Sm19 audit log

Similar Messages

• Security Audit Log SM19 and Log Management external tool

  Hi all,
  we are connecting a SAP ECC system with a third part product for log management.
  Our SAP system is composed by many application servers.
  We have connected the external tool with the SAP central system.
  The external product gathers data from SAP Security Audit Log (SM19/SM20).
  The problem is that we see, in the external tool,  only the data available in the central system.
  The mandatory parameters have been activated and the system has been restarted.
  The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
  In our scenario, we do not use SM20 since we want read the collected data in the external tool.
  Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
  Thanks in advance.
  Andrea Cavalleri

  I am always amazed at these questions...
  For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
  However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
  Cheers,
  Julius

• SM19 - Security Audit Log

  Hello,
  I have activated Security Audit Log through SM19.
  When I check the Parameters, I can see
  rsau/max_diskspace/local                           = 20M
  (Maximum space for security audit file)
  1. My question is if the collective size of security Audit files exceeds 20M, which file will SAP delete? or rather what is the exact course of action that SAP would take?
  2. In my system, Parameter rsau/enable = 0 (Enable Security Audit)
  But still the audit logs are getting generated.
  So does '0' signify Enabled?
  Thanks.

  I think your answer can be found in [this thread|Re: Security Audit Log FULL. What happens??;
  Kind regards,
  Lodewijk

• Audit log SM19

  Hi,
  We have created a filter on SM19 with these events:
  What does it means that all events related with the for e.g  with the Application server started are recorded on the audit log but for e.g events related with the Non-exclusive debugging session started not ?
  Thanks a lot and best regards, Carolina

  Hi Carolina,
  What does it means that all events related with the for e.g  with the Application server started are recorded on the audit log but for e.g events related with the Non-exclusive debugging session started not ?
  Whichever checkbox has been selected, you may have audit log recorded for the same,
  You can record the following information in the Security Audit Log:
  - Successful and unsuccessful dialog logon attempts
  - Successful and unsuccessful RFC logon attempts
  - RFC calls to function modules
  - Changes to user master records
  - Successful and unsuccessful transaction starts
  - Changes to the audit configuration
  Hope this helps.
  Regards,
  Deepak Kori

• SM19/SM20 Security Audit Log

  I would like to ask if we need to restart the server once we activated the Static Profile in SM19? I have 3 application servers and only 1 application server's audit log is running. When I try to activate the security audit log for the other two servers, I don't see the audit log updating after I clicked the Activate button. Profile parameter rsau/enable is already set to 1. space for audit files is sufficient. Is there anywhere else I can check why the audit log is not running?
  Thanks!

  If you set the dynamic filters, then you do not need to restart the server.
  If you set static filters, then you do need to restart the server for them to take effect.
  This may have changed, but in some releases if you display the dynamic filters and then return to the static filter tab, what you will be looking at on the screen will still be the dynamic filter settings. This can be confusing.

• "logon time" between USR41 and security audit log

  Dear colleagues,
  I got a following question from customer for security audit reason.
  > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
  > logon history of Security Audit Log(Tr-cd:SM20)?
  Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
  And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
  at the time when user logged on, the security audit log is recorded .
  I tried to check SAP GUI logon program:SAPMSYST several ways, however,
  I could not check it because the program is protected even for read access.
  I want to know about specification of "logon time" between USR41 and security audit log,
  or about how to look into the program:SAPMSYST and debug it.
  Thank you.
  Best Regards.

