Security Audit Log of the AS Java

Use

The security audit log of the SAP NetWeaver Application Server (AS) Java contains a log of important security events, such as successful and failed user logons, and creation or modification of users, groups and roles. This information is used by auditors to track changes made in the system.

For more information about the security log, see Logging and Tracing.

Entries in the log file

Each entry in the log file has the following format:

[TimeStamp] | [Severity] | [Actor] | [Event] | [ObjectType] = [ObjectID] | [ObjectName] | [Details]

Example

Feb 12, 2003 6:20:48 PM  | Info | <systemuser> | LOGIN.OK | USER = … | TestUser02

The parts of a log file entry are described in the table below:

Part | Description
Timestamp | Includes the time zone (UTC)
Severity | Path = Low, Info = Medium, Warning = High, Error = Very High
Actor | The logged-in user, or <systemuser> if no user was logged in (optional)
Event | Consists of a category (such as USER, LOGIN, ACL) and an action (such as CREATE, DELETE)
ObjectType | The type of object involved in the event, for example USER, USERACCOUNT, ROLE, GROUP, PRINCIPIAL, or NONE
ObjectID | Unique ID of the object. Only the object IDs of users, groups, UME roles, and user accounts can be displayed. For all other objects, only a hash value is available.
ObjectName | Human-readable description of the object (optional). Only the object names of users, groups, UME or portal roles, and user accounts can be displayed. Object names of other objects are not available.
Details | Additional information as a comma-separated list of key=value pairs

Events that are logged

The following table lists the events for which an entry is made in the log file and details which information is logged.

Event | Severity | Object ID | Details

Principal modification:
User creation | Medium | The new user | Company ID
User creation | Low | The new user | All user attributes
User account creation | High | The new user account | Assigned user ID
Group creation | High | The new group | Assigned users and groups
Role creation | High | The new role | Assigned users and groups; assigned actions
User modification | Medium | The modified user | If the user was assigned to a company: Company ID
User modification | Low | The modified user | All changed user attributes
User account modification | High | The modified user account | Password was changed (forced to change / success / failed: reason); user was locked (reason); user was unlocked; certificate was modified
Group modification | High | The modified group | If group members were modified: added or removed users and groups
Role modification | High | The modified role | If role members were modified: added or removed users and groups; if actions were modified: added or removed actions
User deletion | Medium | The deleted user | (no details)
User account deletion | High | The deleted user account | Assigned user ID
Group deletion | High | The deleted group | (no details)
Role deletion | High | The deleted role | (no details)

Note

Possible reasons for a locked user are:

· [1]: User was locked due to too many incorrect logon attempts.

· [2]: User was locked by an administrator.

User mapping:
User mapping creation | Medium | The mapped user | System alias; remote user ID; type of system (SAP_R3, SAP_BW, or SAP_CRM). Includes modification of an existing mapping.
User mapping deletion | Medium | The mapped user | System alias; remote user ID
User mapping usage | Medium | The mapped user | System alias; remote user ID

Log in/Log off:
Successful user logon | Medium | The used user account | User ID; logon method/authentication scheme; IP address
Failed user logon | High | The used user account | User ID; logon method/authentication scheme; IP address; reason why the logon failed (wrong password, user locked, …)
User logoff | Medium | The used user account | (no details)

Permission (checking):
ACL creation | High | The object for which the ACL was created | Owner
ACL modification | High | The object whose ACL was modified | Added or removed owners; added or removed ACEs (access control entries): (principal, permission); changed object ID
ACL deletion | High | The object to which the ACL was assigned | (no details)
Access violation or access denied | Very High | The object the user wanted to access (if available) | Permission the user would have needed to access the object
Access granted | Low | The object the user accessed (if available) | Permission that was needed to access the object

Configuration:
Customizing | Medium | "Properties" | At start-up of AS Java: all customized properties with their values; otherwise: changed properties
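A parser and triage pass for the entry format and the events table above, added here as an example that is not part of the SAP documentation: it splits a line into the documented fields, maps the severity names to their levels, flags entries at level High or Very High, and counts failed logons (LOGIN events at level High) per user. The sample lines are constructed; every event name except LOGIN.OK, the object IDs and the detail key names are assumptions, since the page does not list them.

```python
from collections import Counter, namedtuple

# Severity names written to the log, mapped to the levels the documentation
# assigns them (Path = Low, Info = Medium, Warning = High, Error = Very High).
SEVERITY_LEVEL = {"Path": "Low", "Info": "Medium", "Warning": "High", "Error": "Very High"}

# Fields of one entry; category and action are the two halves of [Event], e.g. LOGIN.OK.
AuditEntry = namedtuple("AuditEntry", "timestamp severity actor category action "
                                      "object_type object_id object_name details")

def parse_entry(line):
    """Split one security_audit.<n>.log line into its documented fields.
    ObjectName and Details are optional, so a line may carry 5, 6 or 7 fields."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 5 or parts[1] not in SEVERITY_LEVEL:
        raise ValueError("not a security audit log entry: %r" % line)
    timestamp, severity, actor, event, obj = parts[:5]
    category, _, action = event.partition(".")
    object_type, _, object_id = (s.strip() for s in obj.partition("="))
    object_name = parts[5] if len(parts) > 5 else ""
    details = {}  # [Details] is a comma-separated list of key=value pairs
    if len(parts) > 6 and parts[6]:
        for pair in parts[6].split(","):
            key, _, value = pair.partition("=")
            details[key.strip()] = value.strip()
    return AuditEntry(timestamp, severity, actor, category, action,
                      object_type, object_id, object_name, details)

def triage(text):
    """Return (entries at level High or Very High, failed-logon count per user).
    Per the events table, a LOGIN event logged at level High is a failed logon."""
    flagged, failed = [], Counter()
    for e in (parse_entry(l) for l in text.splitlines() if l.strip()):
        if SEVERITY_LEVEL[e.severity] in ("High", "Very High"):
            flagged.append(e)
        if e.category == "LOGIN" and SEVERITY_LEVEL[e.severity] == "High":
            failed[e.details.get("user", e.object_name)] += 1
    return flagged, failed

# Constructed sample lines, not real output. The event names other than LOGIN.OK,
# the object IDs and the detail keys (user, method, ip, reason) are assumed.
SAMPLE = """\
Feb 12, 2003 6:20:48 PM  | Info | <systemuser> | LOGIN.OK | USER = uid-0001 | TestUser02 | user=TestUser02, method=BASIC, ip=10.0.0.5
Feb 12, 2003 6:21:03 PM  | Warning | <systemuser> | LOGIN.FAILED | USER = uid-0002 | TestUser03 | user=TestUser03, method=BASIC, ip=10.0.0.9, reason=wrong password
Feb 12, 2003 6:21:07 PM  | Warning | <systemuser> | LOGIN.FAILED | USER = uid-0002 | TestUser03 | user=TestUser03, method=BASIC, ip=10.0.0.9, reason=wrong password
Feb 12, 2003 6:30:00 PM  | Error | TestUser03 | ACL.CHECK | NONE = 9f3c |  | needed permission=write
"""

if __name__ == "__main__":
    print(triage(SAMPLE)[1])  # Counter({'TestUser03': 2})
```

The access-denied line shows the documented case of a non-principal object: ObjectType NONE, only a hash as ObjectID, and an empty ObjectName.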

 

Configuring the Security Audit Log

You can configure what information appears in the security audit log. You can also change the default location of the security audit log file.

Configuring the Logging Options

You can use UME properties to configure what is logged. The table below lists the configuration options.

For more information, see Editing UME Properties.

Option | UME property | Description
Log the object ID of an event | ume.secaudit.get_object_name | Set this value to TRUE to display the object display name in the security log and trace files. Otherwise the object ID is used.
Disable the logging of the client host address | ume.security_policy.log_client_hostaddress | When enabled, the UME logs the user host IP address.
Log the client hostname | ume.security_policy.log_client_hostname | When enabled, the UME logs the client hostname.

Recommendation

We do not recommend enabling this property. It requires a DNS lookup, which impacts system performance.

Changing the Default Location of the Security Audit Log File

By default, the security audit logs are written to the file /usr/sap/<SID>/<instance>/j2ee/cluster/server<n>/security_audit.<n>.log. You can change the location of the file in the Visual Administrator:

1. Start the Visual Administrator.

2. On the Cluster tab, choose <SID> → Server → Services → Log Configurator.

3. Go to Advanced Mode → Destinations.

4. Select the service_security_audit destination.

5. Change the location of the security audit log file.

Note

In the default value, ./ stands for /usr/sap/<SID>/<instance>/j2ee/cluster/serverX/.

6. Save your changes.
