SAP security audit log setup

1.Introduction

The Security Audit Log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP system. By activating the audit log, you keep record of those activities you consider relevant for auditing. This information is recorded on a daily basis in an audit file on each application server. You can then access this information for evaluation in the form of an audit analysis report. Statistical information can easily be retrieved on transactions and reports. Although it was not designed for this purpose, the information it generates is invaluable when estimating the number of resources needed for the next upgrade project and when you want to know to which transactions or reports most attention and effort should go to.

The following information can be recorded in the Security Audit Log:
Successful and unsuccessful dialog and RFC logon attempts
RFC calls to function modules
Successful and unsuccessful transaction and report starts

2.Activating the audit log

The following instance profiles must be set in order to activate audit logging (use transaction RZ10 to do so).
rsau/enable: Set to 1 to activates audit logging
rsau/local/file: Name and location of the audit log file
rsau/max_diskspace/local: Max. space of the audit file. If maximum size is reached auditing stops.
rsau/selection_slots: Max. number of filters

The settings are activated after the instance has been restarted.

3.Defining Filters

To access the Security Audit Log configuration screen from the SAP standard menu, choose:
Tools-> Administration->Monitor->Security Audit Log->Configuration (or transaction SM19).

Filters define what needs to be recorded. The following information can be specified:
Which User(s), Client(s) (wildcards can be used)
Audit class (for example, dialog or RFC attempt, start of transaction, report...)
Importance of the event (critical, important...)

Filters can be static (permanently) or dynamic (temporarily):
Static filters are stored inside the database. All application servers use the same filter for determining which events should be recorded in the audit log. After saving (Save) and activating (Profile->Activate) the static profile, it will be loaded at the next restart of the application server.
Dynamically created profiles, on the contrary, can be activated at any time to filter for selected events.They are automatically distributed to all active application servers (after saving and distributing them by selecting Configuration->Distribute Configuration).

Transaction SM19 - Administer Audit Profile

4.Analyzing the Audit Log

The Security Audit Log produces an audit analysis report that contains the audited activities.

By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System.

To access the Security Audit Log Analysis screen from the SAP standard menu, choose:
Tools->Administration->Monitor->Security Audit Log->Analysis (or transaction SM20).

The Audit Log can be scanned for a period of time, user, transaction, report, etc.

  Transaction SM20 - Analyzing the Audit Log

5.Reorganizing the Audit Log

The Security Audit Log saves its audits to a corresponding audit file on a daily basis.

Depending on the size of your SAP System and the filters specified, you may be faced with an enormous quantity of data within a short period of time.

Old audit log files can be deleted via Tools->Administration->Monitor ->Security Audit Log-> Configuration (or transaction SM18).

How to trace user's activity

How to trace user's activity :-

Creating a User Audit Profile :-

1. Log on to any client in the appropriate SAP system.

2. Go to transaction SM19.

3. From the top-most menu bar on the Security Audit: Administer Audit Profile screen, click Profile
   -> Create.

4. On the Create new profile popup, type in a new Profile name and click the green √ picture-icon.

5. On the Filter 1 tab of the Security Audit: Administer Audit Profile screen, click the icon to the left of Filter active to place a √ in the box. In the Selection criteria section, select the Clients and User names to be traced. In the Audit classes section, click “on” all the auditing functions you need for this profile. In the Events section, click the radio button to the left of the level of auditing you need. Once you have entered all your trace information, click the Save picture-icon. You will receive an Audit profile saved in the status bar at the bottom of the screen.

6. Please note that while the user trace profile has been saved, it is not yet active. To activate the user trace, see the next section Activating a User Audit Profile.

7. You may now leave the SM19 transaction.

Activating a User Audit Profile :-

1. Log on to any client in the appropriate SAP system.

2. Go to transaction SM19.

3. On the Security Audit: Administer Audit Profile screen, select the audit profile to be activated from the Profile drop down. Click the lit match picture-icon to activate it. You will receive an Audit profile
activated for next system start in the status bar at the bottom of the screen. The audit will not begin
until after the SAP instance has been recycled.

4. You may now leave the SM19 transaction.

Viewing the Audit Analysis Report :-

1. Log on to any client in the appropriate SAP system.

2. Go to transaction SM20.

3. In the Selection, Audit classes, and Events to select sections of the Security Audit Log: Local Analysis screen, provide your information to filter the audit information. If you need to trace the activities of a specific user, be sure to include that user’s ID. Click the Re-read audit log button.

4. The resulting list is displayed. This list can be printed using the usual methods.

5. You may now leave the SM20 transaction.