I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).
Here's my proposal:
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
Filter settings in SM19:
1. Filter: Activate everything which is critical for all users '*' in all clients '*'.
2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user 'SAP*' as well as all users account names starting with 'SAP', e.g. 'SAPSUPPORTx' because of rsau/user_selection = 1
To show log entries in for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.
3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'
4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).
5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).
6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).
7.-10. Filter: free for other project specific purpose
What settings are you using and why?
Active Global Support - Security Services