The Design of the Security Audit Log

Overview

The Security Audit Log keeps a record of security-related activities in SAP Systems. This information is recorded daily in an audit file on each application server. To determine what information should be written to this file, the audit log uses filters, which are stored in memory in a control block. When an event occurs that matches an active filter (for example, a transaction start), the audit log generates a corresponding audit message and writes it to the audit file. A corresponding alert is also sent to the CCMS alert monitor. Details of the events are provided in the Security Audit Log's audit analysis report. See the graphic below:

Security Audit Log Architecture

SAP Systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server (see Deleting Old Audit Files).

The Audit File / The Audit Record

The audit files are located on the individual application servers. You define the name and location of the files in the profile parameter rsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information (if known):

  • Event identifier (a 3-character code)
  • SAP user ID and client
  • Terminal name
  • Transaction code
  • Report name
  • Time and date when the event occurred
  • Process ID
  • Session number
  • Miscellaneous information

You define the maximum size of the audit file in the profile parameter rsau/max_diskspace/local. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.

Filters

You define the events you want to audit in filters. This information is stored in the control block, which is located in the application server's shared memory. The SAP System uses this information to determine which audit messages should be written to the audit file.

Filters consist of the following information:

  • Client
  • User
  • Audit Class
    • Dialog logon
    • RFC/CPIC logon
    • RFC function call
    • Transaction start
    • Report start
    • User master change
    • Other
  • Weight of Events to Audit
    • Only critical
    • Important and critical
    • All

For more details, see Defining Filters.
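
The filter matching described above can be modeled to check which events a given filter set would leave unrecorded. This is an added example, not SAP code and not part of the original page; the "*" wildcard for client and user, the three event weight names, and the sample clients, users and events are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Weight(IntEnum):
    # Assumed names for the event weights implied by the three filter options.
    NON_CRITICAL = 1
    IMPORTANT = 2
    CRITICAL = 3

@dataclass(frozen=True)
class Event:
    client: str
    user: str
    audit_class: str
    weight: Weight

@dataclass(frozen=True)
class AuditFilter:
    client: str          # "*" = any client (assumed wildcard convention)
    user: str            # "*" = any user (assumed wildcard convention)
    classes: frozenset   # audit classes selected in this filter
    min_weight: Weight   # CRITICAL = "Only critical", IMPORTANT = "Important and critical", NON_CRITICAL = "All"
    active: bool = True

    def matches(self, ev: Event) -> bool:
        return (self.active
                and self.client in ("*", ev.client)
                and self.user in ("*", ev.user)
                and ev.audit_class in self.classes
                and ev.weight >= self.min_weight)

def coverage_gaps(filters, events):
    """Return the events that no active filter would write to the audit file."""
    return [ev for ev in events if not any(f.matches(ev) for f in filters)]

# Constructed sample filters and events (hypothetical clients and user names).
FILTERS = [
    AuditFilter("*", "*", frozenset({"Dialog logon", "RFC/CPIC logon"}), Weight.CRITICAL),
    AuditFilter("000", "ADMIN01", frozenset({"Transaction start", "Report start"}), Weight.NON_CRITICAL),
]
EVENTS = [
    Event("100", "JDOE", "Dialog logon", Weight.CRITICAL),               # matched by filter 1
    Event("000", "ADMIN01", "Transaction start", Weight.NON_CRITICAL),   # matched by filter 2
    Event("100", "JDOE", "Dialog logon", Weight.IMPORTANT),              # gap: weight below filter 1
    Event("100", "JDOE", "User master change", Weight.CRITICAL),         # gap: class not selected
]

if __name__ == "__main__":
    print(*coverage_gaps(FILTERS, EVENTS), sep="\n")
```

Running the model against a list of events you expect to be audited shows which ones fall outside every active filter, for example the user master change above.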

The Audit Analysis Report

You can view the contents of the audit files in the audit analysis report. For more information, see Displaying the Audit Analysis Report and Reading the Audit Analysis Report.

Alerts in the Computing Center Management System Alert Monitor

The Security Audit Log also generates security alerts for the events recorded in the Computing Center Management System (CCMS) alert monitor. For more information, see Security Alerts in the CCMS Alert Monitor.
