Hey team, can I know how to see the security event logs of SAP HANA?

ruzi
Explorer
0 Kudos

I have referred to https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of...

but it's about 2014, and I'm receiving different logs. How can I get information from my new logs? Or is there any update you have?

Sandra_Rossi
Active Contributor
0 Kudos
You are "receiving different..." Sorry but we don't see what you are seeing (add a screenshot, indicate your software version, etc.) Please clarify.

Accepted Solutions (1)

Sandra_Rossi
Active Contributor

As you can see in your record, it starts with "5" which corresponds to the field SLGFTYP in the blog post you mentioned (https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of...), but is not one of the possible values "q" and "2".

I describe below the meaning of SLGFTYP = "5".

The data below is from what I see in one audit file (/usr/sap/SID/D01/log/xxxxxxxxxx.AUD) in my ABAP 7.58 system.

File header

5SAL_SAP_19720607_000000_FFFFFFFFFFFF0BD7989C274D93028B5C747968FC85BC004CEC60D665F68CBEC0D06EEFBCC096003

I don't know what these 104 characters mean. Skip them?

First record

5AU220240409000013003636800022B1050100000008XXXX498400000008RSBTCRTE000000000005B&2&A0088F32F71FAA5694A08EE9623F37DCC22999B549AAE362CBDD3F99E7802CD418DEE003

Split and explanations

5AU2

  • 5: Entry type
    • "q" = DDIC structure RSAUENTR2 version 1 without field SLGLTRM2
    • "2" = DDIC structure RSAUENTR2 version 2 including field SLGLTRM2
    • "5" = variable length record
  • AU: Message area
  • 2: Message name ("sub-name")

2024040900001300 date time "00"
36368 Operating system process number?
00022 workprocess number
B1 workprocess type
050 mandant
1 file number?
0000 length of short terminal name + short terminal name??
0008XXXX4984 length of user name + user name
0000 length of transaction code + transaction code
0008RSBTCRTE length of program name + program name
0000 length of long terminal name + long terminal name
0000 length of Last Address Routed + Last Address Routed
0005B&2&A length of variables + variables (separated with &)
0088 offset of last character of this field with offset of 5AU2 considered zero (e.g. total of 89 characters from start of 5AU2 up to this offset field included, and offset of next field starts at 89)
F32F71FAA5694A08EE9623F37DCC22999B549AAE362CBDD3F99E7802CD418DEE Variable message data (64 characters)
003 ??

SM20 details

Date 09.04.2024
Time 00:00:13
Client 050
SysLog msg. group AU
Message Identifier AU2
Sub-name 2
User XXXX4984
ABAP Source RSBTCRTE
Audit Log Message Logon failed (reason=2, type=B, method=A)
First Variable Value for Event B
Second Variable Value for Event 2
Third Variable Value for Event A
Audit Class Dialog Logon
Criticality H
Message Severity High
File Number 1
SAP process B1
Work Process Number 022

Second record

5CUZ20240409001516003635100005D505010008xxxxst060006SM_SMY00000008SAPMSSY10020xxxxst0663.xxxxsap.a0011xx.xx.20.830011DBTABLOG&0301310C0D1EC53E3B3C32016B1EB0CF62D3E9B3F04314877C06E37FBB56EDB4445DD3003

Split and explanations

5CUZ
2024040900151600 date time "00"
36351 Operating system process number?
00005 workprocess number
D5 workprocess type
050 mandant
1 file number?
0008xxxxst06 length of short terminal name + short terminal name??
0006SM_SMY length of user name + user name
0000 length of transaction code + transaction code
0008SAPMSSY1 length of program name + program name
0020xxxxst0663.xxxxsap.a length of long terminal name + long terminal name
0011xx.xx.20.83 length of Last Address Routed + Last Address Routed
0011DBTABLOG&03 length of variables + variables (separated with &)
0131 offset of last character of this field with offset of 5CUZ considered zero (e.g. total of 131 characters from start of 5CUZ up to this offset field included, and offset of next field starts at 132)
0C0D1EC53E3B3C32016B1EB0CF62D3E9B3F04314877C06E37FBB56EDB4445DD3 Variable message data (64 characters)
003 ??

SM20 details

Date 09.04.2024
Time 00:15:16
Client 050
SysLog msg. group CU
Message Identifier CUZ
Sub-name Z
User SM_SMY
Terminal Name xxxxst0663.xxxxsap.a
Last Address Routed xx.xx.20.83
ABAP Source SAPMSSY1
Audit Log Message Generic table access by RFC to DBTABLOG with activity 03
First Variable Value for Event DBTABLOG
Second Variable Value for Event 03
Audit Class RFC Function Call
Criticality H
Message Severity High
File Number 1
SAP process D5
Work Process Number 005

Third record

5BU420240409000013003637000024B1600100000004DDIC0004S0000020FIN_EDI_EXTRACT_ADVC000000000006-&G!&-0101053D316789EF7C633B09A4779077787A911DAE3F48BB478754DBB92E8AA99D2F003

Split and explanations

5BU4
2024040900001300 date time "00"
36370 Operating system process number?
00024 workprocess number
B1 workprocess type
600 mandant
1 file number?
0000 length of short terminal name + short terminal name??
0004DDIC length of user name + user name
0004S000 length of transaction code + transaction code
0020FIN_EDI_EXTRACT_ADVC length of program name + program name
0000 length of long terminal name + long terminal name
0000 length of Last Address Routed + Last Address Routed
0006-&G!&- length of variables + variables (separated with &)
0101 offset of last character of this field with offset of 5CUZ considered zero (e.g. total of 131 characters from start of 5CUZ up to this offset field included, and offset of next field starts at 132)
053D316789EF7C633B09A4779077787A911DAE3F48BB478754DBB92E8AA99D2F Variable message data (64 characters)
003 ??

SM20 details

Date 09.04.2024
Time 00:00:13
Client 600
SysLog msg. group BU
Message Identifier BU4
Sub-name 4
User DDIC
Started by Application S000
ABAP Source FIN_EDI_EXTRACT_ADVC
Event number within a second 7
Audit Log Message Dynamic ABAP code: Event -, event type G!, check total -
First Variable Value for Event -
Second Variable Value for Event G!
Third Variable Value for Event -
Audit Class Other Events
Criticality L
Message Severity Low
File Number 1
SAP process B1
Work Process Number 024
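
The layout deduced in the answer above, written as a parser (an added example, not part of the original post and not SAP code). The field labels are chosen here, the three sample lines are the records quoted in the answer, and handling one record per string is an assumption; the tail after the end-offset field is returned undecoded, since the answer leaves its trailing "003" unexplained.

```python
# Fixed-width head of a type "5" record as deduced in the answer: (label, width).
FIXED = [("entry_type", 1), ("area", 2), ("subid", 1), ("date", 8), ("time", 6),
         ("dummy", 2), ("os_pid", 5), ("wp_number", 5), ("wp_type", 2),
         ("client", 3), ("file_number", 1)]
# Then seven fields, each a 4-digit length followed by that many characters.
VARIABLE = ["short_terminal", "user", "tcode", "program",
            "long_terminal", "last_address", "variables"]
# The three records quoted in the answer (user and host names are masked there).
RECORDS = [
    "5AU220240409000013003636800022B1050100000008XXXX498400000008RSBTCRTE000000000005B&2&A0088F32F71FAA5694A08EE9623F37DCC22999B549AAE362CBDD3F99E7802CD418DEE003",
    "5CUZ20240409001516003635100005D505010008xxxxst060006SM_SMY00000008SAPMSSY10020xxxxst0663.xxxxsap.a0011xx.xx.20.830011DBTABLOG&0301310C0D1EC53E3B3C32016B1EB0CF62D3E9B3F04314877C06E37FBB56EDB4445DD3003",
    "5BU420240409000013003637000024B1600100000004DDIC0004S0000020FIN_EDI_EXTRACT_ADVC000000000006-&G!&-0101053D316789EF7C633B09A4779077787A911DAE3F48BB478754DBB92E8AA99D2F003",
]

class AuditParseError(ValueError):
    """The line does not match the deduced type "5" layout."""

def parse_record(line: str) -> dict:
    pos, rec = 0, {}
    def take(width: int, what: str) -> str:
        nonlocal pos
        if pos + width > len(line):  # a length prefix must never run past the record
            raise AuditParseError(f"truncated in {what} at offset {pos}")
        chunk = line[pos:pos + width]
        pos += width
        return chunk

    def take_number(what: str) -> int:
        digits = take(4, what)
        if not (digits.isascii() and digits.isdigit()):
            raise AuditParseError(f"{what}: expected 4 digits, got {digits!r}")
        return int(digits)

    for label, width in FIXED:
        rec[label] = take(width, label)
    if rec["entry_type"] != "5":
        raise AuditParseError(f"entry type {rec['entry_type']!r} is not '5'")
    for label in VARIABLE:
        rec[label] = take(take_number(label + " length"), label)
    rec["variables"] = rec["variables"].split("&") if rec["variables"] else []
    end = take_number("end offset")
    if end != pos - 1:  # cross-check: offset of the last character of this field
        raise AuditParseError(f"end offset says {end}, parser is at {pos - 1}")
    rec["event"] = rec["area"] + rec["subid"]  # e.g. AU2, shown in SM20 as "Logon failed"
    rec["tail"] = line[pos:]  # 64 characters + "003" in the samples; not decoded here
    return rec

if __name__ == "__main__":
    for r in map(parse_record, RECORDS):
        print(r["event"], r["date"], r["time"], r["client"], r["user"], r["variables"])
```

The end-offset comparison is what catches a record whose length prefixes have drifted out of step with the data, so a log pipeline can reject the line instead of ingesting shifted field values.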

ruzi
Explorer
0 Kudos

Hi Sandra,

Thank you for this deep explanation. I need more clarity on some areas.

  • 5: Entry type
    • "q" = DDIC structure RSAUENTR2 version 1 without field SLGLTRM2
    • "2" = DDIC structure RSAUENTR2 version 2 including field SLGLTRM2
    • "5" = variable length record
  • You have mentioned 5 as a variable length. Which length does it hold? Because I am clear with other things like length of user + user name.

What is "0000 - length of ?? + ??"? You have mentioned this. What is the meaning of that?

And in this doc, https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of...

every field has a defined length, but you have described them here with variable lengths. Does this occur in the latest version of SAP? Because in this doc, it's mentioned as

variable message has 64 bits, program has 40, like that, and follows an order. And here, is there any order? If possible, can you provide a table like this, so that it would be more helpful?

| Field | Sub-field | Length | Description |
|---|---|---|---|
| SLGTYPE | | | SysLog: LIKE structure RSLGETYP |
| | SLGFTYP | 1 | Entry type: "q" = version 1 without field SLGLTRM2, "2" = version 2 including field SLGLTRM2 |
| | AREA | 2 | Message area |
| | SUBID | 1 | Message name |
| SLGDATTIM | | | Time stamp (CHAR 16) |
| | DATE | 8 | Date in format YYYYMMDD |
| | TIME | 6 | Time in format hhmmss |
| | DUMMY | 2 | not used |
| SLGPROC | | | SysLog: LIKE RSLGPID structure |
| | UNIXPID | 5 | Process ID |
| | TASKTNO | 5 | Task |
| | SLGTTYP | 2 | Process type (short form) |
| SLGLTRM | | 8 | Terminal name (truncated) |
| SLGUSER | | 12 | User name |
| SLGTC | | 20 | Transaction |
| SLGREPNA | | 40 | Program |
| SLGMAND | | 3 | Client |
| SLGMODE | | 1 | External mode of an SAP dialog |
| SLGDATA | | 64 | Variable message data |
| SLGLTRM2 | | 20 | Terminal name (continued), only available if SLGFTYP=2 |

Sandra_Rossi
Active Contributor
0 Kudos
I only deduced the format from the file and SM20 display, because it seems that you couldn't do it yourself. As I couldn't find a value between the user and the program, I can't deduce its meaning hence indicating "0000 - length of ?? + ??". Probably it's the transaction code. The blog post is not talking about "5", nothing more to say about it, and that's why I answered.
ruzi
Explorer
0 Kudos
Okay! Then what about the length of each field? Does this vary from one log to another? Or can you take my request to provide a table structure for the log fields?
Sandra_Rossi
Active Contributor
0 Kudos
Example added for BU4 which contains the transaction code S000. I think that you didn't understand that the first four characters contain the variable length. In the second record, the terminal short name (right after the file number) has length 0008 which means that the next 8 characters contain the terminal short name, and the next field (user name) starts right after it. 0000 means "no value".
ruzi
Explorer
0 Kudos

Yes, I have no doubt regarding your length explanation. One more question: what is the offset? Does it have a length of 4 by default? And I want to know whether fields like user name, transaction code, etc. have a static (predefined) length or whether it varies.

Sandra_Rossi
Active Contributor
0 Kudos
offset = number of characters from a given position (e.g. start of record). As I said and as you can see in the 3 records of my answer, that is a "variable length" so it varies.
ruzi
Explorer
0 Kudos
Okay. One more query: in the old pattern mentioned in the blog, the client value comes after the program, but here it comes after the process ID. So is this the standard format, and is the old log format deprecated?
Sandra_Rossi
Active Contributor
0 Kudos
As I said: "I only deduced the format from the file and SM20 display". If you need more information, ask the developers of this feature directly. In case you ask, I don't know who they are. The whole question would deserve asking the blog post author.
ruzi
Explorer
0 Kudos
Thank you for your support, @Sandra_Rossi
Sandra_Rossi
Active Contributor
0 Kudos
"Variable length" means that a structure IS NOT POSSIBLE. A structure has fixed length. I guess your question is: "is it possible to tell SAP software to write in fixed-length format?" I don't see what could be the reason that such a possibility exists.
ruzi
Explorer
0 Kudos

I understand, @Sandra_Rossi. But I hope you saw the table which has the fields with a standard length. In this new log format you said the length is varying, and I am taking it to mean that the fields don't have a standard or maximum length, like if it is a user name, it may have a length up to some value.

ruzi
Explorer
0 Kudos

Hi, as discussed earlier 

053D316789EF7C633B09A4779077787A911DAE3F48BB478754DBB92E8AA99D2F003 Variable message data (64 characters): I can get the 64 characters of message data by excluding 003, and this value is occurring in all logs. So can I take 64 characters excluding this?

And how is the offset value calculated? It's mentioned as 0131 including this, but the actual length is 132.

Sandra_Rossi
Active Contributor
0 Kudos

The ABAP type STRING can be any length, so it should not be a problem to not know the limit. I guess you may consider the length limit of the fields as defined by RSAUENTR2, but I don't know if it's true for all the fields (it is at least true for user, program name, transaction code, client). Thanks for the feedback about my error concerning the variable message data.

Concerning the variable message data length (e.g. 0131), you're correct, it's what I tried to explain. Anyway, this length is useless to decode the file.

Answers (3)

Sandra_Rossi
Active Contributor
0 Kudos

As you can see in your record, it starts with "5" which corresponds to the field SLGFTYP in the blog post you mentioned (https://community.sap.com/t5/application-development-blog-posts/analysis-and-recommended-settings-of...), but is not one of the possible values "q" and "2".

I describe below the meaning of SLGFTYP = "5".

The data is from what I see in one audit file (/usr/sap/SID/D01/log/xxxxxxxxxx.AUD) in my ABAP 7.58 system.

File header

5SAL_SAP_19720607_000000_FFFFFFFFFFFF0BD7989C274D93028B5C747968FC85BC004CEC60D665F68CBEC0D06EEFBCC096003

First record

5AU220240409000013003636800022B1050100000008XXXX498400000008RSBTCRTE000000000005B&2&A0088F32F71FAA5694A08EE9623F37DCC22999B549AAE362CBDD3F99E7802CD418DEE003

Split and explanations

5AU2

  • 5: Entry type
    • "q" = DDIC structure RSAUENTR2 version 1 without field SLGLTRM2
    • "2" = DDIC structure RSAUENTR2 version 2 including field SLGLTRM2
    • "5" = variable length record
  • AU: Message area
  • 2: Message name ("sub-name")

2024040900001300 date time "00"
36368 Operating system process number?
00022 workprocess number
B1 workprocess type
050 mandant
1 file number?
0000 length of short terminal name + short terminal name??
0008XXXX4984 length of user name + user name
0000 length of ?? + ??
0008RSBTCRTE length of program name + program name
0000 length of long terminal name + long terminal name
0000 length of ?? + ??
0005B&2&A variables separated with &
0088 offset of last character of this field with offset of 5AU2 considered zero (e.g. total of 89 characters from start of 5AU2 up to this offset field included, and offset of next field starts at 89)
F32F71FAA5694A08EE9623F37DCC22999B549AAE362CBDD3F99E7802CD418DEE003 64 characters

SM20 details

Date 09.04.2024
Time 00:00:13
Client 050
SysLog msg. group AU
Message Identifier AU2
Sub-name 2
User XXXX4984
ABAP Source RSBTCRTE
Audit Log Message Logon failed (reason=2, type=B, method=A)
First Variable Value for Event B
Second Variable Value for Event 2
Third Variable Value for Event A
Audit Class Dialog Logon
Criticality H
Message Severity High
File Number 1
SAP process B1
Work Process Number 022

Second record

5CUZ20240409001516003635100005D505010008xxxxst060006SM_SMY00000008SAPMSSY10020xxxxst0663.xxxxsap.a0011xx.xx.20.830011DBTABLOG&0301310C0D1EC53E3B3C32016B1EB0CF62D3E9B3F04314877C06E37FBB56EDB4445DD3003

Split and explanations

5CUZ
2024040900151600 date time "00"
36351 Operating system process number?
00005 workprocess number
D5 workprocess type
050 mandant
1 file number?
0008xxxxst06 length of short terminal name + short terminal name??
0006SM_SMY length of user name + user name
0000 length of ?? + ??
0008SAPMSSY1 length of program name + program name
0020xxxxst0663.xxxxsap.a length of long terminal name + long terminal name
0011xx.xx.20.83 length of Last Address Routed + Last Address Routed
0011DBTABLOG&03
0131 offset of last character of this field with offset of 5CUZ considered zero (e.g. total of 131 characters from start of 5CUZ up to this offset field included, and offset of next field starts at 132)
0C0D1EC53E3B3C32016B1EB0CF62D3E9B3F04314877C06E37FBB56EDB4445DD3003

SM20 details

Date 09.04.2024
Time 00:15:16
Client 050
SysLog msg. group CU
Message Identifier CUZ
Sub-name Z
User SM_SMY
Terminal Name xxxxst0663.xxxxsap.a
Last Address Routed xx.xx.20.83
ABAP Source SAPMSSY1
Audit Log Message Generic table access by RFC to DBTABLOG with activity 03
First Variable Value for Event DBTABLOG
Second Variable Value for Event 03
Audit Class RFC Function Call
Criticality H
Message Severity High
File Number 1
SAP process D5
Work Process Number 005

ruzi
Explorer
0 Kudos

Hi team, my query is why the log pattern differs from the blog post. Are there any changes regarding this?

| Field | Sub-field | Length | Description |
|---|---|---|---|
| SLGTYPE | | | SysLog: LIKE structure RSLGETYP |
| | SLGFTYP | 1 | Entry type: "q" = version 1 without field SLGLTRM2, "2" = version 2 including field SLGLTRM2 |
| | AREA | 2 | Message area |
| | SUBID | 1 | Message name |
| SLGDATTIM | | | Time stamp (CHAR 16) |
| | DATE | 8 | Date in format YYYYMMDD |
| | TIME | 6 | Time in format hhmmss |
| | DUMMY | 2 | not used |
| SLGPROC | | | SysLog: LIKE RSLGPID structure |
| | UNIXPID | 5 | Process ID |
| | TASKTNO | 5 | Task |
| | SLGTTYP | 2 | Process type (short form) |
| SLGLTRM | | 8 | Terminal name (truncated) |
| SLGUSER | | 12 | User name |
| SLGTC | | 20 | Transaction |
| SLGREPNA | | 40 | Program |
| SLGMAND | | 3 | Client |
| SLGMODE | | 1 | External mode of an SAP dialog |
| SLGDATA | | 64 | Variable message data |
| SLGLTRM2 | | 20 | Terminal name (continued), only available if SLGFTYP=2 |

ruzi
Explorer
0 Kudos

5AU120240328000051002678400060B3100100000005BASIS0004S0000008RSBTCRTE000000000005B&0&A008910F235B11EB31624C68A74FB7ED6E413E59900DFD8963838A9EC16B543B2CB39003

This is the log I am getting,

but in the post, the log mentioned looks like

2AU520130409010803000505200009D9a234ba.pDOKUSTAR SAPMSSY1 0201R&0 h020co.pt.com

ruzi
Explorer
0 Kudos
I cannot match the fields that are listed in this log.
Sandra_Rossi
Active Contributor
0 Kudos
I don't understand what your problem is. The blog post says to "Use report RSAU_SELECT_EVENTS to analyze the file format." It will show you exactly how you need to interpret this line.