Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security audit log for the last 30 days?

Former Member

‎01-22-2010 6:03 AM

0 Kudos

Hi,

My current settings for the security audit log is 20 MB (by default). I dont want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).

What are the parameters that I would need to maintain?

Or any additinal config is required?

Thanks,

Abdul

8 REPLIES 8

Former Member

‎01-22-2010 6:44 AM

0 Kudos

Hi

I think the security audit logs are setup on a dialy basis and the audit file size can be changed in paramater

rsau/max_diskspace/local , max size is up to 2GB.

This link might be usefull

http://help.sap.com/printdocu/core/Print46c/en/data/pdf/BCCSTADM/BCCSTSAL.pdf

Experts, please correct if iam wrong.

Thanks,

Sanketh

Edited by: Sanketh Teegala on Jan 22, 2010 7:59 AM

former_member289039
Explorer

‎01-22-2010 1:23 PM

0 Kudos

Hi Abdul,

Security audit logs are setup on daily basis, i don't think it can be be set to no of days.

Moreover why you need to restrict the logs based on number of days?

If you want analyze the logs only for 30days, in sm20n set the dates accordingly and execute

Regards,

Jai

Former Member
In response to former_member289039

‎01-23-2010 7:22 AM

0 Kudos

Hi Jai

To put it the other way:

I want to find out who have logged in to the system, at what time, what transaction the user has run during the last 30 days. How do I get it?

Regards

/Abdul

former_member289039
Explorer
In response to former_member289039

‎01-23-2010 8:37 AM

0 Kudos

Hi Abdul,

If you need the logs for just 30 days, in sm20n set the from and todates accordingly and it will give you the relavent data.

You can also get the list of transactions or reports executed by an user in ST03N

Regards,

Jai

Former Member
In response to former_member289039

‎01-23-2010 8:56 AM

0 Kudos

Jai

Audit recorded is limited to 20 MB by default. I can increase the size of the audit file by a certain size.

My requirement is - I dont want to limit the file size by MBs. I want to record the audit file untiil it records the previous 30 days' data.

SM20 or SM20N shows only the data what is recorded in the audit files. Currently the audit file extends only upto 20 MB and records only for 1-2 days (depending on the transaction volume).

Thanks

Abdul

Former Member
In response to former_member289039

‎01-23-2010 11:04 AM

0 Kudos

The audit log does not throw older entries or files out as new ones come in, otherwise someone could flood the system with entries and wipe out the track of how they got in.

What you are looking for is either only reading the last 30 days (use the selection screen in SM20N) or delete files older than 30 days (see SM18).

However I would recommend keeping at least 45 days, as the symptoms of many events you might want to take a closer look into might only be found at month end periodic controls in the system (e.g. cost center reconciliations, bank statements, checking change documents, etc).

So go for selective reading first - you can very easily do this with a variant.

Cheers,

Julius

Former Member
In response to former_member289039

‎02-04-2010 10:17 AM

0 Kudos

Hi,

My current configuration is like this:

Name Description Current value System default value

FN_AUDIT Name of security audit file audit_++++++++

DIR_AUDIT Directory for security audit files /usr/sap/GSP/DVEBMGS00/log /usr/sap/GSP/D00/log

rsau/enable Enable Security Audit 0

rsau/max_diskspace/local Maximum space for security audit file 300M 20M

rsau/max_diskspace/per_day Maximum size of all security audit files per day 0

rsau/max_diskspace/per_file Maximum size of one single security audit file 0

rsau/selection_slots Number of selection slots for security audit 2

rsau/user_selection Defines the user selection method used inside kernel functions 0

I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB. If this is the growth rate, the 300MB allocated for audit will completely used in just a day.

My requirement is - I want to track users and their activities for the last 30 days (or 45 days). No log should be overwritten unless it is atleast 30 days old.

In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.

Other doubts: Do I have to start auditing manually every day? Or will it keep writing logs until it reaches 300 MB which can spread upto multiple days.

Regards

Abdul

Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM

Former Member
In response to former_member289039

‎02-04-2010 6:25 PM

0 Kudos

You have not done any config yet - you appear only to have set a dynamic filter once.

You need to work out what you want to log and for which users (or name ranges of them).

Much the same as in other areas of SAP security, just popping a * into everything is not a solution.

I suggest you read the SM19 FAQ SAP note in the FAQ sticky at the top of the forum before "proceeding further" ...

Cheers,

Julius