SAP Security Audit Logs, Extracts to BI for Data M...

Former Member · ‎02-11-2011

Has anyone in the SAP Security practice heard or developed extracts to BI from the Security audit logs. The reason for this questions is we would like to have historical data for transaction usage by users for a longer period of time than the standard setting for the purge of Sec Audit logs (Tcode: SM18). I have reached out to some BI folks and they have never heard of anything. Basically we are looking for a way to store historical data on transaction usage by user id. We have GRC, ECC< and BI systems currently.

Any ideas would be great.

Thanks

Former Member · ‎02-11-2011

Hi Mark,

What sort of data are you hoping to store for longer periods. If it is just transactional data, are you able to leverage the Alert Monitor in RAR?

Regards,

Chinmaya

Former Member · ‎02-11-2011

Ideally we would like to store mainly transaction started, transact failed initially but most likely would like to store more details like Report starts etc as well. As for GRC Alerts, we have not enabled that feature at this point but are looking into how likely and how it can be used for the client. Any ideas or input would be great on that as well.... thanks !

Former Member · ‎02-11-2011

Hi,

Alert Monitor will only store data a set of conflicting transactions are executed. And not any failed results etc.

That I would normally assume to be sufficient. I do not see any benefit in storing the other data to be honest.

Can you please let us know, what is the need here? IMHO your requirment seems to be slightly an "overkill" .

Regards,

Chinmaya

Former Member · ‎02-11-2011

There are APIs to use the ABAP application AS to remotely read the files and return them externally (e.g. to a SolMan or BW).

See the reports which start with RSAU* for some examples. A known demo program is RSAU_READ_AUDITLOG_EXTERNAL which will show you how to make the calls. You can also find the meta data here for your BI reports (don't forget to read all the fields, parameters 1 to 4 are very usefull as well).

Regarding "other" transaction usage logs, I can only recommend being very carefull. They have been widely misused for security although originally intended for response time statistics per program, to watch for "early" indications of problems.

The security audit log is the correct tool to use - others are semi-co-incidental.

Personally I then also use an external call as needed to rattle through 15 different logs I know of using import parameters from the drill down (in SolMan or local with user name, start time, no. of hours) exported into a cronologically sorted list showing the origin of the entry. Here it is usefull to use the STAT data to show what the user clicked on before hand to give the other 14 logs a context, but does not tell you what they actually did (particularly after the aggregation takes place).

The main hassle is the output formats. You will soon learn to hate spool....

Cheers,

Julius

Edited by: Julius Bussche on Feb 11, 2011 8:04 PM

Edited by: Julius Bussche on Feb 11, 2011 8:17 PM

sdipanjan · ‎02-11-2011

Hi,

When you explain the requirement to your BI Query developers please make sure to mention them that this data doesn't get stored in tables. Rather it is stored in OS level files (and most commonly BASIS team used to archieve them). So ask them to create a custom data sorce with the APIs which will periodically read those files (delta.. not all. just like think about the Algorithm which is used in RDBMS to calculate the latest data in redo log) to transfer in the PSA and then the next levels...

Please try to utlilize the standard APIs described by Julius as well if your requirement doesn't require any custom DSO.

regards,

Dipanjan

SAP Security Audit Logs, Extracts to BI for Data Mining and reporting