2008 May 22 5:56 PM
Hi,
Has anyone turned on the audit log in your system?
Please share with me how you make use of this log and what should be monitored.
Comments and advice will be highly appreciated.
regards,
kent
2008 May 22 10:21 PM
Hi Kent,
Let me start with simple points... the gurus will add
1. Enabling the security audit log:
Parameter rsau/enable enables the Security Audit Log.
-> Check the other rsau* parameters to maintain the log file size, location and other settings, like:
rsau/max_diskspace/local
rsau/selection_slots
2. Configuring the filters
Use SM19 to configure the filters. There are two types of filters, static and dynamic. Dynamic filters get flushed when a system is bounced.
The number of dynamic filters you can specify is defined in the profile parameter rsau/selection_slots.
3. What you need to monitor depends on the requirement. You can take a look at all critical and important events that are deemed important per the requirement or company. Keep in mind that audit logs can grow really fast. You will need to monitor them and archive and delete old files regularly. (Note: SM18 does not archive files, it only deletes them!)
One thing I remember is, we cannot have a partially generic entry to define filters for clients or users. Example, it can be a ''. but cannot be A or BC*
4. This log can be analyzed via SM20N.
Hope this helps
Abhishek
2008 May 23 5:56 AM
I have used and set up the audit log for several years already and used it on several different release levels.
I can recommend using it and getting to know how to use it. To my knowledge it is the intended tool for security monitoring.
What to monitor depends on the system and events which your processes would not expect:
- Do you want users creating / changing authorizations in production?
- Use of specific tcodes, rfcs or reports (whether successful or not) which you have not restricted yet or perhaps cannot restrict due to some reason.
- Patterns which might form and otherwise go undetected.
- In the event of a breach of security, it is useful for reconstructing events (or other users from the same terminal).
- ...
Also useful are the dynamic profiles, which can be used to "troubleshoot" or add more information for specific users (like auditors) or events as required without having to restart the system.
I recommend that you have a procedure in place for how to deal with analyzing these types of logs and how to react to them! For example if someone logs on at 3 a.m. in the morning and posts some vendor invoices, then they might just be in a different time zone or a job step is running under their user ID to post the records. You should not fire the user because of that...
Protecting the logs and handling archiving and deleting of them is also a topic you should discuss with your "basis" team.
Cheers,
Julius
2008 Jun 10 8:50 AM
Hello Everyone,
Is there any way I can schedule this transaction?
Regards,
Prashanth
2008 Jun 10 9:23 AM
You might be able to schedule a variant of program RSAU_SELECT_EVENTS - documentation on this is a bit sparse so make sure you test before deploying in a production environment.
2008 Jun 10 9:36 AM
Please don't cross-post and use the correct forum! But thank you for using the search!
Take a look at:
*&---------------------------------------------------------------------*
*& Report RSAU_READ_AUDITLOG_EXTERNAL *
*& *
*&---------------------------------------------------------------------*
*& SecAudit: Example for reading Alerts using BAPIs *
*&---------------------------------------------------------------------*
Cheers,
Julius
2008 Jun 10 12:47 PM
I used the audit log in this case.
A system user was locked, and every time I unlocked it, it was locked again. Then I activated the audit log, and the next time it was locked I saw which system and terminal locked it.
The solution was to change the RFC in the system where the password of this user was wrong.
2008 Jun 11 4:48 AM
Hello,
I was able to schedule the program; that was fine.
I am not a basis person, so I have a few more questions on the same issue, as below:
1. I checked the parameter rsau/max_diskspace/local, the current size of it is 10MB.
(A) So what happens if the logs get over 10MB?
(B) Where do we check the current size of the log?
(C) Can we setup any kind of alert?
2. The current value of parameter rsau/selection_slots is set to 2, is that OK?
Prashanth
2008 Jun 11 7:19 AM
Hi,
Please review SAP Note 539404 (https://service.sap.com/sap/support/notes/539404).
You can check the current file size on OS level too.
Alerting shall also be possible on OS level.
Depending on the settings for logging, I suggest considering whether you really need all the information logged if you regularly reach 10 MB of file size. It is possible to set your system to create a new file once the first has reached 10 MB (as far as I remember).
b.rgds, Bernhard
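
Added example, not part of any post in this thread: one way to do the OS-level size check and alerting mentioned in the last reply, comparing each audit file against the limit configured in rsau/max_diskspace/local. The function name, the directory argument, the `audit_*` file name pattern and the 80% warning threshold are assumptions; pass the values used on your own instance.

```shell
#!/bin/sh
# Added example: OS-level size check for Security Audit Log files.
# Assumptions (not from the thread): the audit directory and the "audit_*"
# name pattern are supplied by the caller; the limit is given in bytes and
# should mirror rsau/max_diskspace/local on that instance.

# check_audit_files DIR LIMIT_BYTES [WARN_PCT] [PATTERN]
# Prints one line per file: "<STATUS> <percent>% <bytes> <path>"
# Returns 0 if every file is OK, 1 if any is WARN, 2 if any is FULL,
# 3 on bad arguments.
check_audit_files() {
    dir=$1; limit=$2; warn_pct=${3:-80}; pattern=${4:-audit_*}
    worst=0

    [ -d "$dir" ] || { echo "ERROR no such directory: $dir" >&2; return 3; }
    case $limit in
        ''|*[!0-9]*|0) echo "ERROR bad limit: $limit" >&2; return 3 ;;
    esac

    # $pattern is left unquoted on purpose so the shell expands the glob.
    for f in "$dir"/$pattern; do
        [ -f "$f" ] || continue      # no match, or not a regular file
        size=$(wc -c < "$f" | tr -d ' ')
        pct=$(( size * 100 / limit ))
        if [ "$size" -ge "$limit" ]; then
            status=FULL
            worst=2
        elif [ "$pct" -ge "$warn_pct" ]; then
            status=WARN
            [ "$worst" -lt 1 ] && worst=1
        else
            status=OK
        fi
        echo "$status ${pct}% $size $f"
    done
    return "$worst"
}

# Typical use from cron or a monitoring agent (placeholder path, 10 MB limit):
#   check_audit_files /path/to/audit/dir 10485760 80 || notify_someone
```

The return code is what a scheduler or monitoring agent would act on; the printed lines show which file triggered it.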