Comparing the Security Audit Log and the System Log

Objective

Records security-related information that can be used to reestablish a series of events (for example, unsuccessful logon attempts or transaction starts).

Records information that may signal system problems (for example, database read errors, rollbacks).

Audience

Auditors

System administrators

Flexibility of Use

You can activate and deactivate the security audit log as necessary. Although you may wish to audit your system on a daily basis, you do not have to. For example, you may wish to activate the security audit log for a period of time before a scheduled audit and deactivate it between audits.

The system log is needed on a continuous basis. You do not deactivate the system log.

Log Availability

The audit logs are local logs maintained on each application server. However, in contrast to the system log, the system maintains its audit logs on a daily basis and you must archive or delete the log files manually. This way, you can refer to logs from previous days and the time frame for available logs is increased

There are two types of system logs, local and central. Local logs are maintained on each individual application server. These files are circular, meaning that once they are full, they are overwritten from the beginning. The sizes of these logs, as well as the time frame where they are available, are limited.

You can maintain a central log. However, the central log is currently not completely platform independent. At the current time, it can only be maintained on a UNIX platform. The central log is also not kept indefinitely.

Handling of Sensitive Data

Contains personal information that may fall under data protection regulations.

You must pay close attention to data protection regulations before you activate the security audit log.

Contains no personal data.