
The Design of the Security Audit Log

Use

The security audit log keeps a record of security-related activities in SAP NetWeaver Application Server (AS) ABAP-based systems. This information is recorded daily in an audit file on each application server. To determine what information should be written to this file, the audit log uses filters, which are stored in memory in a control block. When an event occurs that matches an active filter (for example, a transaction start), the audit log generates a corresponding audit message and writes it to the audit file. A corresponding alert is also sent to the Computing Center Management System (CCMS) alert monitor. Details of the events are provided in the audit analysis report of the security audit log. The figure below illustrates the architecture of the security audit log.

Figure 1: Security Audit Log Architecture

Note

The AS ABAP maintains its audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that can accumulate, you should archive these files on a regular basis and delete the originals from the application server.

For more information, see Deleting Old Audit Files.

The Audit File / The Audit Record

The audit files are located on the individual application servers. You define the name and location of the files in the profile parameter rsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains information such as the following:

  • Server name

  • Instance name

  • Work process type

  • SAP user ID

  • Terminal name

  • Work process number

  • Transaction code

  • Program name

  • Client

  • Message text

  • Message group

  • Sub-name (used in determining the message group)

  • Audit class

  • Security level

  • File number

  • Address in file

  • Parameters used for the message text

You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.

Filters

You define the events you want to audit in filters. This information is stored in the control block, which is located in the application server's shared memory. The SAP system uses this information to determine which audit messages should be written to the audit file.

Filters consist of the following information:

  • Client

  • User

  • Audit Class

    • Dialog logon

    • RFC/CPIC logon

    • RFC function call

    • Transaction start

    • Report start

    • User master change

    • System

    • Other

  • Weight of events to audit

    • Only critical

    • Important and critical

    • All

For more information, see Defining Filters.
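
The following is a simplified model of the filter check and the audit file size limit described above. It is an added example, not SAP code. The "*" wildcard, the numeric severity ranks, the fixed 200-byte record size, and all sample clients, users and events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Minimum severity rank each "weight of events" setting lets through (assumed ranks).
ONLY_CRITICAL, IMPORTANT_AND_CRITICAL, ALL = 3, 2, 1

@dataclass(frozen=True)
class Event:
    client: str
    user: str
    audit_class: str
    severity: int            # 3 = critical, 2 = important, 1 = non-critical

@dataclass(frozen=True)
class Filter:
    client: str              # "*" as match-any is an assumption of this model
    user: str
    audit_classes: frozenset
    min_severity: int

    def matches(self, ev):
        return (self.client in ("*", ev.client)
                and self.user in ("*", ev.user)
                and ev.audit_class in self.audit_classes
                and ev.severity >= self.min_severity)

def replay(events, filters, max_bytes=1_000_000, record_bytes=200):
    """Return one outcome per event plus the records that reached the file."""
    records, outcomes = [], []
    for ev in events:
        if not any(f.matches(ev) for f in filters):
            outcomes.append("filtered")      # no active filter: nothing is logged
        elif (len(records) + 1) * record_bytes > max_bytes:
            outcomes.append("dropped")       # size cap reached: auditing has stopped
        else:
            records.append(ev)
            outcomes.append("written")
    return outcomes, records

# Constructed sample filters and events.
SAMPLE_FILTERS = [
    Filter("*", "*", frozenset({"Dialog logon"}), ONLY_CRITICAL),
    Filter("100", "ADMIN1", frozenset({"Transaction start", "Report start"}), ALL),
]
SAMPLE_EVENTS = [
    Event("100", "JDOE", "Dialog logon", 3),
    Event("100", "JDOE", "Dialog logon", 1),
    Event("100", "ADMIN1", "Transaction start", 1),
    Event("200", "ADMIN1", "Transaction start", 3),
    Event("100", "ADMIN1", "Report start", 2),
]
```

Replaying the sample events with a deliberately small cap (for example `max_bytes=400`) shows the last matching event being lost, which is why the file size limit needs to be sized and monitored against the expected event volume.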

The Audit Analysis Report

You can view the contents of the audit files in the audit analysis report. For more information, see:

Alerts in the Computing Center Management System Alert Monitor

For the events it records, the security audit log also generates security alerts in the CCMS alert monitor.

For more information, see Security Alerts in the CCMS Alert Monitor.