Skip to Content

Recommended Settings for the Security Audit Log (SM19 / SM20)

Hi Security-Folks,

I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).

Here's my proposal:

Profile Parameters:

rsau/enable = 1

rsau/selection_slots = 10

rsau/user_selection = 1

Filter settings in SM19:

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.

  • You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
  • Consider to add messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB BUC, BUH, AUP, AUQ
  • If you maintain logical file names using transaction FILE (see note 1497003) than add messages CUQ, CUR, CUS, CUT

2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user 'SAP*' as well as all users account names starting with 'SAP', e.g. 'SAPSUPPORTx' because of rsau/user_selection = 1

To show log entries in for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see ).

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily (see ).

7.-10. Filter: free for other project specific purpose

What settings are you using and why?

Kind regards

Frank Buchholz

Active Global Support - Security Services

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

11 Answers

  • Best Answer
    Posted on Dec 11, 2014 at 03:51 PM

    I got a question about "How to track changes on the settings of the Security Audit Log" and as the answer grew and grew during analysis I decided to move away from this "discussion thread" to a "document" to become able to update parts of the text later.

    Therefore let's move to this document: Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

    Kind regards


    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jan 25, 2013 at 05:37 PM

    Here's the complete list of events from tables TSL1D

    Audit ClassEvent classAREASUBIDMessageDialog LogonCriticalAU2Logon Failed (Reason = &B, Type = &A)Dialog LogonCriticalAUMUser &B Locked in Client &A After Erroneous Password ChecksDialog LogonCriticalAUNUser &B in Client &A Unlocked After Being Locked Due to Inval.Password EnteredDialog LogonCriticalBUDWS: Delayed logon failed (type &B, WP &C). Refer to Web service log &A.Dialog LogonImportantAU1Logon Successful (Type=&A)Dialog LogonImportantAUOLogon Failed (Reason = &B, Type = &A)Dialog LogonImportantCUARejected AssertionDialog LogonImportantCUB&A: &B (SAML 2.0 Logon)Dialog LogonImportantCUC&A (SAML 2.0 Logon)Dialog LogonImportantCUDName ID of a subjectDialog LogonImportantCUEAttributeDialog LogonImportantCUFAuthentication AssertionDialog LogonImportantCUGSigned LogoutRequest rejectedDialog LogonImportantCUHUnsigned LogoutRequest rejectedDialog LogonNon-Crit.AUCUser LogoffDialog LogonNon-Crit.BUEWS: Delayed logon successful (type &B, WP &C). Refer to Web service log &A.Dialog LogonNon-Crit.BUK&A Assertion UsedDialog LogonNon-Crit.BUL&A: &B (SAML 2.0 Logon)Dialog LogonNon-Crit.BUMName ID of a subjectDialog LogonNon-Crit.BUNAttributeDialog LogonNon-Crit.BUOAuthentication AssertionDialog LogonNon-Crit.BUP&A (SAML 2.0 Logon)Dialog LogonNon-Crit.BUQSigned LogoutRequest acceptedDialog LogonNon-Crit.BURUnsigned LogoutRequest acceptedRFC/CPIC LogonCriticalAU6RFC/CPIC Logon Failed, Reason = &B, Type = &ARFC/CPIC LogonNon-Crit.AU5RFC/CPIC Logon Successful (Type = &A)RFC Function CallCriticalAULFailed RFC Call &C (Function Group = &A)RFC Function CallCriticalCUWFailed Web service call (service = &A, operation = &B, reason = &C)RFC Function CallCriticalCUZGeneric table access by RFC to &A with activity &BRFC Function CallNon-Crit.AUKSuccessful RFC Call &C (Function Group = &A)RFC Function CallNon-Crit.CUVSuccessful WS Call (Service = &A, operation = &B)Transaction StartCriticalAU4Start of transaction &A failed (Reason=&B)Transaction StartImportantAUPTransaction &A LockedTransaction StartImportantAUQTransaction &A UnlockedTransaction StartNon-Crit.AU3Transaction &A StartedReport StartImportantAUXStart Report &A Failed (Reason = &B)Report StartNon-Crit.AUWReport &A StartedUser Master ChangeCriticalAU7User &A CreatedUser Master ChangeCriticalAUU&A &B ActivatedUser Master ChangeImportantAU8User &A DeletedUser Master ChangeImportantAU9User &A LockedUser Master ChangeImportantAUAUser &A UnlockedUser Master ChangeImportantAUBAuthorizations for User &A ChangedUser Master ChangeImportantAUDUser Master Record &A ChangedUser Master ChangeImportantAUR&A &B CreatedUser Master ChangeImportantAUS&A &B DeletedUser Master ChangeImportantAUT&A &B ChangedUser Master ChangeNon-Crit.BU2Password changed for user &B in client &ASystemCriticalAUEAudit Configuration ChangedSystemCriticalAUFAudit: Slot &A: Class &B, Severity &C, User &D, Client &E, &FSystemCriticalAUGApplication Server StartedSystemCriticalAUHApplication Server StoppedSystemCriticalAUIAudit: Slot &A InactiveSystemCriticalAUJAudit: Active Status Set to &1Other EventsCriticalAUVDigital Signature Error (Reason = &A, ID = &B)Other EventsCriticalBU0BU0 to BUZ reserved for Security Audit LogOther EventsCriticalBU1Password check failed for user &B in client &AOther EventsCriticalBU3Change Security Check During Export: Old Value &A, New Value &BOther EventsCriticalBU4Transport Request &A Contains Security-Critical Source ObjectsOther EventsCriticalBU8Virus Scan Interface: Virus "&C" found by profile &A (step &B)Other EventsCriticalBUGHTTP Security Session Management was deactivated for client &A.Other EventsCriticalBUYField contents changed: &5&9&9&9&9&9Other EventsCriticalBUZ> in program &A, line &B, event &COther EventsCriticalCU0CU0 to CUZ reserved for Security Audit LogOther EventsCriticalCUKC debugging activatedOther EventsCriticalCULField content changed: &AOther EventsCriticalCUMJump to ABAP Debugger: &AOther EventsCriticalCUNA manually caught process was stopped from within the Debugger (&A)Other EventsCriticalCUOExplicit database commit or rollback from debugger &AOther EventsCriticalCUPNon-exclusive debugging session startedOther EventsCriticalCUY> &AOther EventsImportantAUYDownload &A Bytes to File &COther EventsImportantAUZDigital Signature (Reason = &A, ID = &B)Other EventsImportantBU5ICF recorder entry executed for user &A (Activity: &B)Other EventsImportantBU6ICF Recorder entry executed by user &A (&B,&C) (activity: &D).Other EventsImportantBU7Administration setting was changed for ICF Recorder (Activity: &A)Other EventsImportantBU9Virus Scan Interface: Error "&C" occurred in profile &A (step &B)Other EventsImportantBUAWS: Signature check error (reason &B, WP &C). Refer to Web service log &A.Other EventsImportantBUBWS: Signature insufficient (WP &C). Refer to Web service log &A.Other EventsImportantBUCWS: Time stamp is invalid. Refer to Web service log &A.Other EventsImportantBUHHTTP Security Session of user &A (client &B) was hard exitedOther EventsImportantCUQLogical file name &A not configured. Physical file name &B not checked.Other EventsImportantCURPhysical file name &B does not meet requirements set by logical file name &AOther EventsImportantCUSLogical file name &B is not a valid alias for logical file name &AOther EventsImportantCUTNo validation is active for logical file name &AOther EventsNon-Crit.AU0Audit - Test. Text: &AOther EventsNon-Crit.BUFHTTP Security Session Management was activated for client &A.
    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Apr 09, 2014 at 01:02 PM

    I just found an additional recommendation about the protection of the files in a recent note:

    In general, files of the Security Audit Log must not be accessed by other ABAP programs than the Security Audit Log application itself. Protect the files by assigning the appropriate S_DATASET authorizations to your users and by using S_PATH protection as described in note 177702. For this purpose, use an own dedicated folder for Security Audit Log files. Enter this directory into the SPTH table and enable the flags FS_NOWRITE and FS_NOREAD, thus disabling any read or write access from ABAP to this directory. Configure the Security Audit Log (parameter DIR_AUDIT) to use this directory.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jun 23, 2014 at 04:39 PM

