Security Audit Log of the AS Java

Use

The security audit log of the SAP NetWeaver Application Server (AS) Java contains a log of important security events, such as successful and failed user logons, and creation or modification of users, groups and roles. This information is used by auditors to track changes made in the system.

Viewing the Log File

Use SAP NetWeaver Administrator to view log and trace files. It provides a predefined security view.

The table below lists where you can find the security audit log.

Access: Log Viewer
Location: /System/Security/Audit/<subcategory> (the subcategory is optional)

Access: File system
Location: \usr\sap\<SID>\<instance_number>\j2ee\cluster\server<n>\log\system\security_audit.log (forward slashes on Unix-like hosts)

Entries In the Log File

In addition to the fields in a log record, each message entry in the log file has the following format:

[Event Name] | [Event Type] | [ObjectID] | [ObjectName] | [Details]

The parts of the message entry are described below:

Event Name
  A human-readable name of the event.

Event Type
  Consists of a principal (such as USER, ACL) and an action (such as CREATE, DELETE), joined by a dot, for example USER.CREATE.

ObjectID
  Unique ID of the object. Only the object IDs of users, groups, UME roles, and user accounts can be displayed. For all other objects, only a hash value is available.

ObjectName
  Human-readable description of the object (optional). Only the object names of users, groups, UME or portal roles, and user accounts can be displayed. Object names of other objects are not available.

Details
  Additional information as a comma-separated list of key=value pairs.

List of Logged Events

The AS Java logs events in subcategories of the security audit log. It uses the following subcategories:

  • ACLs

  • Configuration

  • PermissionCheck

  • PrincipalModification

  • UserMapping

The following tables list the events logged by subcategory.

ACLs

ACL created
  Event type: ACL.CREATE
  Severity: Info
  Object ID: the object for which the ACL was created
  Details: owner

ACL deleted
  Event type: ACL.DELETE
  Severity: Info
  Object ID: the object to which the ACL was assigned
  Details: (no details)

ACL modified
  Event type: ACL.MODIFY
  Severity: Info
  Object ID: the object whose ACL was modified
  Details: added or removed owners; added or removed ACEs (access control entries) as (principal, permission) pairs; changed object ID

Configuration

Current UME configuration
  Event type: CUSTOMIZE
  Severity: Info
  Object ID: Security Audit or Properties
  Details: for Security Audit, the internal version number; for Properties, all properties of the UME configuration

PermissionCheck

Permission check failed
  Event type: ACCESS.ERROR
  Severity: Info
  Object ID: the object the user wanted to access (if available)
  Details: the permission the user would have needed to access the object

Permission check successful
  Event type: ACCESS.OK
  Severity: Path
  Object ID: the object the user accessed (if available)
  Details: the permission that was needed to access the object

PrincipalModification

Details of created user
  Event type: USER.CREATE_DETAILS
  Severity: Path
  Object ID: the new user
  Details: all user attributes

Details of modified user
  Event type: USER.MODIFY_DETAILS
  Severity: Path
  Object ID: the modified user
  Details: all changed user attributes

Group created
  Event type: GROUP.CREATE
  Severity: Info
  Object ID: the new group
  Details: assigned users and groups

Group deleted
  Event type: GROUP.DELETE
  Severity: Info
  Object ID: the deleted group
  Details: (no details)

Group modified
  Event type: GROUP.MODIFY
  Severity: Info
  Object ID: the modified group
  Details: if group members were modified, the added or removed users and groups

Principal created
  Event type: PRINCIPAL.CREATE
  Severity: Path
  Object ID: the new principal
  Details: all attributes

Principal deleted
  Event type: PRINCIPAL.DELETE
  Severity: Path
  Object ID: the deleted principal
  Details: (no details)

Principal modified
  Event type: PRINCIPAL.MODIFY
  Severity: Path
  Object ID: the modified principal
  Details: all attributes

Role created
  Event type: ROLE.CREATE
  Severity: Info
  Object ID: the new role
  Details: assigned users and groups; assigned actions

Role deleted
  Event type: ROLE.DELETE
  Severity: Info
  Object ID: the deleted role
  Details: (no details)

Role modified
  Event type: ROLE.MODIFY
  Severity: Info
  Object ID: the modified role
  Details: if role members were modified, the added or removed users and groups; if actions were modified, the added or removed actions

User account created
  Event type: USERACCOUNT.CREATE
  Severity: Info
  Object ID: the new user account
  Details: assigned user ID

User account deleted
  Event type: USERACCOUNT.DELETE
  Severity: Info
  Object ID: the deleted user account
  Details: assigned user ID

User account modified
  Event type: USERACCOUNT.MODIFY
  Severity: Info
  Object ID: the modified user account
  Details: one of the following:
    Password was changed (Forced to change / Success / Failed: Reason)
    User was locked (reason)
    User was unlocked
    Certificate was modified
  Possible reasons for a locked user are:
    • [1] : User was locked due to too many incorrect logon attempts.
    • [2] : User was locked by an administrator.

User created
  Event type: USER.CREATE
  Severity: Info
  Object ID: the new user
  Details: company ID

User deleted
  Event type: USER.DELETE
  Severity: Info
  Object ID: the deleted user
  Details: (no details)

User modified
  Event type: USER.MODIFY
  Severity: Info
  Object ID: the modified user
  Details: if the user was assigned to a company, the company ID

UserMapping

Encryption mode of user mapping changed
  Event type: USERMAPPING.CHANGE.CRYPTO.MODE
  Severity: Info
  Object ID: user mapping encryption mode
  Details: the previous and the new encryption mode

User mapping created
  Event type: USERMAPPING.CREATE
  Severity: Info
  Object ID: the mapped user
  Details: system alias; remote user ID; type of system (SAP_R3, SAP_BW, or SAP_CRM)

User mapping deleted
  Event type: USERMAPPING.DELETE
  Severity: Info
  Object ID: the mapped user
  Details: system alias; remote user ID

User mapping used
  Event type: USERMAPPING.USE
  Severity: Info
  Object ID: the mapped user
  Details: system alias; remote user ID
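The following Python script is an added example; it is not SAP code and not a tool shipped with AS Java. It parses the message part of security_audit.log entries in the layout given under Entries In the Log File and then applies a few review rules to the event types listed in the tables above: account locks with reason [2] (administrator lock) versus [1] (too many failed logons), unlocks, membership changes to a watched role, repeated ACCESS.ERROR events against one object, and any change of the user-mapping encryption mode. The sample entries, their object IDs, the detail keys (reason, status, old, new, Added users), the watched-role set and the threshold are all constructed assumptions. Real records carry further log-record fields (timestamp, location, and so on) in front of the message; those must be stripped or parsed separately before this parser sees the line.

```python
"""
Added example (not SAP code): parse the message part of AS Java
security_audit.log entries and run a few review rules over them.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample entries, NOT real log output. Only the message part of
# each record is shown, in the documented layout
#   [Event Name] | [Event Type] | [ObjectID] | [ObjectName] | [Details]
# Object IDs, detail keys (reason, status, old, new, ...) and the wording
# "Added users=" are placeholders chosen for this example.
SAMPLE_LOG = """\
User account modified | USERACCOUNT.MODIFY | uid-1001 | jdoe | User was locked, reason=[1]
User account modified | USERACCOUNT.MODIFY | uid-2002 | svc_batch | User was locked, reason=[2]
User account modified | USERACCOUNT.MODIFY | uid-2002 | svc_batch | User was unlocked
User account modified | USERACCOUNT.MODIFY | uid-1001 | jdoe | Password was changed, status=Success
Role modified | ROLE.MODIFY | role-0001 | Administrator | Added users=jdoe
Role modified | ROLE.MODIFY | role-0042 | ReportViewer | Added users=jdoe
Permission check failed | ACCESS.ERROR | 7f3a9c | | permission=read
Permission check failed | ACCESS.ERROR | 7f3a9c | | permission=read
Permission check failed | ACCESS.ERROR | 7f3a9c | | permission=write
Encryption mode of user mapping changed | USERMAPPING.CHANGE.CRYPTO.MODE | usermapping-crypto | | old=none, new=strong
"""

# Assumed watch list and threshold; tune these for a real system.
PRIVILEGED_ROLES = {"Administrator"}
FAILED_CHECK_THRESHOLD = 3


@dataclass
class AuditEntry:
    event_name: str
    event_type: str   # e.g. USERACCOUNT.MODIFY
    principal: str    # part before the first dot, e.g. USERACCOUNT
    action: str       # the rest, e.g. MODIFY or CHANGE.CRYPTO.MODE ("" for CUSTOMIZE)
    object_id: str
    object_name: str
    details: dict     # key=value pairs; a token without "=" maps to True


def parse_details(text):
    """Split the comma-separated Details field into a dict.

    Free-text tokens such as "User was locked" carry no "=" and are kept as
    flags (value True) so that rules can test for their presence.
    """
    details = {}
    for token in (t.strip() for t in text.split(",")):
        if not token:
            continue
        key, sep, value = token.partition("=")
        details[key.strip()] = value.strip() if sep else True
    return details


def parse_entry(line):
    """Parse one message entry; raise ValueError on a malformed line."""
    # maxsplit=4 keeps any "|" that occurs inside the Details field.
    parts = [p.strip() for p in line.split("|", 4)]
    if len(parts) != 5:
        raise ValueError(f"expected 5 '|'-separated fields: {line!r}")
    name, event_type, object_id, object_name, details = parts
    principal, _, action = event_type.partition(".")
    return AuditEntry(name, event_type, principal, action,
                      object_id, object_name, parse_details(details))


def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def find_findings(entries):
    """Return (rule, subject) tuples for entries an auditor should review."""
    findings = []
    failed_checks = Counter()  # ACCESS.ERROR count per object ID
    for e in entries:
        if e.event_type == "USERACCOUNT.MODIFY":
            if e.details.get("User was locked") is True:
                # Reason codes from the documentation: [1] too many failed
                # logons, [2] locked by an administrator.
                rule = {"[1]": "LOGON_LOCKOUT", "[2]": "ADMIN_LOCK"}.get(
                    e.details.get("reason"), "LOCK_UNKNOWN_REASON")
                findings.append((rule, e.object_name))
            if e.details.get("User was unlocked") is True:
                findings.append(("UNLOCK", e.object_name))
        elif e.event_type in ("ROLE.MODIFY", "GROUP.MODIFY") \
                and e.object_name in PRIVILEGED_ROLES:
            findings.append(("PRIVILEGED_ROLE_CHANGE", e.object_name))
        elif e.event_type == "ACCESS.ERROR":
            failed_checks[e.object_id] += 1
        elif e.principal == "USERMAPPING" and e.action == "CHANGE.CRYPTO.MODE":
            findings.append(("CRYPTO_MODE_CHANGE", e.object_id))
    for object_id, n in failed_checks.items():
        if n >= FAILED_CHECK_THRESHOLD:
            findings.append(("REPEATED_ACCESS_ERROR", object_id))
    return findings


if __name__ == "__main__":
    for rule, subject in find_findings(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {subject}")
```

Free-text details such as "User was locked" are kept as flags rather than discarded, because the documentation shows that the Details column mixes key=value pairs with plain phrases. The ACCESS.ERROR rule keys on the object ID only, since the message entry itself does not name the acting user; if that is needed, take it from the surrounding log-record fields.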

Configuring the Security Audit Log

The security audit log and all its subcategories have a default severity of Info. To show events with Path severity, set the subcategory severity to Path. To hide events, set the subcategory severity to None.

For more information, see Configuring Log Controllers.

Use UME properties to configure what is logged. The list below gives the configuration options.

For more information, see Editing UME Properties.

Log the object ID of an event
  UME property: ume.secaudit.get_object_name

Disable the logging of the client host address
  UME property: ume.security_policy.log_client_hostaddress

Log the client hostname
  UME property: ume.security_policy.log_client_hostname