Terminal name in extract of SAP Audit Log

Has anyone been successful in including the terminal name when extracting the SAP Audit Log to an external tool?  We've used sample program RSAU_READ_AUDITLOG_EXTERNAL; which works well be does not include the terminal name. 
Any insight would be appreciated.
Regards,
Eric

Hi Eric,
RSAU_SELECT_EVENTS should get you the required information. Another alternative is to have a custom program developed by using/activate the user exit in FM EXIT_SAPLSUSF_001 - module TH_USER_INFO and TERMINAL_ID_GET. This way the information can be populated in a custom table and can be used for reporting purpose.
If you are only looking at the active users, you can use USR41 table, which gives you this information.
Hope this helps!!
W.Rgds,
Raghu

Similar Messages

  • Sap audit logs

    hello SAPers,
    i am using r3 4.7. i need to setup audit logs. can any one provide step by step instructions to do that? i would really appreciate.

    Hi Novice,
    SAP R/3 supports an internal auditing system, called the Security Audit Log. Each SAP application server maintains a daily audit file. You can specify the name and location of the Security Audit Log using the rsau/local/file profile parameter.
    To activate the internal audit system, set the audit log parameters as described in the following table :
    Audit Log parameter settings Audit Log Parameter Set value to...
    rsau/enable 1
    rsau/local/file path to audit log file
    rsau/max_diskspace/local maximum space to allocate for the audit files
    rsau/selection_slots  3
    rec/client  ALL
    Note:
    The rsau/local/file parameter contains the entire path name to the audit logs, as well as the file name. The file name must include + symbols to contain a variable datepart. Do not include a file extension in the file name. See the following examples for clarification.
    This example shows a valid path and filename:
    /usr/sap/machine1/log/audit_++++++++
    This example shows an invalid path and filename; the filename does not include a datepart:
    /usr/sap/machine1/log/audit
    This example shows an invalid path and filename; the filename includes a file extension:
    /usr/sap/machine1/log/audit_++++++++.aud
    After you set the audit log profile parameters, start transaction SM19 to specify which events to log in the Audit Security Log.
    if it helpful reward points are appreciated

  • Using crystal report to extract data from Audit Log

    I have a customised form which contains main fields (i.e 20 fields) and when a field is changed, it's being recorded in the audit log.
    Would it be possible to use Crystal Report to extract data from the Audit Log? Ideally, i would like the report to show me all the latest field values in a spreadsheet type format (i.e. one field per column)
    Has anyone try this and if so, what is involved?

    An element with both text & a sub-element is a mixed-content element.
    For example ElementA is a mixed content element.
    <ElementA>
    Text
    <ElementB></ElementB>
    </ElementA>
    Extract just the Text from ElementA.
    <xsl:template match="ElementA">
    <xsl:apply-templates select="text()" />
    </xsl:template>

  • The format of Audit log file

    We have a perl script to extract data from Audit log files(Oracle Database 10g Release 10.2.0.1.0) which have format as bellow.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
    Oracle Database 10g Release 10.2.0.1.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 22
    Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
    Sun Jul 27 03:06:34 2008
    ACTION : 'CONNECT'
    DATABASE USER: 'sys'
    PRIVILEGE : SYSDBA
    CLIENT USER: oracle
    CLIENT TERMINAL:
    STATUS: 0
    After we update the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of Audit log file had been changed to something likes below.
    Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
    Oracle Database 10g Release 10.2.0.4.0 - Production
    ORACLE_HOME = /u01/app/oracle/product/10.2.0
    System name:     Linux
    Node name:     TOYDBSV01
    Release:     2.6.9-34.ELsmp
    Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
    Machine:     i686
    Instance name: NIKKOU
    Redo thread mounted by this instance: 1
    Oracle process number: 21
    Unix process pid: 1897, image: oracle@TOYDBSV01
    Tue Oct 14 10:30:29 2008
    LENGTH : '135'
    ACTION :[7] 'CONNECT'
    DATABASE USER:[3] 'SYS'
    PRIVILEGE :[6] 'SYSDBA'
    CLIENT USER:[0] ''
    CLIENT TERMINAL:[7] 'unknown'
    STATUS:[1] '0'
    Because we have to rewrite the perl script, could anyone tell us where we can find the manual to describe the format of the Audit log file.

    Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
    http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
    The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
    I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
    As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
    Hope that helps. Tammy

  • ENABLING OF AUDIT LOGS

    I enabled audit logging on our SAP Development using transaction sm19 and noticed that the log files residing on the OS file system: /usr/sap/DEV/DVEBMGS00/log growing rather fast.
    This is for Development only, If I enable it on Production the growth would probably be faster.
    Aside from the fact that the logs eat up a lot of space, will audit logging result to any performance degradation? Does audit logging create additional dialog processes?
    Our present setup is rather standard and we cannot provide additional resources as of now.
    My machine has 4096 MB memory and speed of 2 Processor Power PC_Power4 1 GB

    To enable audit log, you should consider 2 SAP parameter :
    1. rsau/enable
    and
    2. rsau/max_diskspace/local (default value 1 MB)
    For local diskspace you can limit it. I think SAP audit log would have impact on your server performance because every transaction has additional process and consume CPU and memory resource.
    Please award point if it helpful.
    ardhian

  • Terminal - Security Audit Log analysis.

    I have enabled, security audit log for our landscape. But the terminal column is only of 8 characters in length.
    Whereas the names of terminals (Desktops and laptops) in my organisation is 15 character.
    Hence it is not possible to identify, from which particular workstation a transanction was executed.
    I am using SAP R/3 4.6C.
    Can anybody help?
    Regards,

    Thanks Eric,
    I too guessed the same...Because I have checked in ECC6...This shows ....the full name of the terminal.

  • Getting the name of the program or the FM called from security audit log

    Dears,
    Is there a way to get the name of the ABAP program called through transaction SE38, or the FM called through transaction SE37, from the security audit log ?
    What is available is only : RSABAPPROGRAM for transaction SE38, and RSFUNCTIONBUILDER for transaction SE37
    Thanks.
    Reda

    I had always assumed this log to be in the SUBMIT statement, but never used it.
    If I remember correctly this is recorded it the runtime submit, so it should be there.
    Perhaps it is only in selected reports? I will check in my system.
    Please compare with sm20n and run the report from sa38. The submits are different in sa38 etc compared to se38.
    The FM will only be recorded it it has a destination extention in the source system which is mostly remote. Local fm calls are not recorded for sure.
    Cheers,
    Julius
    Edited by: Julius Bussche on Jul 26, 2011 11:32 PM

  • How to get Terminal Name in Signon Audit reports

    Hi,
    I am running the Signon Audit report from System Administrator responsibility, I am getting the other info but terminal name column is blank. How to populate this field? Please give advice.
    Regards,

    There is no way to get the terminal information from Java.
    Please refer to:
    Note: 376470.1 - Trying To Use The 'Signon Audit Reports' To Track User Activity, Terminal Name = "?"
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=376470.1
    Note: 431586.1 - Why Does The User Monitor Screen FNDSCAUS Do Not Display The Terminal Name Any More?
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=431586.1

  • How to extract audit log from R/3 into BW

    Hi, I have a request that how to extract audit log from r/3 into bw?
    Is there any datasource or infocube  I can use?

    HI ,
    Identify your Audit Log table and create generic data source for the same using rso2. 
    Regards
    BVR

  • SAP Security audit log and Profile Parameter rsau/enable

    Does the Profile Parameter rsau/enable have to ="1" for the audit log to be active or is this parameter set to purely allow the maintainance of static profiles. I have been reading into SAP's documentation and they only refer to this parameter in the "Maintaining Static Profiles" section. Therefore I would like to know if the audit log can record when the parameter rsau/enable = "0"?
    Many thanks

    Hi
    I have it running on my NW2004s sneak peak system, whit a dynamic filter and the rsau/enable = 0. So Yes - it's possible to record in the secure audit log with rsau/enable = "0", if your using the dynamic filters
    Regards
    Morten Nielsen

  • How to extract audit log data from every document library in site collection using powershell?

    Hi All,
    I have n number of document library in one site collection,
    My query is- How to extract audit log data from every document library in a site collection using powershell?
    Please give solution as soon as possible?

    Hi inguru,
    For SharePoint audit log data, These data combine together in site collection. So there is no easy way to extract audit log data for document library.
    As a workaround, you can export the site collection audit log data to a CSV file using PowerShell Command, then you can filter the document library audit log data in Excel.
    More information:
    SharePoint 2007 \ 2010 – PowerShell script to get SharePoint audit information:
    http://sharepointhivehints.wordpress.com/2014/04/30/sharepoint-2007-2010-powershell-script-to-get-sharepoint-audit-information/
    Best Regards
    Zhengyu Guo
    TechNet Community Support

  • Can oracle audit logs keep info of Blocking or blacklisting a user ID, terminal or access port, and the reason for the action?

    Hello,
    I am workin on Oracle 11G STIGs and one STIGs states that audit log should include followings;
    - User ID.
    - Successful and unsuccessful attempts to access security files
    - Date and time of the event.
    - Type of event.
    - Success or failure of event.
    - Successful and unsuccessful logons.
    - Denial of access resulting from excessive number of logon attempts.
    - Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
    - Activities that might modify, bypass, or negate safeguards controlled by the system.
    I know how to enable audit trial with OS or DB, EXTENDED levels.  However, I could not find if it is possible that audit logs can contain info of Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.

