Audit logs not displaying in sm20

Former Member · ‎05-13-2015

Hi all,

After kernel 721_EXT_500 upgrade, i am not able to see Security audit logs in sm20. However logs are generating at OS level.

i have observed after kernel upgrade at OS level audit file format was changed in to ++++++++######.AUD before it was audit_+++++++. Then accordingly i have set the below parameters

FN_AUDIT	++++++++######.AUD
DIR_AUDIT	/usr/sap/SID/DVEBMGS00/log
RSAU/ENABLE	1

after change the FIN_AUDIT parameter , i can see the logs only after kernel upgrade. but i want to see the full logs before and after kernel upgrade.

appreciate your quick response

Regards,

Raghav.

.

former_member157391 · ‎05-13-2015

Hi,

As far as I know, it is not possible to evaluate both format audit logs at the same time.

However, you could use report RSAU_SELECT_EVENTS to evaluate past logs.

I hope this information is useful.

Best regards,

Ning

Former Member · ‎05-13-2015

hi,

i have came across this report. but this report is useful only for particular day/file .it wont work if you want to fetch the whole month or year data.

Private_Member_69416 · ‎05-13-2015

Hi

Try to change old files names to new format.

Best regards

Przemek

Former Member · ‎05-13-2015

hi,

i have already tried this .its working fine, but its ok for one or two files. i need to change one year files.

regards,

raghav.

Private_Member_69416 · ‎05-13-2015

What basis level and parameter FT_AUDIT do you have ?

Former Member · ‎05-13-2015

hi,

our basis level is Rel 701 and Sp level is 14. i have nt maintained Parameter FT_Audit.

Private_Member_69416 · ‎05-13-2015

When you set rsau/integrity=1 you starting to use new security log format

Integrity protection was introduced in note 2033317.

It refers to extensions from note 1810913,but corrections aren't available for your basis level.

It looks like you need to have BASIS >=7.30 to fully use the feature.

I have no problems (on 7.30, 721_EXT_500) reading both formats at once in SM20.

You can :

Disable integrity mode with rsau/integrity=0 and set FN_AUDIT=audit_+++++++

Or

Use script to mass rename files you want.

Former Member · ‎05-14-2015

hi,

With rsau/integrity=0 , i can able to see new logs by SM20 but with FN_AUDIT value must be ++++++++######.AUD.

Private_Member_69416 · ‎05-15-2015

According to notes 875835, 909738 kernel set default name due to conflict in parameters:
rsau/max_diskspace/per_day and rsau/max_diskspace/per_file

SM20 is using strictly FN_AUDIT value from profile

gangadharvegi · ‎05-14-2015

Hi Raghu,

Have you tried keeping FN_AUDIT parameter value same as old one???

Hope you have only few audit files with new file names!!

Regards,

Gangadhar

Former Member · ‎05-14-2015

hi gangadhar,

i have tried but not working.

yes i have only few logs after kernel upgrade but if want to read, i have to change the format everyday.

Regards,

Raghu.

gangadharvegi · ‎05-14-2015

Hi Raghu,

Seems we have only one option left 😞 Converting the file names to new format -

Kindly check the note 539404 (question 30) and use the report RSCP_CONVERT_FILE to covert the file name to new format

This report should allow you to do mass file name change

OR

You can check with basis team to get OS level command/Script to mass rename of old files.

It is better to take a back up of files before doing this conversion.

Regards,

Gangadhar

Former Member · ‎05-19-2015

hi,

issue resolved , Note 909738 is helpful .

Regards,

raghu.