Trace and Log Files
Log Information
Knowledge Management uses the logging mechanisms of the Application Server Java (AS Java).
Logging System Changes
System information is automatically logged in the following file:
Trace File with System Information
| Content | File | Path |
|---|---|---|
| System information | defaultTrace.<n>.trc | \usr\sap\<SAP_System ID>\<Java_instance_name>\j2ee\cluster\server<n>\log\ |
You use Log Viewer to display and analyze the logged data. For more information, see Log Viewer.
Audit Logging
The audit log service saves events (for example, file operations performed by users) that were triggered in selected repositories in Knowledge Management (KM) in the following log file:
Log File with Audit Information
| Content | File | Path |
|---|---|---|
| Audit information on repository events | applications.<n>.log | \usr\sap\<SAP_System ID>\<Java_instance_name>\j2ee\cluster\server<n>\log\ |
You use Log Viewer to display and analyze the logged data. For more information, see Log Viewer.
You can find the audit information for KM in the KMC/RF/APPLOG category.
You cannot configure the level of detail. Internally, the system always writes this log at the INFO level of detail.
Logging Configuration Changes
The system automatically logs changes to the KM configuration in the following file.
Log File for Configuration Changes
| Content | File | Path |
|---|---|---|
| Configuration changes | applications.<n>.log | \usr\sap\<SAP_System ID>\<Java_instance_name>\j2ee\cluster\server<n>\log\ |
You use Log Viewer to display and analyze logged data. For more information, see Log Viewer.
You cannot set a level of detail for the logging of configuration changes.
For more information, see Logging Configuration Changes.
ACL Audit Logging
You can use ACL audit logging to log changes to ACLs and accesses to ACLs.
You activate audit logging for ACLs by setting the required level of detail in the Log Configuration tool in the SAP NetWeaver Administrator for the categories /System/Security/Audit/Access and /System/Security/Audit/Modify. If these categories do not yet exist, you have to create them first. For more information, see Log Configuration with SAP NetWeaver Administrator.
The system writes the log information to the following file.
Log File for ACL Audit Information
| Content | File | Path |
|---|---|---|
| ACL audit information | security.<n>.log | \usr\sap\<SAP_System ID>\<Java_instance_name>\j2ee\cluster\server<n>\log\system |
Logging Changes to ACLs
To log changes to ACLs, set the /System/Security/Audit/Modify category to WARNING or INFO (default) depending on the required level of detail.
Output for ACL Changes
Changes can be logged with the WARNING or INFO levels of detail.
- If you use INFO, the system logs detailed information on the changes.
- If you use WARNING, the system issues brief information (indicated with [aclDetails] in the following list).
When you create, delete, or remove ACLs, the following messages can occur:
| Level of Detail | Output | Description |
|---|---|---|
| INFO / WARNING | <user ID> ACL.CREATE <path> owner: <owner ID> | A new ACL has been created. |
| INFO / WARNING | <user ID> ACL.CREATE <path> [aclDetails] | A new ACL has been created on the basis of an existing ACL. |
| INFO / WARNING | <user ID> ACL.DELETE <path> | An ACL has been deleted. |
| INFO / WARNING | <user ID> ACL.DELETE_ON_CHILDREN <path> | The ACLs for a hierarchy have been deleted. This can be triggered by the deletion of a folder and the items contained therein. |
| INFO / WARNING | <user ID> ACL.ADD_ENTRY <path> <member ID> <permission> | An ACE has been added to an ACL. * |
| INFO / WARNING | <user ID> ACL.REMOVE_ENTRY <path> <member ID> <permission> | An ACE has been deleted from an ACL. * |
| INFO / WARNING | <user ID> ACL.ADD_OWNER <path> <owner ID> | A new owner has been added to an ACL. * |
| INFO / WARNING | <user ID> ACL.REMOVE_OWNER <path> <owner ID> | An owner has been deleted from an ACL. * |
| INFO / WARNING | <user ID> ACL.MODIFY <path> [aclDetails] | An ACL has been changed. The output ACL details correspond to the ACL that is now valid. |
*) ACL.MODIFY can appear in the log file instead of ACL.ADD_ENTRY, ACL.REMOVE_ENTRY, ACL.ADD_OWNER and ACL.REMOVE_OWNER.
The following outputs are only relevant if new services define their own permissions:
| Level of Detail | Output | Description |
|---|---|---|
| INFO / WARNING | <system> ACLPERM.CREATE <permission> | A new permission has been created. |
| INFO / WARNING | <system> ACLPERM.DELETE <permission> | A permission has been deleted. |
| INFO / WARNING | <system> ACLPERM.ADD <permission> | A permission has been identified as a supported permission. |
| INFO / WARNING | <system> ACLPERM.REMOVE <permission> | A permission is no longer designated as a supported permission. |
The following messages are only relevant if a user, group, role, or other UME item has been deleted from user administration:
| Level of Detail | Output | Description |
|---|---|---|
| INFO / WARNING | <user ID> ACL.USER.DELETE <deleted user ID> | A user has been deleted from user administration. The user has also been deleted from the ACLs into which it was entered. |
| INFO / WARNING | <user ID> ACL.GROUP.DELETE <deleted user ID> | A group has been deleted from user administration. The group has also been deleted from the ACLs into which it was entered. |
| INFO / WARNING | <user ID> ACL.ROLE.DELETE <deleted user ID> | A role has been deleted from user administration. The role has also been deleted from the ACLs into which it was entered. |
| INFO / WARNING | <user ID> ACL.PRINCIPAL.DELETE <deleted user ID> | A UME item (user, group, role, and so on) has been deleted from user administration. The item has also been deleted from the ACLs into which it was entered. |
Logging ACL Accesses
You use the /System/Security/Audit/Access category to log ACL accesses. The INFO level of detail is set by default for logging rejected accesses to resources. You can also set the category to WARNING.
Set the category to PATH to log both rejected and permitted accesses.
Output for ACL Accesses
When checking permissions, the following messages can occur:
| Level of Detail | Output | Description |
|---|---|---|
| WARNING | <user ID> ACCESS.ERROR <path> <permission>: not authenticated | User is not authenticated or logged on. |
| WARNING | <user ID> ACCESS.ERROR <path> <permission> | User does not have the specified permission because this is not assigned for the user according to the ACL. |
| WARNING | <user ID> ACCESS.ERROR <path> <permission>: unmapped | User does not have the specified permission because the permission is unknown. |
| PATH | <user ID> ACCESS.OK <path> <permission>: configured | User has the permission due to its configuration as a system user. |
| PATH | <user ID> ACCESS.OK <path> <permission> | User has the permission according to the ACL. |
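
The following Python sketch is an added example, not SAP code: it parses the ACL change and ACL access message layouts from the tables above, counts ACL denials per user, and lists entries where a user added themselves as member or owner. It assumes the message text has already been extracted from the security.<n>.log record (the other record fields are not shown on this page) and that IDs and permission names contain no spaces; the function name and sample messages are constructed for illustration.

```python
import re
from collections import Counter

# Layouts follow the tables above. Assumptions: the message text has already been
# extracted from the log record, and user/member/permission IDs contain no spaces.
ACCESS = re.compile(r"^(?P<user>\S+) ACCESS\.(?P<result>ERROR|OK) "
                    r"(?P<path>.+?) (?P<perm>[^\s:]+)(?:: (?P<reason>.+))?$")
ADD_ENTRY = re.compile(r"^(?P<user>\S+) ACL\.ADD_ENTRY (?P<path>.+) (?P<who>\S+) (?P<perm>\S+)$")
ADD_OWNER = re.compile(r"^(?P<user>\S+) ACL\.ADD_OWNER (?P<path>.+) (?P<who>\S+)$")

# Meaning of each (result, suffix) pair, as listed in the access table.
MEANING = {
    ("ERROR", "not authenticated"): "unauthenticated",
    ("ERROR", None): "denied_by_acl",
    ("ERROR", "unmapped"): "unknown_permission",
    ("OK", "configured"): "system_user",
    ("OK", None): "granted_by_acl",
}

def analyze(messages):
    """Count ACL denials per user and list grants a user made to themselves."""
    denied, self_grants, unparsed = Counter(), [], []
    for msg in messages:
        msg = msg.strip()
        if m := ACCESS.match(msg):
            kind = MEANING.get((m["result"], m["reason"]))
            if kind is None:
                unparsed.append(msg)          # suffix not listed in the table
            elif kind == "denied_by_acl":
                denied[m["user"]] += 1
        elif m := (ADD_ENTRY.match(msg) or ADD_OWNER.match(msg)):
            if m["user"] == m["who"]:         # actor added themselves to the ACL
                self_grants.append((m["user"], m["path"]))
        elif " ACL." not in msg and " ACLPERM." not in msg:
            unparsed.append(msg)              # not one of the documented events
    return denied, self_grants, unparsed

# Constructed sample messages (not taken from a real system).
SAMPLE = [
    "jdoe ACCESS.ERROR /documents/hr/salaries.xls read",
    "jdoe ACCESS.ERROR /documents/hr/salaries.xls write",
    "anonymous ACCESS.ERROR /documents/hr read: not authenticated",
    "jdoe ACL.ADD_ENTRY /documents/hr/salaries.xls jdoe read",
    "admin ACL.ADD_OWNER /documents/public folder kmuser",
    "jdoe ACCESS.OK /documents/hr/salaries.xls read",
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Because ACL.MODIFY can appear in the log instead of ACL.ADD_ENTRY or ACL.ADD_OWNER, an empty self-grant list does not rule out such a change, and ACCESS.OK messages are only present when the access category is set to PATH.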