    2687254 wrote:
    Hello,
    I am workin on Oracle 11G STIGs and one STIGs states that audit log should include followings;
    - User ID.
    - Successful and unsuccessful attempts to access security files
    - Date and time of the event.
    - Type of event.
    - Success or failure of event.
    - Successful and unsuccessful logons.
    - Denial of access resulting from excessive number of logon attempts.
    - Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
    - Activities that might modify, bypass, or negate safeguards controlled by the system.
    I know how to enable audit trial with OS or DB, EXTENDED levels.  However, I could not find if it is possible that audit logs can contain info of Blocking or blacklisting a user ID, terminal or access port, and the reason for the action.
    Think about that.  If the port or terminal (client ip address) is blocked, then the communication never got to the database.  So how would the database be able to audit an action that never got there?

  • Any SAP tool that will perform audit logging views of personal data?

    Hi, 
    I am wondering if there is a SAP tool or a third party tool  that will perform audit logging of end users when viewing personal data?
    The audit record should contain: who is viewing, what data is being viewed and the date/time stamp.
    This is required to meet data privacy legal requirements.
    Janet S.

    There is a T-code SM20, through some requirement can be fulfilled.
    Regards,
    Subhash

  • Capture Audit log

    Can any one tell me how to capture Audit log in sap without enabling it i,e. not through sm20

    My concern was without enabling audit log through sm19, and display by SM21. How can i find user activity in SAP? i.e, at what time user login/logout from sap and entered which t-code/report of sap and executed which table of sap?
    more over i would like to know all these details like...track user activity from SAP i.e., date, time, terminal name, ip address and transaction code, program name and database table along with these details:
    a.     PC identity, which is fixed and unique for each users' pc.
    b.     VPN login - external and internal ip address of connecting pc.
    c.     Report on users connecting to multiple SAP idu2019s from the same pc.
    d.     For watched users, need to watch every single record that they access.
    e.     Capturing users accessed to which database table of SAP.
    Edited by: Ravipawar1 on Feb 9, 2011 4:28 PM

  • Audit log + manual update + specify download location

    Hi all,
    I'm evaluating whether we can use Java Web Start for our new product, for geographically distributed software deployment.
    I've the following questions that I could not find answers in the official documentation:
    - Can it support manual update? i.e. is there any way I can put a button on the application UI so that instead of checking latest version on every program start, the end-user can manually initiate software update.
    - Can I extend it to support audit log? i.e. we need to keep track of which client upgrade to which version in a centralized database (as audit trail), and when such update occurred. Can we do this?
    - Some of our end-user has no access to local filesystem, they only have access to dedicated shared network drive, can we customize Web Start so that it download and save the new version to a specific location, instead of C:\temp?
    - We have a few jar files for the application. How can we ensure that all jar files are either updated, or not updated at all? i.e. kind of transaction concept.
    - One of the jar files contains some configuration files, which need to be expanded in exploded format (to allow runtime change of configuration options). How can we do that?
    Thanks a million.

    Hi all,
    I'm evaluating whether we can use Java Web Start for
    our new product, for geographically distributed
    software deployment.
    I've the following questions that I could not find
    answers in the official documentation:
    - Can it support manual update? i.e. is there any
    way I can put a button on the application UI so that
    instead of checking latest version on every program
    start, the end-user can manually initiate software
    update.currently, no - this is a requested feature being considered for 6.0
    >
    - Can I extend it to support audit log? i.e. we need
    to keep track of which client upgrade to which
    version in a centralized database (as audit trail),
    and when such update occurred. Can we do this?only by controling a servlet or jsp page that generates the jnlp file and keeps track of what requests are made for the jnlp file and the resources of the app. Java Web Start itself runs on the client machine.
    >
    - Some of our end-user has no access to local
    filesystem, they only have access to dedicated shared
    network drive, can we customize Web Start so that it
    download and save the new version to a specific
    location, instead of C:\temp?webstart itself only downloads into its own cache (by default on windows XP at c:\Doccuments and settings\<user name>\Application Data\Sun\java\deployment\cache\javaws
    this cache location can be configured.
    in version 6.0 we will have capability to disable caching, but curent version must have a cache.
    >
    - We have a few jar files for the application. How
    can we ensure that all jar files are either updated,
    or not updated at all? i.e. kind of transaction
    concept.
    Java web Start currently checks timestamps of all downloaded jars before launching application, and will only update all or none.
    - One of the jar files contains some configuration
    files, which need to be expanded in exploded format
    (to allow runtime change of configuration options).
    How can we do that?If you must access these resources as files, you will have to extract them using ClassLoader.getresourceAsStream(), and then write them to disk yourself.
    >
    Thanks a million./Andy

Maybe you are looking for