Security Audit Log (SAL): One directory for all SAL files
Today I will present a scenario about SAL: use one directory to store all SAL files from all application servers in a SAP system.
As I mentioned in my previous blog, the most comprehensive document on SAL that I ever found, is available here: “Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)”.
My system landscape
For testing purposes, I will use a SAP Netweaver 7.31 system. It have the following hosts and instances:
Host A: ASCS01 and DVEBMGS00
Host B: D00 and D01
I will set DIR_AUDIT to \\Host B\usr\sap\SID\Audit\ in all dialog instances from the system.
FN_AUDIT = audit_++++++++_######.AUD
rsau/max_diskspace/per_day = 1000M
rsau/max_diskspace/per_file = 100M
Thus, all SAL files will be recorded in a single directory, using the pattern above (given by FN_AUDIT). I expect multiple files per day, having each file 100 MB. The maximum disk space that can be used every day is 1000 MB.
In SM19 I decided to record all Audit classes in all clients for all user IDs.
Where are the entries?
Well, all the entries are recorded in the same file, for all application servers. You will find incorrect information in SM20:
As you can see, 1, 2 and 3 show the exact same entries, for the same User and same Terminal name (even though I omitted this information from the screenshot). The entries from 1 and 2 are from Host B, instances D00 and D01. The entries from 3 are from Host A, instance DVEBMGS00.
Set individual directories for SAL files. Each application server should write its own files in an exclusive directory.
So, in my landscape, fixing things means setting DIR_AUDIT in the instance profile, using:
DIR_AUDIT = X:\usr\sap\SID\DVEBMGS00\log
DIR_AUDIT = X:\usr\sap\SID\D00\log
DIR_AUDIT = X:\usr\sap\SID\D01\log
Then I executed one transaction code in each app server, resulting in the following SM20 report:
539404 – FAQ: Answers to questions about the Security Audit Log
Stay tuned for my next blog on SAL.