Changing Filters Dynamically

You specify the information you want to audit in filters that you can either:

  1. Create and save permanently in the database in static profiles.
  2. If you use this option, all of the application servers use identical filters for determining which events should be recorded in the audit log. You only have to define filters once for all application servers.

    You can also define several different profiles that you can alternatively activate.

  3. Change dynamically on one or more application servers.

With this option, you can dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers.

This topic concentrates on dynamically changing filters. For information on defining filters in static profiles, see Maintaining Static Profiles.

These changes are active until they are changed or the application server is shut down.

Prerequisites

The following profile parameters must be set:

Audit Log Profile Parameters

Profile Parameter

Description

rsau/enable

Enable the Security Audit Log

rsau/local/file

Names and locations of audit files

rsau/max_diskspace/local

Maximum space to allocate for the audit files

rsau/selection_slots

Number of filters to allow for the Security Audit Log

Procedure

  1. To access the Security Audit Log configuration screen from the SAP standard menu, choose Tools ® Administration ® Monitor ® Security Audit Log ® Configuration.
  2. The Security Audit: Administer Audit Profile screen appears with the Static configuration tabstrip activated.

  3. Choose the Dynamic configuration tabstrip or Goto à Dynamic configuration from the menu.
  4. In the upper section of the screen, you receive a list of the active instances and their auditing status. The lower section of the screen contains tabstrips for maintaining filters.

  5. Choose Configuration à Display <-> Change.

  6. Define filters for the application server.
  7. Make sure the Filter active indicator is set for each of the filters you want to apply to the audit on the application server.
  8. If you want to distribute the filter definition to all of the application servers, choose Configuration à Distribute configuration.
  9. To change the auditing status on a single application server, select the status indicator in the List of active instances table.
    • indicates an activated audit.
    • indicates a deactivated audit.
  1. To activate the filter (or filters) on all of the application servers, choose Configuration à Activate audit. (To deactivate the filters on all of the application servers, choose Configuration à Deactivate audit.)

If you receive a program failure, then make sure you have the authorization S_RFC with the value SECU in your authorization profile. (The system uses remote function calls to obtain a list of servers and therefore, you need the appropriate authorizations.)

Result

The audit filters are dynamically created on all active application servers. If you activate the profile(s), then any actions that match any of these filters are recorded in the Security Audit Log. Changes to the filter definitions are effective immediately and exist until the applic

No comments:

topics