Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

Today I will present a scenario about SAL: use one directory to store all SAL files from all application servers in a SAP system.

As I mentioned in my previous blog, the most comprehensive document on SAL that I ever found, is available here: “Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)”.

My system landscape

For testing purposes, I will use a SAP Netweaver 7.31 system. It have the following hosts and instances:

Host A: ASCS01 and DVEBMGS00

Host B: D00 and D01

SAL configuration

I will set DIR_AUDIT to \\Host B\usr\sap\SID\Audit\ in all dialog instances from the system.

Additional parameters:

FN_AUDIT = audit_++++++++_######.AUD

rsau/max_diskspace/per_day = 1000M

rsau/max_diskspace/per_file = 100M

Thus, all SAL files will be recorded in a single directory, using the pattern above (given by FN_AUDIT). I expect multiple files per day, having each file 100 MB. The maximum disk space that can be used every day is 1000 MB.

In SM19 I decided to record all Audit classes in all clients for all user IDs.

Where are the entries?

Well, all the entries are recorded in the same file, for all application servers. You will find incorrect information in SM20:

As you can see, 1, 2 and 3 show the exact same entries, for the same User and same Terminal name (even though I omitted this information from the screenshot). The entries from 1 and 2 are from Host B, instances D00 and D01. The entries from 3 are from Host A, instance DVEBMGS00.


Set individual directories for SAL files. Each application server should write its own files in an exclusive directory.

So, in my landscape, fixing things means setting DIR_AUDIT in the instance profile, using:


DIR_AUDIT = X:\usr\sap\SID\DVEBMGS00\log


DIR_AUDIT = X:\usr\sap\SID\D00\log


DIR_AUDIT = X:\usr\sap\SID\D01\log

Then I executed one transaction code in each app server, resulting in the following SM20 report:

Additional Information

539404 - FAQ: Answers to questions about the Security Audit Log

Stay tuned for my next blog on SAL.

1 Comment