Application Development Blog Posts
Learn and share on deeper, cross technology development topics such as integration and connectivity, automation, cloud extensibility, developing at scale, and security.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

This document was generated from the following discussion: Recommended Settings for the Security Audit Log (SM19 / SM20)

This blog had started to give recommendations about settings for the Security Audit Log, but in the meantime it had evolved to show tips & tricks in general.

Another sound source for information are the FAQ notes 539404 "FAQ: Answers to questions about the Security Audit Log" and 2191612 "FAQ | Use of Security Audit Log as of NetWeaver 7.50".


Recommended Settings for the Security Audit Log (SM19 / RSAU_CONFIG, SM20 / RSAU_READ_LOG)

See note 2676384

Profile Parameters / Kernel Parameters

As of release SAP_BASIS 7.40 you can use the so-called "Kernel Parameters" instead of the listed Profile Parameters. You find them on a new tab in transaction SM19 respective transaction RSAU_CONFIG. See chapter Preparing the Security Audit Log in the Online Documentation. You can set them dynamically and once set they overwrite the values of the profile parameters. Take care to inspect these Kernel Parameters after an upgrade to SAP_BASIS 7.40 or higher.

Old profile parameters:

rsau/enable = 1

rsau/selection_slots = 10 (or higher if available)

rsau/user_selection = 1

rsau/integrity = 1

DIR_AUDIT and FN_AUDIT define the path and the file name pattern for the log files. These are the only profile parameters which are in use if you have switched to the "Kernel Parameters".

Filter settings in SM19 / RSAU_CONFIG

Depending on the release you can set 10, 15 (as of SAP_BASIS 7.40 SP 😎 or 90 (as of SAP_BASIS 7.50 SP 2) filters. See FAQ Note 539404 item [4].

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.

  • You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.

  • Consider to add messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB BUC, BUH, AUP, AUQ

  • If you maintain logical file names using transaction FILE (see note 1497003) than add messages CUQ, CUR, CUS, CUT, DU5

  • If you maintain an Access Control List for RFC callback (see note 2128095) than add messages DUI, DUJ, DUK

2. Filter: Activate everything for special user SAP* in all clients '*'

You cannot use a filter 'SAP*' because this would include the virtual user SAPSYS because of profile parameter rsau/user_selection = 1. This virtual user SAPSYS performs many house-keeping activities triggered by the system itself. You do not want to log these events.

However, you can use the special filter value 'SAP#*' instead.

You can use this special filter value 'SAP#*' in transaction SM20, report RSAU_SELECT_EVENTS respective transaction/report RSAU_READ_LOG as well to show log entries in for user SAP* only.

If you can defines positive and negative filters for user groups (see note 2285879) then you can create filters for user groups like SUPER instead. This has the additional advantage that the built-in user SAPSYS does not produce any logs.

3+4. Filter: Activate everything for other support and emergency users, e.g. 'SAPSUPPORT*' (SAP Support users) respective 'FF*' (FireFighter) in all clients '*'.

If you can defines filters for user groups then you can create filters for corresponding user groups instead.

5. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients '*'. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).

6. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see ).

7. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily (see ).

8. and following Filter: free for other project specific purpose


The client field accepts either single values like 000 or a * to catch all clients.

The user field accepts pattern characters as well (see note 574914😞

* any sequence of characters (only the first * within the filter string is interpreted as a pattern character)

+ one character

# disable following pattern character

The user group field accepts exacts values only.

Using the print function (command PRINT) in transaction SM19 or using report RSAU_INFO_SYAG you can show an overview about the current settings.

List of events

If you miss some of the events described in this document then search for notes of application component BC-SEC-SAL.

Using note 1970644 you can get report RSAU_INFO_SYAG which shows all events of the Security Audit Log including a summarized status about the activation of the events. The detail view allows you to create an HTML-based event definition print list including the full documentation.

Within transaction SM19 you can use the system function =PRINT (respective the printer icon in the top icon row) to document the definition of static profiles as well as the current definition of the dynamic configuration. This list shows the details about all filter slots.

Events ordered by selected topics and security optimization projects:

Topic Keyword Description and references Message

RFC callback (note 2128095)

Project: "Secure RFC Callback"
CDS views EUV
CHANGABILITY System settings and client settings about changability (note 2299636) EU1 EU2
CUSTOM Custom specific events using function module RSAU_WRITE_CUSTOMER_EVTS (note 1941526) DUX DUY DUZ
DEBUG Debugging (change mode) BUZ, CUK, CUL, CU_M, CUN, CUO, CUP, CUY (BUY is obsolete)

ETD Housekeeping

see notes 2850969, 3313550 and 3265014

Directory Traversal (note 1497003)

Project: "Secure File access"
RAL Read Access Logging (note 1902280) BU0 CU0
RBAM Role Based Access Management in SAP Business ByDesign system (note 948275) BUI BUJ

Report start

Project: "Avoid SA38 by using custom report transactions"

Generic table access via RFC using functions like RFC_READ_TABLE (note 1539105)

Project: "Secure standard table access (authorization object S_TABU_RFC)"
SAL SAL Housekeeping ... EU6
S4_CLOUD S/4 Cloud SDK (note 2478128), obsolete (2023-09) EUA EUB EUC EUD EUH

Switchable authorization scenarios, transaction SACF (note 2078596)

Project: "Secure RFC functions"

SAML Authentication, transaction SRTUTIL (note 1570266)

You get long messages for events CUB and CUC instead of splitted messages as of note 2939942.

FTP server whitelist using table SAPFTP_SERVERS (note 1605054)

See note 2312710 for more information about these messages.

You can duplicate the messages related to FTP into the Syslog by using report RSAU_SET_DOUBLE_MODE (see note 1686247).

Project: "Secure SAP FTP"

Generic table access using transactions like SE16, SE16N, S416N, S416H, etc. SE16N_EMERGENCY, SM30, SM31, SM34, or SQV (notes 2041892, 3140539)

Project: "Secure standard table access (authorization object S_TABU_DIS, S_TABU_NAM)"
SLDW Generic whitelists DUL DUM DUN

SNC Client Encryption (note 2104732)

Project: "Encrypt SAPGUI comminication"
TCODE Transactions AU3 AU4 AUP AUQ

Secure the test envorinment in transaction SE37 for functions and SE24 for methods.

Notes 3292306 and 3274589

Project: "Secure ABAP test environment"

UCON for http (notes 2522156 and 3298279)

Project: "Protect webservices using UCON"
USER Change user master data (not required as you get change documents anyway) AU8 AU7 AU9 AUA AUB AUD AUR AUS AUT AUU BU2 FU8
VSI Virus Scan Interface BU8 BU9 FU9
WEB-SERVICE Web service calls (note 1620477) CUV CUW

XSRF attacks (note 1619912)

This event is triggered if subsequent request calls do not contain the user session token 'sap-wd-secure-id' which was send by the server in the first response.

Note 2073809 shows special documentation/changes about the messages

  • BUY (which is replaced by message CUL),

  • CUY (which is related to debugger messages BUZ, CUL, CU_M, CUN, CUO, CUP), and

  • CUZ (which is related to message DU9).

List of events from table TSL1D respective report RSAU_INFO_SYAG.

