Security Audit Enable.
Dear all,
we had enabled the security sometime back and it was working fine. after a month, the security log (sm20) says : "The result set for this selection was empty".
I thought that the audit logs had exceeded the storage size, thus i deleted 30 days log using sm18. On returning back to sm20, i am still encountering the same error.
I would like to know that will i need to restart my application server in order to make it active again(btw its already active, in sm19).
I need my sm20 active again!
Kindly help me clear my confusion please.
Thanks in advance.
Thanks for the prompt replies.
Dear Happy,
I understand that I don't need to restart the server but then how can i make my security audit work ? Can U guide me to the solution please? Cuz if i change my profile parameter (as said by Rakesh) then It will be necessary for me to restart the application server.
Thanks.
Similar Messages
-
SAP Security audit log and Profile Parameter rsau/enable
Does the Profile Parameter rsau/enable have to ="1" for the audit log to be active or is this parameter set to purely allow the maintainance of static profiles. I have been reading into SAP's documentation and they only refer to this parameter in the "Maintaining Static Profiles" section. Therefore I would like to know if the audit log can record when the parameter rsau/enable = "0"?
Many thanksHi
I have it running on my NW2004s sneak peak system, whit a dynamic filter and the rsau/enable = 0. So Yes - it's possible to record in the secure audit log with rsau/enable = "0", if your using the dynamic filters
Regards
Morten Nielsen -
Hi All,
If we will enable Security Audit Log, does it affect the performance of the SAP System.
Please clarify my doubt.
ThanksHello Anil, Security audit log is creates archive log file on daily basis. No performance issues will come if you take care of some parameters
The system does not delete or overwrite audit files from previous days, it keeps them until manually deleted. Due to the amount of information that may accumulate, we should archive these files on a regular basis and delete the originals from the application server.
You define the name and location of the files in the profile parameter haanrsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information.
We can define the maximum size of the audit file in the profile parameter rsau/maxdiskspace/local_. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.
Hope it helps.
Regards, Amber S | ITL -
Security audit log for the last 30 days?
Hi,
My current settings for the security audit log is 20 MB (by default). I dont want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
What are the parameters that I would need to maintain?
Or any additinal config is required?
Thanks,
AbdulHi,
My current configuration is like this:
Name Description Current value System default value
FN_AUDIT Name of security audit file audit_++++++++
DIR_AUDIT Directory for security audit files /usr/sap/GSP/DVEBMGS00/log /usr/sap/GSP/D00/log
rsau/enable Enable Security Audit 0
rsau/max_diskspace/local Maximum space for security audit file 300M 20M
rsau/max_diskspace/per_day Maximum size of all security audit files per day 0
rsau/max_diskspace/per_file Maximum size of one single security audit file 0
rsau/selection_slots Number of selection slots for security audit 2
rsau/user_selection Defines the user selection method used inside kernel functions 0
I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB. If this is the growth rate, the 300MB allocated for audit will completely used in just a day.
My requirement is - I want to track users and their activities for the last 30 days (or 45 days). No log should be overwritten unless it is atleast 30 days old.
In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
Other doubts: Do I have to start auditing manually every day? Or will it keep writing logs until it reaches 300 MB which can spread upto multiple days.
Regards
Abdul
Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM -
I can't activate/deactivate Security Audit via SM19.
Hi everyone,
I can't activate/deactivate Security Audit via SM19.
I tried to activate the security audit but the program has aborted. The Current File Size is 977kb vs Maximum File Size of 976kb. I run SM18 to initialize the log but the activation has aborted once again. The File Size remains at 977kb.
Thanks,
KikoHi,
Please check the following profile parameters...
DIR_AUDIT
Directory for security audit files
FN_AUDIT
Name of security audit file
rsau/enable
Enable Security Audit
rsau/max_diskspace/local
Maximum space for security audit file
rsau/max_diskspace/per_day
Maximum size of all security audit files
rsau/max_diskspace/per_file
Maximum size of one single security audi
rsau/selection_slots
Number of selection slots for security a
rsau/user_selection
Defines the user selection method used
Regards
Ben -
SAS 70 Security Audit Compliance
Hi
I have to propose a network which is in compliance with SAS 70 Audit.
The network is very simple. Internet Link will terminate on my ASA 5505 and from there the wires will go into my 1200 APs.The network consists only of Laptops.I will be using 802.1X authentication and would use encryption.
