The security audit log of the SAP NetWeaver Application Server (AS) Java contains a log of important security events, such as successful and failed user logons, and creation or modification of users, groups and roles. This information is used by auditors to track changes made in the system.
For more information about the security log, see Logging and Tracing.
Each entry in the log file has the following format:
[TimeStamp] | [Severity] | [Actor] | [Event] | [ObjectType] = [ObjectID] | [ObjectName] | [Details]
Feb 12, 2003 6:20:48 PM | Info | <systemuser> | LOGIN.OK | USER = … | TestUser02
The parts of the log file entries are described in the table below:

| Part | Description |
|---|---|
| Timestamp | Includes time zone (UTC) |
| Severity | Path = Low, Info = Medium, Warning = High, Error = Very High |
| Actor | The logged-in user, or <systemuser> if no user was logged in (optional). |
| Event | Consists of a category (such as USER, LOGIN, ACL) and an action (such as CREATE, DELETE). |
| ObjectType | The type of object involved in the event, for example USER, USERACCOUNT, ROLE, GROUP, PRINCIPIAL, or NONE |
| ObjectID | Unique ID of the object. Only the object IDs of users, groups, UME roles, and user accounts can be displayed. For all other objects, only a hash value is available. |
| ObjectName | Human-readable description of the object (optional). Only the object names of users, groups, UME or portal roles, and user accounts can be displayed. Object names of other objects are not available. |
| Details | Additional information as a comma-separated list of key=value pairs. |
The following table lists the events that produce an entry in the log file and the information logged for each. Rows such as "Principal modification" are category headings; events with two rows write two entries of different severity.

| Event | Severity | Object ID | Details |
|---|---|---|---|
| Principal modification | | | |
| User creation | Medium | The new user | Company ID |
| User creation | Low | The new user | All user attributes |
| User account creation | High | The new user account | Assigned user ID |
| Group creation | High | The new group | Assigned users and groups |
| Role creation | High | The new role | Assigned users and groups; assigned actions |
| User modification | Medium | The modified user | If the user was assigned to a company: company ID |
| User modification | Low | The modified user | All changed user attributes |
| User account modification | High | The modified user account | Password was changed (forced to change / success / failed: reason); user was locked (reason); user was unlocked; certificate was modified. Possible reasons for a locked user: [1] the user was locked due to too many incorrect logon attempts; [2] the user was locked by an administrator. |
| Group modification | High | The modified group | If group members were modified: added or removed users and groups |
| Role modification | High | The modified role | If role members were modified: added or removed users and groups. If actions were modified: added or removed actions |
| User deletion | Medium | The deleted user | (no details) |
| User account deletion | High | The deleted user account | Assigned user ID |
| Group deletion | High | The deleted group | (no details) |
| Role deletion | High | The deleted role | (no details) |
| User mapping | | | |
| User mapping creation | Medium | The mapped user | System alias; remote user ID; type of system (SAP_R3, SAP_BW, or SAP_CRM). Includes modification of an existing mapping. |
| User mapping deletion | Medium | The mapped user | System alias; remote user ID |
| User mapping usage | Medium | The mapped user | System alias; remote user ID |
| Log in/Log off | | | |
| Successful user logon | Medium | The used user account | User ID; logon method/authentication scheme; IP address |
| Failed user logon | High | The used user account | User ID; logon method/authentication scheme; IP address; reason why the logon failed (wrong password, user locked, …) |
| User logoff | Medium | The used user account | (no details) |
| Permission (checking) | | | |
| ACL creation | High | The object for which the ACL was created | Owner |
| ACL modification | High | The object whose ACL was modified | Added or removed owners; added or removed ACEs (access control entries): (principal, permission); changed object ID |
| ACL deletion | High | The object to which the ACL was assigned | (no details) |
| Access violation or access denied | Very high | The object the user wanted to access (if available) | Permission the user would have needed to access the object |
| Access granted | Low | The object the user accessed (if available) | Permission that was needed to access the object |
| Configuration | | | |
| Customizing | Medium | "Properties" | At start-up of AS Java: all customized properties with their values. Otherwise: changed properties |
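As an added illustration (not part of the SAP documentation), the parser below reads entries in the layout described above, maps the severity keyword to the rating given in the table, and runs two checks an auditor would typically apply to the logon and permission events listed: repeated failed logons from one user and source address, and every entry rated High or above. The sample lines, the event names other than LOGIN.OK, the object IDs, the addresses and the failure threshold are constructed placeholders, not real SAP values.

```python
from collections import Counter
from datetime import datetime

# Severity keyword in the entry -> rating, as given in the documentation's table
SEVERITY_RATING = {"Path": "Low", "Info": "Medium", "Warning": "High", "Error": "Very High"}

# Constructed sample entries in the documented layout; event names other than
# LOGIN.OK, object IDs and addresses are placeholders, not real SAP values.
SAMPLE_LOG = """\
Feb 12, 2003 6:20:48 PM | Info | <systemuser> | LOGIN.OK | USER = u0002 | TestUser02 | User ID=TestUser02, Authentication scheme=basic, IP address=10.0.0.5
Feb 12, 2003 6:21:03 PM | Warning | <systemuser> | LOGIN.FAILED | USER = u0002 | TestUser02 | User ID=TestUser02, Reason=wrong password, IP address=10.0.0.9
Feb 12, 2003 6:21:07 PM | Warning | <systemuser> | LOGIN.FAILED | USER = u0002 | TestUser02 | User ID=TestUser02, Reason=wrong password, IP address=10.0.0.9
Feb 12, 2003 6:21:10 PM | Warning | <systemuser> | LOGIN.FAILED | USER = u0002 | TestUser02 | User ID=TestUser02, Reason=wrong password, IP address=10.0.0.9
Feb 12, 2003 6:25:00 PM | Warning | Administrator | ROLE.MODIFY | ROLE = r0001 | Administrators | Added users=TestUser02
Feb 12, 2003 6:26:12 PM | Error | TestUser02 | ACL.DENIED | NONE | | Permission=Write
"""

def parse_entry(line):
    """[TimeStamp] | [Severity] | [Actor] | [Event] | [ObjectType] = [ObjectID] | [ObjectName] | [Details]"""
    parts = [p.strip() for p in line.split("|")]
    parts += [""] * (7 - len(parts))              # ObjectName and Details are optional
    ts, severity, actor, event, obj, obj_name, details = parts[:7]
    category, _, action = event.partition(".")     # Event = CATEGORY.ACTION, e.g. LOGIN.OK
    obj_type, _, obj_id = (x.strip() for x in obj.partition("="))
    kv = {}
    for item in details.split(","):                # Details: comma-separated key=value pairs
        key, sep, value = item.partition("=")
        if sep:
            kv[key.strip()] = value.strip()
    return {"time": datetime.strptime(ts, "%b %d, %Y %I:%M:%S %p"),
            "rating": SEVERITY_RATING.get(severity, "Unknown"), "actor": actor,
            "category": category, "action": action, "object_type": obj_type,
            "object_id": obj_id, "object_name": obj_name, "details": kv}

def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]

def review(entries, failed_logon_threshold=3):
    """Two auditor checks: repeated failed logons per user and source IP, and every
    entry whose severity is rated High or Very High (the threshold is an assumed value)."""
    failures = Counter()
    for e in entries:
        if e["category"] == "LOGIN" and e["action"] != "OK":
            failures[(e["details"].get("User ID"), e["details"].get("IP address"))] += 1
    return {"repeated_failed_logons": {k: n for k, n in failures.items() if n >= failed_logon_threshold},
            "high_severity": [(e["actor"], f"{e['category']}.{e['action']}")
                              for e in entries if e["rating"] in ("High", "Very High")]}

if __name__ == "__main__":
    print(review(parse_log(SAMPLE_LOG)))
```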
You can configure what information appears in the security audit log. You can also change the default location of the security audit log file.
You can use UME properties to configure what is logged. The table below lists the configuration options.
For more information, see Editing UME Properties.

| Option | UME property | Description |
|---|---|---|
| Log the object ID of an event | ume.secaudit. | Set this value to TRUE to display the object display name in the security log and trace files. Otherwise the object ID is used. |
| Disable the logging of the client host address | ume.security_policy. | When enabled, the UME logs the user host IP address. |
| Log the client hostname | ume.security_policy. | When enabled, the UME logs the client hostname. We do not recommend enabling this property. It requires a DNS lookup, which impacts system performance. |
By default, the security audit logs are written to the file /usr/sap/<SID>/<instance>/j2ee/cluster/server<n>/security_audit.<n>.log. You can change the location of the file in the Visual Administrator:
1. Start the Visual Administrator.
2. On the Cluster tab, choose <SID> → Server → Services → Log Configurator.
3. Go to Advanced Mode → Destinations.
4. Select the service_security_audit destination.
5. Change the location of the security audit log file. In the default value, ./ stands for /usr/sap/<SID>/<instance>/j2ee/cluster/serverX/.
6. Save your changes.