Security Logging

SAP NetWeaver Application Server (SAP NetWeaver AS) keeps a variety of logs for system administration, monitoring, problem solving, and auditing purposes. Audits and logs are important for monitoring the security of your system and to track events if problems occur.

What Do I Get from SAP NetWeaver Application Server?

Depending on the data type, SAP NetWeaver AS offers different frameworks for logging data changes. In addition, several frameworks exist for logging events. For an overview of the different frameworks provided, see the following table:

Table 1: Frameworks Available for Security Logging

| Data Type or Events | Framework |
|---|---|
| Events | Security audit log, system log, application log |
| Repository data | Version management |
| Customizing data | Table logging |
| Master data | Standard change documents |
| Transaction data | No framework provided. It is not useful to log transaction data. |

What Do I Need to Do?

Every time a log is required to trace data changes or system events, determine whether a logging mechanism that fulfills your needs is already provided by SAP NetWeaver AS. Where possible, use standard functions. When you use standard functions, you automatically inherit all functions from the framework; for example, archive routines for change documents.

Security Audit Log

The security audit log is available on SAP NetWeaver AS. The tool is designed for auditors who need to take a detailed look at what security-related events have occurred in SAP NetWeaver AS. You can activate or deactivate the security audit log. When you activate the audit log, the system keeps a record of those activities the customer considers relevant for auditing. The information can be evaluated by an audit analysis report.

The security audit log allows insight into the daily work processes and system events, such as failed logon attempts or transaction starts. The audit log's main objective is to record the following:

  • Security-related changes to the SAP system environment

    For example:

    • Changes to user master records

    • Changes to the audit configuration

  • Information that provides more transparency

    For example:

    • Successful and unsuccessful dialog logon attempts

    • Successful and unsuccessful RFC logon attempts

    • Start and stop of SAP NetWeaver AS
    • Download of files

  • Information that enables tracing of a series of events

    For example:

    • Successful and unsuccessful transaction starts

    • Successful and unsuccessful report starts

    • RFC calls to function modules

System Log

In addition to the security audit log, the system log is also written in SAP NetWeaver AS. The system log provides a more technical view of the events in a system, such as rollbacks, database read errors, dumps, and so on. The system log is written on a continuous basis and cannot be deactivated. Each event is recorded as a system log message under the system log numbers AU, BU, or CU.

Application Log

The application log is a tool that collects messages, exceptions, and errors. This information is organized and displayed in a log. Application logs are useful for bringing situations that occur at runtime of an application program to the attention of the user. In standard SAP systems you find application logs in QM, for example.

If you provide the application log (events) as an infrastructure in your own programs, take into account that it is used to store messages temporarily. Data that must remain available for a long period of time for reasons of revision security should not be stored in the application log but in change documents (changed data).

Developers who want to integrate the application log in their applications can find detailed documentation for all function modules and archiving techniques using archiving object BC_SBAL, and an overview of callback routines by executing the report SBAL_DOCUMENTATION in ABAP: Program Execution (transaction SA38).

Audit Info System (AIS)

Do not confuse the security audit with the Audit Info System (AIS). AIS is designed to facilitate and improve the audits performed by external auditors as well as internal auditors. The system is designed for Business Auditors, System Auditors and Security Administrators; many System Administrators also find it a useful tool.

Version Management

Use the version management function for repository objects when making modification adjustments. The aim of version management is to keep track of all changes made to a repository object. Therefore, the system automatically creates versions.

Table Logs

The analysis of logged customizing objects allows the customer to answer the following questions:

  • Who has changed customizing settings?

  • When and what has been changed?

Log files are written if the following prerequisites are met: 

  • The rec/client parameter in the system profile is set to allow data logging.

  • Logging is active for the table.

When developing your application, you must decide for which tables you want to activate logging. You can activate table change logging in the technical settings of the table using ABAP Dictionary (transaction SE11).
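The following report checks both prerequisites for one table. It is an added example, not SAP's own code: the report name and the default table name are hypothetical, and it assumes a release in which the kernel call C_SAPGPARAM is permitted for reading profile parameters.

```abap
REPORT zsec_check_table_logging.

" Added example. Report name and default table name are hypothetical.
PARAMETERS p_tab TYPE tabname DEFAULT 'ZCUST_SETTINGS'.

DATA: gv_rec_client TYPE c LENGTH 128,
      gt_clients    TYPE STANDARD TABLE OF string,
      gv_param_ok   TYPE abap_bool,
      gv_protokoll  TYPE dd09l-protokoll.

START-OF-SELECTION.

  " Prerequisite 1: rec/client must cover the current client.
  " Its value is OFF, ALL, or a comma-separated list of clients.
  CALL 'C_SAPGPARAM' ID 'NAME'  FIELD 'rec/client'
                     ID 'VALUE' FIELD gv_rec_client.
  TRANSLATE gv_rec_client TO UPPER CASE.
  CONDENSE gv_rec_client NO-GAPS.

  IF gv_rec_client = 'ALL'.
    gv_param_ok = abap_true.
  ELSEIF gv_rec_client IS NOT INITIAL AND gv_rec_client <> 'OFF'.
    SPLIT gv_rec_client AT ',' INTO TABLE gt_clients.
    READ TABLE gt_clients TRANSPORTING NO FIELDS
         WITH KEY table_line = sy-mandt.
    IF sy-subrc = 0.
      gv_param_ok = abap_true.
    ENDIF.
  ENDIF.

  " Prerequisite 2: logging flag in the active technical settings (SE11).
  SELECT SINGLE protokoll FROM dd09l INTO gv_protokoll
    WHERE tabname  = p_tab
      AND as4local = 'A'
      AND as4vers  = '0000'.
  IF sy-subrc <> 0.
    WRITE: / 'No active technical settings found for', p_tab.
    RETURN.
  ENDIF.

  WRITE: / 'rec/client =', gv_rec_client.
  IF gv_param_ok = abap_true AND gv_protokoll = abap_true.
    WRITE: / 'Changes to', p_tab, 'are logged in client', sy-mandt.
  ELSEIF gv_protokoll = abap_true.
    WRITE: / 'Flag is set, but rec/client does not cover client', sy-mandt.
  ELSE.
    WRITE: / 'Logging flag is not set for', p_tab.
  ENDIF.
```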

Standard Change Documents

Many business objects are changed frequently. It is often useful and even necessary to be able to trace the changes made. This logging is carried out with change documents.

How to Use a Logging Framework?

When using a logging framework, consider the following advice:

  • Keep in mind that the aim of a log should always be the traceability of events on the business object of interest.

  • All data and documents must be assigned to the relevant transactions.

  • Never log passwords in plain text.

  • Logs should not contain potentially confidential data such as credit card numbers or social security numbers. Instead, log sensitive data of this type in specially protected logs with authorization checks.
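As an added example (not SAP's own code), the following report writes a message to the application log through the standard function modules and masks a card number before the text reaches the log. The report name, the log object ZSEC_DEMO, and the subobject PAYMENT are hypothetical, and the sample message is constructed.

```abap
REPORT zsec_applog_masked.

" Added example. Log object ZSEC_DEMO and subobject PAYMENT are hypothetical
" and must be defined in the system before the log can be saved.
DATA: gs_log     TYPE bal_s_log,
      gv_handle  TYPE balloghndl,
      gt_handles TYPE bal_t_logh,
      gv_text    TYPE c LENGTH 200.

START-OF-SELECTION.

  " Constructed sample message containing a 16-digit test card number.
  gv_text = 'Payment rejected for card 4111111111111111'.

  " Mask every long digit run except its last four digits before logging.
  REPLACE ALL OCCURRENCES OF REGEX '\d{9,15}(\d{4})'
    IN gv_text WITH '************$1'.

  " Header fields record who wrote the log, from where, and when.
  gs_log-object    = 'ZSEC_DEMO'.
  gs_log-subobject = 'PAYMENT'.
  gs_log-aluser    = sy-uname.
  gs_log-alprog    = sy-repid.
  gs_log-aldate    = sy-datum.
  gs_log-altime    = sy-uzeit.
  CALL FUNCTION 'BAL_LOG_CREATE'
    EXPORTING  i_s_log      = gs_log
    IMPORTING  e_log_handle = gv_handle
    EXCEPTIONS OTHERS       = 1.
  IF sy-subrc <> 0.
    WRITE / 'Log could not be created.'.
    RETURN.
  ENDIF.

  CALL FUNCTION 'BAL_LOG_MSG_ADD_FREE_TEXT'
    EXPORTING  i_log_handle = gv_handle
               i_msgty      = 'E'
               i_text       = gv_text
    EXCEPTIONS OTHERS       = 1.
  IF sy-subrc <> 0.
    WRITE / 'Message could not be added.'.
    RETURN.
  ENDIF.

  " Persist the log; without this step it exists only in memory.
  INSERT gv_handle INTO TABLE gt_handles.
  CALL FUNCTION 'BAL_DB_SAVE'
    EXPORTING  i_t_log_handle = gt_handles
    EXCEPTIONS OTHERS         = 1.
  IF sy-subrc = 0.
    COMMIT WORK.
    WRITE: / 'Saved log entry:', gv_text.
  ENDIF.
```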

How Not to Do It?

As mentioned above, do not create your own logging framework. Instead, use a logging mechanism already provided by SAP NetWeaver AS. If no standard functionality is provided that fulfills your needs, try to get the features you require included in the existing frameworks. All standard logging frameworks provided by SAP NetWeaver AS offer the following features that are required by a good logging framework:

  • Logging and archiving should be customizable, because every customer has different requirements.

    Even the writing of log entries can be activated and deactivated in the system.

  • Logs should be read-only and never changeable, to preserve traceability.

    Make sure that there is a check implemented to deny unauthorized access to logs.

  • Logs should contain information about the following:

    • The reason for logging

    • The user who created the log entry

    • Date and time when the log entry was written

    • System and client where the log entry occurred

  • Consider how logs should be handled, that is, whether they can be deleted or be archived.

  • Take into account that the creation of log files affects performance.

    In addition, many users access this log table in parallel. This could cause lock situations even though the users are working with different application tables.

Further Information