on 06-24-2010 10:34 AM
Hi All,
Issue in Audit sm20:
one of the account with special privileges which was set open for doing changes directly in production for a limited time.
When i tried to run an SM20 report to list the actions I did but I get an empty result.Where as able to get other information except that particular user.
Findings:
1.Able to identify transaction used in st03 for that user.
2, logs were returned on that particular date.
3.cheked in sm19 all activities were active.
4.all related parameters were set accordingly.
PLease help me out in finding out the result and to solve the issue
4.all related parameters were set accordingly.
Are you sure you had rsau/enable = 1 on all of your application servers ? Also, you can activate table auditing using parameter rec/client and then enable logging for specific tables requiring it(should only be done on small tables). Table T000(SCC4) has logging enabled by default when table auditing is activated.
Nelis
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
With table auditing enabled you can check in SCC4 -> Utilities -> Change Logs to see who opened the system for changes. The other thing to check is the size of your audit logs for storing data with parameter rsau/max_diskspace_local ...It may be set too small to capture all information(default is 10MB). Otherwise, I have no idea.
Nelis
>
> Hi Neils,
>
> Thank you for the inputs.
>
> Mentioned parameter is set to 1 and also rec/client=All.
>
> Any other options to identify the cause.
Hi,
rec/client has nothing to do with SM19/SM20.
It enables the system to log a very bare version of changelogs
for tables tagged in SE13 to do so and is only intended to be used
for customizing tables. The changelogs are stored in table
DBTABLOG / DBTABPRT (depending on release).
You can list these changes with report RSTBHIST.
Volker
> When i tried to run an SM20 report to list the actions I did but I get an empty result.Where as able to get other information except that particular user.
>
--> I believe you were able to view other users' activities during the same time, but specifically not for one user ?
In case there are many instances in your SAP system, could you check for all instances individually from SM20 ?
Also Security Audit logs cease to write when the audit log max size is achieved / quota for the day is done. Even this is instance specific and hence you need to verify this for the instance to which user logged on.
There are also occurances of Audit logs not being written owing to product error. Could you go through the following SAP Notes , in case the SAP release mentioned in the notes match with that of yours ?
-
SAP Note 763159 - Security Audit Log: some transaction starts not audited
SAP Note 710138 - Security Audit Log: Transactions are not recorded (3)
SAP Note 317883 - SecAudit: Transactions are not recorded
SAP Note 483953 - Security Audit Log: AU9 and AUA events are not recorded
SAP Note 840798 - SecAudit: Transaction code sometimes missing
-
cheers !
PRADi
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
81 | |
24 | |
11 | |
9 | |
7 | |
5 | |
5 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.