    Support for customer-specific events

    Using Notes 1941526 and 1941568 you can utilize the custom messages DUX, DUY and DUZ in SAP_BASIS release as of 7.30. Call function RSAU_WRITE_CUSTOMER_EVTS to create these messages.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Nov 06, 2014 at 01:12 PM

    How to log critical debugger events:

    Using the debugger in general might already be seen as critical but using debug-replace is considered as very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

    • Other Events, Critical, CU L Field content changed: &A
    • Other Events, Critical, CU M Jump to ABAP Debugger: &A

    are already covered by the 1st filter "Activate everything which is critical for all users in all clients" as proposed above.

    These both messages are extended by another message to add more details describing the event:

    • Other Events, Critical, BU Z > in program &A, line &B, event &C

    The messages CU K, CU N, CU O, and CU P are related to the debugger as well.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Jun 17, 2013 at 09:10 PM

    Hi Frank,

    this is kinda off topic, I'm sorry for intruding. But I'm new to the SAP world and it isn't a straight forward world to get into (not for me at least).

    I am supposed to import the data that is displayed by SM20 into another tool (Splunk) without accessing SAP directly but by reading the .AUD files that are generated. This might not be the easiest/best way to get the data but that's what I have to live with (at least for now).

    So I'm stuck with these 200 character log entries, but I can't really find any documentation what the characters mean (some can be guessed others are black boxes):

    2AU520130409010803000505200009D9a234ba.pDOKUSTAR SAPMSSY1 0201R&0

    The table you list in TSL1D explains the AU5 (and is brilliant starting point) and I can enrich the log entries with what you have posted but that does not explain the entire 200 characters.

    Is there any documentation of the .AUD files. I found out that the source of RSAU_SELECT_EVENTS could give me hints but since I do not have access to an SAP system I ended up here there is a reference to TSL1D there but I'm not able to decipher the .AUD entries based on that information.

    Any help/pointers would be great!



    Alternating colors added to example by Frank Buchholz

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Oct 03, 2013 at 12:30 AM

    this is something I want to know for a long time.

    thank you.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 15, 2013 at 05:20 PM

    Is there a way to log the IP source address (NOT hostname) from a user connects to SAP in audit log ? ( i.e. in SM04 and correct layout, I can see this, but it is "online", current connected users )



    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Frank Buchholz

      Hi Frank,

      This might be veering a little off topic, but since the discussion is about SAP Audit reports and traces, I thought I could post my query here..

      We have had a few incidents of people deleting Layouts via t-code COOIS and COHV. We found out that many users get the authorization through S_ALV_LAYO, and have already started changing roles replacing it with F_IT_ALV, only the Support teams would get the access to S_ALV_LAYO and not the business users.

      My query is, is there a report that I can use, to find out who deleted the earlier layouts, so if there is a training issue, we can take care of it..


      Prakash Sharan

  • author's profile photo Former Member
    Former Member
    Posted on Mar 10, 2014 at 09:24 AM

    Question: would the German Data protection authorities have an issue with activating this level of logging?

    Add a comment
    10|10000 characters needed characters exceeded

    • Hi Denis/Frank

      The last time I did this with a German project (2010/2011) we settled on the following (cleared through German, Austrian, French & Belgian data controllers):

      Logging everything was OK as there is are legitimate reasons for it. The following additional controls were required:

      - Access to logs limited to Basis & Security team

      - Acceptable use (of logs) policy circulated to everyone with access

      - Data had to be summarised before use (e.g. could not be easily attributable to an individual. Obviously difficult to achieve if someone is in a team of 1...)

      - Distribution of data outside security team had to be approved by local data controller (local to the people who's data it was).

      - Detailed records existing outside the system had to be deleted after the summarisation work had been completed

      Exceptions to these included:

      - legitimate use of data in event of security breach (agreed by local counsel and data controllers)

      - use of data with written approval of user (we used this a lot when redesigning access based on patterns of 'model' users).

  • author's profile photo Former Member
    Former Member
    Posted on Jun 05, 2014 at 05:37 AM

    Hi Frank,

    Do you know if the audit file settings will affect GRC Fire Fighter logging?



    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.