This list is a snapshot - check it in your system - with a comparison between release 702, 740 and 750. Some of the new messages may be added with 731 or with downports already. See following notes which are described in report RSAU_SYNC_EVENTS (start this report in the development system to bring the event definitions up to date):

Note 1411741 BUY CUK
Note 1639726 CUQ CUR CUS CUT
Note 1666804 BUX
Note 1686247 DU1 DU2 DU3 DU4 DU5 DU6 DU7 DU8
Note 1707878 CUU CUX
Note 1789518 AU1 AU2 AU5 AU6
Note 1802077 BUV BUW DUH
Note 1938382 DUR DUS DUT
Note 1941526 DUX DUY DUZ
Note 1941568 DUX DUY DUZ
Note 1968729 DUI DUJ DUK
Note 2073809 CUY BUY CUZ
Note 2128095 DUI DUJ DUK
Note 2161582 FU1 FU2
Note 2234569 AUY
Note 2252312 DUJ DUK
Note 2299636 EU1 EU2 EUQ EUR
Note 2312710 DU1 DU2 DU3 DU4 DU5 DU6 DU7 DU8
Note 2446979 EU3 EU4 EU5
Note 2578343 EUV
Note 2578918 DUW
Note 2785904 FU3 FU4 FU8 FUA FUB FUC FUD FUE
sync 04/2020: FU0 EUP EUY EUZ BUX

The column "Cloud relevant" shows which events are visible in the App Display Static System Audit on private cloud systems as defined in static profile !DISPLAY (see note 2903873).

Audit Class Message ID Event class New in release Cloud relevant Message
Dialog Logon AU1 Severe X Logon successful (type=&A, method=&C)
Dialog Logon AU2 Critical X Logon failed (reason=&B, type=&A, method=&C)
Dialog Logon AUC Non-Critical User Logoff
Dialog Logon AUM Critical with Monitor Alert User &B Locked in Client &A After Erroneous Password Checks
Dialog Logon AUN Critical User &B in Client &A Unlocked After Being Locked Due to Inval.Password Entered
Dialog Logon AUO Severe X Logon Failed (Reason = &B, Type = &A)
Dialog Logon BUD Critical X WS: Delayed logon failed (type &B, WP &C). Refer to Web service log &A.
Dialog Logon BUE Non-Critical X WS: Delayed logon successful (type &B, WP &C). Refer to Web service log &A.
Dialog Logon BUI Critical SPNego replay attack detected (UPN=&A)
Dialog Logon BUK Non-Critical &A assertion used
Dialog Logon BUL Non-Critical &A: &B
Dialog Logon BUM Non-Critical Name ID of a subject
Dialog Logon BUN Non-Critical Attribute
Dialog Logon BUO Non-Critical Authentication assertion
Dialog Logon BUP Non-Critical &A
Dialog Logon BUQ Non-Critical Signed LogoutRequest accepted
Dialog Logon BUR Non-Critical Unsigned LogoutRequest accepted
Dialog Logon CU2 Severe 740 OAuth 2.0: Invalid access token received (reason=&A)
Dialog Logon CU3 Severe 740 OAuth 2.0: Insufficient OAuth 2.0 scope for requested resource (user=&A)
Dialog Logon CU4 Critical 740 OAuth 2.0: Logged-on client user &A not same as parameter client ID &B
Dialog Logon CU5 Severe 740 OAuth 2.0: Client &A requested invalid access grant type &B
Dialog Logon CU6 Critical 740 OAuth 2.0: Client ID &A in SAML assertion not same as client ID &B in request
Dialog Logon CU7 Severe 740 OAuth 2.0: Scope &B not permitted for client &C, user &D (cause=&A)
Dialog Logon CU8 Non-Critical 740 OAuth 2.0: Access token issued (client=&A, user=&B, grant type=&C)
Dialog Logon CU9 Non-Critical 740 OAuth 2.0: Valid access token received for user &A
Dialog Logon CUA Severe Rejected Assertion
Dialog Logon CUB Severe &A: &B
Dialog Logon CUC Severe &A
Dialog Logon CUD Severe Name ID of a subject
Dialog Logon CUE Severe Attribute
Dialog Logon CUF Severe Authentication Assertion
Dialog Logon CUG Severe Signed LogoutRequest rejected
Dialog Logon CUH Severe Unsigned LogoutRequest rejected
Dialog Logon DU0 Critical with Monitor Alert Invalid SAP GUI data
Dialog Logon EUC Critical new OAuth scope &A not assigned to the user
Dialog Logon EUC Critical new HTTP request not received from trustworthy cloud connector (reason &A)
Dialog Logon EUD Critical new
Note 2478128SAP_BASIS 7.40 SP 18, 7.50 SP 9, 7.51 SP 4Obsolete since September 2023 (?)

(added 2023-11)
HTTP request not received from trustworthy cloud connector (reason &A)
Dialog Logon EUP Critical new as of Kernel 790
Note 3303172
(added 2023-11)
Virtual user client=&A type=&B action=&C &D
RFC Logon AU5 Non-Critical RFC/CPIC logon successful (type=&A, method=&C)
RFC Logon AU6 Critical X RFC/CPIC logon failed, reason=&B, type=&A, method=&C
RFC Function Call AUK Non-Critical Successful RFC Call &C (Function Group = &A)
RFC Function Call AUL Critical Failed RFC Call &C (Function Group = &A)
RFC Function Call CUV Non-Critical Successful WS Call (service = &A, operation &B)
RFC Function Call CUW Critical Failed Web service call (service = &A, operation = &B, reason = &C)
RFC Function Call CUZ Critical Generic table access by RFC to &A with activity &B
RFC Function Call DU1 Severe FTP server whitelist is empty
RFC Function Call DU2 Severe FTP server whitelist is non-secure due to use of placeholders
RFC Function Call DU3 Critical Server &A is not contained in the whitelist
RFC Function Call DU4 Critical Connection to server &A failed
RFC Function Call DU5 Critical There is no logical file name for path &A
RFC Function Call DU6 Non-Critical Validation for &A successful
RFC Function Call DU7 Critical with Monitor Alert Validation for &A failed
RFC Function Call DU8 Non-Critical FTP connection request for server &A successful
RFC Function Call DUI Non-Critical Note 2128095 RFC callback performed (destination &A, called &B, callback &C)
RFC Function Call DUJ Critical Note 2128095 RFC callback rejected (destination &A, called &B, callback &C)
RFC Function Call DUK Critical Note 2128095 RFC callback in simulation mode (destination &A, called &B, callback &C)
RFC Function Call DUR Non-Critical JSON RPC call of function module &A succeeded
RFC Function Call DUS Non-Critical JSON RPC call of function module &A failed
RFC Function Call DUT Critical Critical JSON RPC call of function module &A (S_RFC * authorization)
RFC Function Call EUE Non-Critical new RFC function module &A called successfully
RFC Function Call EUF Non-Critical new Could not call RFC function module &A
RFC Function Call EUG Non-Critical new User does not have authorization to run RFC function module &A
RFC Function Call EUI Severe


Note 2522156
Setup of UCON HTTP whitelist changed
RFC Function Call EUJ Severe


Note 2522156
Phase of UCON HTTP whitelist of context type &A changed
RFC Function Call EUK Critical


Note 2522156
Access to UCON HTTP whitelist of context type &A was refused
RFC Function Call EUL Severe


Note 2522156
Setting of content security policy whitelist for type &A changed
RFC Function Call EUM Severe


Note 2522156
Content security policy whitelist of context type &A changed
RFC Function Call EUN Critical


Note 2522156
Content security policy of CSP type &A violated
RFC Function Call EUO Severe