  Hi,
  If you configure Security Audit you can achieve your goals...
  1-Audit the employees how access the screens, tables, data...etc
  Answer : Option 1 & 3
  2-Audit all changes by all users to the data
  Answer : Option 1 & 3
  3-Keep the data up to one month
  Answer: No such settings, but you can define maximum log size.
  4-Log retention period can be defined.
  Answer: No !.. but you can define maximum log size.
  SM19/SM20 Options:
  1-Dialog logon
  You can check how many users logged in and at what time
  2-RFC login/call
  Same as above you can check RFC logins
  3-Transaction/report start
  You can see which report or transaction are executed and at what time
  (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
  4-User master change
  (You can see user master changes log with this option)
  5-System/Other events
  (System error can be logged using this option)
  Hope, it clear the things...
  Regards.
  Rajesh Narkhede

• CCMS and Security Audit log

  I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
  Do you know why is it so if it is not configured at your place.
  Thanks
  Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

  Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
  My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
  Please go through the document: [Security Audit Log|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true] (it's a bit Old)
  Try searching Community with SM20 / SM19 / Security Audit Log search strings.
  Regards,
  Dipanjan

• Security Audit Log - Different Files

  Hello gurus,
  I configured the security audit log of the AS java in our portal system.
  But i want a dynamic configuration like SM20 - SM19 in R/3 systems. I want to have audit<the date>.log file format. For
  example audit041608.log for 04.16.2008
               audit041708.log for 04.17.2008
  Is this possible?
  <removed_by_moderator>
  Best regards
  Tolga
  Edited by: Julius Bussche on Apr 16, 2008 2:43 PM

  Thanks for your answer.
  I think I am misunderstood or I am misunderstanding
  Let me explain a little bit more;
  I am trying to configure secaudit in our portal system and configure it in  such a way that the logs will
  be stored in secaudit log files day by day.
  I configured secaudit as a seperate file but after the size limit,
  it clears the logfile and starts to write on the same logfile.
  We could do this by adding a profile parameter;
  "FN_AUDIT = <SID>_<Instance_No>_audit_++++++++.AUD" in R/3 system.
  But how can i do this in a portal system if it is possible?
  Best regards
  Tolga
  Edited by: Tolga Akinci on Apr 17, 2008 4:24 PM

• ENABLING OF AUDIT LOGS

  I enabled audit logging on our SAP Development using transaction sm19 and noticed that the log files residing on the OS file system: /usr/sap/DEV/DVEBMGS00/log growing rather fast.
  This is for Development only, If I enable it on Production the growth would probably be faster.
  Aside from the fact that the logs eat up a lot of space, will audit logging result to any performance degradation? Does audit logging create additional dialog processes?
  Our present setup is rather standard and we cannot provide additional resources as of now.
  My machine has 4096 MB memory and speed of 2 Processor Power PC_Power4 1 GB

  To enable audit log, you should consider 2 SAP parameter :
  1. rsau/enable
  and
  2. rsau/max_diskspace/local (default value 1 MB)
  For local diskspace you can limit it. I think SAP audit log would have impact on your server performance because every transaction has additional process and consume CPU and memory resource.
  Please award point if it helpful.
  ardhian

• Monitoring Users (Trace or security-Audit-Log)

  Hi,
  we have 2 extrernal Users in our system and want to know, what they are "doing" in
  our Sytem (Tcode, Reports etc.).
  Is the best way to use security-Audit-Log (SM19/SM20) or to us etraces (ST01/ST05/ST11).
  Thanks for Help.
  regards, Dieter

  Hi Thomas,
  thanks for your answer. I try as you has mentioned.
  Regards, Dieter

• Need details of people logged on when the Security audit log was deactive

  Respected Guru's,
  Security audit log was deactivated, i have activated it recently in sm19.
  Now, i should get the details of people logged on when the audit log was deactive.
  What are the posibilities of Security audit being deactivated.
  Regards,
  Daya.

