06-16-2009 9:06 PM
Our external auditors want us to run SM21 to review any debug write activity in our PRD environment. Does anyone know how much history is stored when SM21 is run? Is it a day's worth? Week, month? Is there an automated way to sweep the log or history file for this activity, as running SM21 manually is time consuming and cumbersome? Thanks
Mark
06-16-2009 9:16 PM
Take a look into transaction RZ20 (the CCMS alerts) where you can centrally monitor such stuff and define thresholds and reaction methods.
What I have also done for SM21 and a number of others in the past is create variants for their analysis reports which search for such events or change documents, and schedule them each hour or once per day etc to output a result (if found) to a mail distribution list.
There is also an exit in the stat collectors where you can do this more discretely and selectively.
Cheers,
Julius
06-16-2009 9:43 PM
Julius,
How much history (days, weeks etc.) is available using SM21? Thanks
Mark
06-17-2009 3:57 AM
Hi,
As mentioned by Julius already, this depends on the parameter settings, which need to be checked in RZ10 (rsau* parameters). It is a minimum of 3 days and varies from 30 days to a little more in some cases. Please check that and let us know if there is any issue.
Regards
Aveek.
06-17-2009 4:49 PM
Following is the total list of parameters associated with SM21. There is none present to limit the time; rather, it is dependent on the size specified (bold rows).
rslg/alert_filter_params
rslg/append/lock
rslg/central/file
rslg/central/old_file
rslg/collect_daemon/exe_file
rslg/collect_daemon/host
rslg/collect_daemon/listen_port
rslg/collect_daemon/pid_file
rslg/collect_daemon/talk_port
rslg/local/file
rslg/local/old_file
rslg/max_diskspace/central
rslg/max_diskspace/local
rslg/messages/flat_file
rslg/send_daemon/autostart
rslg/send_daemon/exe_file
rslg/send_daemon/listen_port
rslg/send_daemon/pid_file
rslg/send_daemon/status_file
rslg/send_daemon/talk_port
rslg/swap/lock
rslg/swap_daemon/exe_file
rslg/write_sync_disk
Regards,
Dipanjan
Edited by: Dipanjan Sanpui on Jun 17, 2009 11:49 AM
06-22-2009 3:20 PM
Julius,
Can you talk some more about your variant solution? I would like to understand more of what you are proposing. Sounds like it might do what I am looking for. Thanks
Mark
06-22-2009 5:14 PM
One simple example would be to schedule report RSUSR100N once per hour with a variant to search for profile SAP_ALL added OR removed for a time variable = the current date and yesterday.
For simplicity, you can create a mail distribution list and output the job to it. No coding involved.
If you don't want to have an empty email every hour, then in a second step get the spool request and check whether there is anything in it. If not, do nothing. If yes, send the mail with the contents to the distribution list.
You can use more fancy tricks (see Alex's post for one example), but that is the basic principle of the "watch job" approach, which is very easy to set up.
Another approach is to use database triggers to do the same, which is a layer away from the application user and a faster way to be informed.
Cheers,
Julius
06-22-2009 6:56 PM
OK, we are running 5.0; we don't have RSUSR100N, but we have RSUSR100 and I see what you mean. Now, that said, how can I set up such a job via SM21, or obtain info generated by SM21? I need to see who did any debug related activity and what was changed, if anything, as a control for managers to review. This is my ultimate goal. Let me know if we can talk offline somehow about this if that makes it easier. Thanks
Mark
06-22-2009 8:58 PM
Sounds as if your SP levels are a bit low then.
Regarding SM21 you can start the transaction, select all servers from the menu and in the selection screen choose SYSTEM --> Status to find the report. Otherwise just explore it in SE80 to see which options there are and try to use a stable one so that it does not change (the selection screen at least).
Take note that the system also writes SM21 messages for the "Go to Statement" function now, which does not change the variables but rather skips over the coding. The message is also in the A1 range.
There is also an API for exporting the messages to an external system for monitoring purposes. I have played around with that as well, but you need the infrastructure first and enough systems to make it worth while the effort.
> Let me know if we can talk offline somehow about this if that makes it easier.
No, it's okay here.
I also have a few other things in the logs you might want to check. What are you checking so far?
Cheers,
Julius
06-22-2009 9:23 PM
Right now I go into SM21 manually and go to Expert Mode, click on the button Message ID's. From there I only want to see messages A1 9 for debug activity. Ideally what I would like is for this report to be run daily or weekly automagically and a report sent to managers so they can review activity, if any. This would be a compensating control for any user that has the following object values: S_DEVELOP=01, 02 with Type=debug. Fortunately there are not a lot of users with these objects. So if somehow you can tell me how I can set this up so it runs nightly or some other time period and sends an email to the managers with the report, this would be easier than asking them to sign on and execute SM21 and go through these steps. I am the IT Auditor, so anything I can do to make life easier in the pursuit of compliance I'm all for it. Thanks
Mark
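The "watch job" idea from this thread (filter the system log for the A1 9 debug message and mail the result only when something was found), as an added example that is not part of any post here and is not SAP's own code. It assumes the log has already been exported to a pipe-delimited text file; that column layout, the sample rows, the A1X placeholder ID and the example.com addresses are all constructed.

```python
# Added example: "watch job" filter over an exported system log listing.
# The pipe-delimited layout and every sample row are constructed for this
# example; a real SM21 export must be mapped to these columns first.
import csv
import io
from email.message import EmailMessage

FIELDS = ["date", "time", "instance", "user", "tcode", "msgid", "text"]

SAMPLE_EXPORT = """\
2009-06-22|21:02:11|prdapp01_PRD_00|JDOE|SE38|A19|constructed text: field changed in debugger
2009-06-22|21:05:40|prdapp01_PRD_00|BATCH01|SM37|E00|constructed text: unrelated entry
2009-06-22|22:17:03|prdapp02_PRD_01|ASMITH|SE16|A1X|constructed text: placeholder A1-area entry
garbled line without enough columns
"""

def parse_export(text):
    """Yield one dict per well-formed row; rows with a wrong column count are skipped."""
    for row in csv.reader(io.StringIO(text), delimiter="|"):
        if len(row) == len(FIELDS):
            yield dict(zip(FIELDS, (cell.strip() for cell in row)))

def debug_events(text, msgids=("A19",), whole_area=False):
    """Return rows whose message ID is watched; whole_area=True keeps every A1* ID."""
    wanted = {m.replace(" ", "").upper() for m in msgids}
    hits = []
    for rec in parse_export(text):
        msgid = rec["msgid"].replace(" ", "").upper()
        if msgid in wanted or (whole_area and msgid.startswith("A1")):
            hits.append(rec)
    return hits

def build_report(hits, sender, recipients):
    """Return an EmailMessage for the reviewers, or None when there is nothing to report."""
    if not hits:
        return None  # the "no empty email every hour" rule
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"Debug activity in system log: {len(hits)} entr{'y' if len(hits) == 1 else 'ies'}"
    lines = [f"{r['date']} {r['time']}  {r['user']:<10} {r['tcode']:<6} {r['msgid']:<4} {r['text']}" for r in hits]
    msg.set_content("\n".join(lines))
    return msg

if __name__ == "__main__":
    report = build_report(debug_events(SAMPLE_EXPORT), "syslog-watch@example.com", ["managers@example.com"])
    print(report if report else "nothing to send")
```

Passing `whole_area=True` widens the filter to every message in the A1 area, which matters if the reviewers also want entries other than A1 9.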
06-22-2009 10:03 PM
06-22-2009 10:14 PM
OK, you lost me. If I do System---> Status from within SM21, this will allow me to automate the report? I don't see any option for that other than release, kernel, ip, aix version, transaction, program name information etc. Thanks for your patience.
Mark
06-22-2009 10:20 PM
The program name?
Double-click it - in a development system
This will not automate the report. It will help you find the name. I recommend that you talk to someone from your SAP team to co-ordinate this and help you.
Cheers,
Julius
Edited by: Julius Bussche on Jun 22, 2009 11:27 PM
06-23-2009 1:59 PM
Ahh, got it. I tried it in DEV and I get an error message at the bottom saying 'function code cannot be selected'. You mentioned we are behind on our patches. Could that cause this? In the Status window the Kernel patch level is 175. Is that the latest? Appreciate the assistance. Thanks
Mark
06-23-2009 2:14 PM
Julius, update: I can open the program in our test client but I can't in DEV. I'm thinking I don't have the authorization to do so. But I would like to know what patch we should be up to for our release 5.0.
Thanks again.
Mark
06-23-2009 4:39 PM
Sounds like you are missing S_DEVELOP authorizations to display program coding, which is what you are attempting to do when double-clicking.
Also see SAP Note 1085326 (https://service.sap.com/sap/support/notes/1085326) for an additional check which was introduced at a later stage.
I mentioned the support package level because your system does not have report RSUSR100N in it. This means you are about 18 months behind the current SP level...
Cheers,
Julius
08-26-2009 11:36 AM