Note 2522156
UCON HTTP whitelist of context type &A was changed
RFC Function Call FU1 Non-Critical 740 RFC function &B with dynamic destination &C was called in program &A
Transaction Start AU3 Non-Critical X Transaction &A Started
Transaction Start AU4 Critical X Start of transaction &A failed (Reason=&B)
Transaction Start AUP Severe Transaction &A Locked
Transaction Start AUQ Severe Transaction &A Unlocked
Transaction Start BUX Severe 740 Test message
Transaction Start CUI Non-Critical 740 Application &A started
Transaction Start CUJ Critical 740 Failed to start application &A (reason =&B)
Transaction Start DU9 Non-Critical Generic table access call to &A with activity &B (auth. check: &C )
Transaction Start EUA Non-Critical new S/2 Cloud SDK ABAP component called
Transaction Start FUF Critical new
Note 3140539
(added 2023-11)
Generic modifying data access on &A started using &B
Transaction Start GU1 Non-Critical new
Statistic events computed by standard job RSAU_MAINT_LOG  from CUI/CUJ events.There are no generic follow up activities needed.(added 2023-11)
X Start authority check for &A ( &B ) successful
Report Start AUW Non-Critical Report &A Started
Report Start AUX Severe Start Report &A Failed (Reason = &B)
Report Start EUQ Severe


Notes 3022618 and 3021889
X Analysis program &A &B was started in simulation mode
Report Start EUR Critical X Analysis program &A &B was started in production mode
User Master Record Change AU7 Critical User &A Created
User Master Record Change AU8 Severe User &A Deleted
User Master Record Change AU9 Severe User &A Locked
User Master Record Change AUA Severe User &A Unlocked
User Master Record Change AUB Severe Authorizations for User &A Changed
User Master Record Change AUD Severe User Master Record &A Changed
User Master Record Change AUR Severe &A &B Created
User Master Record Change AUS Severe &A &B Deleted
User Master Record Change AUT Severe &A &B Changed
User Master Record Change AUU Critical &A &B Activated
User Master Record Change BU2 Non-Critical Note 3075661 Password changed for user &B in client &A
User Master Record Change BUV Critical 740 Invalid hash value &A. The context contains &B.
User Master Record Change BUW Critical 740 A refresh token issued to client &A was used by client &B.
User Master Record Change DUH Severe with Monitor Alert 740 OAuth 2.0: Token declared invalid (OAuth client=&A, user=&B, token type=&C)
User Master Record Change EUH Non-Critical new Authorizations of user &A for authorization object &B detected
User Master Record Change FU8 Severe Lock entry deleted for user &A
Other events AU0 Non-Critical Audit - Test. Text: &A
Other events AUV Critical Digital Signature Error (Reason = &A, ID = &B)
Other events AUY Severe 731 X Download &A Bytes to File &C
Other events AUZ Severe Digital Signature (Reason = &A, ID = &B)
Other events BU0 Critical with Monitor Alert RAL configuration access: Action: &A, type: &B, name &C
Other events BU1 Critical with Monitor Alert X Password check failed for user &B in client &A
Other events BU3 Critical with Monitor Alert Security check changed in export: Old value &A, new value &B
Other events BU4 Non-Critical Dynamic ABAP code: Event &A, event type &B, check total &C
Other events BU5 Severe ICF recorder entry executed for user &A (activity &B)
Other events BU6 Severe ICF recorder entry executed by user &A (&B, &C) (activity &D).
Other events BU7 Severe Administration setting was changed for ICF Recorder (Activity: &A)
Other events BU8 Critical Virus Scan Interface: Virus "&C" found by profile &A (step &B)
Other events BU9 Severe Virus Scan Interface: Error "&C" occurred in profile &A (step &B)
Other events BUA Severe WS: Signature check error (reason &B, WP &C). Refer to Web service log &A.
Other events BUB Severe WS: Signature insufficient (WP &C). Refer to Web service log &A.
Other events BUC Severe WS: Time stamp is invalid. Refer to Web service log &A.
Other events BUF Non-Critical HTTP Security Session Management was activated for client &A.
Other events BUG Critical with Monitor Alert HTTP Security Session Management was deactivated for client &A.
Other events BUH Severe with Monitor Alert HTTP Security Session of user &A (client &B) was hard exited
Other events BUJ Severe Note 2104732 Non-encrypted &A communication (&B)
Other events BUS Critical &A: Request without sufficient security characteristic of address &B.
Other events BUT Severe 740 CRL download failed with error code &A
Other events BUU Critical 740 Certificate check for subject "&A" with profile &B failed (status &C)
Other events BUY Critical Field contents changed: &5&9&9&9&9&9
Other events BUZ Very Critical X [The contents of the specified field were changed in the ABAP Debugger]
> in program &A, line &B, event &C
Other events CU0 Critical RAL Log Access: Action: &A
Other events CU1 Severe CU Test Message
Other events CUK Critical X C debugging activated
Other events CUL Very Critical X Field content changed: &A
Other events CU_M Very Critical X Jump to ABAP Debugger: &A
Other events CUN Very Critical X A manually caught process was stopped from within the Debugger (&A)
Other events CUO Very Critical X Explicit database commit or rollback from debugger &A
Other events CUP Very Critical X Non-exclusive debugging session started
Other events CUQ Severe Logical file name &A not configured. Physical file name &B not checked.
Other events CUR Severe Physical file name &B does not fulfill requirements from logical file name &A
Other events CUS Severe Logical file name &B is not a valid alias for logical file name &A
Other events CUT Severe Validation for logical file name &A is not active
Other events CUU Non-Critical Note 1707878 Payload of PI/WS message &A was read | &B
Other events CUX Non-Critical Note 1707878 Payload of postprocessing request &A read
Other events CUY Non-Critical > &A
Other events DUA Severe 731 EHS-SADM: Service &A created on host &B
Other events DUB Severe 731 EHS-SADM: Service &A started on host &B
Other events DUC Severe 731 EHS-SADM: Service &A ended on host &B
Other events DUD Severe 731 EHS-SADM: Service &A deleted on host &B
Other events DUE Non-Critical 731 EHS-SADM: Configuration of service &A changed on host &B
Other events DUF Non-Critical 731 EHS-SADM: File &A transferred from host &B
Other events DUG Non-Critical 731 EHS-SADM: File &A transferred to host &B
Other events DUL Non-Critical Check for &A in whitelist &B was successful
Other events DUM Severe with Monitor Alert Check for &A in whitelist &B failed
Other events DUN Critical with Monitor Alert Active whitelist &A changed ( &B )
Other events DUO Non-Critical Authorization check for object &A in scenario &B successful
Other events DUP Non-Critical Authorization check for object &A in scenario &B failed
Other events DUQ Critical with Monitor Alert Active scenario &A for switchable authorization checks changed - &B
Other events DUU Non-Critical Authorization check for user &C on object &A in scenario &B successful
Other events DUV Non-Critical Authorization check for user &C on object &A in scenario &B failed
Other events DUW Non-Critical


Note 2578918
Data target accessed in BW &A
Other events DUX Non-Critical 740 TEMP: Customer-specific event DUX &A &B &C &D
Other events DUY Non-Critical 740 TEMP: Customer-specific event DUY &A &B &C &D
Other events DUZ Non-Critical 740 TEMP: Customer-specific event DUZ &A &B &C &D
Other events EU0 Non-Critical Test Message for Class EU
Other events EU3 Critical 750 &A change documents deleted without archiving (&B)
Other events EU4 Non-Critical new Validation successful for logical file name &A (physical: &B)
Other events EUB Critical new Could not verify the digital signature: &A
Other events EUS Severe X Read access to DCT change log (&A)
Other events EUT Severe X DCT change log (&A) was reorganized
Other events EUU Critical Note 3050692 Suspect WHERE-Clause during generic table access to table &A (Clause &B)
Other events EUV Non-Critical 740
CDS view &A (field &B) was published
Other events EUW Non-Critical 740
Blocklist is activated (connection/table/field: &A &B &C)
Other events EUX Non-Critical 740
Blocklist is deactivated (connection/table/field: &A &B &C)
Other events EUY Non-Critical 740
Data blocking activated for &A
Other events EUZ Non-Critical 740
Data blocking deactivated for &A
Other events FU2 Severe 740 Parsing of an XML data stream canceled for security reasons (reason = &A)
Other events FU3 Non-Critical X Template &A (&B) loaded
Other events FU4 Severe X Could not upload enhancement template &A
Other events FU5 Severe

new for application "Customer Data Browser"

