
audit log not capturing critical events

Former Member
0 Kudos

Hello,

I have been reviewing specific events in the audit log and I'm seeing that critical events are either not being captured or not showing up when reviewing test data in SM20N. I have read through a number of blogs on the subject, reviewed notes (539404) and discussed with my colleagues without a conclusion. So I'm turning to the community with the hope that I'll get some feedback and suggestions for what to look for, check and try next.

Appreciate the help.

Cheers, Paul

2 REPLIES 2

yakcinar
Active Contributor
0 Kudos

Hello Paul,

Is the activation of the audit classes and events done accordingly in SM19?

What about parameters? Is there enough space for log file?

Regards,

Yuksel AKCINAR

Former Member
0 Kudos

Hi Yuksel,

Yes, in SM19 I have two filters set:

1) first active filter, set for all clients, all users, all audit classes and all events

2) second active filter, set for all clients, all users, audit classes (system and other events) and events = severe and critical

As for parameter settings, on all four application servers this is set:

rsau/max_diskspace/local = 2147483647

What I understand for critical events is that they should be covered by the first filter.

I read through all of this post on setting up auditing:

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

This post clearly states:

Using the debugger in general might already be seen as critical but using debug-replace is considered as very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A
  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A


are already covered by the 1st filter “Activate everything which is critical for all users in all clients” as proposed above.

Is this also your understanding? Would you have any other things I should check if these critical events aren't being captured?

Thanks, Paul


Hi Yuksel,

Yes, in SM19 there are two filters set:

1) First active filter, for all clients, all users, all classes and all events

2) Second active filter, for all clients, all users, two classes (system and other events) and events = severe and critical

As for the parameters I have this set for four application servers:

rsau/max_diskspace/local = 2147483647

What I understand is that for logging critical events, these should be addressed by the first filter. Is this also your understanding?

I did review this post in detail and it specifically states:

Using the debugger in general might already be seen as critical but using debug-replace is considered as very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A
  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A


are already covered by the 1st filter “Activate everything which is critical for all users in all clients” as proposed above.

Taken from this post:

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)