SAP Security Audit Log Setup
1. Introduction

The Security Audit Log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep a record of those activities you consider relevant for auditing. This information is recorded on a daily basis in an audit file on each application server. You can then access this information for evaluation in the form of an audit analysis report. Statistical information on transactions and reports can easily be retrieved. Although it was not designed for this purpose, this information is invaluable when estimating the resources needed for the next upgrade project and when deciding which transactions or reports deserve the most attention and effort. The following information can be recorded in the Security Audit Log:

- Successful and unsuccessful dialog and RFC logon attempts
- RFC calls to function modules
- Successful and unsuccessful transaction and report starts
2. Activating the audit log

The following instance profile parameters must be set in order to activate audit logging (use transaction RZ10 to do so):

- rsau/enable: set to 1 to activate audit logging
- rsau/local/file: name and location of the audit log file
- rsau/max_diskspace/local: maximum size of the audit file; once this size is reached, auditing stops
- rsau/selection_slots: maximum number of filters

The settings take effect after the instance has been restarted.

3. Defining Filters

To access the Security Audit Log configuration screen from the SAP standard menu, choose Tools->Administration->Monitor->Security Audit Log->Configuration (or transaction SM19).
Filters define what needs to be recorded. The following information can be specified:

- Which user(s) and client(s) (wildcards can be used)
- Audit class (for example, dialog or RFC logon attempt, start of transaction or report)
- Importance of the event (critical, important, ...)
Static filters are stored in the database. All application servers use the same filters to determine which events are recorded in the audit log. After saving (Save) and activating (Profile->Activate) the static profile, it is loaded at the next restart of the application server. Dynamic profiles, by contrast, can be activated at any time to filter for selected events; they are distributed to all active application servers after saving and distributing them via Configuration->Distribute Configuration.
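Because the rsau/* parameters in section 2 only take effect after a restart, and auditing silently stops once rsau/max_diskspace/local is reached, it is worth checking the profile before restarting. The following is an added example, not part of the original document; it parses a constructed instance profile (the file contents and the DEV system name are made up for illustration) and reports settings that would leave audit logging inactive or unusable.

```python
# Added example: sanity-check the rsau/* parameters of an SAP instance profile.
# The profile text below is constructed for illustration, not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample instance profile
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
rsau/enable = 0
rsau/local/file = /usr/sap/DEV/DVEBMGS00/log/audit_++++++++
rsau/max_diskspace/local = 1000000
rsau/selection_slots = 2
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_findings(params):
    """List the conditions under which the Security Audit Log would not record anything."""
    findings = []
    if params.get("rsau/enable") != "1":
        findings.append("rsau/enable is not 1: audit logging is inactive")
    if not params.get("rsau/local/file"):
        findings.append("rsau/local/file is unset: no audit file location")
    space = params.get("rsau/max_diskspace/local", "")
    if not space.isdigit() or int(space) <= 0:
        findings.append("rsau/max_diskspace/local is not a positive size; auditing stops when it is reached")
    slots = params.get("rsau/selection_slots", "")
    if not slots.isdigit() or int(slots) < 1:
        findings.append("rsau/selection_slots allows no filters, so nothing can be selected")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

On the constructed profile the only finding is that rsau/enable is 0; fix that, restart the instance, and the filters defined in SM19 start producing entries.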
[Figure: Transaction SM19 - Administer Audit Profile]

4. Analyzing the Audit Log

The Security Audit Log produces an audit analysis report that contains the audited activities. Using the audit analysis report, you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System. To access the Security Audit Log Analysis screen from the SAP standard menu, choose Tools->Administration->Monitor->Security Audit Log->Analysis (or transaction SM20). The audit log can be scanned for a period of time, user, transaction, report, etc.
Statistics (transaction starts, number of entries):

Transaction  Entries  Share
VA01         17       5%
VA02         13       4%
SE71         13       4%
SE16N        12       3%
ZV01          9       1%
SM19          9       1%
SE38          8       1%
SA38          7       1%
MB51          7       1%
CO03          5       1%
VT03N         5       1%
SE37          4       1%
SE91          4       1%
LX03          4       1%
VA01          3       1%
SE09          3       1%
SM18          3       1%
CO02          2       1%
BMBC          2       1%

Report entries (report names as listed in the statistics): RSBTCRTE, ZFIN01, SAPMSSY4, ZCO03, ZFIN09, SAPLSMTR_NAVIGATION, RSRZLLG0, RSDSLAN1, CSM_LOAD_APPSRV_DATA, SAPMSSY8, RSDSBUFF, RSDSOSCO, RSDSFSYS, RSDSUSER, RSDS_DBMEMBER, RSDSDEFLOAD, RSALSUP5, RSRZLST0, RSALSUP2, RSUVM018, RSDSSPTI, CCUMEAS, RSRFCDMN, RSDSSPNR, RSDS_BP_FREEWP, RS_UPDATE_STATUS, RK_SE16N
5. Reorganizing the Audit Log

The Security Audit Log saves its audits to a corresponding audit file on a daily basis. Depending on the size of your SAP System and the filters specified, you may be faced with an enormous quantity of data within a short period of time. Old audit log files can be deleted via Tools->Administration->Monitor->Security Audit Log->Configuration (or transaction SM18).
2. How do you set up and use system auditing of transactions?

a) Enter the filter criteria in SM19 and activate the trace. Read results with SM20.
b) Use SQL*Plus to query the history table and select data based on user ID.
c) Use PA20 to get the personnel number of an employee and then search USR01 for transactional history.
d) You must install the ST-PI add-on software to allow transactional auditing.

ANSWER: A

Transaction SM19 allows criteria for filtering your audit of transactional information by users and transactions. This does impose overhead on your system. The audit log location is also defined in this transaction and can be read and monitored in transaction SM20.