Also in ASA a IPSec VPN connection to my US office will terminate. Now this network as said would undergo security audit.
So my problem is that I am clueless. Is ACS server required for SAS 70?or will the current setup is OK. IF anyone has done this then please help.
Thanks in advance
Regards
JD
PS : This topic has also been posted in wireless forum.Hi,
Since you are planning to create users using script, it will be a better practice to audit the actions, such as When the User Created, Group Membership changes etc.
Checkout the below steps to enable auditing for AD User Changes,
1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
2. Right click the Default Domain Controllers Policy, and then click Edit.
3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/
Local Policies/ Audit Policy”.
4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
For Windows Server 2008 R2 and later versions, additional configuration is required in “Advanced Audit
Policy Configuration” section in Default Domain Controller Policy.
1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced
Audit Policy Configuration/Audit Policies/DS Access.)
Enable Success auditing for the following settings
- Audit Directory Service Changes
2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced
Audit Policy Configuration/Audit Policies/Account Management.)
Enable Success auditing for the following settings
- Audit User Account Management
After completing the audit settings, configure SACL in Active Directory Users and Computers console for
enabling the geneartion of AD Change events in the eventlog as shown below,
Checkout the below KB article on complete list on Event
ID and Description for AD Changes,
http://support.microsoft.com/kb/947226/en-us
You can also use
third party auditing solution for generating compliance reports.
Regards,
Gopi
JiJi Technologies -
We have a user with site that has had problems with permissions on it 4 times. On this site are 13 lists, each one with very specific permissions granted to external users. 4 times those permissions have gone away and been replaced by the parent's site permissions.
The first time the user admitted that she didn't understand what Inherited meant in this case, and that she had caused the problem. So we did some training with her and then she recreated all the permissions on her 13 lists, (and there are a lot of them.
So the next time it happened we assumed it was her again clicking the wrong button. She swore up and down that in this case she hadn't done it, and we didn't believe her. So she had to once again recreate all of these permissions. We also
walked her through again to not click the inherit button.
The third time it happened I was beginning to doubt that she did it. She is not a completely computer illiterate person, and as much work as it is for her to recreate this it's a lesson you don't soon forget. So we enabled security logging on
that site collection figuring at least the next time it would show who did what.
So on Tuesday it happened again. She claims that at 6am all the permissions were fine on all of these lists, but at 1pm she got calls from the external users saying they couldn't get in. She checked then and could see that all permissions were gone.
So I pulled the security logs, and looked through the ULS logs as well. I can see the following lines in the security logs:
Helen <i:0#.w|tor\tzihf>
legal/cases
2015-03-03T16:00:03
Security Role Bind Update
SharePoint
<roleid>-1</roleid><principalid>3396</principalid><scope>6804231A-4427-4980-9DC9-0DBC527BB590</scope><operation>ensure removed</operation>
Steve <i:0#.w|tor\mesx>
legal/cases/Licka Francis
2015-03-03T18:21:37
Security Role Bind Update
SharePoint
<roleid>1073741827</roleid><principalid>3418</principalid><scope>562EB4A3-3447-4012-86D3-18DFF7DF4D4D</scope><operation>ensure added</operation>
Steve <i:0#.w|tor\mesx>
legal/cases/Licka Francis
2015-03-03T18:21:37
Security Role Bind Update
SharePoint
<roleid>1073741827</roleid><principalid>3419</principalid><scope>562EB4A3-3447-4012-86D3-18DFF7DF4D4D</scope><operation>ensure added</operation>
Helen <i:0#.w|tor\tzihf>
legal/cases/Lazenby
2015-03-04T18:57:54
Security Role Bind Update
SharePoint
<roleid>1073741827</roleid><principalid>3338</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure added</operation>
Helen <i:0#.w|tor\tzihf>
legal/cases/Lazenby
2015-03-04T18:57:54
Security Role Bind Update
SharePoint
<roleid>1073741827</roleid><principalid>3335</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure added</operation>
Helen<i:0#.w|tor\tzihf>
legal/cases/Lazenby
2015-03-04T18:57:55
Security Role Bind Update
SharePoint
<roleid>1073741827</roleid><principalid>3341</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure added</operation>
Helen<i:0#.w|tor\tzihf>
legal/cases/Lazenby
2015-03-04T18:57:55
Security Role Bind Update
SharePoint
<roleid>1073741827</roleid><principalid>3336</principalid><scope>5C6C4E2C-7570-4D76-944C-F840666300EB</scope><operation>ensure added</operation>
These aren't all, but a good snippet. The crazy thing is it only lists 3 of the 13 lists. If someone had clicked on "inherit" for each separate list, wouldn't that be listed in the security logs 13 times? Why would it only record
3 of the 13? And these are all changes that were made on Monday night, not on Tuesday morning when she says they were all set up correctly.
