Using SM21 to review write debug activity

Former Member
0 Kudos

Our external auditors want us to run SM21 to review any debug write activity in our PRD environment. Does anyone know how much history is stored when SM21 is run? Is it a day's worth? Week, month? Is there an automated way to sweep the log or history file for this activity, as running SM21 manually is time consuming and cumbersome? Thanks

Mark

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Take a look into transaction RZ20 (the CCMS alerts) where you can centrally monitor such stuff and define thresholds and reaction methods.

What I have also done for SM21 and a number of others in the past is create variants for their analysis reports which search for such events or change documents, and schedule them each hour or once per day etc to output a result (if found) to a mail distribution list.

There is also an exit in the stat collectors where you can do this more discretely and selectively.

Cheers,

Julius

16 REPLIES 16

0 Kudos

Julius,

How much history (days, weeks etc.) is available using SM21? Thanks

Mark

0 Kudos

Hi,

As Julius already mentioned, this depends on the parameter settings, which need to be checked in rz10 (rsau* parameters). It is a minimum of 3 days and varies from 30 days to a little more in some cases. Please check that and let us know if there is any issue.

Regards

Aveek.

0 Kudos

The following is the full list of parameters associated with SM21. There is none to limit the time; rather, it depends on the size specified (bold rows).

rslg/alert_filter_params

rslg/append/lock

rslg/central/file

rslg/central/old_file

rslg/collect_daemon/exe_file

rslg/collect_daemon/host

rslg/collect_daemon/listen_port

rslg/collect_daemon/pid_file

rslg/collect_daemon/talk_port

rslg/local/file

rslg/local/old_file

rslg/max_diskspace/central

rslg/max_diskspace/local

rslg/messages/flat_file

rslg/send_daemon/autostart

rslg/send_daemon/exe_file

rslg/send_daemon/listen_port

rslg/send_daemon/pid_file

rslg/send_daemon/status_file

rslg/send_daemon/talk_port

rslg/swap/lock

rslg/swap_daemon/exe_file

rslg/write_sync_disk

Regards,

Dipanjan

Edited by: Dipanjan Sanpui on Jun 17, 2009 11:49 AM

0 Kudos

Julius,

Can you talk some more about your variant solution? I would like to understand more of what you are proposing. Sounds like it might do what I am looking for. Thanks

Mark

0 Kudos

One simple example would be to schedule report RSUSR100N once per hour with a variant to search for profile SAP_ALL added OR removed for a time variable = the current date and yesterday.

For simplicity, you can create a mail distribution list and output the job to it. No coding involved.

If you don't want to have an empty email every hour, then in a second step get the spool request and check whether there is anything in it. If not, do nothing. If yes, send the mail with the contents to the distribution list.

You can use more fancy tricks (see Alex's post for one example), but that is the basic principle of the "watch job" approach, which is very easy to set up.

Another approach is to use database triggers to do the same, which is a layer away from the application user and a faster way to be informed.

Cheers,

Julius

0 Kudos

OK, we are running 5.0; we don't have RSUSR100N but we have RSUSR100, and I see what you mean. Now, that said, how can I set up such a job via SM21, or obtain info generated by SM21? I need to see who did any debug related activity and what was changed, if anything, as a control for managers to review. This is my ultimate goal. Let me know if we can talk offline somehow about this if that makes it easier. Thanks

Mark

0 Kudos

Sounds as if your SP levels are a bit low then.

Regarding SM21 you can start the transaction, select all servers from the menu and in the selection screen choose SYSTEM --> Status to find the report. Otherwise just explore it in SE80 to see which options there are and try to use a stable one so that it does not change (the selection screen at least).

Take note that the system also writes SM21 messages for the "Go to Statement" function now, which does not change the variables but rather skips over the coding. The message is also in the A1 range.

There is also an API for exporting the messages to an external system for monitoring purposes. I have played around with that as well, but you need the infrastructure first and enough systems to make it worth the effort.

> Let me know if we can talk offline somehow about this if that makes it easier.

No, it's okay here.

I also have a few other things in the logs you might want to check. What are you checking so far?

Cheers,

Julius

0 Kudos

Right now I go into SM21 manually and go to Expert Mode, click on the button Message ID's. From there I only want to see messages A1 9 for debug activity. Ideally what I would like is for this report to be run daily or weekly automagically and a report sent to managers so they can review activity, if any. This would be a compensating control for any user that has the following object values: S_DEVELOP=01, 02 with Type=debug. Fortunately there are not a lot of users with these objects. So if somehow you can tell me how I can set this up so it runs nightly or at some other time period and sends an email to the managers with the report. This would be easier than asking them to sign on and execute SM21 and go through these steps. I am the IT Auditor, so anything I can do to make life easier in the pursuit of compliance, I'm all for it. Thanks

Mark
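The "watch job" idea from this thread (filter the log output for message A1 9 and mail reviewers only when something is found), sketched as an added example that is not from any poster or from SAP. The pipe-delimited export layout, the sample rows and the addresses are constructed assumptions; a real SM21 list export has a release-specific layout and the parser must be adjusted to it.

```python
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample export. Assumed column layout (not SAP's own):
# date|time|client|user|tcode|message ID|text
SAMPLE_EXPORT = """\
Date|Time|Cl.|User|TCode|MNo|Text
2009-06-22|09:14:02|100|DEVUSER1|SE38|A1 4|Other A1-range message (constructed)
2009-06-22|09:15:40|100|DEVUSER1|SE38|A1 9|Field content changed (constructed)
2009-06-22|10:02:11|100|BATCHUSR|SM37|EB C|Unrelated message (constructed)
2009-06-22|11:30:05|100|DEVUSER2|SE80|A19|Field content changed (constructed)
"""

WATCHED_IDS = {"A19"}  # "A1 9" from the thread, compared without whitespace


def find_hits(export_text, watched=WATCHED_IDS):
    """Return parsed rows whose message ID is in the watched set."""
    hits = []
    for line in export_text.splitlines():
        cols = [c.strip() for c in line.split("|", 6)]
        if len(cols) != 7 or cols[0] == "Date":
            continue  # skip header, blank and malformed lines
        date, time, client, user, tcode, msg_id, text = cols
        if "".join(msg_id.split()).upper() in watched:
            hits.append({"when": f"{date} {time}", "client": client,
                         "user": user, "tcode": tcode, "text": text})
    return hits


def build_alert(hits, sender, recipients):
    """Build the reviewers' mail, or None when there is nothing to report."""
    if not hits:
        return None  # suppress the empty e-mail
    by_user = defaultdict(list)
    for h in hits:
        by_user[h["user"]].append(h)
    body = []
    for user in sorted(by_user):
        body.append(f"{user}: {len(by_user[user])} event(s)")
        body += [f"  {h['when']} client {h['client']} {h['tcode']}: {h['text']}"
                 for h in by_user[user]]
    msg = EmailMessage()
    msg["Subject"] = f"Debug write activity: {len(hits)} event(s)"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content("\n".join(body))
    return msg
```

The returned message can be handed to `smtplib.SMTP.send_message` by whatever scheduler runs the job; widen `WATCHED_IDS` if other A1-range messages should also be reviewed.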

0 Kudos

Click on SYSTEM --> Status...

Cheers,

Julius

0 Kudos

OK, you lost me. If I do System---> Status from within SM21, this will allow me to automate the report? I don't see any option for that other than release, kernel, ip, aix version, transaction, program name information etc. Thanks for your patience.

Mark

0 Kudos

The program name?

Double-click it - in a development system

This will not automate the report. It will help you find the name. I recommend that you talk to someone from your SAP team to co-ordinate this and help you.

Cheers,

Julius

Edited by: Julius Bussche on Jun 22, 2009 11:27 PM

0 Kudos

Ahh, got it. I tried it in DEV and I get an error message at the bottom saying 'function code cannot be selected'. You mentioned we are behind on our patches. Could that cause this? In the Status window the Kernel patch level is 175. Is that the latest? Appreciate the assistance. Thanks

Mark

0 Kudos

Julius, update: I can open the program in our test client but I can't in DEV. I'm thinking I don't have the authorization to do so. But I would like to know what patch we should be up to for our release 5.0.

Thanks again.

Mark

0 Kudos

Sounds like you are missing S_DEVELOP authorizations to display program coding, which is what you are attempting to do when double-clicking.

Also see SAP Note 1085326 (https://service.sap.com/sap/support/notes/1085326) for an additional check which was introduced at a later stage.

I mentioned the support package level because your system does not have report RSUSR100N in it. This means you are about 18 months behind the current SP level...

Cheers,

Julius
