of the program or the FM called from security audit log
Dears,
Is there a way to get the name of the ABAP program called through transaction SE38, or the FM called through transaction SE37, from the security audit log ?
What is available is only : RSABAPPROGRAM for transaction SE38, and RSFUNCTIONBUILDER for transaction SE37
Thanks.
Reda
I had always assumed this log to be in the SUBMIT statement, but never used it.
If I remember correctly this is recorded in the runtime submit, so it should be there.
Perhaps it is only in selected reports? I will check in my system.
Please compare with sm20n and run the report from sa38. The submits are different in sa38 etc compared to se38.
The FM will only be recorded if it has a destination extension in the source system which is mostly remote. Local fm calls are not recorded for sure.
Cheers,
Julius
Edited by: Julius Bussche on Jul 26, 2011 11:32 PM -
I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. For example, I worked for 3 clients (user base 14000, 16000, 1000) and none of them have this configuration.
Do you know why this is so, if it is not configured at your place?
Thanks
Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM
Performance impact is dependent on the hardware sizing and the daily monitoring activities together with the backup schedule by the BASIS team.
My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
Please go through the document "Security Audit Log" (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true) (it's a bit old).
Try searching Community with SM20 / SM19 / Security Audit Log search strings.
Regards,
Dipanjan -
Security Audit Log SM19 and Log Management external tool
Hi all,
we are connecting an SAP ECC system with a third-party product for log management.
Our SAP system is composed of many application servers.
We have connected the external tool with the SAP central system.
The external product gathers data from SAP Security Audit Log (SM19/SM20).
The problem is that we see, in the external tool, only the data available in the central system.
The mandatory parameters have been activated and the system has been restarted.
The strategy of the SAP Security Audit Log is to create many audit log files, one for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
In our scenario, we do not use SM20 since we want read the collected data in the external tool.
Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
Thanks in advance.
Andrea Cavalleri
I am always amazed at these questions...
For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be allergic to using APIs for some reason.
However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
Cheers,
Julius -
We'd like to get Custom reports. The base of reports is Security Audit Log
We'd like to get custom reports. The base of the reports is the Security Audit Log files. These are the files for SM20.
What does the file structure look like? What are its fields?
Thanks!
Hello Marina
The data written to the security audit log correspond to the DDIC structures RSLGENTR (up to release 4.6) and RSAUENTR2 (in newer releases). DDIC structures can be viewed using TA SE11 (data type).
As I can see you have already opened a thread regarding this. Please don't duplicate the threads, as this only spreads the information around.
Regards,
Désiré -
Hello,
on the ABAP stack it is possible to activate the security audit log, to log activities on certain objects/functions. Is there also a possibility to do this for the Java stack?
We have, for legal reasons, to log what users are doing on the productive XI system. E.g. we wanna log if someone is changing the value mapping or configuring the adapter.
Regards, Werner
Hi,
Check out these links
Audit Log
http://help.sap.com/saphelp_me21sp2/helpdata/en/23/c9833b3bb1780fe10000000a11402f/content.htm
regards
jithesh