Skip to Content
Jan 25, 2013 at 04:32 PM

Recommended Settings for the Security Audit Log (SM19 / SM20)


Hi Security-Folks,

I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).

Here's my proposal:

Profile Parameters:

rsau/enable = 1

rsau/selection_slots = 10

rsau/user_selection = 1

Filter settings in SM19:

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.

  • You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
  • Consider to add messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB BUC, BUH, AUP, AUQ
  • If you maintain logical file names using transaction FILE (see note 1497003) than add messages CUQ, CUR, CUS, CUT

2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user 'SAP*' as well as all users account names starting with 'SAP', e.g. 'SAPSUPPORTx' because of rsau/user_selection = 1

To show log entries in for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see ).

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily (see ).

7.-10. Filter: free for other project specific purpose

What settings are you using and why?

Kind regards

Frank Buchholz

Active Global Support - Security Services