Security audit alert

Hi,
I have enabled the security audit alert. Can you tell me where the log files are stored in the filesystem?
Can you give me the patch?
Regards,
Hendry

Hello Hendry
The audit log files are stored at OS level.
The Security Audit Log produces an audit analysis report that contains the audited activities. By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System.
Follow the link http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e96d6611d1a5700000e835363f/content.htm and you will be able to display the report.
Rohit

Similar Messages

  • Security Audit Log SM19 and Log Management external tool

    Hi all,
    we are connecting a SAP ECC system with a third-party product for log management.
    Our SAP system is composed of many application servers.
    We have connected the external tool with the SAP central system.
    The external product gathers data from SAP Security Audit Log (SM19/SM20).
    The problem is that we see, in the external tool,  only the data available in the central system.
    The mandatory parameters have been activated and the system has been restarted.
    The strategy of SAP Security Audit Log is to create many audit log files for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
    In our scenario, we do not use SM20 since we want to read the collected data in the external tool.
    Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
    Thanks in advance.
    Andrea Cavalleri

    I am always amazed at these questions...
    For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be allergic to using APIs for some reason.
    However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
    Cheers,
    Julius

  • How to schedule a batch job to generate security audit log (SM20)

    Maybe this is a repeat question for this forum. I apologize if it is. Is there a way to schedule a batch job to generate the security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
    Regards
    Nirmal

    > Maybe this is a repeat question for this forum. I apologize if it is.
    You don't need to apologize. You only need to do a very simple search...
    > Total Questions:  18 (16 unresolved) 
    Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
    Please do the needful.
    Cheers,
    Julius

  • Multiple security audit failures a second

    A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It is happening way too fast to be a human trying to log in.
    Keywords Date and Time Source Event ID Task Category
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
    Subject
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <omitted from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x10d4
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x262070f0"
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
    Subject :
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <omitted from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x10d4
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x262070f0"
    Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <omitted from forum post>
    Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x24c
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: SBS
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    Subject
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <omitted from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x131c
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x26206ef4"
    Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
    Subject :
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <omitted from forum post>
    Logon ID: 0x3e7
    Process:
    Process ID: 0x131c
    Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    Event Source:
    Source Name: ServiceModel 4.0.0.0
    Event Source ID: 0x26206ef4"
    Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: SBS$
    Account Domain: <omitted from forum post>
    Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x24c
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: SBS
    Source Network Address:
    Source Port:
    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services:
    Package Name (NTLM only):
    Key Length: 0
    Jerry T

    Hi Jerry,
    Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually related to shared folders, printers, IIS and so on.
    Would you please let me confirm whether you had installed some third-party applications?
    Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if it can help you.
    Audit Failure - Event 4625
    If there is any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu
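
Added example, not part of either post above: a triage sketch for a 4625 flood like the one quoted, which parses events in the text layout shown and groups failures by logon process, workstation, target account and Sub Status to show whether one source is failing many times within a single second. The function names, the `burst` threshold and the sample events are assumptions constructed for illustration; the status-code meanings are the ones Windows documents for event 4625.

```python
import re
from collections import Counter

# Section headings in the text rendering of the events quoted in the post.
SECTIONS = {"Subject", "Process", "Event Source", "Account For Which Logon Failed",
            "Failure Information", "Process Information", "Network Information",
            "Detailed Authentication Information"}
# NTSTATUS codes Windows reports in the Status / Sub Status fields of event 4625.
NTSTATUS = {"0xc000006d": "bad user name or authentication information",
            "0xc0000064": "user name does not exist",
            "0xc000006a": "wrong password",
            "0xc0000234": "account locked out"}
HEADER = re.compile(r"^Audit (Success|Failure) (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \S+ (\d+) ")

def parse_events(text):
    """Split an exported event list into dicts keyed by 'Section/Field'."""
    events, current, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip().rstrip('"')
        m = HEADER.match(line)
        if m:
            current = {"result": m.group(1), "time": m.group(2), "id": int(m.group(3))}
            events.append(current)
            section = ""
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key in SECTIONS and not value:
                section = key          # heading line: following fields belong to it
            else:
                current[f"{section}/{key}"] = value
    return events

def summarize_failures(events, burst=5):
    """Group 4625 failures by origin; flag origins that burst within one second."""
    groups, per_second = Counter(), Counter()
    for e in events:
        if e["id"] != 4625:
            continue
        origin = (e.get("Detailed Authentication Information/Logon Process", "?"),
                  e.get("Network Information/Workstation Name", "?"),
                  e.get("Account For Which Logon Failed/Account Name") or "<empty>",
                  e.get("Failure Information/Sub Status", "?").lower())
        groups[origin] += 1
        per_second[(origin, e["time"])] += 1
    report = []
    for origin, count in groups.most_common():
        peak = max(n for (o, _), n in per_second.items() if o == origin)
        report.append({"logon_process": origin[0], "workstation": origin[1],
                       "target_account": origin[2],
                       "reason": NTSTATUS.get(origin[3], origin[3]),
                       "count": count, "peak_per_second": peak,
                       "automated": peak >= burst})  # too fast for a person typing
    return report

# Constructed sample in the layout of the events quoted above (not real log data).
_EVENT = '''Audit Failure 6/18/2014 1:50:{sec} PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
Account For Which Logon Failed:
Account Name:{target}
Failure Information:
Sub Status: {sub}
Network Information:
Workstation Name: {ws}
Detailed Authentication Information:
Logon Process: {lp}"
'''
SAMPLE = (_EVENT.format(sec="32", target="", sub="0xc0000064", ws="SBS", lp="Schannel") * 6
          + _EVENT.format(sec="40", target=" jsmith", sub="0xc000006a", ws="PC07", lp="NtLmSsp"))

if __name__ == "__main__":
    for row in summarize_failures(parse_events(SAMPLE)):
        print(row)
```

Sorting by `count` puts the noisiest origin first; the logon process and workstation in that row are the fields to chase when locating the service that generates the failures.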

  • "logon time" between USR41 and security audit log

    Dear colleagues,
    I got the following question from a customer for security audit reasons.
    > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
    > logon history of Security Audit Log(Tr-cd:SM20)?
    Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
    And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
    at the time when user logged on, the security audit log is recorded .
    I tried to check SAP GUI logon program:SAPMSYST several ways, however,
    I could not check it because the program is protected even for read access.
    I want to know about specification of "logon time" between USR41 and security audit log,
    or about how to look into the program:SAPMSYST and debug it.
    Thank you.
    Best Regards.

    Hi,
    If you configure Security Audit you can achieve your goals...
    1-Audit the employees how access the screens, tables, data...etc
    Answer : Option 1 & 3
    2-Audit all changes by all users to the data
    Answer : Option 1 & 3
    3-Keep the data up to one month
    Answer: No such settings, but you can define maximum log size.
    4-Log retention period can be defined.
    Answer: No !.. but you can define maximum log size.
    SM19/SM20 Options:
    1-Dialog logon
    You can check how many users logged in and at what time
    2-RFC login/call
    Same as above you can check RFC logins
    3-Transaction/report start
    You can see which report or transaction are executed and at what time
    (It will help you to analyze unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
    4-User master change
    (You can see user master changes log with this option)
    5-System/Other events
    (System error can be logged using this option)
    Hope it clears things up...
    Regards.
    Rajesh Narkhede

  • Getting the name of the program or the FM called from security audit log

    Dears,
    Is there a way to get the name of the ABAP program called through transaction SE38, or the FM called through transaction SE37, from the security audit log ?
    What is available is only : RSABAPPROGRAM for transaction SE38, and RSFUNCTIONBUILDER for transaction SE37
    Thanks.
    Reda

    I had always assumed this log to be in the SUBMIT statement, but never used it.
    If I remember correctly this is recorded in the runtime submit, so it should be there.
    Perhaps it is only in selected reports? I will check in my system.
    Please compare with sm20n and run the report from sa38. The submits are different in sa38 etc compared to se38.
    The FM will only be recorded if it has a destination extension in the source system which is mostly remote. Local FM calls are not recorded for sure.
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 26, 2011 11:32 PM

  • Solaris 10 with Trusted Extensions - Security Audit Events [short] Descript

    I know that the security audit events and classes in Solaris 10 have changed when viewing these files: audit_class, audit_event, and audit_control with that of the same files for TSOL8. In order to perform an accurate and acceptable review of the audit events, I need to find either a file or document that provides a short description for each of the audit events within each audit class. Can anyone point me in the right direction or a URL? I have tried to search through the Sun docs and have not yielded any results.

    been there, done that
    The problem is a function of your network definitions. The non-global zones do not have an IP address to match for your global zonename. The error message results from the system established default of the DISPLAY variable failing (DISPLAY=globalzonename:0.0).
    To confirm this, login to the global zone as root and "zlogin -S" to the non-global zone. Once there, the command "netstat -r" should show the IP address of the global zone instead of the expected global zonename. (combine this with a look at your output for "ifconfig -a" within the same non-global zones) Another command you should fail with will be the "getent hosts galaxy". Anyway, if you manually set your DISPLAY variable to the "IP Address" of the globalzonename and execute a "dtterm" ... it should work fine.
    If it does not violate a security policy, I suggest you add the IP address of the global zone to either the /etc/inet/hosts or /etc/inet/ipnodes file within each non-global zone.

  • Consultancy Services for RAC installation and  Internet Security Audit

    Dear All,
    "Warm greetings from Venkatesh"
    We are proud to announce that, we have started a leading Database, Networking and Internet security Consulting organization at PUNE with a global presence through which we offers a focused, Excellence Solutions for Database, Networking and internet security for vulnerabilities and ethical hacking to the organizations to achieve a sustainable performance and results, and to contribute to the delivery of Quality Product, Solutions and Services to transform the human lives every day.
    We offer a customized Consulting and Corporate Training Services at competitive sizes of organization in all major verticals for Performance Excellence as under with six months maintenance support after RAC installation
    Design and Implementation of Oracle RAC (Real Application Cluster)
    - Oracle solution for High Availability & Grid Computing
    - Versions: Oracle 10gR2, 11gR1 & 11gR2
    - Operating System: Linux, Windows, Solaris, AIX
    - Storage: ASM, OCFS2
    - ASM Cluster File System (ACFS) in Oracle 11gR2
    - Building RAC setup in VMware Environment
    - Feature: Load Balancing, Failover, Dynamic addition of Nodes to Grid
    Design and Implementation of Oracle Data Guard
    - Oracle solution for Disaster Management
    - Primary & Secondary Sites
    - Logical & Physical Standby Database
    Internet Security Audit for Vulnerabilities and Ethical Hacking
    - Penetration testing
    - Source code audit
    - Information security training
    - Website design and development
    - Data Centre audit
    - ISO 27701 consultancy
    We also offer Corporate Trainings for
    - Oracle RAC Administration
    - Automatic Storage Management (ASM)
    - Data Guard
    Please feel free to revert back for any queries.
    Regards
    Venkatesh
    mail: [email protected]
    Edited by: vjpune on Apr 17, 2010 4:44 AM

    Hi! keyur,
    Greetings from venkatesh
    Sorry for delay, i was busy with some assignments.
    Actually, we are a consultancy service provider for those organizations that need to install an Oracle RAC server. We provide entire services, i.e. from designing to implementation of the RAC server, provide solutions for load balancing, disaster management and so on, which I had mentioned in the earlier post.
    Also we offer corporate training to the organization in RAC administration, ASM, Data Guard.
    I think this info will get you to understand our services..
    we welcome inquires if any from your end.
    Regards
    Venkatesh
    mail: [email protected]

  • In which table can I find security audit settings from SM19?

    Hello everybody,
    I'd like to give certain users access to the security audit settings that we defined in SM19. They are supposed to be able to read them but not change anything. I've experimented a bit with SM19 authorizations and figured out that a read-only access to SM19 is possible if I deactivate S_C_FUNCT. The problem is that the aforementioned users already have complete access to S_C_FUNCT and are supposed to keep it. They also have AUDD and AUDA in S_ADMI_FCD. Ergo: If I just add the S_TCODE for SM19 they'd be able to change security audit settings and I don't want to allow that.
    Does anybody know the table where SM19 saves its settings? Maybe I could grant read-only access to that table via SM30 or SE16...
    Looking forward to your answers!
    Kind regards
    Mario

    Hi Mario,
    Restrict access for table RSAUPROF, it should do!!!
    Regards

  • CCMS and Security Audit log

    I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. For example, I worked for 3 clients (user base 14000, 16000, 1000) and none of them have this configuration.
    Do you know why it is so, if it is not configured at your place?
    Thanks
    Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

    Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
    My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
    Please go through the document: Security Audit Log (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true) (it's a bit old)
    Try searching Community with SM20 / SM19 / Security Audit Log search strings.
    Regards,
    Dipanjan

  • SM19 security audit maximum file size is 100MB ?

    Dear all,
    My system security audit log has reached maximum 100MB.
    a.) Is 100MB the default size ?
    b.) Any way to increase it ?
    Comment and advice will be appreciated.
    Thanks.
    Regards,
    Kent

    Hi,
    > a.) Is 100MB the default size ?
    Yes
    > b.) Any way to increase it ?
    >
    Follow SAP note 909734.
    Also link: http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log_1/
    Thanks
    Sunny

  • We’d like to get Custom reports. The base of reports is Security Audit Log

    We’d like to get Custom reports. The base of reports is Security Audit Log files. These are the files for SM20.
    What does the file structure look like? What are its fields?
    Thanks!

    Hello Marina
    The data written to the security audit log correspond to the DDIC structures RSLGENTR (up to release 4.6) and RSAUENTR2 (in newer releases). DDIC structures can be viewed using TA SE11 (data type).
    As I can see you have already opened a thread regarding this. Please don't duplicate the threads, as this only widespreads the information.
    Regards,
    Désiré

  • Security Audit Log for XI IB

    Hello,
    on the ABAP Stack it is possible to activate the security audit log, to log activities on certain objects/functions. Is there also a possibility to do this for the JAVA-Stack?
    We have for legal reasons to log what users are doing on the productive XI system. E.g. we want to log if someone is changing the value mapping or configuring the adapter.
    Regards, Werner

    Hi,
    chk out these links
    Audit Log
    http://help.sap.com/saphelp_me21sp2/helpdata/en/23/c9833b3bb1780fe10000000a11402f/content.htm
    regards
    jithesh

  • Security audit log for the last 30 days?

    Hi,
    My current setting for the security audit log is 20 MB (by default). I don't want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
    What are the parameters that I would need to maintain?
    Or is any additional config required?
    Thanks,
    Abdul

    Hi,
    My current configuration is like this:
    Name | Description | Current value | System default value
    FN_AUDIT | Name of security audit file | | audit_++++++++
    DIR_AUDIT | Directory for security audit files | /usr/sap/GSP/DVEBMGS00/log | /usr/sap/GSP/D00/log
    rsau/enable | Enable Security Audit | | 0
    rsau/max_diskspace/local | Maximum space for security audit file | 300M | 20M
    rsau/max_diskspace/per_day | Maximum size of all security audit files per day | | 0
    rsau/max_diskspace/per_file | Maximum size of one single security audit file | | 0
    rsau/selection_slots | Number of selection slots for security audit | | 2
    rsau/user_selection | Defines the user selection method used inside kernel functions | | 0
    I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB. If this is the growth rate, the 300MB allocated for audit will be completely used in just a day.
    My requirement is - I want to track users and their activities for the last 30 days (or 45 days). No log should be overwritten unless it is at least 30 days old.
    In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
    Other doubts: Do I have to start auditing manually every day? Or will it keep writing logs until it reaches 300 MB, which can spread up to multiple days?
    Regards
    Abdul
    Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM

  • Performance issue of Security Audit log

    Hello,
    My client would like to activate the Security Audit log on his system. However he would like to know whether there could be any performance issue when activating it. Since I do not have any prior experience, can you please give me your general feedback on this subject. Have any of you experienced performance issues when implementing security audit log and what can be done to minimize its effect?

    Hai,
    Activating Security Audit logs will not affect the performance of your SAP system. Since SAP Systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server. This is the only thing you really need to take care of, since they might fill up the disk space if you don't archive or delete them on a regular basis. Also since the data is very sensitive you should take extra care to protect the data.
    Please follow the below links for more details.....
    http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e36d6611d1a5700000e835363f/frameset.htm
    http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log/
    Regards,
    Yoganand.V
