
The Design of the Security Audit Log

Overview

The Security Audit Log keeps a record of security-related activities in AS ABAP-based systems. This information is recorded daily in an audit file on each application server. To determine what information should be written to this file, the audit log uses filters, which are stored in memory in a control block. When an event occurs that matches an active filter (for example, a transaction start), the audit log generates a corresponding audit message and writes it to the audit file. A corresponding alert is also sent to the CCMS alert monitor. Details of the events are provided in the Security Audit Log's audit analysis report. See the graphic below:

Security Audit Log Architecture


Note

The AS ABAP maintains its audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server (see Deleting Old Audit Files).

The Audit File / The Audit Record

The audit files are located on the individual application servers. You define the name and location of the files in the profile parameter rsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information (if known):

      Event identifier (a 3-character code)

      SAP user ID and client

      Terminal name

      Transaction code

      Report name

      Time and date when the event occurred

      Process ID

      Session number

      Miscellaneous information

You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.

Filters

You define the events you want to audit in filters. This information is stored in the control block, which is located in the application server's shared memory. The SAP System uses this information to determine which audit messages should be written to the audit file.

Filters consist of the following information:

      Client

      User

      Audit Class

            Dialog logon

            RFC/CPIC logon

            RFC function call

            Transaction start

            Report start

            User master change

            Other

      Weight of Events to Audit

            Only critical

            Important and critical

            All

For more details, see Defining Filters.
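
The following model is an added example, not SAP code. It shows how an event is selected by an active filter and what happens to matching events once the audit file reaches rsau/max_diskspace/local. The "*" wildcard, the numeric weight values, the 200-byte record length and all class and function names are assumptions of this example.

```python
from dataclasses import dataclass

LOW, IMPORTANT, CRITICAL = 1, 2, 3  # event weights; numeric order is this example's own

@dataclass(frozen=True)
class Event:
    client: str
    user: str
    audit_class: str  # one of the audit classes listed above
    weight: int

@dataclass(frozen=True)
class Filter:
    client: str               # "*" matches any client (assumed wildcard)
    user: str                 # "*" matches any user (assumed wildcard)
    audit_classes: frozenset
    min_weight: int           # CRITICAL = "Only critical", LOW = "All"
    active: bool = True

    def matches(self, ev: Event) -> bool:
        return (self.active and self.client in ("*", ev.client)
                and self.user in ("*", ev.user) and ev.audit_class in self.audit_classes
                and ev.weight >= self.min_weight)

class AuditFile:
    def __init__(self, filters, max_bytes=1_000_000, record_len=200):
        self.filters, self.max_bytes, self.record_len = filters, max_bytes, record_len
        self.size, self.stopped = 0, False

    def audit(self, ev: Event) -> str:
        if not any(f.matches(ev) for f in self.filters):
            return "filtered"      # no active filter selects this event
        if self.stopped or self.size + self.record_len > self.max_bytes:
            self.stopped = True    # maximum size reached: auditing stops
            return "dropped"
        self.size += self.record_len
        return "written"

def demo():
    # Constructed filter and events; the cap is shrunk to two records.
    f = Filter("100", "*", frozenset({"Dialog logon", "Transaction start"}), IMPORTANT)
    log = AuditFile([f], max_bytes=400)
    events = [Event("100", "ALICE", "Dialog logon", CRITICAL),
              Event("100", "ALICE", "Report start", CRITICAL),
              Event("200", "BOB", "Dialog logon", CRITICAL),
              Event("100", "BOB", "Transaction start", LOW),
              Event("100", "BOB", "Transaction start", IMPORTANT),
              Event("100", "EVE", "Dialog logon", CRITICAL)]
    return [log.audit(e) for e in events], log.stopped
```

The last event matches the filter but is not recorded, which is why the size limit and the archiving routine need to be planned together with the filter scope.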

The Audit Analysis Report

You can view the contents of the audit files in the audit analysis report. For more information, see Displaying the Audit Analysis Report and Reading the Audit Analysis Report.

Alerts in the Computing Center Management System Alert Monitor

The Security Audit Log also generates security alerts for the events recorded in the Computing Center Management System (CCMS) alert monitor. For more information, see Security Alerts in the CCMS Alert Monitor.
