Activating the SAP R/3 Security Audit Log

In Release 4.0 and later, SAP R/3 supports an internal auditing system, called the Security Audit Log. Each SAP application server maintains a daily audit file. You can specify the name and location of the Security Audit Log using the rsau/local/file profile parameter. To activate the internal audit system, set the audit log parameters as described in Table 82: Table 82. Audit Log parameter settings Set value to... 1 path to audit log file 3

Audit Log Parameter rsau/enable rsau/local/file rsau/selection_slots

rsau/max_diskspace/local maximum space to allocate for the audit files rec/client ALL Note: The rsau/local/file parameter contains the entire path name to the audit logs, as well as the file name. The file name must include plus sign (+) symbols to contain a variable datepart. Do not include a file extension in the file name. See the following examples for clarification.

This example shows a valid path and filename:

/usr/sap/machine1/log/audit_++++++++

This example shows a path and filename that is not valid; the filename does not include a datepart:
/usr/sap/machine1/log/audit

This example shows a path and filename that is not valid; the filename includes a file extension:
/usr/sap/machine1/log/audit_++++++++.aud

Archiving and deleting Audit logs

The SAP R/3 audit log is not circular. After it reaches the size specified by the rsau/max_diskspace/local parameter, the audit process stops. To avoid this:

Set the rsau/max_diskspace/local parameter to a reasonable size. Schedule an operating system job to delete old SAP R/3 audit files. Alternatively, use transaction SM18 to delete old audit log files. Transaction SM19, program RSAUCONF

Cause and prerequisites

Thanks Rohit, really i have founded my solution with the document. one more adivise please..can you pass me suitable values for the following below: 1.rsau/local/file: Name and location of the audit log file 2.rsau/max_diskspace/local: Max. space of the audit file. If maximum size is reached auditing stops. 3.rsau/selection_slots: Max. number of filters Thanks alot, Nani

Configuring SAP audit filters

After you set the audit log profile parameters, start transaction SM19 to specify which events to log in the Audit Security Log. The following table lists the suggested events to log along with the audit settings for each event. Table 83. Event auditing: suggested settings for SAP Active Security Level Y Low = All Y Low = All Y Low = All Y Medium = Important and critical (All) Y Medium = Important Y Medium = Important (All) Y High = Critical

Audit Class Dialog logon RFC/CPIC logon RFC call Transaction start Report start User master change Other events

To set up the recommended audit levels, set the rsau/selection_slots parameter to 3. This setting creates three filters that you configure as follows: Filter 1: Select each of the following options:

Filter Active Audit Classes Dialog Logon, RFC/CPIC logon, RFC call, and User master change

Low

Filter 2: Select each of the following options:

Filter Active Transaction Start Medium Report Start

Filter 3: Select each of the following options:

Filter Active Other Events High

For more information about how to set filters, see the SAP online help or contact your company SAP specialist. After you have configured SAP for event auditing with the Tivoli Compliance Insight Manager, installed and configured an Actuator for the system operating system, and configured your system audit settings, the Tivoli Compliance Insight Manager can now start auditing SAP audit logs.

Re: Security Audit Log Configuration(SM19) Information Posted: Feb 20, 2009 10:00 PM in response to: Yoganand Vedagiri hello Nani, Here is you solution:

Reply

1. *rsau/local/file*-Hello Nani,which version of SAP do you use if 4.6 or more than that you dont require this parameter The rsau/local/file parameter must be specified in Releases 4.0 and 4.5. For compatibility reasons, it is also still analyzed up to and including Release 6.20. As of Release 4.6 it can be left out. It no longer exists as of Release 6.40. If it is used, the two profile parameters DIR_AUDIT and FN_AUDIT must correspond to the parameter rsau/local/file, that is: rsau/local/file = DIR_AUDIT + FN_AUDIT '+' here stands for the directory separator ('/' or '\'). Otherwise, audit files cannot be deleted with transaction SM18 (RSAUPURG report) or evaluation with transaction SM20 is not possible as of Release 4.6. "

Please refer to Note 539404 for more info. 2. *rsau/max_diskspace/local*- Answer: 2 gigabytes For a single day, this means: < = 4.6: 11,930,464 events or 138 events per second; > = 6.10: 10.737.418 events or 124 events per second; Value ranges of the profile parameters Min Max rsau/max_diskspace/local 1000000 2 GB rsau/max_diskspace/per_file 1 MB 2 GB rsau/max_diskspace/per_day 3*per_file 1024 GB Changed minimum values (see Note 909734): as of 6.40 rsau/max_diskspace/local 10 MB as of 6.40 PL 143 rsau/max_diskspace/local 100 MB Please refer to Note 539404 for more info 3. *rsau/selection_slots*- as of 4.6 release you can make 10 selections.please refer to note 539404 for more info Hope this helps Rohit

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[1] Question: What is the difference between static and dynamic configuration? Answer: Static configuration is used for the ongoing storage of a Security Audit log configuration in the database and every time the system is restarted, it is transferred as the current configuration. If you want to operate the Security Audit log on an ongoing basis, for example, if requested to do so by a tax inspector, then you must create a static configuration and determine it as the active configuration! Dynamic configuration is used to change the current configuration while the operation is running or to activate the Security Audit Log. For example: You want to monitor an SAP support employee whose login name was not contained

up to now in the static configuration. Without dynamic configuration, you would have to restart the system for this type of temporary filter change! With dynamic configuration, you call change all filter settings except the number of filters. A Security Audit log set by dynamic configuration only lasts until the system is restarted. In addition, you must at least set the following profile parameters:

DIR_AUDIT Directories for the audit files FN_AUDIT Names of the audit files (Name pattern) rsau/enable Enable Security Audit Log rsau/max_diskspace/local Maximum size of an audit file rsau/selection_slots Number of filters used for the Security Audit log

Missing parameters are replaced by the default value. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++

21] Question: What is the maximum size of an audit file? Answer: 2 gigabytes For a single day, this means: <= 4.6: 11,930,464 events or 138 events per second; >= 6.10: 10.737.418 events or 124 events per second; Value ranges of the profile parameters Min Max rsau/max_diskspace/local 1000000 2 GB rsau/max_diskspace/per_file 1 MB 2 GB rsau/max_diskspace/per_day 3*per_file 1024 GB Changed minimum values (see Note 909734): as of 6.40 rsau/max_diskspace/local 10 MB as of 6.40 PL 143 rsau/max_diskspace/local 100 MB