Hi prashanth,

SAP Transaction Code: SM20N

Report used to generate SM20N is: SAPMSM20

Internal Tracking ID: 414

this is for Analysis of Security Audit Logs.

Displaying the Audit Analysis Report

Use

The Security Audit Log produces an audit analysis report that contains the audited activities. By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System.

The audit analysis report produced by the Security Audit Log is designed analog to the System Log.

Procedure

...

1. To access the Security Audit Log analysis screen from the SAP standard menu, choose Administration à System Administration à Monitor à Security Audit Log à Analysis (transaction SM20).

The Security Audit Log: Local Analysis screen appears; local analysis is the default.

For an improved user interface, use the transaction SM20N.

2. If you want to analyze a remote server, choose Security Audit Log à Choose à Remote Audit Log. To analyze all servers, choose Security Audit Log à Choose à All audit logs.

Your choice is displayed next to the Imported audit log entries field.

3. If you choose to analyze a remote server, then enter the name of the application server in the Instance name field.

4. Enter any restrictions you want to apply to the audit analysis report in the appropriate fields or by selecting the desired indicators (for example, From date/time, To date/time, User, Transaction, Audit classes, or Events to select).

Events are classified into three categories, critical, important, and non-critical, with critical being the most important. You can view critical events only, critical and severe events, or all events.

5. If you want to include or exclude specific messages from your report:

a. Choose Edit à Expert mode.

b. Choose Message filter.

c. Select either Only these messages or All except these messages as appropriate.

d. Enter the message numbers you want to include or exclude. (The message numbers correspond to the system log messages AU.

The following sort options are available:

· Write sequence

· Time

· Instance

Result

The result is the audit analysis report containing the messages that correspond to your selection criteria. By selecting an individual message, you can view more detailed information

The Audit Log Display Options

Option

Meaning

No. pages for individual entries

Specifies the maximum number of pages you want to view. This only applies to the main section of the report, not to the introductory information or summaries.

With statistical analysis

If you activate this option, then the following statistics are included with your report.

Instance statistics (when analyzing all instances)

Client statistics

Report statistics

Transaction statistics

User statistics

Message statistics

Settings

Specifies the layout and output devices.

Reading the Audit Analysis Report

In this section, we describe how to read the audit analysis report produced from the procedure Displaying the Audit Analysis Report.

The Main Audit Analysis Report

The audit analysis report is divided into four main sections:

Introductory information

Audit report

Statistical analysis

Contents

Introductory Information

At the top of the report, you find the selection options applied to the audit file to generate this report (for example, From date/time, To date/time, User, and Audit classes).

Audit report

The audit report follows the introductory data and contains the following information for each audit event found in audit file that applies to your selection criteria (depending on your display configuration):

Date

Time

Instance

Category (dialog or batch)

Message number

Audit class code (For example, a dialog logon attempt belongs to class number 002.)

User

Transaction code

Terminal number

Summary information is included at the end of the list (for example, the number of records read, the number of records selected, and audit file names).

Statistical analysis

If you included With statistical analysis in the display options, then the following blocks of information are included after the audit data:

Instance statistics (when analyzing all instances)

Client statistics

Report statistics

Transaction statistics

User statistics

Message statistics

Contents

A list of contents is provided at the end of the report.

The Detailed Audit Analysis Report

To view details about a specific message, place the cursor on the entry and choose Edit à Details. A detailed description of the message including information such as the task name, class, message documentation, and the technical details of the audit record appears.

thanks

karthik