You specify the information you want to audit in filters that you can either:
- Create and save permanently in the database in static profiles.
- Change dynamically on one or more application servers.
If you use this option, all of the application servers use identical filters for determining which events should be recorded in the audit log. You only have to define filters once for all application servers.
You can also define several different profiles that you can alternatively activate.
With this option, you can dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers.
This topic concentrates on dynamically changing filters. For information on defining filters in static profiles, see Maintaining Static Profiles.
These changes are active until they are changed or the application server is shut down.
Prerequisites
The following profile parameters must be set:
Audit Log Profile Parameters
Profile Parameter | Description |
rsau/enable | Enable the Security Audit Log |
rsau/local/file | Names and locations of audit files |
rsau/max_diskspace/local | Maximum space to allocate for the audit files |
rsau/selection_slots | Number of filters to allow for the Security Audit Log |
Procedure
- To access the Security Audit Log configuration screen from the SAP standard menu, choose Tools ® Administration ® Monitor ® Security Audit Log ® Configuration.
- Choose the Dynamic configuration tabstrip or Goto à Dynamic configuration from the menu.
- Choose Configuration à Display <-> Change.
- Make sure the Filter active indicator is set for each of the filters you want to apply to the audit on the application server.
- If you want to distribute the filter definition to all of the application servers, choose Configuration à Distribute configuration.
- To change the auditing status on a single application server, select the status indicator in the List of active instances table.
The Security Audit: Administer Audit Profile screen appears with the Static configuration tabstrip activated.
In the upper section of the screen, you receive a list of the active instances and their auditing status. The lower section of the screen contains tabstrips for maintaining filters.
indicates an activated audit.
indicates a deactivated audit.
- To activate the filter (or filters) on all of the application servers, choose Configuration à Activate audit. (To deactivate the filters on all of the application servers, choose Configuration à Deactivate audit.)
If you receive a program failure, then make sure you have the authorization S_RFC with the value SECU in your authorization profile. (The system uses remote function calls to obtain a list of servers and therefore, you need the appropriate authorizations.)
Result
The audit filters are dynamically created on all active application servers. If you activate the profile(s), then any actions that match any of these filters are recorded in the Security Audit Log. Changes to the filter definitions are effective immediately and exist until the applic
No comments:
Post a Comment