Usage of SM18, SM19, SM20

Similar Messages

• SM19/SM20 Security Audit Log

  I would like to ask if we need to restart the server once we activated the Static Profile in SM19? I have 3 application servers and only 1 application server's audit log is running. When I try to activate the security audit log for the other two servers, I don't see the audit log updating after I clicked the Activate button. Profile parameter rsau/enable is already set to 1. space for audit files is sufficient. Is there anywhere else I can check why the audit log is not running?
  Thanks!

  If you set the dynamic filters, then you do not need to restart the server.
  If you set static filters, then you do need to restart the server for them to take effect.
  This may have changed, but in some releases if you display the dynamic filters and then return to the static filter tab, what you will be looking at on the screen will still be the dynamic filter settings. This can be confusing.

• How to trace enduser activity and changes made by enduser

  Dear experts,
  how to put full fludged trace on enduser activity.
  that is i want to do the following activity:-
  *i should know the end user activity. (login details and T-codes accessed by users)
  *should know the changes made by the users.
  *i need to collect all these in the form of logs, so that i can archive it to network.
  and wht kind of security is best preffered by audit people.
  i request you all to give some valuable inputs on these questions.
  thanking you all
  best regards
  Raghav

  Hi noothangi,
  Transactions SM18, SM19, SM20 deals with security Audit Log.
  SM18
  To archieve or delete old audit log files
  SM19
  you can configure the Static/Dynamic fileters here.
  The system administrator or security administrator defines the events you
  want to audit in filters. Filters consist of the following information:
  . Client
  . User
  . Auditclass
  . Weight of events to audit
  The audit class returns information about the following:
  . Dialog logon
  . RFC/CPIClogon
  . Remotefunctioncall(RFC)
  . Transaction start
  . Reportstart
  . User master change
  You can specify the weight of events to audit:
  . Audit only critical
  . Audit important and critical
  . Auditallevents
  SM20
  SM20 to assess the security audit log.
  Soppose if you wanted to find out the transaction run by a perticular user in certain period, You can get this information in SU20.
  Please visite:
  http://help.sap.com/saphelp_46c/helpdata/en/95/d2a8e96d6611d1a5700000e835363f/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/8a/a8b5386f64b555e10000009b38f8cf/frameset.htm
  The above matter is from the below post.
  usage of SM18, SM19, SM20
  Cheers
  Soma

• Host name find in SAP

  Dear Team,
  I am using comman SAP login ID i.e QA-USER1 . Four persion using this Login ID. But after  one day I found that some one run wrong report.How I can Found out  that from witch PC i.e host name  this report Run.? and what  time?
  Thanks & Regards
  jagdish

  Hi kumar this is used for auditing purpose
  to configure the users or filters we use SM19, and to display the log we use SM20.
  for more information
  usage of SM18, SM19, SM20
  http://help.sap.com/saphelp_nw04s/helpdata/en/8a/a8b5386f64b555e10000009b38f8cf/frameset.htm
  Regards
  Bhaskar

• Security Audit Log SM19 and Log Management external tool

  Hi all,
  we are connecting a SAP ECC system with a third part product for log management.
  Our SAP system is composed by many application servers.
  We have connected the external tool with the SAP central system.
  The external product gathers data from SAP Security Audit Log (SM19/SM20).
  The problem is that we see, in the external tool,  only the data available in the central system.
  The mandatory parameters have been activated and the system has been restarted.
  The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
  In our scenario, we do not use SM20 since we want read the collected data in the external tool.
  Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
  Thanks in advance.
  Andrea Cavalleri

  I am always amazed at these questions...
  For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
  However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
  Cheers,
  Julius

• SM20 : IP/DNS address Terminal column

  Hi,
       English not my main language sorry in advance.
       I've set a Security Audit Log (SM19/SM20 and mofided my instance profile -> rsau/enable, rsau/local/file, rsau/max_diskspace/local, rsau/selection_slots)
       All working well but when i check logs (sm20) the 'Terminal' of the user logged in/off with the SAPGUI from a windows workstation is the NETBIOS name (%COMPUTERNAME%) of his workstation instead of the IP/DNS address (on linux it's the local hostname - on redhat /etc/sysconfig/network) .Of course i don't have this problem when using web client.
       So here my question : Is it possible on SAP to log IP/DNS address instead of NETBIOS name/hostname of a client using SAPGUI when using audit strategy ? If yes, what do i have to modify and where (client or server side)
       We use : SAPGUI 7.10 (Windows version) and ECC6 server kernel 7.0
       Thx in advance for the help

  Thx for the tips.
  SM04 and/or Table USR41 works great but only if user is connected. I don't have history.
  I must be able to log login/ip address (and it seems not possible with audit log)
  The only way i've found googling is to activate user exit in function EXIT_SAPLSUSF_001(module TH_USER_INFO and/or TERMINAL_ID_GET) to populate specific table
  As i'm not an expert on SAP, i've understood it's something i have to code on ABAP but can't really know how to and where to do it.
  If someone have already made it or can help making it ...
  Best regards

• User and Usage Tracking

  Hi Experts,
  Apologize if I'm posting this on a wrong category:
  Is there a possibility that a Dialog User can be tracked like:
  - the time he/she logged in and the time he/she logged out
  - duration on how long he/she is logged in
  - transaction codes used
  Cheers,
  R-jay

  Setup security logging:
  SM19 SM20 SM21
  http://help.sap.com/erp2005_ehp_04/helpdata/EN/68/c9d8375bc4e312e10000009b38f8cf/frameset.htm
  Hope this helps.

• Historical # users logged in

  hi - i need to find out how many SAP users were logged onto the system in previous hrs.  i can find CURRENT # in AL08 of course, but don't know if the historical info is stored anywhere - please let me know if you know how to find this - thanks!

