SAP Security Audit Logs: Auditor wants me to switch ALL on!!! Here is what I told him
So, suddenly your security team or audit department wants you to log everything but you are not very comfortable making this change. What do you tell them?
First: Isn’t switching on all SM19 logs for all users, all clients, all events a very bad idea?
Common perception about switching on SAP security audit logs (also referred as SM19 or SM20 logs) is as follows:
- On a reasonably-sized ERP system they will fill up a lot of disk space.
- They will introduce performance issues.
- They are useless. No one reviews them.
Stop! Wrong! Here is why:
1. On a reasonably-sized ERP system they will fill up a lot of disk space.
No, they won’t
Here is the summary of what we recently discovered after analyzing a PROD ERP system which has over 10.000 users. Keep in mind, that’s not a small system! (The detailed statistics can be found at: SAP Security Audit Logs: Which event types should I enable? There are 90 of them! And how much disk space do I need?).
- Security audit log volume of this system on a peak day is around 2GB in total (for all users in all clients and for all SM19 event types/classes).
- The SM19 logs can be compressed very well. Even with the traditional zip format, the file size can be reduced ~96-98%. Bzip or rar boosts this to more than 99%. That’s a huge reduction!
- In our case, auditors and legal wanted 18 months of data retention. For sizing requirements that means around 1-1.5 TB of uncompressed data for 18 months, 20-30GB if everything is compressed. That’s peanuts for a system this important.
2. Switching on SAP security audit logs will introduce performance issues.
No, they won’t
SAP security audit logs are optimized in the kernel and written to the file system directly. They are not stored in the database. So, even for the extreme event of writing couple of gigabytes of logs in 24 hours, that’s nothing. Your 5-year-old laptop can write 3GB in less than a minute.
3. They are useless. No one reviews those logs.
That’s a valid point.
If you don’t have the tools and processes for evaluating them close to real time, their value is pretty low. Remember, the real value of security is stopping incidents from happening or neutralizing them as they happen.
For this purpose SAP has its solution ETD (http://scn.sap.com/docs/DOC-58501).
I’m the founder of a company which has another solution, Enterprise Threat Monitor, which sends out notifications in real time, when incidents are detected.
There are also other solutions and methodologies available utilizing SIEM or similar infrastructures.
Conclusion
Switching on all SM19 audit classes for all clients and all users causes fewer problems than typically assumed and it is a very important step in security. For almost all cases its benefits far outweigh its costs. I strongly recommend it!
I hope this blog post helps change the answer “We’ll do our best within our operational capacity to comply with this audit finding” (meaning: “No”) to a nice and clean “Yes” for some of the readers.
Problems around SAP security monitoring is a topic of the past. It can be easily overcome using the latest tools and technologies.
Very Good!
I also asked this here. Do you gain anything from having additional filters active? Since your logging all events in all clients? Is there any gain?
I want to say: "No." but I could be missing something SM19/SM20 does with these filters I am unaware of.
Hello Drew, sorry I just saw your message. No, in our case activating other filters would not bring us any value since already everything is logged.
Good points!