  Dear Alex,
  Please let me know how to check in ST03N.
  Further, how to retrive user logon data which is not recorded in the audit files.
  Edited by: Dayananadan Anandan on Nov 12, 2009 10:03 AM

• Blank Security Audit Log in SM20

  Dear Experts,
  The rec/client parameter is set 'OFF'. So no security audit log is generated in SAP. but still if as Security audit log is required is there any way to get the log from SAP from any of the standard report, program or table.
  << Moderator message - Everyone's problem is important. But the answers in the forum are provided by volunteers. Please do not ask for help quickly. >>
  thanks in advance,
  Rahul
  Edited by: Rob Burbank on Jan 14, 2011 4:44 PM

  Table logging and Security audit log are two different things. if rec/client parameter is disable then table logging will not possible. but if you need audit log then you have to enable it through SM19.
  Regards,
  Subhash

• Regd. Security Audit log

  Hi,
  We have a requirement from business to activate Security audit log for all Business users. We have around 160 Business users but in SM19 I am able to set filters for only 10 users maximum.
  Also I tried creating 16 profiles and maintained 10 users each but still I was able to activate only one profile at a time.
  If I put * in the user tab then system starts logging for all users including our ESS users. But we don't want to log for ESS users as there are 1000+ ESS users which will affect the growth of the security log as well the performance.
  Please suggest is there any way to enable security log only for around 160 users using SM19.
  Regards,
  Nalla.

  > Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we cant use wild card option like RFC* or ESS*.
  I thought it worth mentioning, to consider for next time...
  > Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.
  Possibly it is logging the RFC call and not the RFC authentication. Try the other way around and filter out the successfull logins in SM20N.
  > Is there any way we can restrict using user group or licensing type?
  No, not to my knowledge.
  > Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriciton on user group wise.
  You can make the screen program glow in the dark in a Z-tcode, but the location where the log is written is not accessible to you and that is where the music is.
  The best option is to set a carefully chosen and tested filter in SM19 which covers your requirement without stopping the log, and then use SM20N to filter a subset of that.
  You can also define the selection methods and reaction methods in transaction RZ21 and then activate them in a monitoring template in RZ20. This way you are faster and will only see what you want.
  You can also do the same in Solution Manager for the managed systems and have a central monitoring and reaction from there. Then you are on the right track in my opinion.
  Cheers,
  Julius

• Capture Audit log

  Can any one tell me how to capture Audit log in sap without enabling it i,e. not through sm20

  My concern was without enabling audit log through sm19, and display by SM21. How can i find user activity in SAP? i.e, at what time user login/logout from sap and entered which t-code/report of sap and executed which table of sap?
  more over i would like to know all these details like...track user activity from SAP i.e., date, time, terminal name, ip address and transaction code, program name and database table along with these details:
  a.     PC identity, which is fixed and unique for each users' pc.
  b.     VPN login - external and internal ip address of connecting pc.
  c.     Report on users connecting to multiple SAP idu2019s from the same pc.
  d.     For watched users, need to watch every single record that they access.
  e.     Capturing users accessed to which database table of SAP.
  Edited by: Ravipawar1 on Feb 9, 2011 4:28 PM

• Sap audit logs

  hello SAPers,
  i am using r3 4.7. i need to setup audit logs. can any one provide step by step instructions to do that? i would really appreciate.

  Hi Novice,
  SAP R/3 supports an internal auditing system, called the Security Audit Log. Each SAP application server maintains a daily audit file. You can specify the name and location of the Security Audit Log using the rsau/local/file profile parameter.
  To activate the internal audit system, set the audit log parameters as described in the following table :
  Audit Log parameter settings Audit Log Parameter Set value to...
  rsau/enable 1
  rsau/local/file path to audit log file
  rsau/max_diskspace/local maximum space to allocate for the audit files
  rsau/selection_slots  3
  rec/client  ALL
  Note:
  The rsau/local/file parameter contains the entire path name to the audit logs, as well as the file name. The file name must include + symbols to contain a variable datepart. Do not include a file extension in the file name. See the following examples for clarification.
  This example shows a valid path and filename:
  /usr/sap/machine1/log/audit_++++++++
  This example shows an invalid path and filename; the filename does not include a datepart:
  /usr/sap/machine1/log/audit
  This example shows an invalid path and filename; the filename includes a file extension:
  /usr/sap/machine1/log/audit_++++++++.aud
  After you set the audit log profile parameters, start transaction SM19 to specify which events to log in the Audit Security Log.
  if it helpful reward points are appreciated