SAP从业者联盟


Note 539404 - FAQ: Answers to questions about the Security Audit Log

2012-9-5 11:18 | Published by: isap | Views: 8069 | Comments: 0 | Source: SAP MarketPlace


Summary

Symptom

This note contains answers to frequently asked questions (FAQ).

Configuration
[1] Question: What is the difference between static and dynamic configuration?

[2] Question: Why do changes to the static configuration not take effect during the next system restart?

[3] Question: Why does the configuration disappear after I reboot the system or an instance?

[4] Question: How many different selections can I make?

[5] Question: Can I extend the number of selections beyond the maximum number with an ABAP modification?

[6] Question: The Security Audit Log has deactivated itself. Why is this?

[7] Question: The user and client fields in transaction SM19 cannot be maintained with generic values as described in the SAP documentation, and they have no value list function. Can I still use generic user names?

[8] Question: Can the settings of the audit log be transported?


Terminal names
[10] Question: Why is the terminal name missing in some messages?

[11] Question: Why is the terminal name truncated (only 8 characters)?


Audit files
[20] Question: In the Work directory of the instance, files with the "audit_" name pattern, or a similar name pattern, often fill the file system. What generates the files and how can I prevent this?

[21] Question: What is the maximum size of an audit file?

[22] Question: What happens if the audit file reaches its maximum size?

[23] Question: Do restrictions exist for the length of the names for audit files?

[24] Question: What interdependencies exist between the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameter?

[25] Question: Can I create audit files on a central file server?

[26] Question: I cannot delete any audit files with transaction SM18 or report RSAUPURG.

[27] Question: Transaction SM18 displays a field for entering a minimum age. However, the unit in question is not specified.

[28] Question: If the audit files reach their maximum size, the size exceeds the size specified in the profile parameter.

[29] Question: Audit files are not closed immediately after a day change. Sometimes, the last time access by the operating system is several days after the file change. As a result, it is not possible to carry out a regular deletion.

[30] Question: After you convert to a Unicode system, you can no longer evaluate audit files that were created beforehand. What do I have to do?

[31] Question: Can I archive audit files?



Evaluation
[40] Question: Although the Security Audit Log is activated and audit files exist at operating system level, transaction SM20 indicates that no audit files exist. Why?

[41] Question: Is it possible that events in the audit log are missing?

[42] Question: Is it possible that the events AUR, AUS, and AUT, as well as the events BU3, BU4, BUA, BUB, BUC, BUD, and BUE, are not recorded?

[43] Question: Is it possible that not all download events are recorded?

[44] Question: Is it possible that events are recorded repeatedly in the audit log, for example, the same logon of each server?

[45] Question: Can I be sure that audit files from older releases can still be evaluated in newer releases?

[46] Question: Can external programs carry out evaluations?

[47] Question: Sometimes there are values missing from the 'transaction code' and 'program' columns.

[48] Question: The entries for the transaction start and report start do not contain any information about the data that was edited. Where can this detailed information be found?

[49] Question: Can similar events (calling a transaction using user X) be compressed in the trace output?

SQL audit
[50] Question: Note 115224 describes the activation of the SQL audit. Can I evaluate the audit files in the standard systems?

[51] Question: Is there a description of the data structure?

Other terms

FAQ, Q+A, SM18, SM19, SM20, RSAUPURG, SQL audit

Reason and Prerequisites

-

Solution

Configuration

[1] Question: What is the difference between static and dynamic configuration?
Answer: Static configuration is used for the ongoing storage of a Security Audit log configuration in the database and every time the system is restarted, it is transferred as the current configuration. If you want to operate the Security Audit log on an ongoing basis, for example, if requested to do so by a tax inspector, then you must create a static configuration and determine it as the active configuration!

Dynamic configuration is used to change the current configuration while the operation is running or to activate the Security Audit Log.  For example: You want to monitor an SAP support employee whose login name was not contained up to now in the static configuration. Without dynamic configuration, you would have to restart the system for this type of temporary filter change!

With dynamic configuration, you can change all filter settings except the number of filters. A Security Audit Log configuration set dynamically only lasts until the system is restarted.

In addition, you must at least set the following profile parameters:

  • DIR_AUDIT Directories for the audit files
  • FN_AUDIT Names of the audit files (Name pattern)
  • rsau/enable Enable Security Audit Log
  • rsau/max_diskspace/local Maximum size of an audit file
  • rsau/selection_slots Number of filters used for the Security Audit log

Missing parameters are replaced by the default value.


[2] Question: Why do changes to the static configuration not take effect during the next system restart?
Answer: The shared memory SCSA was not deleted during the system restart (Unix only, see Note 173743).


[3] Question: Why does the configuration disappear after I reboot the system or an instance?
Answer:

    1. 4.0B: The special profile parameters were not used (Note 135210)
    2. A static profile is not available or was not activated. A static profile is particularly essential for systems that operate on Windows.


[4] Question: How many different selections can I make?
Answer: Unfortunately, the documentation for the parameter rsau/selection_slots is incorrect in some releases. Here are the current values:

  • 4.0:       4 (with screen enhancement, see Note 107417)
  • 4.5:       4
  • as of 4.6: 10


[5] Question: Can I extend the number of selections beyond the maximum number with an ABAP modification?
Answer: No, as kernel functions would also have to be changed.

[6] Question: The Security Audit Log has deactivated itself. Why is this?
Answer:

    1. Automatic deactivation is not provided.
    2. After a system restart, the following reasons may prevent audit events from being recorded:
      a) A static profile does not exist or is not activated,
      b) The audit file could not be opened (syslog AV4 *1),
      c) The audit file has already exceeded its maximum size.
    3. The following reasons cause recording to terminate:
      a) The audit file has reached its maximum size (syslog AV1),
      b) An error occurred while the audit file was being written (Syslog AV5 *2).
    4. During a release upgrade, the old shared memory SCSA was not explicitly deleted and is therefore still present. However, the new release requires the new version for this area and cannot be activated (Syslog AV8 *3).



[7] Question: The user and client fields in transaction SM19 cannot be maintained with generic values as described in the SAP documentation, and they have no value list function. Can I still use generic user names?
Answer: No, this function is only introduced with technology Release 6.40, but it is already available in 6.20 as of Kernel Patch 400 and the necessary Support Package SAPKB62020 (see Note 574914).

[8] Question: Can the settings of the audit log be transported?
Answer: No


Terminal names

[10] Question: Why is the terminal name missing in some messages?
Answer:  In the case of events that are created using a Remote Function Call (RFC) or HTTP(S), the terminal name in the kernel is not always known. As of the 6.40 kernel, the system will therefore try to determine the IP address in addition to the terminal name. If both can be determined, the system outputs the terminal name; otherwise, the system logs the value that can be determined. If neither the terminal name nor the IP address can be determined, the value of the terminal name in the Security Audit Log remains blank for this message. As of the kernel enhancement specified in Note 1497445, you can also control whether the IP address is logged instead of the terminal name if the system is able to determine both values.

[11] Question: Why is the terminal name truncated (only 8 characters)?
Answer:

    1. In Releases 4.0, 4.5 and 4.6, only 8 characters are provided for saving the terminal name. Only the first 8 characters of a terminal name are copied by default. In Release 4.6 as of KP 504, you can treat terminal names in the same way as computer names (see Note 3116).
    2. As of Basis Release 6.10, terminal names are recorded with a length of 20 characters in the Security Audit Log.
    3. For Releases 6.40 and 7.00, also see Note 1050441.



Audit files

[20] Question: In the Work directory of the instance, files with the "audit_" name pattern, or a similar name pattern, often fill the file system. What generates the files and how can I prevent this?
Answer: These files are created by the Security Audit Log component. The component must have been activated either with profile parameter rsau/enable or dynamically with transaction SM19. The component is deactivated by setting the profile parameter rsau/enable to 0. If the value is already 0, the component was activated using transaction SM19. To deactivate the component, you may have to delete the Shared Memory SCSA (see Note 173743).


[21] Question: What is the maximum size of an audit file?
Answer: 2 gigabytes
For a single day, this means:
   <= 4.6:  11,930,464 events, or 138 events per second;
   >= 6.10: 10,737,418 events, or 124 events per second.

Value ranges of the profile parameters:

   Parameter                      Min            Max
   rsau/max_diskspace/local       1,000,000      2 GB
   rsau/max_diskspace/per_file    1 MB           2 GB
   rsau/max_diskspace/per_day     3 * per_file   1024 GB

Changed minimum values (see Note 909734):

   as of 6.40          rsau/max_diskspace/local    10 MB
   as of 6.40 PL 143   rsau/max_diskspace/local    100 MB

Note that the largest numeric value you can enter for these three parameters is 4294967295. All numbers higher than that will automatically be reduced to this maximum value. If you want to set, for example, rsau/max_diskspace/per_day to 5 GB, you CANNOT enter this value in bytes (5368709120) but you must enter the size in KB, as "5242880K", or in MB as "5120" MB.

[22] Question: What happens if the audit file reaches its maximum size?
Answer: The file is closed and recording is terminated. On the next day, the system creates a new file (only as of 4.5B KP 632, 4.6D KP 2088, 6.40 KP 80, 7.00 KP 51).


[23] Question: Do restrictions exist for the length of the names for audit files?
Answer: Yes, in addition to the restrictions that apply because of the operating system used, the following restrictions also exist because of the kernel functions used in ABAP parts:

  • Maximum length for file names = 75 characters
  • Maximum length for directories = 75 characters
  • The total length for the file name and the directory must not exceed 79 characters.


[24] Question: What interdependencies exist between the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameter?
Answer: The rsau/local/file parameter must be specified in Releases 4.0 and 4.5. For compatibility reasons, it is also still analyzed up to and including Release 6.20. As of Release 4.6 it can be left out. It no longer exists as of Release 6.40.

If it is used, the two profile parameters DIR_AUDIT and FN_AUDIT must correspond to the parameter rsau/local/file, that is:
    rsau/local/file = DIR_AUDIT + FN_AUDIT
'+' here stands for the directory separator ('/' or '\').
Otherwise, audit files cannot be deleted with transaction SM18 (RSAUPURG report) or evaluation with transaction SM20 is not possible as of Release 4.6. (See Notes 198646 and 441639).


[25] Question: Can I create audit files on a central file server?
Answer: Yes, but bear in mind that the performance can suffer as a result. All audit events are written synchronously and unbuffered to the files. Higher response times with the users can result depending on the volume of data involved.
You must also note that a separate filename or a separate directory is used for each instance, which prevents several servers writing into a file (data loss).
Be careful when using virus scan programs. With permanent monitoring, problems can occur with UNC names (misleading error messages when you open the audit files, for example, "Invalid argument").


[26] Question: I cannot delete any audit files with transaction SM18 or report RSAUPURG.
Answer: This may be an upper/lower case problem in the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameters (different notation). Before the actual deletion, the system checks again whether it is an audit file name. Here, the "case-sensitive" path in particular is compared, for example:
    "f:\usr\sap\ZV1\DVEBMGS00\log" and
    "F:\usr\sap\ZV1\DVEBMGS00\log" are not the same!    (Note 198646)


[27] Question: Transaction SM18 displays a field for entering a minimum age. However, the unit in question is not specified.
Answer: The unit in question is a day. The lowest minimum age is 3 days. The current day is not included in the calculation of the files to be deleted!


[28] Question: If the audit files reach their maximum size, the size exceeds the size specified in the profile parameter.
Answer: Since Release 4.6, the maximum file sizes are processed internally in kilobytes. Profile parameter values in bytes are then converted into kilobytes (KB). For example, 1,000,000 gives the value 976 KB. Recording is stopped as soon as the KB value is exceeded, in the example case with the value 977 KB or 1,000,620.
If you use the rsau/max_diskspace/per_file profile parameter, the minimum size of the file is 1 megabyte (= 1024 KB = 1048576). If the value of the profile parameter is smaller than 1 MB, for example if it is only 1,000,000, it is automatically set to this value. In this case, the recording is stopped as soon as the KB value is exceeded.
Due to the check for the kilobyte limit, the file can become very slightly larger than specified in the profile parameter.
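The size arithmetic in questions [21] and [28] can be followed through in code. The Python script below is an added illustration, not part of the SAP note and not SAP code: it interprets rsau/max_diskspace/* entries the way the note describes (a plain number is bytes, a trailing 'K' is kilobytes, the 4294967295 cap applies to the number as entered), converts them to the internal kilobyte unit, raises per_file values below 1 MB, and works out the per-day capacity. Two assumptions are made: a trailing 'M' is taken as the notation for the "5120 MB" form, and the record sizes of 180 bytes (<= 4.6) and 200 bytes (>= 6.10) are inferred by dividing 2 GB by the event counts in question [21]; neither is stated in the note.

```python
"""Worked illustration of how rsau/max_diskspace/* values are interpreted,
following the rules stated in questions [21] and [28] of the note.
Added example, not SAP code."""

MAX_NUMERIC = 4294967295      # largest number that can be entered for the parameter
KB = 1024
MB = 1024 * KB
GB = 1024 * MB
SECONDS_PER_DAY = 86400


def parse_size(value: str) -> int:
    """Convert a parameter entry to bytes.

    A plain number is bytes; a trailing 'K' means kilobytes and a trailing
    'M' megabytes (ASSUMPTION: 'M' is our notation for the note's "5120" MB
    example).  The cap of 4294967295 applies to the number as entered, which
    is why 5 GB must be given with a unit suffix rather than as 5368709120.
    """
    v = value.strip().upper()
    if v.endswith("K"):
        number, unit = int(v[:-1]), KB
    elif v.endswith("M"):
        number, unit = int(v[:-1]), MB
    else:
        number, unit = int(v), 1
    return min(number, MAX_NUMERIC) * unit


def effective_limit_kb(value: str, per_file: bool = False) -> int:
    """Internal limit in whole kilobytes (as of Release 4.6).

    1,000,000 bytes becomes 976 KB.  For rsau/max_diskspace/per_file a value
    below 1 MB is raised to 1 MB (1024 KB).
    """
    size = parse_size(value)
    if per_file and size < MB:
        size = MB
    return size // KB


def recording_stops_at(value: str, per_file: bool = False) -> int:
    """Byte position at which recording stops: the first KB beyond the limit.

    For 1,000,000 bytes that is the 977 KB mark.  Because the last event is
    written whole, the final file can be slightly larger still.
    """
    return (effective_limit_kb(value, per_file) + 1) * KB


def daily_capacity(record_bytes: int, file_limit: int = 2 * GB) -> tuple:
    """Events per audit file and sustained events per second over one day.

    ASSUMPTION: record sizes of 180 bytes (<= 4.6) and 200 bytes (>= 6.10)
    are inferred from the note's event counts; the note does not state them.
    """
    events = file_limit // record_bytes
    return events, events // SECONDS_PER_DAY


if __name__ == "__main__":
    for entry in ("1000000", "5242880K", "5120M", "5368709120"):
        print(f"{entry:>12} -> {parse_size(entry):>12} bytes, "
              f"{effective_limit_kb(entry)} KB, stops at {recording_stops_at(entry)} bytes")
    print("per_file 1000000 ->", effective_limit_kb("1000000", per_file=True), "KB")
    for release, record in (("<= 4.6", 180), (">= 6.10", 200)):
        print(release, daily_capacity(record))
```

Running the script shows the trap the note warns about: the byte value 5368709120 is silently reduced to 4294967295, while "5242880K" yields the intended 5 GB.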


[29] Question: Audit files are not closed immediately after a day change. Sometimes, the last time access by the operating system is several days after the file change. As a result, it is not possible to carry out a regular deletion.
Answer: An audit file is only closed at operating system level once all work processes have closed it. If many work processes are configured, some of which are used only rarely, such a WP may perform the file change only a few days later and then, for example, switch directly from January 28th to January 30th. To close a file exactly on January 28th, all WPs would have to be notified (woken) to close their files, which is not technically possible. Most operating systems should nevertheless allow you to close the files.


[30] Question: After you convert to a Unicode system, you can no longer evaluate audit files that were created beforehand. What do I have to do?
Answer: Convert all non-Unicode files into Unicode files. To do this, use one of the tools described in Notes 747615 or 752859.
You can read the target code page in report RSCP0013 in the "Appl. server character set" field.

[31] Question: Can I archive audit files?
Answer: SAP does not provide an archive connection for audit files. However, you can copy the audit files (that are already closed) to another medium and evaluate these files using the report RSAU_SELECT_EVENTS if required.
We recommend that you store the files of each application instance in a separate directory on the target medium (to avoid possible file name conflicts).
The reorganization of these files that are stored externally cannot be supported by transaction SM18.

Evaluation

[40] Question: Although the Security Audit Log is activated and audit files exist at operating system level, transaction SM20 indicates that no audit files exist. Why?
Answer: The DIR_AUDIT or FN_AUDIT profile parameter was probably not set or is set with incorrect values. See interdependencies between the profile parameters DIR_AUDIT, FN_AUDIT and rsau/local/file in the section on audit files.
By choosing Goto -> File list, you get a list of the currently available audit files on the selected instance, in accordance with profile parameters DIR_AUDIT and FN_AUDIT.
You can now display the current profile parameter values with the function Environment -> Profile parameters.
Incorrect specifications in the parameter FN_AUDIT are corrected by the kernel, for example missing '+' or missing '#'. The evaluation transactions conform to the original parameter. You can use transaction AL11 to search for the audit files created by the kernel. Now the parameter FN_AUDIT should be corrected.
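A defender's sanity check for the parameter rules in questions [23], [24] and [26] and for the symptom in [40]: the Python script below is an added example, not an SAP tool and not part of the note. It parses a constructed profile fragment and reports the length limits, the rsau/local/file = DIR_AUDIT + FN_AUDIT rule compared case-sensitively (the Note 198646 example), and a pattern without the '+' or '#' placeholders. The placeholder layout in the constructed FN_AUDIT values is an assumption; the note only says that the kernel corrects a missing '+' or '#'.

```python
"""Consistency check for the audit-file profile parameters from questions
[23], [24], [26] and [40].  Added example, not an SAP tool; the profile
fragments below are constructed."""

from typing import Dict, List

MAX_FILE_NAME = 75   # question [23]
MAX_DIRECTORY = 75
MAX_TOTAL = 79       # file name plus directory

# Constructed profile fragments.  A '#' at the start of a line is a comment;
# a '#' inside FN_AUDIT is a placeholder, so only whole lines are dropped.
PROFILE_MISMATCH = """\
# constructed: Windows instance, rsau/local/file differs only in drive-letter case
DIR_AUDIT = F:\\usr\\sap\\ZV1\\DVEBMGS00\\log
FN_AUDIT = audit_++++++++
rsau/enable = 1
rsau/local/file = f:\\usr\\sap\\ZV1\\DVEBMGS00\\log\\audit_++++++++
"""

PROFILE_OK = """\
# constructed: Release >= 6.40, rsau/local/file no longer exists
DIR_AUDIT = /usr/sap/ZV1/DVEBMGS00/log
FN_AUDIT = audit_++++++++_##
rsau/enable = 1
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'name = value' lines; lines starting with '#' are comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_file_findings(params: Dict[str, str], separator: str) -> List[str]:
    """Return one line per problem the note describes for SM18/SM20."""
    findings: List[str] = []
    dir_audit = params.get("DIR_AUDIT", "")
    fn_audit = params.get("FN_AUDIT", "")

    if not dir_audit or not fn_audit:
        findings.append("DIR_AUDIT or FN_AUDIT missing: SM20 reports that no audit files exist (question [40])")
        return findings

    # Length limits of the kernel functions used on the ABAP side (question [23]).
    if len(fn_audit) > MAX_FILE_NAME:
        findings.append(f"FN_AUDIT longer than {MAX_FILE_NAME} characters")
    if len(dir_audit) > MAX_DIRECTORY:
        findings.append(f"DIR_AUDIT longer than {MAX_DIRECTORY} characters")
    if len(dir_audit) + len(fn_audit) > MAX_TOTAL:
        findings.append(f"DIR_AUDIT + FN_AUDIT longer than {MAX_TOTAL} characters")

    # The kernel corrects a pattern without '+' or '#', but SM18 and SM20
    # keep using the uncorrected parameter value (question [40]).
    for placeholder in "+#":
        if placeholder not in fn_audit:
            findings.append(f"FN_AUDIT contains no '{placeholder}': the kernel may write a corrected "
                            "name that SM18/SM20 do not find")

    # Releases that still read rsau/local/file need an exact, case-sensitive
    # match with DIR_AUDIT + separator + FN_AUDIT (questions [24] and [26]).
    local_file = params.get("rsau/local/file")
    if local_file is not None:
        expected = dir_audit + separator + fn_audit
        if local_file == expected:
            pass
        elif local_file.lower() == expected.lower():
            findings.append("rsau/local/file differs from DIR_AUDIT + FN_AUDIT only in case: "
                            "SM18/RSAUPURG will not delete the files (Note 198646)")
        else:
            findings.append("rsau/local/file does not equal DIR_AUDIT + FN_AUDIT: SM18 deletion "
                            "and SM20 evaluation fail (Notes 198646, 441639)")
    return findings


if __name__ == "__main__":
    for name, text, sep in (("mismatch", PROFILE_MISMATCH, "\\"), ("ok", PROFILE_OK, "/")):
        print(name, audit_file_findings(parse_profile(text), sep) or ["no findings"])
```

The separator is passed in explicitly because the note's rule uses the platform's directory separator ('/' or '\'); the comparison deliberately does not normalise case, since that is exactly the mismatch the note says SM18 trips over.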


[41] Question: Is it possible that events in the audit log are missing?
Answer: Possible causes:

    1. A selection was not activated ("Filter active" checkbox).
    2. New selections were not activated after a system restart.
    3. Recording was terminated because of I/O errors or the maximum file size was exceeded (Syslog AV4 *1 or AV5 *2).
    4. Only one file is used for all instances (where file servers are used).


[42] Question: Is it possible that the events AUR, AUS, and AUT, as well as the events BU3, BU4, BUA, BUB, BUC, BUD, and BUE, are not recorded?
Answer: Recording of these events is missing for the following reasons:

  • The recording of the events (AUR, AUS, and AUT) from authorization management and profile management is redundant if the update of change documents exists; therefore, it has not been implemented.
    The information in the Security Audit Log documents only the fact that an authorization or a profile has changed. The change documents also contain information about the contents of the change.
    Therefore, use the reports for the change documents in the user information system (transaction SUIM).
    For compatibility reasons, you cannot delete these (unused) event definitions.
  • The recording of events for the use of external breakpoints has not yet been implemented.
  • Up to now, the recording of events for the transport of security-relevant objects (BU3, BU4) has not been implemented.



[43] Question: Is it possible that not all download events are recorded?
Answer: This is possible. Up to now, only downloads that are carried out by means of function module WS_DOWNLOAD are recorded. There are now additional interfaces in the system with which a download can be performed. For more information, see Note 641481.


[44] Question: Is it possible that events are recorded repeatedly in the audit log, for example, the same logon of each server?
Answer: Possible causes:

    1. You are using external monitors that retrieve data periodically from individual servers and must perform a logon for this. Since this RFC logon occurs with an unattended program, this is done simultaneously and with the same SAP user.
    2. Mistakenly, only one common file is being used on a network disk drive for all servers. During the evaluation across all servers, this file is processed repeatedly and all existing events are displayed for each server.



[45] Question: Can I be sure that audit files from older releases can still be evaluated in newer releases?
Answer: Yes, the evaluation programs have been compatible to date and will most probably remain so in the future. An exception occurs after you migrate to Unicode. After this, the files created beforehand must be converted (see Question 30).


[46] Question: Can external programs carry out evaluations?
Answer: Yes, in the same way as the system log, the Security Audit Log can be analyzed by external programs using XMI BAPIs. However, not all the information is available through this interface; the terminal name is missing, for example. As a guideline for how to use the BAPIs, you can use the sample program RSAU_READ_AUDITLOG_EXTERNAL in addition to the detailed documentation of the XMI interface.


[47] Question: Sometimes there are values missing from the 'transaction code' and 'program' columns.
Answer: When you write an audit event, the system attempts to determine the current values for 'transaction code' and 'program' from the statistics area and - if this is not available - from the management area of the mode. In addition to the processing types, which generally do not deliver any information about the transaction code and program (for example, RFC and all system events), there are situations in which the information is not available.


[48] Question: The entries for the transaction start and report start do not contain any information about the data that was edited. Where can this detailed information be found?
Answer: The Security Audit Log records the transaction start or the report start, but not information about the exact activities that were performed or about data that was edited during these activities. This information is generally not available in the Security Audit Log.
However, information about the changes that were made can be recorded by the individual applications themselves in the change documents.  If the application you use does not store such change documents, you can still use the table logging.  For information about table logging, see Note 1916 and related notes.

[49] Question: Can similar events (calling a transaction using user X) be compressed in the trace output?
Answer: Transaction SM20 does not contain this type of function. Instead, you should use the report RSAU_SELECT_EVENTS for the evaluation and set the "Compression" indicator.



SQL audit

Also see *4) under Remarks.

[50] Question: Note 115224 describes the activation of the SQL audit. Can I evaluate the audit files in the standard systems?
Answer: No


[51] Question: Is there a description of the data structure?
Answer: A Word document is available with a detailed description of the data structures. You can find this document under:

service.sap.com/security
      -> Archive (Old Documents)
          -> File "SQL Audit - Format of the Log Files"

Remarks


*1)
This message is generated as of Release 4.6 if an error is reported in the kernel when you open a (new) audit file. This also issues an alert in the CCMS.
The cause is only logged in the developer trace. The message:
   SecAudit(check_daily_file): cannot open Audit file...
contains the error message of the operating system.

In Releases 4.0B and 4.5B, the error messages are written to STDERR.
  You can search for the following messages:
rsauwr1(38): rstrbseek I/O error
rsauwr1(40): rstrbfl_flush I/O error.
rsauwr1(41): rstrbopen cannot open Audit file.

Before each of these messages is issued, another message is issued, containing the error message and the name of the audit file, (created with C-function perror). No processing occurs on the next day. You have to restart the system again after you eliminate the problem.

*2)
Message AV5 is issued as of Release 4.6


*3)
Message AV8 exists as of Release 6.40.
In Release 4.6, search for the message in the developer trace files.
- SecAudit(rsauascsa): Invalid version of audit control block (v1,v2)
- SecAudit(rsauascsa): Try to clear the old shared memory
                      (cleanipc )

In Releases 4.0B and 4.5B, messages are written to STDERR.
- rsauwr1(46): Invalid version of audit control block (v1,v2)


*4)
Note that the SQL audit is no longer available as of Basis Release 8.0.

Header Data

Release Status: Released for Customer
Released on: 08/13/2012 07:29:53
Master Language: German
Priority: Recommendations/additional info
Category: FAQ
Primary Component: BC-SEC-SAL Security Audit Log

Affected Releases

Release-Independent

Related Notes

 
1497445 - SAL| Logging the IP address instead of the terminal name
1319517 - Unicode Collection Note
1050441 - SecAudit: Only short terminal names and no transaction codes
752859 - sapiconv - a tool for converting the encoding of files
747615 - Tool for converting files from one code page to another
641481 - SecAudit: No recording of "Download" (AUY) event
441639 - Security Audit: No evaluation occurs in transaction SM20
198646 - Security Audit: Collective note for problems with SM18
173743 - SecAudit: Changing parameters does not perform
135210 - Security Audit configuration is lost
115224 - SQL audit
114045 - Consulting: Technical system security
107417 - SecAudit: configuration with SM19 / no. of filters (slots)
3116 - Computer name in SAP must be only 8 char. long
