Security Audit filters configuration
Hi,
Can anyone help me with Security Audit filters configuration?
I want to know what are the various Static and Dynamic Profile parameters to be set as part of Security Audit Filter Setting.
If possible please provide me with the Setup Procedure as well.
Thanks
Hi,
The Static Filters:
rsau/enable = security Audit Log
rsau/local/file = names and location of audit files
rsau/max_diskspace/local = maximum space to allocate for audit files.
rsau/selection_slots = number of filters to allow for security audit log
The Dynamic Filters:
rsau/local/file
rsau/max_diskspace/local
rsau/selection_slots
The Static Filters:
1.Go to security Audit Log Config screen.(tools-admin-monitor-security-auditlog-config)
2.Enter the name of the profile to maintain in the dip profile field
3.If you are creating new audit profile then choose profile-create else if making changes to existing then choose profile-change
4.Define filters
5.Activate the filters
6.save the data
7.Activate the profile as well
8.Restart the app server.
The Dynamic Filters:
1.Go to security Audit Log Config screen.(tools-admin-monitor-security-auditlog-config)
2.Choose Dynamic config tab
3.Choose configuration change
4.Define filters
5.Activate the filters (Configuration- Activate Audit) (Deactivate filter : Deactivate audit)
6.Choose Configuration Distribute Configuration
7.Select the status indicator in list of active instances table
To Define Filter: (rsau/selection_slots)
1.Select the tab for the filter you want to define
2.Enter the client and user names in the fields
3.Select the corresponding audit classes for the events you want to audit(Audit events: Critical, Important and Critical)
SM20 = to view Security Audit Logs
*Pls don't forget to avoid points if useful.
Thanks
"logon time" between USR41 and security audit log
Dear colleagues,
I got a following question from customer for security audit reason.
> 'Logon date' and 'Logon time' values stored in table USR41 are exactly same as
> logon history of Security Audit Log(Tr-cd:SM20)?
Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
at the time when user logged on, the security audit log is recorded .
I tried to check SAP GUI logon program:SAPMSYST several ways, however,
I could not check it because the program is protected even for read access.
I want to know about specification of "logon time" between USR41 and security audit log,
or about how to look into the program:SAPMSYST and debug it.
Thank you.
Best Regards.
Hi,
If you configure Security Audit you can achieve your goals...
1-Audit the employees who access the screens, tables, data...etc
Answer : Option 1 & 3
2-Audit all changes by all users to the data
Answer : Option 1 & 3
3-Keep the data up to one month
Answer: No such settings, but you can define maximum log size.
4-Log retention period can be defined.
Answer: No !.. but you can define maximum log size.
SM19/SM20 Options:
1-Dialog logon
You can check how many users logged in and at what time
2-RFC login/call
Same as above you can check RFC logins
3-Transaction/report start
You can see which report or transaction are executed and at what time
(It will help you to analyse unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
4-User master change
(You can see user master changes log with this option)
5-System/Other events
(System error can be logged using this option)
Hope it clears things up...
Regards.
Rajesh Narkhede -
I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
Do you know why is it so if it is not configured at your place.
Thanks
Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM
Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
Please go through the document: [Security Audit Log|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true] (it's a bit old)
Try searching Community with SM20 / SM19 / Security Audit Log search strings.
Regards,
Dipanjan -
Hello,
on the ABAP Stack it is possible to activate the security audit log, to log activities on certain objects/functions. Is there also a possibility to do this for the JAVA-Stack?
We have for legal reasons to log what users are doing on the productive XI system. E.g. we wanna log if someone is changing the value mapping or configuring the adapter.
Regards, Werner
Hi,
check out these links
Audit Log
http://help.sap.com/saphelp_me21sp2/helpdata/en/23/c9833b3bb1780fe10000000a11402f/content.htm
regards
jithesh -
Security audit log for the last 30 days?
Hi,
My current settings for the security audit log is 20 MB (by default). I don't want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
What are the parameters that I would need to maintain?
Or any additional config is required?
Thanks,
Abdul
Hi,
My current configuration is like this:
Name Description Current value System default value
FN_AUDIT Name of security audit file audit_++++++++
DIR_AUDIT Directory for security audit files /usr/sap/GSP/DVEBMGS00/log /usr/sap/GSP/D00/log
rsau/enable Enable Security Audit 0
rsau/max_diskspace/local Maximum space for security audit file 300M 20M
rsau/max_diskspace/per_day Maximum size of all security audit files per day 0
rsau/max_diskspace/per_file Maximum size of one single security audit file 0
rsau/selection_slots Number of selection slots for security audit 2
rsau/user_selection Defines the user selection method used inside kernel functions 0
I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB. If this is the growth rate, the 300MB allocated for audit will completely used in just a day.
My requirement is - I want to track users and their activities for the last 30 days (or 45 days). No log should be overwritten unless it is at least 30 days old.
In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
Other doubts: Do I have to start auditing manually every day? Or will it keep writing logs until it reaches 300 MB which can spread up to multiple days.
Regards
Abdul
Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM -
Security Audit Log - Different Files
Hello gurus,
I configured the security audit log of the AS java in our portal system.
But I want a dynamic configuration like SM20 - SM19 in R/3 systems. I want to have audit<the date>.log file format. For
example audit041608.log for 04.16.2008
audit041708.log for 04.17.2008
Is this possible?
<removed_by_moderator>
Best regards
Tolga
Edited by: Julius Bussche on Apr 16, 2008 2:43 PM
Thanks for your answer.
I think I am misunderstood or I am misunderstanding
Let me explain a little bit more;
I am trying to configure secaudit in our portal system and configure it in such a way that the logs will
be stored in secaudit log files day by day.
I configured secaudit as a separate file but after the size limit,
it clears the logfile and starts to write on the same logfile.
We could do this by adding a profile parameter;
"FN_AUDIT = <SID>_<Instance_No>_audit_++++++++.AUD" in R/3 system.
But how can I do this in a portal system if it is possible?
Best regards
Tolga
Edited by: Tolga Akinci on Apr 17, 2008 4:24 PM -
SAS 70 Security Audit Compliance
Hi
I have to propose a network which is in compliance with SAS 70 Audit.
The network is very simple. Internet Link will terminate on my ASA 5505 and from there the wires will go into my 1200 APs. The network consists only of Laptops. I will be using 802.1X authentication and would use encryption.
Also in ASA an IPSec VPN connection to my US office will terminate. Now this network as said would undergo security audit.
So my problem is that I am clueless. Is ACS server required for SAS 70? Or is the current setup OK? If anyone has done this then please help.
Thanks in advance
Regards
JD
PS : This topic has also been posted in wireless forum.
Hi,
Since you are planning to create users using script, it will be a better practice to audit the actions, such as When the User Created, Group Membership changes etc.
Checkout the below steps to enable auditing for AD User Changes,
1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
2. Right click the Default Domain Controllers Policy, and then click Edit.
3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
For Windows Server 2008 R2 and later versions, additional configuration is required in “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.)
Enable Success auditing for the following settings
- Audit Directory Service Changes
2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.)
Enable Success auditing for the following settings
- Audit User Account Management
After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the generation of AD Change events in the eventlog as shown below,
Checkout the below KB article on complete list on Event ID and Description for AD Changes,
http://support.microsoft.com/kb/947226/en-us
You can also use third party auditing solution for generating compliance reports.
Regards,
Gopi
JiJi Technologies -
Hi there,
I have set up security audit logging in my R/3 Enterprise system. I am using SM20 to generate reports to monitor logon events but I cannot seem to be able to only report on interactive logon events rather than background logon events, even though I use the 'Dialog Logon' filter. Does anyone have any ideas?
Hi Tony,
Check and configure properly your system in sm19 for download report and check.
also if you can map your system with solution manager then it will give the precise report.
Regards,
Vivekanand Pandey -
SAP Security audit log and Profile Parameter rsau/enable
Does the Profile Parameter rsau/enable have to ="1" for the audit log to be active or is this parameter set to purely allow the maintenance of static profiles. I have been reading into SAP's documentation and they only refer to this parameter in the "Maintaining Static Profiles" section. Therefore I would like to know if the audit log can record when the parameter rsau/enable = "0"?
Many thanks
Hi
I have it running on my NW2004s sneak peak system, with a dynamic filter and the rsau/enable = 0. So Yes - it's possible to record in the secure audit log with rsau/enable = "0", if you're using the dynamic filters
Regards
Morten Nielsen -
Regd. Security Audit log
Hi,
We have a requirement from business to activate Security audit log for all Business users. We have around 160 Business users but in SM19 I am able to set filters for only 10 users maximum.
Also I tried creating 16 profiles and maintained 10 users each but still I was able to activate only one profile at a time.
If I put * in the user tab then system starts logging for all users including our ESS users. But we don't want to log for ESS users as there are 1000+ ESS users which will affect the growth of the security log as well the performance.
Please suggest is there any way to enable security log only for around 160 users using SM19.
Regards,
Nalla.
> Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we can't use wild card option like RFC* or ESS*.
I thought it worth mentioning, to consider for next time...
> Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.
Possibly it is logging the RFC call and not the RFC authentication. Try the other way around and filter out the successful logins in SM20N.
> Is there any way we can restrict using user group or licensing type?
No, not to my knowledge.
> Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriction on user group wise.
You can make the screen program glow in the dark in a Z-tcode, but the location where the log is written is not accessible to you and that is where the music is.
The best option is to set a carefully chosen and tested filter in SM19 which covers your requirement without stopping the log, and then use SM20N to filter a subset of that.
You can also define the selection methods and reaction methods in transaction RZ21 and then activate them in a monitoring template in RZ20. This way you are faster and will only see what you want.
You can also do the same in Solution Manager for the managed systems and have a central monitoring and reaction from there. Then you are on the right track in my opinion.
Cheers,
Julius -
Active directory security audit software
Can someone recommend a good security audit tool for Active Directory? We have found several accounts with inappropriate permissions and I am looking for a comprehensive toolkit that allows both a spot audit and a platform for ongoing notifications for business rule matches.
I am running an AD 2003 domain at the 2000 functional level. Single forest and domain.
Thanks.
Hi,
I would look at the ACS feature of Operations Manager 2007 R2:
http://technet.microsoft.com/en-us/library/bb381258.aspx
This works in conjunction with the audit policies configured for the domain and the domain controllers to centralize security related events.
See also,
Auditing Security Events
http://technet.microsoft.com/en-us/library/cc776394%28WS.10%29.aspx
Auditing Policy
http://technet.microsoft.com/en-us/library/cc779526%28WS.10%29.aspx
-- Mike Burr -
SM19/SM20 Security Audit Log
I would like to ask if we need to restart the server once we activated the Static Profile in SM19? I have 3 application servers and only 1 application server's audit log is running. When I try to activate the security audit log for the other two servers, I don't see the audit log updating after I clicked the Activate button. Profile parameter rsau/enable is already set to 1. Space for audit files is sufficient. Is there anywhere else I can check why the audit log is not running?
Thanks!
If you set the dynamic filters, then you do not need to restart the server.
If you set static filters, then you do need to restart the server for them to take effect.
This may have changed, but in some releases if you display the dynamic filters and then return to the static filter tab, what you will be looking at on the screen will still be the dynamic filter settings. This can be confusing. -
Hi,
I was asked to prepare a database security audit in my company. The target system is 10G RAC configuration with two nodes. What should my checklist contain? Which elements of the system must I verify?
On Oracle's web pages I've found the following document:
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
Is it enough? Can you advise me? Any help will be appreciated.
Regards,
Tim
Hi,
What is the purpose of this audit? Do you have any criteria? Or are you allowed to make up your own list?
My experience is databases hosting third party apps are usually completely unprotected because
- the application owner has the connect, resource and dba roles (or even more)
- the account has the password set to the user name.
Also if an application is not using bind variables, the system is sensitive to 'SQL injection'.
The document you posted outlines some basic measures, but it doesn't go into sufficient detail. It doesn't mention the password_verify function you can set up. It doesn't mention system privileges at all. It doesn't mention you should disallow telnet access, and disallow root to login remotely (ie one should su to root).
Etc, etc.
There is a whitepaper on OTN called 'Project Lockdown' written by Arup Nanda. It implements 3 or 4 times more measures.
Sybrand Bakker
Senior Oracle DBA -
How to schedule a batch job to generate security audit log (SM20)
Maybe this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
Regards
Nirmal
> May be this is a repeat question for this forum. Apologize, if it is.
You don't need to apologize. You only need to do a very simple search...
> Total Questions: 18 (16 unresolved)
Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
Please do the needful.
Cheers,
Julius -
Multiple security audit failures a second
A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It is happening way too fast to be a human trying to login.
Keywords Date and Time Source Event ID Task Category
Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
Subject
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Process:
Process ID: 0x10d4
Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
Event Source:
Source Name: ServiceModel 4.0.0.0
Event Source ID: 0x262070f0"
Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
Subject :
Security ID: SYSTEM
Account Name: SBS$
Account Domain: < ommited from forum post >
Logon ID: 0x3e7
Process:
Process ID: 0x10d4
Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
Event Source:
Source Name: ServiceModel 4.0.0.0
Event Source ID: 0x262070f0"
Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SBS$
Account Domain: <ommited from forum post>
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x24c
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: SBS
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Jerry T
Hi Jerry,
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually related to share folders, printers, IIS and so on.
Would you please let me confirm whether you had installed some third-party applications?
Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if it can help you.
Audit Failure - Event 4625
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu
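
Added example (not from any poster in this thread): a Python triage of an event list exported as text in the layout pasted in the question, grouping 4625 failures by requester and reporting their rate, so that a flood raised by a service on the server itself stands apart from remote logon attempts. The sample events are constructed, `192.0.2.10` is a documentation address, and the `local_origin` rule (LocalSystem logon session 0x3e7 with no source address) is an assumed heuristic.

```python
import re
from datetime import datetime

# Sub Status values as documented by Microsoft for event 4625.
SUB_STATUS = {"0xc0000064": "user name does not exist",
              "0xc000006a": "wrong password"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
HEADER = re.compile(r"^Audit (?:Success|Failure)\s+"
                    r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+\S+\s+(\d+)\s")

# Constructed sample in the layout of the pasted event list (values invented).
TEMPLATE = r'''Audit Failure 6/18/2014 {ts} PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
Subject:
Account Name: {acct}
Logon ID: {lid}
Logon Type: 3
Account For Which Logon Failed:
Account Name:
Failure Information:
Sub Status: {sub}
Process Information:
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Source Network Address: {addr}
Detailed Authentication Information:
Logon Process: {proc}"
'''
LOCAL = dict(acct="SBS$", lid="0x3e7", sub="0xc0000064", addr="-", proc="Schannel")
SAMPLE = "".join(TEMPLATE.format(ts=t, **LOCAL)
                 for t in ["1:50:32"] * 3 + ["1:50:33"] * 3)
SAMPLE += TEMPLATE.format(ts="1:51:10", acct="-", lid="0x0", sub="0xc000006a",
                          addr="192.0.2.10", proc="NtLmSsp")

def parse_events(text):
    """Split the export into events; fields are keyed 'Section/Name'."""
    events, cur, section = [], None, ""
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
                   "id": int(m.group(2))}
            events.append(cur)
            section = ""
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip().strip('"')
            if key in SECTIONS and not value:
                section = key          # e.g. "Subject:" opens a new section
            else:
                cur[f"{section}/{key}"] = value
    return events

def summarize_failures(events):
    """Group 4625 events by requester and report count, rate and origin."""
    groups = {}
    for e in (e for e in events if e["id"] == 4625):
        key = (e.get("Subject/Account Name", ""),
               e.get("Detailed Authentication Information/Logon Process", ""),
               e.get("Failure Information/Sub Status", "").lower())
        groups.setdefault(key, []).append(e)
    report = []
    for (subject, logon_proc, sub), evs in groups.items():
        times = [e["time"] for e in evs]
        span = (max(times) - min(times)).total_seconds()
        report.append({
            "subject": subject, "logon_process": logon_proc,
            "sub_status": SUB_STATUS.get(sub, sub), "count": len(evs),
            "per_second": len(evs) / max(span, 1.0),
            # Assumed heuristic: LocalSystem session (0x3e7) and no source
            # address means a service on this server made the request.
            "local_origin": evs[0].get("Subject/Logon ID") == "0x3e7"
            and evs[0].get("Network Information/Source Network Address") == "-",
        })
    return sorted(report, key=lambda r: -r["count"])
```

Section-aware keys matter here because `Account Name` appears both under `Subject` and under `Account For Which Logon Failed`, and only the latter is empty in the events from the question.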