By the way I can see her accessing a couple of the lists in the ULS logs at 6am, but not for all of them. Not enough to have wiped permissions on all of them.
I can't believe this user clicked on the permissions for 13 different lists and clicked on inherit, knowing that she was going to have to reset them all up again from scratch. I think something else is happening with these lists but I am completely
stumped as to what else it could be. Any suggestions would be greatly appreciated.
Thanks
TedThere have been reports of permissions automatically being reset in the past. What I would strongly suggest is for you to turn on Site Collection Auditing, enable the Permissions and, if you need to monitor changes to SharePoint Groups, the "Edit Items"
flag.
This way when it happens again, you can tell exactly who did it.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Blank Security Audit Log in SM20
Dear Experts,
The rec/client parameter is set 'OFF'. So no security audit log is generated in SAP. but still if as Security audit log is required is there any way to get the log from SAP from any of the standard report, program or table.
<< Moderator message - Everyone's problem is important. But the answers in the forum are provided by volunteers. Please do not ask for help quickly. >>
thanks in advance,
Rahul
Edited by: Rob Burbank on Jan 14, 2011 4:44 PMTable logging and Security audit log are two different things. if rec/client parameter is disable then table logging will not possible. but if you need audit log then you have to enable it through SM19.
Regards,
Subhash -
Hello,
I have activated Security Audit Log through SM19.
When I check the Parameters, I can see
rsau/max_diskspace/local = 20M
(Maximum space for security audit file)
1. My question is if the collective size of security Audit files exceeds 20M, which file will SAP delete? or rather what is the exact course of action that SAP would take?
2. In my system, Parameter rsau/enable = 0 (Enable Security Audit)
But still the audit logs are getting generated.
So does '0' signify Enabled?
Thanks.I think your answer can be found in [this thread|Re: Security Audit Log FULL. What happens??;
Kind regards,
Lodewijk -
Terminal - Security Audit Log analysis.
I have enabled, security audit log for our landscape. But the terminal column is only of 8 characters in length.
Whereas the names of terminals (Desktops and laptops) in my organisation is 15 character.
Hence it is not possible to identify, from which particular workstation a transanction was executed.
I am using SAP R/3 4.6C.
Can anybody help?
Regards,Thanks Eric,
I too guessed the same...Because I have checked in ECC6...This shows ....the full name of the terminal. -
Hi,
We have a requirement from business to activate Security audit log for all Business users. We have around 160 Business users but in SM19 I am able to set filters for only 10 users maximum.
Also I tried creating 16 profiles and maintained 10 users each but still I was able to activate only one profile at a time.
If I put * in the user tab then system starts logging for all users including our ESS users. But we don't want to log for ESS users as there are 1000+ ESS users which will affect the growth of the security log as well the performance.
Please suggest is there any way to enable security log only for around 160 users using SM19.
Regards,
Nalla.> Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we cant use wild card option like RFC* or ESS*.
I thought it worth mentioning, to consider for next time...
> Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.
Possibly it is logging the RFC call and not the RFC authentication. Try the other way around and filter out the successfull logins in SM20N.
> Is there any way we can restrict using user group or licensing type?
No, not to my knowledge.
> Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriciton on user group wise.
You can make the screen program glow in the dark in a Z-tcode, but the location where the log is written is not accessible to you and that is where the music is.
The best option is to set a carefully chosen and tested filter in SM19 which covers your requirement without stopping the log, and then use SM20N to filter a subset of that.
You can also define the selection methods and reaction methods in transaction RZ21 and then activate them in a monitoring template in RZ20. This way you are faster and will only see what you want.
You can also do the same in Solution Manager for the managed systems and have a central monitoring and reaction from there. Then you are on the right track in my opinion.
Cheers,
Julius -
Security Auditing - NetWeaver 2004s Portal
Hello - I am currently looking at the options for performing security auditing in the NetWeaver 2004s portal.
I've used the NWA to enable security logging, as documented :
<a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/a0/58db515b95b64181ef0552dc1f5c50/frameset.htm">HERE</a>
And, have started to create a custom audit report. However, it does appear that the information that can be reported on is rather cryptic. Not overly useful.
