Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security Audit Log SM19 and Log Management external tool

former_member577095
Participant

‎11-25-2010 6:02 PM

0 Kudos

Hi all,

we are connecting a SAP ECC system with a third part product for log management.

Our SAP system is composed by many application servers.

We have connected the external tool with the SAP central system.

The external product gathers data from SAP Security Audit Log (SM19/SM20).

The problem is that we see, in the external tool, only the data available in the central system.

The mandatory parameters have been activated and the system has been restarted.

The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.

In our scenario, we do not use SM20 since we want read the collected data in the external tool.

Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?

Thanks in advance.

Andrea Cavalleri

6 REPLIES 6

Former Member

‎11-25-2010 7:01 PM

0 Kudos

Hi Andrea,

Is this a periodic (e.g. nightly) extract or is it running close to real time?

You could schedule a job using RSAU_SELECT_EVENTS which will read the logs on all app servers & use the output from that to send to the external tool.

mvoros
Active Contributor

‎11-25-2010 8:29 PM

0 Kudos

Hi,

you can use external OS commands/scripts to push all your logs to one directory. Another solution could be to share folder over the network and store logs there. I am not sue but this may have negative impact on performance. BTW shouldn't you speak with vendor of that 3rd party tool? It looks like a flaw to me if it can't collect logs from each application server.Or maybe just misconfiguration of 3rd party tool.

Cheers

Former Member

‎11-25-2010 8:44 PM

0 Kudos

I am always amazed at these questions...

For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.

However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...

Cheers,

Julius

former_member577095
Participant

‎11-25-2010 8:58 PM

0 Kudos

Hi all,

thanks for the help.

For Julius, in Italy there is a law which asks to log all systems. In the company I am working, we need to track more than 20 systems and only 6 of them are SAP.

I agree with yuou that Solution Manager in not fully used but, anyway, it is related to SAP only.

Thanks again for then help.

Andrea

Former Member
In response to former_member577095

‎11-25-2010 9:10 PM

0 Kudos

I hope the law does not forbid SolMan?

You could pull all the data from the 6 SAP systems into the SolMan and then monitor the SolMan log only. That is 5 systems less.

You can also auto-react in the CCMS... so you do not even need to read the log anymore. Just wait for an email from it

Cheers,

Julius

former_member577095
Participant

‎01-14-2011 5:50 PM

0 Kudos

We found the solution: we have all SAP instance to write on the same log file.

The central istance writes log file on it's own directory. The others 2 systems write on the same directory as the central system in the same file name.

Andrea