Security Audit Log of the AS Java
The security audit log of the SAP NetWeaver Application Server (AS) Java contains a log of important security events, such as successful and failed user logons, and creation or modification of users, groups and roles. This information is used by auditors to track changes made in the system.
For more information about the security log, see Logging and Tracing.
Each entry in the log file has the following format:
[TimeStamp] | [Severity] | [Actor] | [Event] | [ObjectType] = [ObjectID] | [ObjectName] | [Details]

Feb 12, 2003 6:20:48 PM | Info | <systemuser> | LOGIN.OK | USER = … | TestUser02
The parts of the log file entries are described in the table below:
Timestamp | Includes time zone (UTC)
Severity | Path = Low; Info = Medium; Warning = High; Error = Very High
Actor | The logged in user or <systemuser> if no user was logged in (optional).
Event | Consists of a category (such as USER, LOGIN, ACL) and an action (such as CREATE, DELETE).
ObjectType | The type of object involved in the event, for example, USER, USERACCOUNT, ROLE, GROUP, PRINCIPIAL or NONE
ObjectID | Unique ID of the object. Only the object IDs of users, groups, UME roles, and user accounts can be displayed. For all other objects, only a hash value is available.
ObjectName | Human readable description of the object (optional). Only the object names of users, groups, UME or portal roles, and user accounts can be displayed. Object names of other objects are not available.
Details | Additional information as a comma-separated list of key=value pairs.
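The following parser is an added example, not SAP code: it splits entries according to the format and field table above, maps the log severity to its rating, and keeps only the High and Very High entries for review. The function names, the timestamp layout (taken from the sample entry), the USER.CREATE and ACL.CREATE event names (assembled from the categories and actions named above), and all sample values after the first entry are assumptions made for the illustration.

```python
from datetime import datetime

# Log severity -> rating per the field table; timestamp layout per the sample entry.
RATING = {"Path": "Low", "Info": "Medium", "Warning": "High", "Error": "Very High"}
TS_FORMAT = "%b %d, %Y %I:%M:%S %p"

def parse_details(text):
    """Parse 'k1=v1, k2=v2'; a piece without '=' continues the previous value."""
    pairs, last = {}, None
    for piece in text.split(","):
        key, sep, value = piece.partition("=")
        if sep:
            last = key.strip()
            pairs[last] = value.strip()
        elif last is not None and piece.strip():
            pairs[last] += "," + piece.strip()
    return pairs

def parse_entry(line):
    """Return one entry as a dict; raise ValueError if the line does not fit."""
    parts = [p.strip() for p in line.split("|", 6)]
    if len(parts) < 5 or parts[1] not in RATING:
        raise ValueError("not a security audit entry: %r" % line)
    parts += [""] * (7 - len(parts))  # ObjectName and Details are optional
    ts, severity, actor, event, obj, name, details = parts
    category, _, action = event.partition(".")
    obj_type, _, obj_id = obj.partition("=")
    return {"time": datetime.strptime(ts, TS_FORMAT), "severity": severity,
            "rating": RATING[severity], "actor": actor, "category": category,
            "action": action, "object_type": obj_type.strip(), "object_id": obj_id.strip(),
            "object_name": name, "details": parse_details(details)}

def high_rated(lines):
    hits = []
    for line in lines:
        try:
            entry = parse_entry(line)
        except ValueError:
            continue  # skip lines that are not audit entries
        if entry["rating"] in ("High", "Very High"):
            hits.append(entry)
    return hits

SAMPLE = [  # first entry is the one shown on this page; the rest are constructed
    "Feb 12, 2003 6:20:48 PM | Info | <systemuser> | LOGIN.OK | USER = … | TestUser02",
    "Feb 12, 2003 6:31:02 PM | Info | admin01 | USER.CREATE | USER = example-id-1 | TestUser03 | company=ExampleCo",
    "Feb 12, 2003 6:40:15 PM | Warning | admin01 | ACL.CREATE | NONE = 5d41402a | | owner=admin01,admin02, source=ui",
    "server restarted",
]
```

Calling high_rated(SAMPLE) returns only the constructed ACL.CREATE entry; the malformed last line is skipped rather than aborting the run.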
The following table lists at which events an entry is made in the log file and provides details on what information is logged.
Event | Severity | Object ID | Details
Principal modification | | |
User creation | Medium | The new user | Company ID
User creation | Low | The new user | All user attributes
User account creation | High | The new user account | Assigned user ID
Group creation | High | The new group | Assigned users and groups
Role creation | High | The new role | Assigned users and groups; assigned actions
User modification | Medium | The modified user | If user was assigned to a company: Company ID
User modification | Low | The modified user | All changed user attributes
User account modification | High | The modified user account | Password was changed (Forced to change / Success / Failed: Reason); user was locked (reason); user was unlocked; certificate was modified. Possible reasons for a locked user are: [1]: User was locked due to too many incorrect logon attempts; [2]: User was locked by an administrator.
Group modification | High | The modified group | If group members were modified: Added or removed users and groups
Role modification | High | The modified role | If role members were modified: Added or removed users and groups. If actions were modified: Added or removed actions
User deletion | Medium | The deleted user | (no details)
User account deletion | High | The deleted user account | Assigned user ID
Group deletion | High | The deleted group | (no details)
Role deletion | High | The deleted role | (no details)
User mapping | | |
User mapping creation | Medium | The mapped user | System alias; remote user ID; type of system (SAP_R3, SAP_BW, or SAP_CRM)
User mapping modification | Medium | The mapped user | System alias; remote user ID
User mapping deletion | Medium | The mapped user | System alias; remote user ID
User mapping usage | Medium | The mapped user | System alias; remote user ID
Login/Logoff | | |
Successful user logon | Medium | The used user account | User ID; logon method/authentication scheme; IP address
Failed user logon | High | The used user account | User ID; logon method/authentication scheme; IP address; reason why logon failed (wrong password, user locked, …)
User logoff | Medium | The used user account | (no details)
Permission (checking) | | |
ACL creation | High | The object for which the ACL was created | Owner
ACL modification | High | The object whose ACL was modified | Added or removed owners; added or removed ACEs (access control entries): (Principal, Permission); changed object ID
ACL deletion | High | The object to which the ACL was assigned | (no details)
Access violation or access denied | Very high | The object the user wanted to access (if available) | Permission the user would have needed to access the object
Access granted | Low | The object the user accessed (if available) | Permission that was needed to access the object
Configuration | | |
Customizing | Medium | “Properties” | At start up of AS Java: All customized properties with their values. Otherwise: Changed properties
You can configure what information appears in the security audit log. You can also configure the AS Java to save the security audit entries in a separate file.
You can use UME properties to configure what is logged. The following options are available:
● Log the object ID of an event.
● Disable the logging of the actor of an event; only anonymous is recorded.
● Disable the logging of the client host address.
● Log the client hostname.
For more information, see Security Audit.
By default the security audit logs are written in the file /usr/sap/<SID>/<instance>/j2ee/cluster/serverX/security_audit.X.log. You can change the location of the file in the Visual Administrator:
1. Start the Visual Administrator.
2. On the Cluster tab, choose <system_id> → Server → Services → Log Configurator.
3. Go to Advanced Mode → Destinations.
4. Select the service_security_audit destination.
5. Change the location of the security audit log file.

In the default value, the ./ stands for /usr/sap/<SID>/<instance>/j2ee/cluster/serverX/.
6. Save your changes.