SAP Note 539404: FAQ About Security Audit Log

539404 - FAQ: Answers to questions about the Security Audit Log

Header Data

Version: 41
Validity: 04.10.2013 - active
Language: English
Released On: 04.10.2013 14:02:14
Release Status: Released for Customer
Component: BC-SEC-SAL Security Audit Log
Priority: Recommendations / Additional Info
Category: FAQ

Symptom

This note contains answers to frequently asked questions (FAQ).

Configuration

[1] Question: What is the difference between static and dynamic configuration?
[2] Question: Why do changes to the profile parameter not take effect during the next system restart?
[3] Question: Why does the configuration disappear after I reboot the system or an instance?
[4] Question: How many different selections can I make?
[5] Question: Can I extend the number of selections beyond the maximum number with an ABAP modification?
[6] Question: The Security Audit Log has deactivated itself. Why is this?
[7] Question: The user and client fields in transaction SM19 cannot be maintained with SAP documentation with generic values and do not have a values list function. Can I still use generic user names?
[8] Question: Can the settings of the audit log be transported?

Terminal names

[10] Question: Why is the terminal name missing in some messages?
[11] Question: Why is the terminal name truncated (only 8 characters)?

Audit files

[20] Question: In the work directory of the instance, files with the audit_<yyyymmdd> name pattern, or a similar name pattern, often fill the file system. What generates the files and how can I prevent this?
[21] Question: What is the maximum size of an audit file?
[22] Question: What happens if the audit file reaches its maximum size?
[23] Question: Do restrictions exist for the length of the names for audit files?
[24] Question: What interdependencies exist between the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameter?
[25] Question: Can I create audit files on a central file server?
[26] Question: I cannot delete any audit files with transaction SM18 or report RSAUPURG. Why?
[27] Question: Transaction SM18 displays a field for entering a minimum age. However, the unit in question is not specified.
[28] Question: If the audit files reach their maximum size, the size exceeds the size specified in the profile parameter. Why?
[29] Question: Audit files are not closed immediately after a day change. Sometimes, the last time access by the operating system is several days after the file change. As a result, it is not possible to carry out a regular deletion.
[30] Question: After you convert to a Unicode system, you can no longer evaluate audit files that were created beforehand. What do I have to do?
[31] Question: Can I archive audit files?

Evaluation

[40] Question: Although the Security Audit Log is activated and audit files also exist at operating system level, does transaction SM20 indicate that audit files do not exist?
[41] Question: Is it possible that events in the audit log are missing?
[43] Question: Is it possible that not all download events are recorded?
[44] Question: Is it possible that events are recorded repeatedly in the audit log, for example, the same logon of each server?
[45] Question: Can I be sure that audit files from older releases can still be evaluated in newer releases?
[46] Question: Can external programs carry out evaluations?
[47] Question: Sometimes there are values missing from the 'transaction code' and 'program' columns. Why?
[48] Question: The entries for the transaction start and report start do not contain any information about the data that was edited. Where can this detailed information be found?
[49] Question: Can similar events (calling a transaction using user X) be compressed in the trace output?
[50] Question: The evaluation of users displays more events than are fixed in the audit configuration. Why?

SQL audit

[90] Question: Note 115224 describes the activation of the SQL audit. Can I evaluate the audit files in the standard systems?
[91] Question: Is there a description of the data structure?

Other Terms

FAQ, Q+A, SM18, SM19, SM20, RSAUPURG, SQL audit

Reason and Prerequisites

-

Solution

Configuration

[1] Question: What is the difference between static and dynamic configuration?

Answer: A static configuration stores a Security Audit Log configuration permanently in the database; every time the system is restarted, it is transferred as the current configuration. If you want to operate the Security Audit Log on an ongoing basis, for example, if requested to do so by a tax inspector, then you must create a static configuration and determine it as the active configuration!

A dynamic configuration is used to change the current configuration while the system is running, or to activate the Security Audit Log. For example: You want to monitor an SAP support employee whose login name was not contained up to now in the static configuration. Without dynamic configuration, you would have to restart the system for this type of temporary filter change! With dynamic configuration, you can change all filter settings except the number of filters. A Security Audit Log set by dynamic configuration only lasts until the system is restarted.

In addition, you must at least set the following profile parameters:

- DIR_AUDIT: Directories for the audit files
- FN_AUDIT: Names of the audit files (name pattern)
- rsau/enable: Enable Security Audit Log
- rsau/max_diskspace/local: Maximum size of an audit file
- rsau/selection_slots: Number of filters used for the Security Audit Log

Missing parameters are replaced by the default value.

[2] Question: Why do changes to the profile parameter not take effect during the next system restart?

Answer: The Shared Memory SCSA was not deleted during the system restart (only with Unix, Note 173743)

[3] Question: Why does the configuration disappear after reboot of the system or an instance?

Answer:
1. 4.0B: The special profile parameters were not used (Note 135210)

[4] Question: How many different selections can I make?

Answer: Unfortunately, the documentation for the parameter rsau/selection_slots is incorrect in some releases. Here are the current values:

- 4.0: 4 (with screen enhancement) (SAP Note 107417)
- as of 4.6: 10

[5] Question: Can I extend the number of selections beyond the maximum number with an ABAP modification?

Answer: No, as kernel functions would also have to be changed.

[6] Question: The Security Audit Log has deactivated itself. Why is this?

Answer:
1. Automatic deactivation is not provided.
2. After a system restart, the following reasons may prevent audit events from being recorded:
   a) A static profile does not exist or is not activated,
   b) The audit file could not be opened (syslog AV4 *1),
   c) The audit file has already exceeded its maximum size.
3. The following reasons cause recording to terminate:
   a) The audit file has reached its maximum size (syslog AV1),
   b) An error occurred while the audit file was being written (syslog AV5 *2).
4. During a release upgrade, the old shared memory SCSA was not explicitly deleted and is therefore still present. However, the new release requires the new version for this area and therefore cannot be activated (syslog AV8 *3).

[7] Question: The user and client fields in transaction SM19 cannot be maintained with SAP documentation with generic values and do not have a values list function. Can I still use generic user names?

Answer: No, this function is only introduced with technology Release 6.40, but it is already available in 6.20 as of Kernel Patch 400 and the necessary Support Package SAPKB62020 (see Note 574914).

[8] Question: Can the settings of the audit log be transported?

Answer: No

Terminal names

[10] Question: Why is the terminal name missing in some messages?
Answer: In the case of events that are created using a Remote Function Call (RFC) or HTTP(S), the terminal name in the kernel is not always known. As of the 6.40 kernel, the system will therefore try to determine the IP address in addition to the terminal name. If both can be determined, the system outputs the terminal name; otherwise, the system logs the value that can be determined. If neither the terminal name nor the IP address can be determined, the value of the terminal name in the Security Audit Log remains blank for this message. As of the kernel enhancement specified in Note 1497445, you can also control whether the IP address is logged instead of the terminal name if the system is able to determine both values.

[11] Question: Why is the terminal name truncated (only 8 characters)?

Answer:
1. In Releases 4.0, 4.5 and 4.6, only 8 characters are provided for saving the terminal name. Only the first 8 characters of a terminal name are copied by default. In Release 4.6 as of KP 504, you can treat terminal names in the same way as computer names (see Note 3116).
2. As of Basis Release 6.10, data terminal names are recorded with a length of 20 characters in the quality audit log.
3. For Releases 6.40 and 7.00, also see SAP Note 1050441.

Audit files

[20] Question: In the work directory of the instance, files with the audit_<yyyymmdd> name pattern, or a similar name pattern, often fill the file system. What generates the files and how can I prevent this?

Answer: These files are created by the Security Audit Log component. The component must have been activated either with profile parameter rsau/enable or dynamically with transaction SM19. The component is deactivated by setting the profile parameter rsau/enable to 0. If the value is already 0, the component was activated using transaction SM19. To deactivate the component, you may have to

[21] Question: What is the maximum size of an audit file?

Answer: 2 gigabytes

For a single day, this means:

- <= 4.6: 11.930.464 events or 138 events per second
- >= 6.10: 10.737.418 events or 124 events per second

Value ranges of the profile parameters

Changed minimum values (see Note 909734):
as of 6.40
as of 6.40 PL 143

Note that the largest numeric value you can enter for these three parameters is 4294967295. All numbers higher than that will automatically be reduced to this maximum value. If you want to set, for example, rsau/max_diskspace/per_day to 5 GB, you CANNOT enter this value in bytes (5368709120) but you must enter the size in KB, as 5242880K, or in MB as 5120 MB.

[22] Question: What happens if the audit file reaches its maximum size?

Answer: The file is closed and recording is terminated. On the next day, the system creates a new file (only as of 4.5B KP 632, 4.6D KP 2088, 6.40 KP 80, 7.00 KP 51).

[23] Question: Do restrictions exist for the length of the names for audit files?

Answer: Yes, in addition to the restrictions that apply because of the operating system used, the following restrictions also exist because of the kernel functions used in ABAP parts:

- Maximum length for file names = 75 characters
- Maximum length for directories = 75 characters
- The total length for the file name and the directory must not exceed 79 characters.

[24] Question: What dependencies exist between the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameter?

Answer: The rsau/local/file parameter must be specified in Releases 4.0 and 4.5. For compatibility reasons, it is also still analyzed up to and including Release 6.20. As of Release 4.6 it can be left out. It no longer exists as of Release 6.40.
If it is used, the two profile parameters DIR_AUDIT and FN_AUDIT must correspond to the parameter rsau/local/file, that is:

'+' here stands for the directory separator ('/' or '\').

Otherwise, audit files cannot be deleted with transaction SM18 (RSAUPURG report) or evaluation with transaction SM20 is not possible as of Release 4.6. (See Notes 198646 and 441639).

[25] Question: Can I create audit files on a central file server?

Answer: Yes, but bear in mind that the performance can suffer as a result. All audit events are written synchronously and unbuffered to the files. Depending on the volume of data involved, users may see higher response times. You must also note that a separate file name or a separate directory is used for each instance, which prevents several servers writing into a file (data loss). Be careful when using virus scan programs. With permanent monitoring, problems can occur with UNC names (nonsense error messages when you open the audit files, for example, "Invalid argument").

[26] Question: I cannot delete any audit files with transaction SM18 or report RSAUPURG. Why?

Answer: This may be an upper/lower case problem in the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameters (different notation). Before the actual deletion, the system checks again whether it is an audit file name. Here, the case-sensitive path in particular is compared, for example:     F:\usr\sap\ZV1\DVEBMGS00\log are not the same. (SAP Note 198646)

[27] Question: Transaction SM18 displays a field for entering a minimum age. However, the unit in question is not specified.

Answer: The unit in question is a day. The lowest minimum age is 3 days. The current day is not included in the calculation of the files to be deleted!

[28] Question: If the audit files reach their maximum size, the size exceeds the size specified in the profile parameter. Why?

Answer: Since Release 4.6, the maximum file sizes are processed internally in kilobytes. Profile parameter values in bytes are then converted into kilobytes (KB). For example, 1,000,000 gives the value 976 KB. Recording is stopped as soon as the KB value is exceeded, in the example case with the value 977 KB or 1,000,620. If you use the rsau/max_diskspace/per_file profile parameter, the minimum size of the file is 1 megabyte (= 1024 KB = 1048576). If the value of the profile parameter is smaller than 1 MB, for example if it is only 1,000,000, it is automatically set to this value. In this case, the recording is stopped as soon as the KB value is exceeded. Due to the check for the kilobyte limit, the file can become very slightly larger than specified in the profile parameter.
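An added example, not part of the SAP note and not SAP code: a small profile check that applies the size rules from answers [21] and [28] and the naming rules from answers [23], [24] and [26]. The accepted size syntax, leaving the separator out of the 79-character total, and the rule that rsau/local/file equals DIR_AUDIT plus separator plus FN_AUDIT are assumptions; `audit_sample` and the lowercase path are constructed values.

```python
import re

U32_MAX = 4294967295     # largest numeric value accepted, per answer [21]
MIN_PER_FILE_KB = 1024   # 1 MB floor for rsau/max_diskspace/per_file, answer [28]

def effective_kb(raw, per_file=False):
    """Return (limit_kb, warnings) for a value like '1000000', '5242880K', '5120 MB'."""
    m = re.fullmatch(r"\s*(\d+)\s*([KM]?)B?\s*", raw, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {raw!r}")
    number, unit = int(m.group(1)), m.group(2).upper()
    warnings = []
    if number > U32_MAX:  # higher numbers are automatically reduced, so flag it
        warnings.append(f"{number} exceeds {U32_MAX} and is reduced to it")
        number = U32_MAX
    # Byte values are converted to whole kilobytes (1,000,000 -> 976 KB).
    kb = {"": number // 1024, "K": number, "M": number * 1024}[unit]
    if per_file and kb < MIN_PER_FILE_KB:
        warnings.append("below 1 MB, raised to 1024 KB")
        kb = MIN_PER_FILE_KB
    return kb, warnings

def check_audit_paths(dir_audit, fn_audit, local_file=None):
    """Findings for DIR_AUDIT / FN_AUDIT / rsau/local/file (answers [23], [24], [26])."""
    findings = []
    if len(dir_audit) > 75:
        findings.append("DIR_AUDIT longer than 75 characters")
    if len(fn_audit) > 75:
        findings.append("FN_AUDIT longer than 75 characters")
    # Assumption: the separator is not counted in the 79-character total.
    if len(dir_audit) + len(fn_audit) > 79:
        findings.append("directory plus file name longer than 79 characters")
    if local_file is not None:
        # Assumption: rsau/local/file must equal DIR_AUDIT + separator + FN_AUDIT.
        sep = "\\" if "\\" in dir_audit else "/"
        joined = dir_audit.rstrip("/\\") + sep + fn_audit
        if joined != local_file and joined.lower() == local_file.lower():
            findings.append("rsau/local/file differs only in upper/lower case")
        elif joined != local_file:
            findings.append("rsau/local/file does not match DIR_AUDIT and FN_AUDIT")
    return findings

if __name__ == "__main__":
    print(effective_kb("5368709120"))   # 5 GB in bytes: flagged and reduced
    print(effective_kb("5242880K"))     # the same 5 GB limit expressed in KB
    # Constructed values; only the DIR_AUDIT path below appears in the note.
    print(check_audit_paths(r"F:\usr\sap\ZV1\DVEBMGS00\log", "audit_sample",
                            r"f:\usr\sap\zv1\dvebmgs00\log\audit_sample"))
```

A value that comes back with a warning is one where the effective limit differs from what the profile appears to request, which is the situation that ends recording earlier than expected.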