Our requirement is to be able to log ALL actions (specifically changes) that SUPER users can perform (we call these firefight users.)
Has anybody tried to use the auditing capabilities within the portal (netweaver 2004s) to do this? Any input, advice?
Thank you.Hi Ken,
check out http://service.sap.com/pam ==> Only Oracle 10.1 Enterprise Edition 64-bit is officially supported.
Hope it helps
Detlev -
Security Audit filters configuration
Hi,
Can any one help me with Security Audit filters configuration?
I want to know what are the variuos Static and Dynamic Profile paramaters to be set as part of Security Audit Filter Setting.
If possible pls provide me with the Setup Procedure as well.
ThanksHi,
The Static Filters:
Rsau/enable = security Audit Log
Rsau/local/file = names and location of audit files
Rsau/max_diskspace/local = maximum space to allocate for audit files.
Rsau/selection_slots = number of filters to allow for security audit log
The Dynamic Filters:
Rsau/local/file
Rsau/max_diskspace/local
Rasu/selection_slots
The Static Filters:
1.Got to security Audit Log Config screen.(tools-admin-monitor-seecurity-auditlog-config)
2.Enter the name of the profile to maintain in the dip profile field
3.If you are creating new audit profile then choose profile-create else if making changes to existing then choose profile-change
4.Define filters
5.Activate the filters
6.save the data
7.Activate the profile as well
8.Restart the app server.
The Dynamic Filters:
1.Got to security Audit Log Config screen.(tools-admin-monitor-seecurity-auditlog-config)
2.Choose Dynamic config tab
3.Choose configuration change
4.Define filters
5.Activate the filters (Configuration- Activate Audit) (Deactivate filter : Deactivate audit)
6Choose Configuration Distribute Configuration
7.Select the status indicator in list of active instances table
To Define Filter: (rasu/selction_slots)
1.Select the tab for the filter you want to define
2.Enter the client and user names in the fields
3.Select the corresponding audit classes for the events you want to audit(Audit events: Critical, Important and Critical)
SM20 = to view Security Audit Logs
*Pls don't forget to avoid points if usefull.
Thanks -
Hi,
I have enabled the security audit alert.Can you tell me where is the log files stored in filesystem?
Can you give me the patch..
Regards,
HendryHello Hendry
The audit log files are stored on OS level
The Security Audit Log produces an audit analysis report that contains the audited activities. By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System
Follow the link http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e96d6611d1a5700000e835363f/content.htm
you will be able to display the report
Rohit -
I would like to ask if we need to restart the server once we activated the Static Profile in SM19? I have 3 application servers and only 1 application server's audit log is running. When I try to activate the security audit log for the other two servers, I don't see the audit log updating after I clicked the Activate button. Profile parameter rsau/enable is already set to 1. space for audit files is sufficient. Is there anywhere else I can check why the audit log is not running?
Thanks!If you set the dynamic filters, then you do not need to restart the server.
If you set static filters, then you do need to restart the server for them to take effect.
This may have changed, but in some releases if you display the dynamic filters and then return to the static filter tab, what you will be looking at on the screen will still be the dynamic filter settings. This can be confusing.
Maybe you are looking for
-
Reviewing General Ledger Accounts - No line item detail
I have just started with a new company using SAP Business One for the first time. My frustration is when reviewing the general ledger line items that there is no detail coming through that lets me see what the amounts relate to. No Description or Ve
-
I have an ipod touch 32gb. Model: MC008BT Version: 5.1.1. 3rd ed. Recently when clicking play on any song the ipod will shuffle through as many songs as there are in the album or playlist until it reaches the end without playing any songs. It also do
-
Hello, As virt-install is not available in Oracle VM 3.0, I would like to know if there is any another way to create VMs manually in Oracle VM 3.0 (we dont want to get Oracle VM Manager) Thank you!!!
-
Unknown embedded font is preventing saving as PDF
I am aware that some fonts cannot be saved into PDFs because of licensing restrictions, but I am having a hard time finding where Indesign is referencing this font in this case. I'm guessing that it might be in one of the linked files perhaps? I did
-
Hi, I am new to Adobe Forms using LiveCycle Designer and need help in my scenario. I tried searching for a similar issue in the forum but could not find a solution. I have a PARENT subform in which i have inserted a table (table header + table Body R