Note 3319853

SAP_BASIS 7.40 SP 30, 7.50 SP 28, 7.51 SP 17, 7.52 SP 13, 7.53 SP 11, 7.54 SP 9, 7.55 SP 7, 7.56 SP 5, 7.57 SP 3, 7.57 SP 1

Public Cloud:

Online Help BTP ABAP  or S/4HANA Cloud

Note 2903873

(added 2023-11)
X Access to object &A (&B), &C entries contain &D, authorization check &E
Other events FU9 Severe

new as of 750

Notes 3165706 and 3165707

(added 2023-11)
Virus scan profile &A not active. Scan was not executed.
Other events FUA Critical Audit alert: &A | &B &C &D
Other events FUC Non-Critical Attempted read on output document &A for object &B ( &C )
Other events FUD Non-Critical X Successful read on output document &A for object &B ( &C )
Other events FUE Critical X Failed read on output document &A for object &B ( &C )
Other events FUG Severe new as of 740
Notes 3313550 and 3265014(added 2023-11)
ETD configuration access (action: &A, name: &B, type: &C, status: &D)
Other events FUH Critical new as of 740
Notes 3313550 and  3265014(added 2023-11)
ETD configuration status changed (status new: &A, name: &B, type: &C)
Other events FUI Non-Critical new as of 740
Notes 3313550
and 3265014 (added 2023-11)
ETD trace was downloaded
Other events FUJ Critical new as of 740
Notes 3292306 and 3274589 (added 2023-11)
Function module &A was started in the test environment (destination &B)
Other events FUK Critical new as of 740
Notes 3292306 and 3274589 (added 2023-11)
Method &B of the class &A was started in the test environment
Other events FUL Non-Critical new as of 740
Note 3298279
(added 2023-11)
Area constructor started for &A
Other events FUM Severe new as of 740
Note 3319853
(added 2023-11)
SQL statement &B sent to system &A (&C)
Other events FUN Non-Critical new as of 740
Note 3319853
(added 2023-11)
Result for event FUM for &A (&B) - SQL code &C - &D
Other events FUO Non-Critical new as of 740
Note 3319853
(added 2023-11)
Error code for FUM for &A (&B) - SQL code &C - &D
Other events FUP Critical new as of 740
Note 3319853
(added 2023-11)
Error code for FUM for &A (&B) - SQL code &C - &D
Other events FUQ Non-Critical new as of 740
Note 3319853
(added 2023-11)
CI/CD Landscape portal call (action &A | entity &B | commit ID &C | info &D )
Other events FUR Severe new as of 750
Note 3386875
(added 2023-11)
File share client for user &A in privileged mode of class &B
Other events GU2 Non-Critical new
Statistic events computed by standard job RSAU_MAINT_LOG  from CUI/CUJ events.There are no generic follow up activities needed.(added 2023-11)
Statistic data for log data enrichment collected till &A ( &B entries )
System / housekeeping AUE Very Critical Audit Configuration Changed
System / housekeeping AUF Very Critical Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F
System / housekeeping AUG Very Critical Application Server Started
System / housekeeping AUH Very Critical Application Server Stopped
System / housekeeping AUI Very Critical Audit: Slot &A Inactive
System / housekeeping AUJ Very Critical with Monitor Alert Audit: Active Status Set to &1
System / housekeeping EU1 Very Critical


Note 2299636
X System changeability changed (&A to &B)
System / housekeeping EU2 Very Critical


Note 2299636
X Client setting for &A changed (&B)
System / housekeeping EU5 Non-Critical new Audit log data of &A was deleted (&B data records)
System / housekeeping EU6 Non-Critical SAL log file &A passed to table &B (records: &C/reason: &D)
System / housekeeping EU7 Critical new
(added 2023-11)
I/O error on audit file &A
System / housekeeping FU0 Very Critical 750 Exclusive security audit log medium changed (new status &1)
System / housekeeping FUB Critical TEMP: Customer-specific event FUB &A &B &C &D

File format

Warning: The file format is defined SAP internally - it's not an official definition which can be used freely. Use the information with care as storage and format can change with newer releases.

As of release 7.50 you can choose if log events are stored in the files as described in this section or in the database table RSAU_BUF_DATA or at both locations (see note 2191612).

Use report RSAU_SELECT_EVENTS to analyze the file format.

The audit files have a structured but variable record layout in unicode text format.

The administrative information is fixed, however, there exist 2 record formats depending on the existence of the additional field SLGLTRM2.

The data part, field SLGDATA, containing 64 characters has a variable sub-structure containing several parameter values. Often these values are separated by '&' matching to the message variables &A, &B, etc. of the message definition. If you don't find an '&' than you will have fixed length parameter values matching to the message variables &n (n is a number describing the count of characters) within the message definition.

Relevant DDIC structures:

RSLGENTR SysLog entry

RSAUENTR2 Security Audit Log Entry Version 2 with Long Terminal Names

Example of an entry in a .aud file:

2AU520130409010803000505200009D9a234ba.pDOKUSTAR SAPMSSY1 0201R&0

This leads to the following file format:

Field Sub-field Length Description
SLGFTYP 1 Entry type: "q" = version 1 without field SLGLTRM2, "2" = version 2 including field SLGLTRM2
AREA 2 Message area
SUBID 1 Message name
SLGDATTIM Time stamp (CHAR 16)
DATE 8 Date in format YYYYMMDD
TIME 6 Time in format hhmmss
DUMMY 2 not used
UNIXPID 5 Process ID
SLGTTYP 2 Process type (short form)
SLGLTRM 8 Terminal name (truncated)
SLGUSER 12 User name
SLGTC 20 Transaction
SLGREPNA 40 Program
SLGMAND 3 Client
SLGMODE 1 External mode of an SAP dialog
SLGDATA 64 Variable message data
SLGLTRM2 20 Terminal name (continued), only available if SLGFTYP=2

You see,

  • the format of the variable message data

  • the message class (logon, transaction start, report start, RFC logon, user master record change, RFC start, miscellaneous, and system)

  • the severity (critical, important, non-critical)

  • and the monitoring alert settings (with, without)

are not visible within the file, but only in the message definition in table TSL1D (the key fields are AREA and SUBID).

Terminal ID versus IP Address

The Security Audit Log normally logs the terminal id if it's available; otherwise the IP address is logged. You can set the (undocumented) profile parameter rsau/ip_only to the value 1 to log the IP address instead (if available). See note 1497445 for details.

Use the following options to get the terminal id and the IP address of active users:

  • Transaction SM04 shows the IP address of the GUI client as well if you change the layout. (Limited to currently active users.)

  • Table USR41 containing the last logon date shows both terminal id and the IP address in field TERMINAL. Maybe it's possible to activate table logging using SE13 to get the history, too. Than you could merge this data with the log entries.

  • Maybe you can try to use user exit SUSR0001 to log IP address (from function TH_USER_INFO and/or table USR41) in a custom table or via creating additional Security Audit Log entries for message AU1 (sucessful logon) for which you e.g. set the parameter &A or a new parameter &B with the IP address. See function RSAU_WRITE_TRAC_AUDIT_LOG to understand how to create such entries. (Limited to dialog logon only.)

There exist strong limitations of logging terminal ID and IP address in ABAP. A malicious user could spoof the terminal ID easily. The IP address can be problematic, too. For example if a reverse proxy (e.g. web dispatcher) for HTTP access is used, then all users will have the same IP address.

(German) Data Protection

Would the German Data protection authorities have an issue with activating this level of logging?

From a general point of view I would start with following assumptions:

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.

