Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

How to get terminal name in SM20 audit log?

0 Kudos

Hi All,

There is a user of 'System' type which was getting locked at regular intervals in my system through incorrect logon attempts (KRNL).

I tried to find the source RFC connection which was trying to log on with this user using incorrect credentials - using the SM20logs.

I checked all the parameters for this particular user and client in SM19 - Dynamic configuration filters, and distributed the filters to all servers.

Unlocked the user, and as expected, it got locked again within minutes.

Then I took a look a the SM20 logs, found the specific records for the RFC logon attempts, and the lock itself. However, there was nothing under the column 'Terminal'. Neither the terminal name, nor the IP address of the source was mentioned.

Am I doing something wrong here, or is there something else which would need to be activated to obtain the terminal name in the SM20 logs?

Thanks in advance,

Rohit.

2 REPLIES 2

Former Member
0 Kudos

If I remember correctly you need to extent the layout in SM20N to include additional parameter fields. The host name is in there.

But if the password lock happens within minutes, then STAD will be faster -> select the user -> you will see a step recorded in program SAPMSYST -> double-click it -> click on the hotspot "RFC" at the top and there you can see the connection details and the host names from the caller. The data is there for about 24 hours after the event.

Cheers,

Julius

Former Member
0 Kudos

Hi Rohit,

please check this SAP Security Note: 1497445.

Actually there is an issue in the Security Audit Log regarding the source of the event, by default you will find the terminal name (or nothing) and if you want to force the IP address in the terminal name you need to change the profile parameter rsau/ip_only to 1.

As this is a static profile parameter, you will need to restart the system to make it available.

However, if you want to check it quickly, as Julius said, you can check transaction STAD filtering by the user. Once you find the row related to the RFC call, you double-click on the row, then in "RFC", and you will see more details about it. You can find the source ip address there.