In a few cases I use an ABAP trial system to experiment. Today I want to test the Security Audit Log to monitor RFC calls, but the analysis of Security Audit Log (SM20) doesn't work on the trial system. Then I debugged the program SAPMSM20 and detect that the function module RSAU_READ_FILE is called with a destination and here I get a system failure, incomplete logon data. I read here in the SCN about the error which is based on a system copy. So I checked the TAC secstore and found the reason.
Because of the system copy are two entries in the secure store disabled. After I delete the two entries the analysis of the Security Audit Log works as expected and all RFC calls have been logged.
You can find more information about the Security Audit Log here.