➙ mostly ok, details should be confirmed

2. Filter: Activate everything for users 'SAP*' in all clients '*'

➙ ok

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'

➙ ok (assuming that you already have agreed on using GRC Super User Management)

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients.

➙ ok

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted.

➙ ok

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily

➙ you have to confirm this

7.-10. Filter: free for other project specific purpose

➙ you have to confirm this

Keep in mind that you have to discuss (among others) log creation, consolidation, archiving as well as retention periods and deletion.

Example from a German project (2010/2011) which was cleared through German, Austrian, French & Belgian data controllers:

Logging everything was OK as there is are legitimate reasons for it. The following additional controls were required:

  • Access to logs limited to Basis & Security team

  • Acceptable use (of logs) policy circulated to everyone with access

  • Data had to be summarized before use (e.g. could not be easily attributable to an individual. Obviously difficult to achieve if someone is in a team of 1...)

  • Distribution of data outside security team had to be approved by local data controller (local to the people who's data it was).

  • Detailed records existing outside the system had to be deleted after the summation work had been completed

Exceptions to these included:

  • legitimate use of data in event of security breach (agreed by local counsel and data controllers)

  • use of data with written approval of user (we used this a lot when redesigning access based on patterns of 'model' users).

I just found an additional recommendation about the protection of the files in a recent note:
In general, files of the Security Audit Log must not be accessed by other ABAP programs than the Security Audit Log application itself. Protect the files by assigning the appropriate S_DATASET authorizations to your users and by using S_PATH protection as described in note 177702. For this purpose, use an own dedicated folder for Security Audit Log files. Enter this directory into the SPTH table and enable the flags FS_NOWRITE and FS_NOREAD, thus disabling any read or write access from ABAP to this directory. Configure the Security Audit Log (parameter DIR_AUDIT) to use this directory.

GRC Fire Fighter logging

The application GRC Access Control Super User Management (aka FireFighter) consolidates logs from various sources:

  • Transaction Log: Captures transaction execution from transaction STAD

  • Change Log: Captures change log from change document objects (tables CDPOS and CDHDR)

  • System Log: Captures Debug & Replace information from transaction SM21

  • Security Audit Log: Captures Security Audit Log from transaction SM20

  • OS Command Log: Captures changes to OS commands from transaction SM49

Because of this we recommend to define a filter in the Security Audit Log which records all events for fire fighter users.


Q: Is there a significant performance impact (or any impact at all) if we enable the security audit log with the recommended settings? We've had resistance from some clients as they were worried that it will impact on the end user experience / slow down the system.

Unfortunately the FAQ note 539404 does not talk much about performance.

Well, the general rule is simple: There is no performance impact, not in time nor in space, if you log unsuccessful (=critical) events as these events happens rarely.

As soon as you start logging successful events you might look to space - the growing size of the audit files - but still not to time, as the Security Audit Log is optimized for speed.

Ertunga Arsal has written some noteworthy blogs about performance analysis of the Security Audit Log:

Conclusion: you do not need to care about time, and space is only important if you log specific successful events:

  • RFC function called (AUK respective EUE which take >70% of the space)

  • Successful RFC logon (AU5 which take >15%)

  • Successful Web Service Call (CUV which take >10% if the system uses web services extensively)

  • Report started (AUW which take >5%)

  • Successful JSON RPC call (DUR)

How to create customer-specific events

Using notes 1941526 and 1941568 you can utilize the custom messages DUX, DUY and DUZ in SAP_BASIS release as of 7.30. Call function RSAU_WRITE_CUSTOMER_EVTS to create these messages.

You can "reuse" other codes, i.e. CUY if you ensure that you still will be able to distinguish the messages. Nevertheless, you should interpret it as a (logical) modification of the SAP Standard.

in addition there exist other options to log custom specific events:

  • Application Log in ABAP

  • CCMS Alerts

  • Alerts send to the SAP Solution Manager

How to read the long texts of events

You can view the long text of Security Audit Log event messages using transaction SE92 (or in transaction SE61 if you choose the document class SL (Syslog).

Using note 1970644 you can get report RSAU_INFO_SYAG which shows all events of the Security Audit Log including the current status of activation. The detail view allows you to create an HTML-based event definition print list including the full documentation.

How to log critical debugger events

Using the debugger in general might already be seen as critical but using debug-change is considered as very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A

  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A

are already covered by the 1st filter "Activate everything which is critical for all users in all clients" as proposed above.

These both messages are extended by another message to add more details describing the event:

  • Other Events, Critical, BUZ > in program &A, line &B, event &C

Limitation: debug-display is not logged!

The messages CUK, CUN, CUO, and CUP are related to the debugger as well.

How to track changes on the settings

Dynamic settings

The effective (dynamic) settings get logged in the Security Audit Log itself.

If you create - as recommended - a filter for "all clients, all users, all audit classes with severity 'critical'" than you already get the corresponding events of audit class "System":

System Critical AUE Audit Configuration Changed
System Critical AUF Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F
System Critical AUG Application Server Started
System Critical AUH Application Server Stopped
System Critical AUI Audit: Slot &A Inactive
System Critical AUJ Audit: Active Status Set to &1

To identify events AUE, AUF, AUI triggered by starting an application server (compared with from events triggered by changing the dynamic profile), you can use one of the following methods:

  • You find event AUG shortly before

  • The fields for client, user, terminal and program are empty

The RFC function RSAU_GET_AUDIT_CONFIG provides the effective dynamic SAL configuration of an application server. This function is e.g. used by the data collector for the "Change Reporting / Configuration Validation" applications in SAP Solution Manager.

If available (as of SAP_BASIS 7.40 SP 17, 7.50 SP 7, 7.51 SP 2), the newer RFC function RSAU_API_GET_AUDIT_CONFIG should be used (see Note 2410004). The new function shows the active events in the known and complicated MSGVECT bit field as well as in text form in the MSG_LIST field.

In both cases, the dynamic settings of the called application server are obtained. One would have to query all active application servers to get a complete picture.

Static settings

The static settings are stored in table RSAUPROF. The system create table logs for any changes which you can view, i.e using report RSTBHIST.

The name of the active profile which is used while starting an application server is stored in field CURRPROF of the entry with PROFNAME = $CURPROF.

You can transport static profiles using a workbench transport which get transport entries for R3TR TABU RSAUPROF with table key PROFNAME=<profile name> SLOTNO=*. (You can transport the entry for $CURPROF as well, but I recommend to choose the active profile in the target system manually.)

As of SAP_BASIS 7.50 you have to add transport entries for R3TR TABU RSAUPROFEX with table key PROFNAME=<profile name> SLOTNO=*.

The Kernel parameters are stored in the special profiles $KERNEL$, etc.

We do not recommend to transport these parameters because of non-compatible changes between different SAP versions.


$KERNEL$ 0001 " " / "X" Security Audit active
$KERNEL$ 0002 " " / "X" Generic user selection
$KERNEL$ 0003 number Number of selection filters
$KERNEL$ 0004 " " / "X" One audit file per day
$KERNEL$ 0005 number Maximum Size of audit file (in case of single file per day)
$KERNEL$ 0006 " " / "X" Multiple audit files per day
$KERNEL$ 0007 number Maximum Size of an audit file (in case of multiple files per day)
$KERNEL$ 0008 number Maximum Size of all audit files (in case of multiple files per day)
$KERNEL$ 0009 " " / "X" Integrity protection format active
$KERNEL$ 0010 " " / "X" Log Target
$KERNEL$ 0011 " " / "X" Log Peer Address instead of Terminal
$CONFIG$ 0099 " " / "A" / ... Recording Status

As of SAP_BASIS 7.40 you can use transaction SM19 to add static filter definitions to a transport. See FAQ Note 539404 item [8].

The filters are stored in the entries having field SLOTNO > 0.

