
Security Audit Log - how to modify the logging?

Former Member
0 Kudos

Hi experts,

We want to log the logon/logoff for a specific group.

In SM19 we defined a filter for this.

The result in SM20 is nearly perfect, but the logged terminal (hostname) is not sufficient.

We have to log the user's IP address instead.

Is there a possibility to modify the "list of possible audit events" so that we can log the IP address?

Or is there another way to get the IP address into this log?

kind regards

Tom

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

The structure which displays the SM20 audit log data is RSAULIST. I have checked this structure in SE11 and didn't find the field IP address. It means it's not registering the IP address. Also you can check the root of the data populated into this structure.

Regards,

Gowrinadh

12 REPLIES

Former Member
0 Kudos

any ideas?

0 Kudos

Hi,

thanks.

I know that there is actually no field for filtering the IP address, but actually the machine name is logged.

Unfortunately we have to log our users for security reasons, so we need the username and another parameter like the client IP address.

The actual logged host or computer name is too easy to manipulate, and it is not even unique.

kind regards

Tom

0 Kudos

Hi,

The easiest way is through SM04 and looking at the terminal number. However, that doesn't show the IP address. But through AD you can run an NBTSTAT to show what the IP is and who is logged in to that particular machine.

Rgds,

Raghu

0 Kudos

Hi,

You can see the IP in SM04. You just need to add the IP address field to the field catalog.

Cheers

0 Kudos

Hi

thanks again.

But first let me explain the issue.

We have to log the username, login time, logout time and the IP address for security reasons, only for the users with a special username (like mycompany1, mycompany2 ...).

These users have a lot of permissions, so they can change anything or damage or ...

We do not have to log the users' activities in detail, because there are enough other logs available in the system to be compared with the above logged information.

But without the IP address (the MAC address would be better) we cannot identify the user afterwards.

A combination of logs is not even sufficient, and it is against the security policy.

OK?

kind regards

Tom

0 Kudos

Hi,

I do understand your requirements. I just wrote that unfortunately it looks like you cannot get the IP address into the security audit log (I'm not 100% sure). My proposed workaround is to implement a user exit which is called for every dialog user after successful logon. The problem is that you will have to implement it, it will not be integrated with SM20 and you will be able to log only successful logons (this might be the biggest issue).

BTW you cannot log the MAC address. The MAC address is only visible in the segment of the network where the PC is connected. I am sure that your SAP system is in a different segment than the clients' PCs.

Cheers

0 Kudos

Hi,

I know that this is not a simple question, but if the information of the client's computer name is loggable there must be a possibility to get its IP address (just thinking).

If we use your proposal - we get the login information of all users, right?

As there are a few hundreds of users in our systems we have to log only the information for the mycompany## users.

A combination of logs is not OK -> our security guideline forces a single logfile.

kind regards

Tom

0 Kudos

Hi,

If you follow the naming standards for the user names (i.e. in your company) then you can follow the above modifications.

Or else you can modify the security logging program and add one more field as MAC address or IP address and start registering the same.

Since standard SAP doesn't support this, it's better to go for custom modifications.

Regards,

Gowrinadh

0 Kudos

Hi,

my problem is that even an implementation (no standards available for it) is not possible.

.. you know ... security & laws ...

So I'll keep on searching ...

Kind regards

Tom

0 Kudos

Hi,

I am not even sure if modification is possible. I assume that the security logging program is at kernel level. Hence there is no ABAP program to modify. I am talking about the code which is responsible for creating logs, not settings and reporting such as SM19, SM20.

Cheers

mvoros
Active Contributor
0 Kudos

Hi,

it looks like the audit system does not log the IP address, which is really silly. For example you can see the IP address in SM04. I am not absolutely sure, maybe someone from SAP could confirm it. It's really weird that the audit system uses the host name instead of the IP address. Maybe you can try to use user exit SUSR0001 and log the IP address yourself. Unfortunately it will not go to the audit log. It also works only for dialog users.

Good luck
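
One way to implement the SUSR0001 workaround proposed in the replies above, restricted to the mycompany## accounts (an added example, not code from the thread or from SAP). It assumes a hypothetical custom table ZLOGON_IP_LOG created in SE11, and that function module TH_USER_INFO on the system exports TERMINAL and ADDRSTR.

```abap
*&---------------------------------------------------------------------*
*& Include ZXUSRU01: body of EXIT_SAPLSUSF_001 (enhancement SUSR0001),
*& activated through a CMOD project. Runs after a successful dialog
*& logon.
*&---------------------------------------------------------------------*
* Hypothetical table ZLOGON_IP_LOG (assumption, create it in SE11):
*   MANDT     TYPE MANDT         (key)
*   BNAME     TYPE XUBNAME       (key)
*   LOGON_TS  TYPE TIMESTAMP     (key, UTC)
*   TERMINAL  TYPE USR41-TERMINAL
*   IP_ADDR   TYPE NI_NODEADDR
*   APPSERVER TYPE SYHOST

DATA: ls_log      TYPE zlogon_ip_log,
      lv_terminal TYPE usr41-terminal,
      lv_ip       TYPE ni_nodeaddr.

* Record only the privileged accounts (mycompany1, mycompany2, ...);
* all other users pass through without a log entry.
IF sy-uname CP 'MYCOMPANY*'.

* Ask the application server which terminal name and network address
* it holds for the current session (the data SM04 can display).
  CALL FUNCTION 'TH_USER_INFO'
    IMPORTING
      terminal = lv_terminal
      addrstr  = lv_ip.

  GET TIME STAMP FIELD ls_log-logon_ts.
  ls_log-mandt     = sy-mandt.
  ls_log-bname     = sy-uname.
  ls_log-terminal  = lv_terminal.
  ls_log-ip_addr   = lv_ip.
  ls_log-appserver = sy-host.

* No COMMIT WORK here: the row is written with the implicit database
* commit at the end of the dialog step. A failed insert (sy-subrc <> 0)
* is deliberately not escalated, so the exit never blocks the logon.
  INSERT zlogon_ip_log FROM ls_log.

ENDIF.
```

As the replies state, this records successful dialog logons only and stays outside SM20. The stored address is the one the application server sees for the connection, so a NAT or proxy hop in front of the workstation is what gets recorded.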