  Hi Ben,
  You can check if Security log helps you to find the info you are looking for. To activate the security audit log, use SM20,SM18,SM19 tcodes (http://help.sap.com/saphelp_erp2005vp/helpdata/en/c7/69bcb7f36611d3a6510000e835363f/frameset.htm)
  Alternatively, you can come up with a custom program that will be periodically checking content/number of the USR41 table and insert the number of users to custom table. Then you can use the data from this custom table to get the historical number of users.
  Regards,
  Mike

• New log on session

  Hello experts,
  I'll be very grateful if anybody could help me with this issue. I would like check in abap transaction if in particular account is already started at least one session. If not I would like to get password from user and start new session on this account without using SAP Logon.
  Thanks in advance.

  Hi,
  what is the name of the table that contain info about number of started user sessions? When you log on through SAP Logon and if you already have started session system ask if you would like to kill last session. That's mean this kind of information is stored somewhere in the system tables.
  Why not try this way?
  1. You have list of  newly created users
  2.  Find out which transaction the user has excuted for that day(SM19,SM20,STAT, ST03)
  without usage of SAP Logon?
  1. User type
  2. RFC users (not dialog users)
  Table for storing SAP session count
  Thanks,
  Sri
  Edited by: sri on Aug 3, 2010 9:32 AM

• "logon time" between USR41 and security audit log

  Dear colleagues,
  I got a following question from customer for security audit reason.
  > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
  > logon history of Security Audit Log(Tr-cd:SM20)?
  Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
  And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
  at the time when user logged on, the security audit log is recorded .
  I tried to check SAP GUI logon program:SAPMSYST several ways, however,
  I could not check it because the program is protected even for read access.
  I want to know about specification of "logon time" between USR41 and security audit log,
  or about how to look into the program:SAPMSYST and debug it.
  Thank you.
  Best Regards.

  Hi,
  If you configure Security Audit you can achieve your goals...
  1-Audit the employees how access the screens, tables, data...etc
  Answer : Option 1 & 3
  2-Audit all changes by all users to the data
  Answer : Option 1 & 3
  3-Keep the data up to one month
  Answer: No such settings, but you can define maximum log size.
  4-Log retention period can be defined.
  Answer: No !.. but you can define maximum log size.
  SM19/SM20 Options:
  1-Dialog logon
  You can check how many users logged in and at what time
  2-RFC login/call
  Same as above you can check RFC logins
  3-Transaction/report start
  You can see which report or transaction are executed and at what time
  (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
  4-User master change
  (You can see user master changes log with this option)
  5-System/Other events
  (System error can be logged using this option)
  Hope, it clear the things...
  Regards.
  Rajesh Narkhede

• User id getting locked everyday

  Dear All,
  User Id getting locked everyday having profile SAP_ALL and SAP_NEW.I m not getting any clue why its getting locked everyday.
  I tried to check RFC and  background job job also but i m not able to find.everyday i have to unlock it.
  Kindly suggest me how to check.
  Regards
  Adil

  Hi,
  Such issue mostly happens due to wrong attempt of login in SAP system client with that SAP User id either through RFC login, external- program, script,etc...
  If you have checked all the RFCs login settings and not able to found the login attempt, then  Enable [SAP Security audit log|http://help.sap.com/saphelp_nw04s/helpdata/en/c7/69bcb7f36611d3a6510000e835363f/content.htm] using SM19, SM20 and analyze the logs for that SAP User id only.
  Regards,
  Bhavik G. Shroff

• CCMS and Security Audit log

  I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
  Do you know why is it so if it is not configured at your place.
  Thanks
  Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

  Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
  My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
  Please go through the document: [Security Audit Log|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true] (it's a bit Old)
  Try searching Community with SM20 / SM19 / Security Audit Log search strings.
  Regards,
  Dipanjan

• Log files information

  An user identification was used by several persons logged in different terminals.
  I need to know what he did and in what terminal during a certain period.
  Probably this information exists in a log file.
  How can I know that?

  Hi,
  To trace what a user has done from different terminals you can use the SM19/SM20 audits. more over you can also check SUIM for more information. I doubt whether it would be available in the file system level.
  Please check out help.sap.com for more information.
  Regards,
  sree

• No of users

  Hi
  I want to know the no. of users who logged on my SAP system on the previous days.
  Is it possible?
  hoping for a quick reply

  Dear RAP,
  If you have correctly configured CCMS on your system - activated background dispatching and assigned a reorg schema you will have several months of concurrent logon data in CCMS.
  Go to RZ20 - Technical Expert Monitors - All systems/segments.  You will then need to drill down to the concurrent users metric, click on "detailed information" (it is a button on the toolbar) and then select the period (start and end date).  From memory I think the data is broken down per client.
  ST03N can give you some data on users.  Configuring system auditing SM19/SM20 will give you detailed data that you could download to Excel. SAP also has a system measurement tool. 
  Each method will give you data in a different format.
  Thanks
  N.P.C

• Retrieve long-term transaction history from locked users

  Hi all,
  I need to gather an audit report on terminated users and their transaction codes for a specific date range. We have an auditor using the FOX tool to gather information, but it only applies to currently active users. They are able to get data on each active user in a specific group from 10/30/2006 - 4/01/2009
  My question is this.
  What is the best transaction to use to compile a report for 3 years worth of transactions for these specific terminated users. ST03N retention only goes back 2 months, I cannot pull any long term information in STAD, and I do not have access on our Production system to SM19/SM20.
  I feel pretty stuck and any help would be appreciated.
  Thanks!

  Thanks Lakshmi,
  I have gotten similar responses about this issue.  It would appear there is no feasible way to do this.
  Thanks for your help!