Field STATUS shows if a filter is active.

Field CLASSES shows the active audit classes. This is a bit-field summing up the values for the different audit classes (see include RSAUCONSTANTS😞

rsau_class_system(4) type x value 64,

The audit class "System" is implicitly active and is not added, therefore you get the value CLASSES = 191 = 128 + 32+16+8+4+2+1 if you activate all audit classes.

Field SEVERITY shows the severity (see include RSAUCONSTANTS😞


If you have selected the detail settings, then field SELVAR contains the constant 01 (and field CLASSES = 0 and SEVERITY = 0). Field MSGVECT defines active events. (In this case you can deactivate "System" events.)

Active events are identified using individual bits at specific positions within field MSGVECT. The position is calculated using the alphanumerical order 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ according to the SUBID of the events. The event area (AU, BU, CU, DU, EU) defines the bit which is added to the value on that position: AU = 80 (hex), BU = 40 (hex), CU = 20 (hex), DU = 10 (hex), EU = 08 (hex).

Only the first 36 positions of field MSGVECT are used. Every position holds two bytes therefore you see two hexadecimal characters per position.

Example showing active system events only (AUE AUF AUG AUH AUI AUJ😞

MSGVECT 000000000000000000000000000080808080808000000000000000000000000000000000...

SUBID 0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Position -1-2-3-4-5-6-7-8-9--11--13--15--17--19--21--23--25--27--29--31--33--35--...

Change Reporting in the SAP Solution Manager

In addition to the local table logs of table RSAUPROF you can use the applications Change Reporting and Configuration Validation in the SAP Solution Manager to analyse changed settings. Use the configuration store AUDIT_CONFIGURATION. Be aware that the extractor gets a snapshot of the dynamic settings daily - that means it shows the effective settings according to profile parameters respective the overriding kernel parameters. Changes between two executions of the extractor are not cached. The configuration store does not show the user account who triggered the change. Therefore I recommend to use Change Reporting or Configuration Validation as a trigger for deeper analysis of the local table logs.

see: Configuration Validation Home

➙ Content of CCDB for a Technical System of type ABAP ➙ …

What is the meaning of message BU4?

Question: I our productive environment am getting many times the message BU4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" but according to your post (and my old screen capture) the BU4 message should be for "Transport Request &A Contains Security-Critical Source Objects".

I searched but could not find anything about this issue...what do you recommend beside good luck :-)?

Answer: The definition of the message BU4 in transaction SE92 might be still wrong depending on the release of the system. According to note 539404 recording the events to transport security-relevant objects (BU3, BU4) is not yet implemented.

As described in note 1655743, the Kernel creates message BU4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" to flag usage of




if setting in SM19 at 'Other entries' for 'Audit of generated dynamic ABAP' is active.

You will get events for message BU4 i.e. whenever transaction SE16 generated a report selection screen for a table which you view using this transaction.

(In addition entries in the db tables DYNABAPHDR and DYNABAPSRC are written if profile parameter abap/dyn_abap_log is set to the value "on".)

How can I read events using BAPIs?

The security alerts are also available to external programs using BAPIs (Business Application Programming Interfaces). The report RSAU_READ_AUDITLOG_EXTERNAL is a sample SAP program that you can use as a template for accessing the security alerts using BAPIs.

For the Security Audit Log (SAL) you will work with following result fields:

write: /
MSG_LINE_TBL-MSCGLLID+4(14), " Time stamp (yyyymmddhhmmss)
XMI_RAW_TBL-MSGARG2, " SAL Message parameters seperated by '&'
XMI_EXT_TBL-MSG. " SAL Message text with parameters

- It seems that you have to address all application servers individually (however, I’m not sure as I’m not an expert for these BAPIs).
- Following fields seem not to be available: Terminal name, Transaction Code, Program, SAP process, Work Process Number

Documentation about using the BAPIs:

Including External System Management Programs in the CCMS Monitoring Architecture (2002)

How to get a cross-reference about the creation of messages?

If you want to know which program triggers which message you can use the cross-reference feature of the development environment. Well, messages are no repository objects, therefore you cannot use it directly. However, many but not all messages are triggered by specific functions of methods per scenario. You can use the cross-reference for these triggers.

Have a look to method GET_TRIGGER_FOR_MSG of class CL_INFO_SYAG to view the list of triggers which are used to create audit messages. Then go for the cross-reference in transaction SE80 or SE84 for these functions and methods.

How to avoid logging for Auto-ABAP (SAPSYS) processing

If you do not want to log Security Audit Log events for Auto-ABAP processing (aka "SAPSYS processing") even if you log all events for user pattern SAP* you can assign a different username to this type of processing by setting following profile parameters:


To define the value for these profile parameters you enter the client, a comma and the user.

Example: 000,ZSAPSYS

This user has to exist in the choosen client with sufficient authorizations!

Create this user with user type B=system, no password and a role which contains at least following authorizations (you may start with full authorizations and use transaction STAUTHTRACE for a while to get the list of required authorizations):

Authorization object S_ADMI_FCD with field S_ADMI_FCD = PADM, ST0R

Authorization object S_BTCH_ADM with field BTCADMIN = Y

Authorization object S_DATASET with fields
ACTVT = 33

Authorization object S_RZL_ADM with field ACTVT = 01, 03

This tip was developed by a customer based on information within note 2288530. The customer has an even stronger requirement as mentioned above because they want to log everything in all clients for all users with just the exception to omit logging for Auto-ABAP processing. This customer use a special variation of the trick:

Auto-ABAP processing is executed by user SAPSYS______ (12 characters).

No other user name is longer than 11 characters.

The filter im transaction SM19 for the user name is defined as +++++++++++ (11 characters).

Comparison between old and new transactions as of 7.50

We recommend to use the new functions as soon as they are available for a larger part of the system landscape. Implement note 2743809 before using RSAU_CONFIG - this note contains important corrections.

Old transaction SM19 does not work correctly anymore as soon as you start using RSAU_CONFIG! To avoid using the old functions we recommend to lock the transactions (see note 2234192) and to write a comment into the profile parameter file.

Old function New function as of 7.50 Description
Transaction SM18 Transaction RSAU_ADMIN Log Data Administration
Transaction SM19 Transaction RSAU_CONFIG Configuration
- Transaction RSAU_CONFIG_SHOW
Show Configuration
Transaction SM20 = SM20N
Transaction RSAU_READ_LOG
- Transaction RSAU_READ_ARC
Reporting including archived data
- Transaction RSAU_TRANSFER
Upload/Download Configuration Data
- Report RSAU_INFO_SYAG Show Message Definitions
Template report RSAU_READ_AUDITLOG_EXTERNAL Function module RSAU_API_GET_LOG_DATA or static method GET_SAL_DATA of class CL_SAL_ALERT_API Read Security Audit Log data in customer programs (see note 2641084)
Profile Parameters rsau/* Kernel parameters in transaction RSAU_CONFIG Settings

Is it possible to schedule Security Audit Log reports and send them via mail?

Transaction SM20 is a dialog transaction which does not offer scheduling options.

However you can use report RSAU_SELECT_EVENTS or new report RSAU_READ_LOG, which is available as of 7.50, instead. As these are standard reports you can schedule them as an background job, and you can send the results via mail like for any other background job.

0 Kudos

Great detail and deep technical level. I like it!

Former Member
0 Kudos

Hi Frank,



We need to analyze specific transaction runs of specific users for a long period of time like 3 months? Unfortunately sm20 is so slow and we couldnt get result although we use username and transaction code filters in one run. Is there any other way or tool to analyze and display that audit log files quickly?

0 Kudos

Hi Ufuk


Very nice your document.



Former Member
0 Kudos

is there any BAPI or RFC which can be used to read the log?

