06-24-2008 10:31 AM
This should be a simple question for you. Is there a transaction where I can see who was logged in last night between two time points? Something happened last night with some data that seem corrupt now. We would like to see whose fault that was. Thanks!
06-24-2008 10:34 AM
Hi,
if you have enabled the security audit log (SM19) with the appropriate filters, that will be easy (check the result in SM20). You can also try TX STAD. I hope that helps.
b.rgds, bernhard
06-24-2008 10:34 AM
> I can see who was logged in last night between two time points?
Most likely a job step user by the sounds of it. Shouting at them and cutting their pay does not help...
Check the job log (SM37) and also the security audit log (SM20). The problem of missing data most likely left some dumpts behind (ST22) and possibly update terminations (SM13) which will tell you more.
06-24-2008 11:13 AM
Thanks! STAD helped so far, though this list is way too long What exactly does SM19 do? It is disabled here, should we give it a try? What´s the difference to STAD?
06-24-2008 11:38 AM
Hi Peter,
regarding SM19, please refer to SAP note 139418.
b.rgds, Bernhard
06-24-2008 12:23 PM
> What exactly does SM19 do? It is disabled here, should we give it a try?
Activating SM19 will not bring back last night though. You will need to use other investigations.
If something happens during the night, the first thing I would check are batch jobs.
Cheers,
Julius
06-24-2008 12:33 PM
I have to correct the time to "6pm to 12pm" I have just spoken to an admin, there were no data broken but some important values have changed, like a stock number.
I will test sm19 for 24 hours and see what it can so. I created a new profile and added a filter, then activated it. Do I have to restart the system now or does it work right away?
06-24-2008 12:48 PM
If you use the dynamic profiles, then you do not need to restart the system. Only for the static profiles to take affect.
Cheers,
Julius
06-24-2008 1:20 PM
06-24-2008 1:27 PM
Depends on where you write them to But you normally read them from SM20.
Check the rsau/* params in RZ11 or open the menu in SM19. There are defaults, but you can change a number of the params for the Security Audit Log; these generally do require a restart though.
Cheers,
Julius
PS: Also see the sticky thread at the top of the forum. In the monitoring section there is a thread about monitoring and legal requirements which also contains more infos.
Edited by: Julius Bussche on Jun 24, 2008 12:28 PM