05-13-2015 8:12 AM
Hi all,
After the kernel 721_EXT_500 upgrade, I am not able to see Security Audit Logs in SM20. However, logs are being generated at OS level.
I have observed that after the kernel upgrade the audit file name format at OS level changed to ++++++++######.AUD; before it was audit_+++++++. Accordingly, I have set the parameters below:
FN_AUDIT | ++++++++######.AUD |
DIR_AUDIT | /usr/sap/SID/DVEBMGS00/log |
RSAU/ENABLE | 1 |
After changing the FN_AUDIT parameter, I can see only the logs from after the kernel upgrade, but I want to see the full logs from before and after the kernel upgrade.
I appreciate your quick response.
Regards,
Raghav.
05-13-2015 9:13 AM
Hi,
As far as I know, it is not possible to evaluate audit logs in both formats at the same time.
However, you could use report RSAU_SELECT_EVENTS to evaluate past logs.
I hope this information is useful.
Best regards,
Ning
05-13-2015 11:53 AM
Hi,
I have come across this report, but it is useful only for a particular day/file. It won't work if you want to fetch a whole month's or year's data.
05-13-2015 11:55 AM
Hi,
I have already tried this. It's working fine, but it's OK for one or two files. I need to change one year's files.
Regards,
Raghav.
05-13-2015 12:56 PM
Hi,
Our basis level is Rel 701 and SP level is 14. I haven't maintained parameter FT_Audit.
05-13-2015 2:22 PM
When you set rsau/integrity=1, you start using the new security log format.
Integrity protection was introduced in note 2033317.
It refers to extensions from note 1810913, but corrections aren't available for your basis level.
It looks like you need to have BASIS >= 7.30 to fully use the feature.
I have no problems (on 7.30, 721_EXT_500) reading both formats at once in SM20.
You can:
Disable integrity mode with rsau/integrity=0 and set FN_AUDIT=audit_+++++++
Or
Use a script to mass rename the files you want.
05-14-2015 7:57 AM
Hi,
With rsau/integrity=0, I am able to see new logs in SM20, but the FN_AUDIT value must be ++++++++######.AUD.
05-14-2015 7:46 AM
Hi Raghu,
Have you tried keeping the FN_AUDIT parameter value the same as the old one?
Hope you have only a few audit files with new file names!
Regards,
Gangadhar
05-14-2015 8:01 AM
Hi Gangadhar,
I have tried, but it's not working.
Yes, I have only a few logs after the kernel upgrade, but if I want to read them, I have to change the format every day.
Regards,
Raghu.
05-14-2015 9:44 AM
Hi Raghu,
Seems we have only one option left 😞 Converting the file names to the new format:
Kindly check note 539404 (question 30) and use the report RSCP_CONVERT_FILE to convert the file names to the new format.
This report should allow you to do a mass file name change.
OR
You can check with the basis team to get an OS-level command/script to mass rename the old files.
It is better to take a backup of the files before doing this conversion.
Regards,
Gangadhar