Another scenario involving SAL: do you want to have a single SAL file created per day? Alternatively, do you want to have more than one file, limiting the file size and the total amount of space occupied per day?


Making myself tireless on spreading a good advice, the most comprehensive document on SAL that I ever found, is available here: “Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)”.

a) SAL configuration: a single file per day

The configuration is simple: just set:


FN_AUDIT = ++++++++.AUD


and:


rsau/max_diskspace/local = xxxxx


The unit used for the disk space is Bytes (if the number does not present a suffix), or k (or K) for Kilobytes, or m (or M) for Megabytes.

b) SAL configuration: multiple files per day

Similar to the configuration to have a single file per day, you have to set:


FN_AUDIT = audit_++++++++_######.AUD


and two additional parameters:


rsau/max_diskspace/per_file = xxxxx

rsau/max_diskspace/per_day = yyyyy


Where xxxxx < yyyyy. The unit used for the disk space is the same as above.

Note that the mask in FN_AUDIT now contains ######, which will be replaced by a sequential number, i.e. a new number as soon as the file have reached the permitted file size. The new number is used to create the new SAL file.

c) SAL configuration: mixing things with odd results

I already saw cases where a configuration like this was used:


FN_AUDIT = audit_++++++++_######.AUD

rsau/max_diskspace/local = zzzzz

rsau/max_diskspace/per_file = xxxxx

rsau/max_diskspace/per_day = yyyyy


In such case, the configuration is not correct. It is not possible have a single file and multiple files, using a specific FN_AUDIT value.

Using SM20 in such case can bring a result like:

SM20.jpg

Even though there are SAL entries recorded in the files.

The solution is simple: use a) or b). Option c) is not valid – and can give you headaches.

Additional Information

539404 – FAQ: Answers to questions about the Security Audit Log

875835 – SecAudit: Analysis finds no audit events

909738 – SecAudit: Files are created with other names

Stay tuned for my last blog on SAL.

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply