Changing Filters Dynamically

Use

You specify the information you want to audit in filters that you can either:

1. Create and save permanently in the database in static profiles.

If you use this option, all of the application servers use identical filters for determining which events should be recorded in the audit log. You only have to define filters once for all application servers.

You can also define several different profiles and activate them alternately.

2. Change dynamically.

With this option, you can dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers.

This topic concentrates on dynamically changing filters. For information on defining filters in static profiles, see Maintaining Static Profiles.

Note

These changes are active until they are changed or the application server is shut down.

Prerequisites

The following profile parameters must be set:

Audit Log Profile Parameters

Profile Parameter              Description
DIR_AUDIT                      Directory for security audit files
FN_AUDIT                       Name of security audit file
rsau/enable                    Enable the Security Audit Log
rsau/max_diskspace/local       Maximum space for security audit file
rsau/max_diskspace/per_day     Maximum size of all security audit files per day
rsau/max_diskspace/per_file    Maximum size of one single security audit file
rsau/selection_slots           Number of filters to allow for the Security Audit Log
rsau/user_selection            Defines the user selection method used inside kernel functions
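The prerequisite list above can be checked against an instance profile before you open transaction SM19. The following Python check is an added example, not part of the SAP documentation. It assumes that the profile uses name = value lines with # comment lines and that the value 1 for rsau/enable switches the audit log on; the function names and all values in the sample profile are constructed.

```python
REQUIRED = (
    "DIR_AUDIT", "FN_AUDIT", "rsau/enable",
    "rsau/max_diskspace/local", "rsau/max_diskspace/per_day",
    "rsau/max_diskspace/per_file", "rsau/selection_slots",
    "rsau/user_selection",
)

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # a later line overrides an earlier one
    return params

def check_prerequisites(text, filters_needed=1):
    """Return a list of findings; an empty list means every prerequisite is met."""
    params = parse_profile(text)
    findings = [f"{p}: not set" for p in REQUIRED if not params.get(p)]
    # Assumption: the value 1 switches the Security Audit Log on.
    if params.get("rsau/enable") and params["rsau/enable"] != "1":
        findings.append("rsau/enable: audit log is not enabled")
    slots = params.get("rsau/selection_slots", "")
    if slots and not slots.isdigit():
        findings.append("rsau/selection_slots: not a number")
    elif slots and int(slots) < filters_needed:
        findings.append(f"rsau/selection_slots: {slots} slot(s) for {filters_needed} filter(s)")
    return findings

# Constructed sample profile excerpt; the values are illustrative, not SAP defaults.
SAMPLE = """\
# instance profile excerpt (constructed)
DIR_AUDIT = /usr/sap/EXAMPLE/audit
FN_AUDIT = audit_example
rsau/enable = 0
rsau/max_diskspace/per_day = 500000
rsau/selection_slots = 2
rsau/user_selection = 1
"""

if __name__ == "__main__":
    for finding in check_prerequisites(SAMPLE, filters_needed=3):
        print(finding)
```

The check reports only what is set explicitly in the profile text; a parameter missing from the file may still have a default value at runtime.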

Procedure

1. To access the Security Audit Log configuration screen from the SAP standard menu, choose Administration → System Administration Monitor → Security Audit Log → Configuration (transaction SM19).

The Security Audit: Administer Audit Profile screen appears with the Static configuration tab page activated.

2. Choose the Dynamic configuration tab page or Goto → Dynamic configuration from the menu.

In the upper section of the screen, you receive a list of the active instances and their auditing status. The lower section of the screen contains tab pages for maintaining filters.

3. Choose Configuration → Display <-> Change.

4. Define filters for the application server.

5. Make sure the Filter active indicator is set for each of the filters you want to apply to the audit on the application server.

6. To distribute the filter definition to the application servers, choose Configuration → Activate Audit and confirm that you want the filter configuration distributed to all application servers.

Note

If you receive a program failure, then make sure you have the authorization S_RFC with the value SECU in your authorization profile. (The system uses remote function calls to obtain a list of servers and therefore, you need the appropriate authorizations.)

Result

The audit filters are dynamically created on all active application servers. If you activate the profile(s), then any actions that match any of these filters are recorded in the Security Audit Log. Changes to the filter definitions are effective immediately and exist until the application server is shut down.