Technical and Product News and Insights from Rackspace
This post introduces SAP® Security Audit Log.
According to SAP: The Security Audit Log records “security-related system information such as changes to user master records or unsuccessful login attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the AS ABAP system. By activating the audit log, [the SAP system keeps a record] of those activities that you specify for your audit. [Customers] can then access this information for evaluation in the form of an audit analysis report.
“The Security Audit Log provides for a long-term data access. The audit files are retained until you explicitly delete them. Currently, the Security Audit Log does not support the automatic archiving of the log files; however, you can manually archive them at any time.
“You can record the following information in the Security Audit Log:
According to Enterprise Threat Monitor: “SAP security audit log is the main location for the traces of events triggered by the system or by applications, which are related to security. [It is in the form of a table.] Based on the configuration which event types must be recorded, it saves the data to the disk on the SAP application server instance.” Specify the location of the audit files by setting the profile parameter, rsau/local/file, in the SAP system.
An SAP blog adds: “Since security audit logs are stored on the file system and not the database, they [do not impact performance]. The main consideration of the operations teams is the storage requirements. Based on the activated event types (audit classes), the data volume [can vary].”
There are two configuration options in the security audit log:
Set profile parameters based on your release.
A) For releases earlier than 740: In the default profile, default.pfl, of the system, set the following profile parameters:
B) For releases 740 to 751: Call transaction SM19. Activate the Security Audit Log by performing the following steps:
C) For releases 752 and later: Call transaction RSAU_CONFIG. Activate the Security Audit Log by performing the following steps:
Note: When you use the Kernel parameters in the Security Audit Log configuration (step 1B or 1C), existing settings with the same name in the system’s profile are ignored. For more information, see SAP Note 539404, answer 1a.
To set up filters, perform the following steps:
Call transaction SM19 or RSAU_CONFIG. Create a new profile.
Create the following filters:
SAP#*: Record all events. The character # serves to mask
<your emergency user IDs>*: Record all events.
*): Record all events.
*), all users (*): Record all events except AUW, AU5, AUK, CUV, DUR, and EUE (deactivate via Detailed Display).
Save and activate the profile.
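The following added example (not code from this post or from SAP) models the filter entries that are legible above and reports which (user, event) pairs they would record, so you can check what the catch-all exclusion list drops. It assumes that # makes the following * a literal character, that an event is recorded when at least one active filter selects it, and that FIRE* is a hypothetical emergency-user prefix; the client dimension is left out.

```python
import re

# Event IDs that the catch-all filter on this page deactivates.
EXCLUDED = {"AUW", "AU5", "AUK", "CUV", "DUR", "EUE"}


def user_pattern(mask):
    """Compile a user mask: '*' is a wildcard, '#x' is the literal
    character x (assumed escape rule, so 'SAP#*' means the user SAP*)."""
    parts, i = [], 0
    while i < len(mask):
        if mask[i] == "#" and i + 1 < len(mask):
            parts.append(re.escape(mask[i + 1]))
            i += 2
        elif mask[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(parts))


# (user mask, event IDs excluded by that filter)
FILTERS = [
    ("SAP#*", set()),    # built-in user SAP*: record all events
    ("FIRE*", set()),    # hypothetical emergency user IDs: all events
    ("*", EXCLUDED),     # all users: everything except the six IDs
]


def is_recorded(user, event, filters=FILTERS):
    """True if at least one filter selects this user and event
    (assumption: active filters are additive)."""
    return any(
        user_pattern(mask).fullmatch(user) and event not in excluded
        for mask, excluded in filters
    )


def coverage(events):
    """Return (user, event, recorded) for each constructed sample pair."""
    return [(u, e, is_recorded(u, e)) for u, e in events]


if __name__ == "__main__":
    # Constructed sample pairs; AU2 stands for an event outside the list.
    sample = [("SAP*", "AUW"), ("SAPSUPPORT", "AUW"),
              ("FIRE01", "AUK"), ("JDOE", "AUK"), ("JDOE", "AU2")]
    for user, event, recorded in coverage(sample):
        print(f"{user:<12}{event:<5}{'recorded' if recorded else 'dropped'}")
```
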
Finally, check the configuration. If you have made changes to the profile parameters or the static profile, restart the system to make them effective. Until you can restart the system: Convert the static profile to a dynamic profile and activate it.
Call transaction SM20/SM20N, or its equivalent transaction depending on your SAP NetWeaver version (see the following table), and enter the required selection criteria. Click Reread Audit log to get the configured audit log for your system.
Table: Old and New functions of Transactions and reports related to the Security Audit Log
According to an SAP blog post: “You can view the long text of the Security Audit Log event messages using transaction SE92 (or in transaction SE61 if you choose the document class SL (Syslog)). Using note 1970644, you can get report RSAU_INFO_SYAG which shows all the events of the Security Audit Log including the current status of activation. The detail view allows you to create a HTML-based event definition print list including the full documentation.”
Whether to enable logging of all successful and unsuccessful events for all clients and users depends primarily on customer requirements. The SAP post continues: “There is no performance impact, not in time nor in space, if you log unsuccessful (=critical) events as these events happen rarely. As soon as you start logging successful events you might look to space—the growing size of the audit files—but still not to time, as the Security Audit Log is optimized for speed.”
SAP offers functionality to email Security Audit Logs with the help of reports RSAU_SELECT_EVENTS or RSAU_READ_LOG. Schedule any of these reports as a background job to receive the audit log from the SAP system.
The following table gives an overview of the critical event messages stored in the audit log for different audit classes.
Table: Critical events of Dialog, Transaction, RFC, and User audit classes
Table source: https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/#jive_content_id_Recommended_Settings_for_the_Security_Audit_Log_SM19__SM20
Switching on the Security Audit Log for all clients and users is a crucial security step because it provides detailed information in the audit reports. Its benefits far outweigh its costs, and it provides long-term data access. I strongly recommend that you enable the Security Audit Log, especially in production environments.