Requirement is to get the log in non-SAP (.NET) for analytics?




Product and Topic Expert
Product and Topic Expert
0 Kudos

The security alerts are also available to external programs using BAPIs (Business Application Programming Interfaces). The report RSAU_READ_AUDITLOG_EXTERNAL is a sample SAP program that you can use as a template for accessing the security alerts using BAPIs.

Former Member
0 Kudos

Hi does anyone know when Event CUK (C Debugging activated) is raised?

I found no possibility to activate C debugging, so I was not able to generate this event.





Former Member
0 Kudos

Hi Frank,


I am unable to view the document. Are you making some changes?

Please share the document.




Former Member
0 Kudos

Hello Frank,



Could you please share the Doc, not able to find any doc here...





0 Kudos

Very nice topic

Former Member
0 Kudos

You can check the previous version 15 - there is a link up in the right corner

Former Member
0 Kudos

I've found the Perl script in thread 677226 to be very useful.  The file it creates from the audit log can be searched with grep or imported into a spreadsheet.

Active Contributor
0 Kudos

Look at this project.


It provides extractor of various data out of ABAP AS. It supports event. I think it was originally developed to export data into Splunk for further analysis.



Former Member
0 Kudos

Sweet.  When things let up a bit.  I'll find a sandbox and try it out.



Thank you,

0 Kudos

Hello Frank


Great content, very detailed and easy to understand.



Filipe Santos

Former Member
0 Kudos

Hello Frank,

great job! Thx, U saved me lot of time!!!



0 Kudos

Hi Frank,


By far, the most comprehensive documentation on SAL.


Thanks for sharing,


Former Member
0 Kudos

Hello Frank,


Thanks for posting detailed document .


Bhupesh Akkineni

Former Member
0 Kudos

Do you have GRC Access Control?  The Action Usage Sync pulls this data into the GRACACTUSAGE table which has analysis programs.  You can also query this data very quickly and easily by user.

0 Kudos

Hello Frank,


we get this in our audit log as we switched on Audit Class Dialog Login.

I don't like to have in type=B Background neither want to switch off event class Severe.

So we get events from any batch job, which is uncritical. Severe would by type=A Dialog login itself.


Audit Class

Message IDEvent classNew in releaseMessage
Dialog LogonAU1SevereLogon successful (type=B, method=&C)

Great blog on the security audit log. Fortunately SAP is good in logging, although the SAL by far does not cover for all vulnerabilities and we also miss out on the aggregation and correlation logic which may show patterns of relatively harmless actions sudden look like a SAP attack pattern.

For that reason we did a deep dive and now evaluate a tool that actually accesses all available logs sources (SAL, system log, user master, change logs, …) and reports events in real-time using predefined identification patterns.  SecurityBridge, written by ABAP-Experts, removes the noise form the music when it comes to alert generation.  The complexity for analysing logs and evaluation threats is boxed into predefined event listeners. Furthermore it also provides a plug & play link in order to connect your SAP instances to any SIEM solution.

Best Regards,
Ivan Mans

0 Kudos
Hello Frank,
thanks for providing such detailed Information! It was helpful for us when we started with SAL.
Meanwhile we face another challenge: We'd like to have a logging for any access to the file System (incl. also RZ10, SM37).

As Long as I understand your examples, this is not covered yet ("Project: “Secure File access"). Until now, we only get information to logical file names (TC FILE). We also did not find any relevant Events by checking the description of the  Message IDs.

=> Q: Do you know whether it is possible to get this Information out of SM19/SM20?

Best regards,
Product and Topic Expert
Product and Topic Expert
0 Kudos
The SAL records events related to logical file names - but it does not log any file access which is not related to a logical file name (the log is written within functions like FILE_VALIDATE_NAME etc. but not inside of the ABAP statement OPEN DATASET).

About RZ10: As far as I know there is are logical file names used in RZ10. -> No log about file access

About SE37: Well, it's not the SE37 which might access files directly. It's a function module which you start via SE37. Only if this function uses logical file names you would get log entries.


Kind regards

Frank Buchholz
SAP CoE Security Services
0 Kudos

Hello Frank,
thank you for the explanation!

So, as long as I understand, if we want such file system access logged, we have to ensure that only logical file names are used and so we have to avoid respective inhibit the use of physical file names. I suppose this can/has to be done via SAP authorizations (e.g. allow only file names that are partly qualified via fixed prefix) or via restriction of specific ABAP statements (like OPEN DATASET) or anything like that.

Hm, I think we need to investigate any further…

Best regards,
0 Kudos
Hello Frank,

thank you for this detailed information and recommendations regarding SAL settings!

I have a question about the different filters and events you can log:

For example in Filter 1 you log the event AU2 (dialog logon failed) for every user in every client. In Filter 2 you log the same event but only for user DDIC. So when the logon of user DDIC will fail now, which Filter will record this event to the log files?

Isn't Filter 2 redundant since you already catch the event in Filter 1? Or is the user DDIC in Filter 2 excluded from Filter 1 because he got his own Filter settings?

Kind regards

Thomas Bau
Product and Topic Expert
Product and Topic Expert
0 Kudos
An event gets logged if (at least) one filter match to the message of the event.

Concerning your example: if both filter only deal with message AU2 then the 2nd filter is redundant. However, usually you use different filters, like the following which do not overlap completely:

1st filter: specific messages for all users in all clients
2nd filter: all messages for specific users

Kind regards
Frank Buchholz
SAP CoE Security Services

0 Kudos
Okay... In your example this would mean that the events in filter 2 (all messages for specific users) which are overlapping with the events of filter 1 (specific messages for all users in all clients) are redundant and can be deleted from filter 2 (only non-overlapping events will remain in filter 2) because you catch these messages already with filter 1. Do I understand this correctly?

I'm asking because if this is so, we can customize our filters recursively and avoid overlapping events to get an better overview about all messages we're logging.
Active Contributor
0 Kudos
Hello Frank,


Thank you for the great blog.

I wonder whether I can differentiate direct instance logon and logon group logon via audit logs?

I want to find users logging on to the system without using logon group.

Can you help about the issue, please?


Thanks and Regards,

0 Kudos

Hello Frank,

we have log entries in SM20, which do NOT belong to any active filters in SM19. The only active filter, which would match partwise, is the filter for SAP#*, but of course the log entries are about our Dialog users... Then there is another filter, that would match, but this one is NOT active.

Do you have an explanation for that?

Does the "#" really work in SM19 Settings?

Thanks and Regards,

0 Kudos

Hello Frank Buchholz,

I think in the Events<>Topics list VSI Events might also be a Topic.

Kind Regards,

Franz Lengel

0 Kudos
Hello Frank Buchholz and all,

Can you please read this system default value, and provide the understanding. My SAP Basis admin do not understand and I am facing severe audit logs problems.

0 Kudos
Hello Frank Buchholz,


We are facing a issue while activating audit log in sm19.Transaction start class getting disable automatically when saving the filter.



Manikanta P.

0 Kudos

syedabbas , System Default Value comes from SAP kernel (not the one in SM19) or default parameters. Current value is the active value or user defined. Frank given hint in the very beginning. You can open the link given for Preparing Security Audit log which explains some of these values.


Profile Parameters / Kernel Parameters

rsau/enable = 1

rsau/selection_slots = 10 (or higher if available)

rsau/user_selection = 1

DIR_AUDIT and FN_AUDIT define the path and the file name pattern for the log files.

As of release SAP_BASIS 7.40 you can use the so-called “Kernel Parameters” instead of the listed Profile Parameters. You find them on a new tab in transaction SM19 respective transaction RSAU_ADMIN. See chapter Preparing the Security Audit Log in the Online Documentation. You can set them dynamically and once set they overwrite the values of the profile parameters. Take care to inspect these Kernel Parameters after an upgrade to SAP_BASIS 7.40 or higher.

