Security Log 
Administrators can use the security log to help identify any potential unauthorized access to the system. The security log is configured with the parameter icm/security_log.
The following irregularities are logged:
Data with invalid syntax
Attempted access to objects that do not exist (NOT found)
Access to objects that is not permitted due to filter rules (permission denied)
Logon errors to Web administration (in ICM and Web Dispatcher)
Examples of Log Entries
Error: Permission denied (-13), authorization failed for user >sap< [http_auth_mt.c 745]
Error: Protocol error (-21), illegal request version: 1009
Error: Protocol error (-21), NULL bytes in HTTP request [http_plg_mt.c 4037]
Depending on the configuration the data that gave rise to the log entry is also output:
[Thr 5126] ------------------------------------------------------------------------
[Thr 5126] 0x47a8b614 000000 47455420 2f736170 2f62632f 6273702f |GET /sap/bc/bsp/|
[Thr 5126] 0x47a8b624 000016 7361702f 69743035 20485454 502f312e |sap/it05 HTTP/1.|
[Thr 5126] 0x47a8b634 000032 310d0a68 6f73743a 206c6470 3030372e |1..host: ldp007.|
...
Note
The security log gives an indication of the possible security procedures that could be followed. In particular cases a decision must be made as to whether the entry really is a serious security risk.