Skip to Content
Author's profile photo Cristiano Hansen
Cristiano Hansen
April 14, 2016 1 minute read

Security Audit Log (SAL): One directory for all SAL files

Today I will present a scenario about SAL: use one directory to store all SAL files from all application servers in a SAP system.

As I mentioned in my previous blog, the most comprehensive document on SAL that I ever found, is available here: “Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)”.

My system landscape

For testing purposes, I will use a SAP Netweaver 7.31 system. It have the following hosts and instances:


Host A: ASCS01 and DVEBMGS00

Host B: D00 and D01

SID.jpg

SAL configuration

I will set DIR_AUDIT to \\Host B\usr\sap\SID\Audit\ in all dialog instances from the system.


Additional parameters:


FN_AUDIT = audit_++++++++_######.AUD

rsau/max_diskspace/per_day = 1000M

rsau/max_diskspace/per_file = 100M

Thus, all SAL files will be recorded in a single directory, using the pattern above (given by FN_AUDIT). I expect multiple files per day, having each file 100 MB. The maximum disk space that can be used every day is 1000 MB.

In SM19 I decided to record all Audit classes in all clients for all user IDs.

Where are the entries?

Well, all the entries are recorded in the same file, for all application servers. You will find incorrect information in SM20:

SM20.jpg

As you can see, 1, 2 and 3 show the exact same entries, for the same User and same Terminal name (even though I omitted this information from the screenshot). The entries from 1 and 2 are from Host B, instances D00 and D01. The entries from 3 are from Host A, instance DVEBMGS00.

Solution

Set individual directories for SAL files. Each application server should write its own files in an exclusive directory.

So, in my landscape, fixing things means setting DIR_AUDIT in the instance profile, using:

SID_DVEBMGS00_HOSTA:

DIR_AUDIT = X:\usr\sap\SID\DVEBMGS00\log

SID_D00_HOSTB:

DIR_AUDIT = X:\usr\sap\SID\D00\log

SID_D01_HOSTB:

DIR_AUDIT = X:\usr\sap\SID\D01\log

Then I executed one transaction code in each app server, resulting in the following SM20 report:


SM20 v2.jpg

Additional Information

539404 – FAQ: Answers to questions about the Security Audit Log

Stay tuned for my next blog on SAL.

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Pusat herbal bliherbal menganjurkan bagi pelanggan setia yang sering menggunakan obat herbal, mudah-mudahan manfaat dari obat-obatan herbal terlihat, maka dari itu sebaiknya dibarengi dengan terapkan pola hidup yang baik dan sehat.  obat herbal tbc ampuh