topic Re: Regd. Security Audit log in Application Development and Automation Discussions

Regd. Security Audit log

Former Member — Mon, 28 Jun 2010 05:58:11 GMT

Hi,

We have a requirement from business to activate Security audit log for all Business users. We have around 160 Business users but in SM19 I am able to set filters for only 10 users maximum.

Also I tried creating 16 profiles and maintained 10 users each but still I was able to activate only one profile at a time.

If I put * in the user tab then system starts logging for all users including our ESS users. But we don't want to log for ESS users as there are 1000+ ESS users which will affect the growth of the security log as well the performance.

Please suggest is there any way to enable security log only for around 160 users using SM19.

Regards,

Nalla.

Re: Regd. Security Audit log

Former Member — Mon, 28 Jun 2010 06:07:56 GMT

Hi,

But we don't want to log for ESS users as there are 1000+ ESS users which will affect the growth of the security log as well the performance.

As per my understanding, security log will grow up to 100 MB. After that it will start overrighing it..

For performance, you can enable selective logging options in Filter setting, instead of all.

Regards.

Rajesh Narkhede

Re: Regd. Security Audit log

Former Member — Mon, 28 Jun 2010 07:04:27 GMT

Dear Rajeev,

Thanks for your suggestion. But is there any way we can activate the security log only for 160 users.

Next point is related to file overwriting. I hope the maximum file size we can set is 2 GB. Do you mean to say even the file size to grow is 2 GB, the logs will be over written when it reaches a size of 100 MB.

Regards.

Nalla.

Re: Regd. Security Audit log

Former Member — Mon, 28 Jun 2010 08:23:53 GMT

> As per my understanding, security log will grow up to 100 MB. After that it will start overrighing it..

Your understanding is not correct. You can configure the max size and when reached the log stops recording.

If considered in the user naming convention, then a possible solution to this is changing the RZ10 parameter rsau/user_selection. Read the docs in RZ11 on what it does.

Otherwise, a carefull selection of what to log is the best option - such that successfull RFC logins and calls from ESS are not recorded, but other events and those required for the 160 are. This is certainly possible and anyway recommendable.

Cheers,

Julius

Re: Regd. Security Audit log

Former Member — Mon, 28 Jun 2010 13:15:55 GMT

Hi,

Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we cant use wild card option like RFC* or ESS*.

Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.

Our landscape is as below.

ECC 5.0 only Abap system. We have ITS system through which ESS users will login using the portal id. And user type for all users including ESS users is dialog.

Is there any way we can restrict using user group or licensing type? Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriciton on user group wise.

Regards,

Nalla.

Re: Regd. Security Audit log

Former Member — Mon, 28 Jun 2010 18:06:02 GMT

> Thanks for the update. But rsau/user_selection will not help us because our user ids are similar to our employee ids and we cant use wild card option like RFC* or ESS*.

I thought it worth mentioning, to consider for next time...

> Also in detailed selection option in SM19, i tried removing the RFC related options but still when our ESS users login, it is getting logged.

Possibly it is logging the RFC call and not the RFC authentication. Try the other way around and filter out the successfull logins in SM20N.

> Is there any way we can restrict using user group or licensing type?

No, not to my knowledge.

> Will it be a minor development if I ask our ABAPER to create a Z Tcode similar to SU19 by including user group or is there any user exit which can help us to put restriciton on user group wise.

You can make the screen program glow in the dark in a Z-tcode, but the location where the log is written is not accessible to you and that is where the music is.

The best option is to set a carefully chosen and tested filter in SM19 which covers your requirement without stopping the log, and then use SM20N to filter a subset of that.

You can also define the selection methods and reaction methods in transaction RZ21 and then activate them in a monitoring template in RZ20. This way you are faster and will only see what you want.

You can also do the same in Solution Manager for the managed systems and have a central monitoring and reaction from there. Then you are on the right track in my opinion.

Cheers,

Julius

Re: Regd. Security Audit log

Frank_Buchholz — Wed, 07 Jul 2010 13:30:55 GMT

The Security Audit Log does not have filter options for e.g. user groups. You just can use a generic name filter like "BS*" to identify business users. You can activate one profile only.

Perhaps you could rename the business users ... but this is not a good idea at all...

Another very weak workaround would be to work with different applications for both user groups which run different Security Audit Log settings. But any business user would be able to logon to the other application server. Therefore it's not a solution either.

-> I don't see a solution.

Anyway: In opposite to the system log, the Security Audit Log never gets overwritten. If you provide enought file space you could log everything.

Kind regards

Frank Buchholz