The security audit log keeps a record of security-related activities in SAP NetWeaver Application Server (AS) ABAP-based systems. This information is recorded daily in an audit file on each application server. To determine what information should be written to this file, the audit log uses filters, which are stored in memory in a control block. When an event occurs that matches an active filter (for example, a transaction start), the audit log generates a corresponding audit message and writes it to the audit file. A corresponding alert is also sent to the Computing Center Management System (CCMS) alert monitor. Details of the events are provided in the audit analysis report of the security audit log. The figure below illustrates the architecture of the security audit log.
The AS ABAP maintains its audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that can accumulate, you should archive these files on a regular basis and delete the originals from the application server.
For more information, see Deleting Old Audit Files.
The Audit File / The Audit Record
The audit files are located on the individual application servers. You define the name and location of the files in the profile parameter rsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains information such as the following
Server name
Instance name
Work process type
SAP user ID
Terminal name
Work process number
Transaction code
Program name
Client
Message text
Message group
Sub-name (used in determining the message group)
Audit class
Security level
File number
Address in file
Parameters used for the message text
You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.
Filters
You define the events you want to audit in filters. This information is stored in the control block, which is located in the application server's shared memory. The SAP system uses this information to determine which audit messages should be written to the audit file.
Filters consist of the following information:
Client
User
Audit Class
Dialog logon
RFC/CPIC logon
RFC function call
Transaction start
Report start
User master change
System
Other
Weight of events to audit
Only critical
Important and critical
All
For more information, see Defining Filters.
The Audit Analysis Report
You can view the contents of the audit files in the audit analysis report. For more information, see:
Alerts in the Computing Center Management System Alert Monitor
The security audit log also generates security alerts for the events recorded in the CCMS alert monitor.
For more information, see Security Alerts in the CCMS Alert Monitor.