Which value you couldn't understand? From your picture, I see rsau/enable is 0 which means security audit is not enabled. You can set logging dynamically by going through the same link or permanently by changing profile or kernel parameters depending on Netweaver or Basis version.

Short text
Enable Security Audit

Parameter Description

0 audit not activated
1 audit activated


Audit is only active if you used Transaction SM19 to maintain and activate a corresponding audit profile. You must also specify the directory, name, and maximum size of the audit files using profile parameters. Depending on the settings, audit can lead to large audit files. Ensure that there is sufficent memory in the file system.
0 Kudos
Hello Frank, I'm using SM20 but I found out that not all the tcodes are recorded. I would like to know if is there something I'm loosing. Per example, in sandbox, I execute the tcode FD03. Then, once I was there, I selected the edit option, so the new window was from tcode FD02. I did some changes using that tcode and I reviewed the log. I saw FD03 but I couldn't see FD02. I would like to know then if I enter a creation or modification tcode through a report tcode, the log will only record the one I use to go through? Thanks in advance.

0 Kudos
Hi Frank,

Is it possible to truncate the header part in the log file? For example I want to receive file without following header part, I don't want to edit the file using external scripts, instead want this to be achieved from SAP. So once file is downloaded it should be without the header. Is it possible?



02/19/2019 Dynamic List Display 1
Analysis of Security Audit Log

Period Requested 02/19/2019 12:00:00 - 02/19/2019 21:56:41
Period Selected 02/19/2019 12:00:02 - 02/19/2019 21:56:21
Client 100
Audit Classes Dialog Logon
0 Kudos
Hi Frank, nice blog. Thanks for the initiative.

I have a question maybe you can help me. What happens with the audit log if DIR_AUDIT is not available for 1 hour, for example?

Does the system throw the logs away, or will the system keep trying to write down the file?

Do you have any idea?



0 Kudos
Hi Frank,


My favorite article since I started to work in the SAP Security area.

Just wanted to add here, as I use this article many times to validate audit log settings, might be also useful for others - recently I have encountered that the CLASSES field in table RSAUPROF in S/4 shows System - 64 messages as well, hence the value calculated can be 255 (vs 191 in R/3).




Hello Frank Buchholz, Hi all,


Nowadays there is such Dialog Users as RPA Robots.

Is there a recommendation what to log for such users ?

Since these users may cause a lot of logs, should there be a restricted filter for them ?


Is Security Audit Log only for Dialog Users ?

What About technical users like Batch & RFC Users ?


Thanks in Advance.

Franz Lengel


0 Kudos

Hi Frank

Thanks for the information you have presented.

Not sure if you get insights into future improvements.

In regards to "How to avoid logging for Auto-ABAP (SAPSYS) processing "

I was wondering if there will be a method in the future that would simplify the way to exclude the AUTO-ABAP  type activities appearing by default now under user SAPSYS?

It seems like a lot of manipulation to change the name of that user in rdisp/   parameters to use a new user, then trace and set it's authorisations.

Only to lock in the need to deal with any future requirements that may change in terms of auths for the auto-abap events as you have made it now "non SAPSYS".

Would a flag / setting to say "don't log auto-abap events" as one of the Filter parameters be simpler?

That way we are not altering how the the actual activity is happening ie under the user SAPSYS , we just choose to not add to the logs with frequent auto-abap data.


I see from note  2288530 - System internal logons are not properly logged in Security Audit Log

That are other various  "system internal logons for various tasks" 

"All these logons have in common that they are non-interactive internal system activities. An real end-user has not logged on. No password or other logon credential is used."

Perhaps that note has meant the system internal logons for various tasks then became logged by default?





0 Kudos
Hi frank.buchholz

Thank you very much for this article, it's old but still so helpful.
0 Kudos
Hi Guys,


do you have some information regarding data retention of these SAL (for Germany )? How many years should be kept ? Are there only restriction if you can  zip those audit logs or move them due to space issues ?


Thank you.


0 Kudos

I think the SAL should be moved to a read only device for security reason. It must be kept a while for audit and forensic.

I do not know how long it is allowed to be kept. I think there are restrictions especially if containing personal data ?
0 Kudos
Reviewing the documentation for the Security Audit Log I find many references to "Kernel parameters" as opposed to "Profile parameters". Until now I've always used these terms interchangeably. What's the difference?
Active Contributor

The term "Kernel parameters" is indeed miss leading in this context.

As of release 7.40, some - but not all - of the SAL relevant parameters have been moved to the "Kernel Parameter" tab in transaction SM19 (as of 7.50 it's transaction RSAU_CONFIG). The "Kernel parameters" of the SAL are stored in the table RSAUPROF indicated by field PROFNAME = $KERNEL$.
Once set, the system ignores the values of the corresponding profile parameters. But profile parameters may still be used as a fallback in the case of missing "Kernel Parameter". Therefore, SAP recommends against mixed usage.
0 Kudos
Thank you. Everything is clear now.
0 Kudos
Hi all,

is it correct that UCON RFC changes are not logged, only UCON HTTP events ?


Franz Lengel

Active Contributor
0 Kudos
If you determine that the events EU* and FU* cannot be selected for logging please make sure to implement SAP note 3170439 - SM19 | Detail selection for EU* and FU* events.


0 Kudos
What could be a regular root cause for "Exclusive security audit log medium changed". How often would you expect it to happen? Weekly, monthly, annually?
Product and Topic Expert
Product and Topic Expert
Message FU0 "Exclusive security audit log medium changed (new status 0/1)"

The event is raised by setting the kernel parameter of the recording target.

Manually you set this parameter in the security audit configuration editor, transaction RSAU_CONFIG. I would expect to see this message with a changed value once in lifetime of the system.

However, I can confirm, that I get this message together with message AUE "Audit configuration changed" with a constant value in irregular intervals in my demo environment, too. (I guess it's related to restarts of the system, but I didn't have verified this.)

Note 2680888 describes report RSAU_READ_LOG_DIFF which shows resulting changes only and hides all repeating events for the system messages AUE, AUF, AUG, AUH,AUI,AUJ,EU5, and FU0. Log entries with identical content are summarized: Only the first log entry is displayed, and all further pseudo changes are suppressed.
0 Kudos
Dear Frank,

I am really no expert in SAL/RAL. But I do find regular entries in SM20 across all S/4 releases at hand that look like this:

RAL is not activated in the systems but what is going on?

Best Sven

Product and Topic Expert
Product and Topic Expert
0 Kudos

Let's check some code:

- The report R_JR_BTCJOBS_GENERATOR belongs to package "Technical Job Repository". The report generates standard jobs. I could imagine that this includes a RAL job.

- The Security Audit Log message BU0 "RAL configuration access: Action: &A, type: &B, name &C" is created here:
function RSAU_WRITE_RAL_AUDIT_LOG which is called by method WRITE_AUDIT_LOG of class CL_SRAL_LOG

- Action R = read, type S = client_switch
see definition in class cl_sral_sau_log:

    constants: begin of co_action,
create type t_action value 'C',
read type t_action value 'R',
update type t_action value 'U',
delete type t_action value 'D',
end of co_action,
begin of co_entity_type,
logging_purpose type sral_elog_entity_type value 'P',
log_domain type sral_elog_entity_type value 'D',
recording type sral_elog_entity_type value 'R',
configuration type sral_elog_entity_type value 'C',
blacklist type sral_elog_entity_type value 'B',
client_switch type sral_elog_entity_type value 'S',
ra_log type sral_elog_entity_type value 'L',
end of co_entity_type.

- The message refers to transaction SRALMANAGER

-> I do not know what is happening, but we might search for a standard job which regularly reads the RAL conficuration.

Labels in this area