Security Audit Log (SAL): No UNC, No NFS mounts
Today I am starting a new blog series, about some issues when incorrect configuration is made on the Security Audit Log (SAL).
If you are interested on reading the most comprehensive document on SAL that I ever found, then please read “Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)”.
Why no UNC and NFS mounts?
The story short: performance.
SAL needs a stable file system to write. UNC (Universal Naming Convention) and NFS (Network File System) mounts are not appropriate. There is a variety of known issues using any of both.
Note that the file handler for SAL file needs to keep opened, due to performance reasons. The file handler would point to an arbitrary location when the file system disappears.
What should I do then?
The SAL files I have are huge, and I do not have enough file system space to store them. What should I do, if I cannot use UNC and NFS mounts?
You should use the local file system. Of course, since you have limited file system space, then you should use OS-level tools to archive audit files. Archived files can be moved to NFS mount location or to a UNC path. If you want to read individual files, then you can use report RSAU_SELECT_EVENTS (a single file can be read at time).
- 539404 – FAQ: Answers to questions about the Security Audit Log
- 1810913 – Performance improvement when reading the Security Audit Log
- 2191612 – FAQ | Use of Security Audit Log as of NetWeaver 7.50
Stay tuned for my next blog on SAL.