Logging and Tracing

Logging and tracing are important elements for securing your application server systems. Logs are important for monitoring the security of your system and to track events if problems occur, as well as for auditing the correct usage of the system.

Keep in mind the difference between logs and traces. Logs are mainly addressed to an administrator of a customer system, while traces are addressed to a developer and support organization. Write into logs only messages that are important for an administrator who supervises the system during normal operation. Write into traces everything that might be important for tracing erroneous behavior.

The SAP Logging API offers high quality support for common practices in logging:

• It generates trace and log messages.
• APIs are available that combine these two types of messages for advanced analysis. You can find these APIs in the SAP NetWeaver Developer Studio help.

The SAP Logging API is provided through the Java package com.sap.tc.logging , with all functionality for both tracing and events logging.

For more information on using logs and traces on the AS Java, see Logging and Tracing .

All applications should have a proper logging and tracing. For security reasons, we recommend that you log security-related events that have occurred in the system. One example of events of this type is unsuccessful authorization checks. Another example is any malicious actions, such as attempting to call objects even if these objects have been locked. Use the built-in SAP Logging API.

The AS Java provides an easy mechanism for configuring the behavior and output of logging without having to write Java source code. For example, if you want to generate more or fewer log messages, this depends on their diagnosis level. Sometimes you may also want to change the output destination, or even the format of the message. These can all be specified separately and dynamically integrated with the program. You do not have to recompile the source code.

The general procedure for you is as follows:

1. Identify the source area you would like to produce trace/log output.
2. Assign a severity level to the source.
3. Specify an output destination.
4. Insert messages with corresponding severity level.
5. Check that the inserted messages do not contain any sensitive data.
6. Run the program.

The message is produced and sent to the destination only when the severity of the message is equal to or higher than the source. From a developer's point of view, the focus is on steps 1, 4, and 5 defined above. The other steps are ultimately more or less determined and configured by the operators/end-users.

For more information about the SAP Logging API, see SAP Logging API .

See also the Logging Quick Guide and How to Write Useful Log and Trace Messages .

When using logging for an audit log, consider the following issues:

• A log is not useful by itself, but through the information it contains.
• Consider what will be meaningful and relevant to those who will use the log. A mere "Access denied" error does not tell much. An "Access denied for user … while attempting to perform action … on the resource …" is much better.
• More detail is generally better, but too much detail is annoying and can hinder performance. So make use of the different log levels of the SAP Logging API.
• As a general guideline you can look at the different log levels used by the User Management Engine (UME). For detailed information about logging and tracing with the UME, see Logging and Tracing .

• Logging and Tracing
• Logging Quick Guide
• How to Write Useful Log and Trace Messages
• SAP Logging API