Logging and Tracing

Logging and Trace Files

The following files are available for logging important security events and helping administrators with troubleshooting:

      Security Logging

Location in Log Viewer: ./log/system/security.log

Location in file system: <J2EE_installation>\j2ee\cluster\serverX\log\system\security.log

This file contains a log of important security events, such as successful and failed user logons, and creation or modification of users, groups and roles. For a complete list of events that are logged and the format in which they are logged, see What is Logged?.

      Trace Files

Location in Log Viewer: ./log/defaultTrace.trc

Location in file system: <J2EE_installation>\j2ee\cluster\server0\log\defaultTrace.trc

This file contains the trace information for the whole server, including trace information for the UME libraries and the UME Provider (com.sap.security.core.ume.service). The information in this file is very fine-grained and includes exceptions, warnings, and debugging information. It is mainly required by the SAP support team.

      Directory Server Logging

When you use an LDAP directory server as a data source for the user management engine (UME), you can configure log files to monitor and troubleshoot the connections.

       Directory Service Access Log

When enabled, the UME creates the directory server access log file, sap.access.audit, in the following location:

<J2EE_installation>\j2ee\cluster\server<n>

When you restart the Application Server (AS) Java, the system checks for the existence of a previous log. If a log exists, the system appends a time stamp to the file name and creates a new log file.

       Directory Service Connection Pool Log

When enabled, the UME creates the directory server connection pool log file, sapum_cpmon_<hostname>_<port>_<object_ID>.log, in the following location:

<J2EE_installation>\j2ee\cluster\server<n>

Viewing Logging and Trace Files in the Log Viewer

       1.      In the Visual Administrator, on the Cluster tab, choose <system_id> → Server → Services → LogViewer.

       2.      Make sure the Runtime tab is displayed.

       3.      In the navigation tree, choose Cluster → Server → <J2EE_installation_directory> and navigate to the required file.

Configuring the Log Viewer

You can change the severity level of logging and tracing using the log configuration services in the Visual Administrator.

       1.      In the Visual Administrator, on the Cluster tab, choose <system_id> → Server → Services → Log Configurator.

       2.      Choose the configuration you want to change.

               -  For security logging, choose Categories → Root Category → System → Security → Audit.

               -  For tracing, switch to advanced mode and choose Locations → Root location → com → sap → security.

       3.      Change the severity level as required.

               a.      Select the required package and choose Edit.

               b.      Under Severity, change the severity settings.

The new severity level will be activated immediately. You do not have to restart the server.

Configuring Security Logging

You can also configure security logging with the following UME properties:

| Property | Value | Description |
|---|---|---|
| ume.secaudit.log_actor | Default value is TRUE. FALSE = Actor of event is not logged. | Defines whether the actor of an event is written to the log file. |
| ume.secaudit.get_object_name | Default value is FALSE. | Defines whether the display name of an object is written to the log file in addition to the object ID. Only the object names of users, groups, UME and portal roles, and user accounts can be displayed. Object names of other objects are not available. |
| ume.logon.security_policy.log_client_hostaddress | Default value is TRUE. | Logs the IP address of the client while logged on. |
| ume.logon.security_policy.log_client_hostname | Default value is FALSE. | Logs the hostname of the client while logged on. Recommendation: For performance reasons, we do not recommend activating this property. |
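
The following check is an added example, not part of the SAP documentation: it resolves the four properties above to their effective values and reports the non-default settings that change what the security log records. It assumes the UME properties are available as a key=value text export and that TRUE/FALSE are matched case-insensitively; the function names and the sample input are constructed for illustration.

```python
# Added example: audit UME security-logging properties (assumes a key=value export).
DEFAULTS = {  # defaults as documented in the table above
    "ume.secaudit.log_actor": True,
    "ume.secaudit.get_object_name": False,
    "ume.logon.security_policy.log_client_hostaddress": True,
    "ume.logon.security_policy.log_client_hostname": False,
}
# Non-default values that change what is recorded, with the reason.
FINDINGS = {
    ("ume.secaudit.log_actor", False): "actor of an event is not logged",
    ("ume.logon.security_policy.log_client_hostaddress", False): "client IP address is not logged",
    ("ume.logon.security_policy.log_client_hostname", True): "hostname logging is not recommended (performance)",
}

def parse_properties(text):
    """Parse key=value lines; skip blanks and '#' comments; the last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def effective_settings(props):
    """Resolve each documented property to a boolean; unset properties keep their default."""
    result = dict(DEFAULTS)
    for key in DEFAULTS:
        if key in props:
            value = props[key].upper()  # assumption: values are case-insensitive
            if value not in ("TRUE", "FALSE"):
                raise ValueError(f"{key}: expected TRUE or FALSE, got {props[key]!r}")
            result[key] = value == "TRUE"
    return result

def audit(text):
    settings = effective_settings(parse_properties(text))
    return [(k, FINDINGS[(k, v)]) for k, v in settings.items() if (k, v) in FINDINGS]

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# constructed export
ume.secaudit.log_actor = false
ume.logon.security_policy.log_client_hostname=TRUE
"""

if __name__ == "__main__":
    print("\n".join(f"{key}: {why}" for key, why in audit(SAMPLE)))
```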

 
