
audit log not capturing critical events

Nov 17, 2016 at 01:15 AM

Hello,

I have been reviewing specific events in the audit log and I'm seeing that critical events are either not being captured or not showing up when reviewing test data in SM20N. I have read through a number of blogs on the subject, reviewed notes (539404) and discussed with my colleagues without a conclusion. So I'm turning to the community with the hope that I'll get some feedback and suggestions for what to look for, check and try next.

Appreciate the help.

Cheers, Paul


2 Answers

Yuksel AKCINAR Dec 01, 2016 at 09:45 PM
0

Hello Paul,

Is the activation of the audit classes and events done accordingly in SM19?

What about parameters? Is there enough space for log file?

Regards,

Yuksel AKCINAR

Paul Vipond Dec 07, 2016 at 06:13 PM
0

Hi Yuksel,

Yes, in SM19 I have two filters set:

1) first active filter, set for all clients, all users, all audit classes and all events

2) second active filter, set for all clients, all users, audit classes (system and other events) and events = severe and critical

As for parameter settings, on all four application servers this is set:

rsau/max_diskspace/local = 2147483647

What I understand for critical events is that they should be covered by the first filter.

I read through all of this post on setting up auditing:

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

This post clearly states:

Using the debugger in general might already be seen as critical but using debug-replace is considered as very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A
  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A


are already covered by the 1st filter “Activate everything which is critical for all users in all clients” as proposed above.

Is this also your understanding? Would you have any other things I should check if these critical events aren't being captured?

Thanks, Paul


Hi Yuksel,

Yes, in SM19 there are two filters set:

1) First active filter, for all clients, all users, all classes and all events

2) Second active filter, for all clients, all users, two classes (system and other events) and events = severe and critical

As for the parameters I have this set for four application servers:

rsau/max_diskspace/local = 2147483647

What I understand is that for logging critical events, these should be addressed by the first filter. Is this also your understanding?

I did review this post in detail, and it specifically states:

Using the debugger in general might already be seen as critical but using debug-replace is considered as very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A
  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A


are already covered by the 1st filter “Activate everything which is critical for all users in all clients” as proposed above.

Taken from this post:

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)
