Posted   by 

Rsau Local File



This post introduces SAP® Security Audit Log.

  1. Rsau/local/file Not Found
  2. Rsau Local File Extension
  3. Rsau Local File Bankruptcy
  4. Rsau/local/file
  5. Rsau Local File Cabinet

Overview

Rsau/enable: Set to 1 to activates audit logging rsau/local/file: Name and location of the audit log file rsau/maxdiskspace/local: Max. Space of the audit file. If maximum size is reached auditing stops. Transactions SM19, SM20N e SM18 will be replaced with RSAUCONFIG, RSAUREADLOG, RSAUADMIN. Hera some new features:. Save log on database. Filter by User groups. Number of filter up to 90. Check the file integrity Below an image that show the new configuration of Security audit log.

According toSAP:The Security Audit Log records “security-related system information such as changes touser master records or unsuccessful login attempts. This log is a tool designed forauditors who need to take a detailed look at what occurs in the AS ABAP system. Byactivating the audit log, [the SAP system keeps a record] of those activities that youspecify for your audit. [Customers] can then access this information for evaluation in theform of an audit analysis report.

“The Security Audit Log provides for a long-term data access. The audit files are retaineduntil you explicitly delete them. Currently, the Security Audit Log does not support theautomatic archiving of the log files; however, you can manually archive them at any time.

“You can record the following information in the Security Audit Log:

  • Successful and unsuccessful dialog login attempts
  • Successful and unsuccessful RFC login attempts
  • RFC calls to function modules
  • Changes to user master records
  • Successful and unsuccessful transaction starts
  • Changes to the audit configuration”

According to Enterprise Threat Monitor:“SAP security audit log is the main location for the traces of events triggered by thesystem or by applications, which are related to security. [It is in the form of a table.]Based on the configuration which event types must be recorded, it saves the data to thedisk on the SAP application server instance.” Specify the audit files location by settingthe profile parameter, rsau/local/file, in the SAP system.

A SAP blogadds: “Since security audit logs are stored on the file system and not the database, they[do not impact performance]. The main consideration of the operations teams is the storagerequirements. Based on the activated event types (audit classes), the data volume [can vary].”

Configuration of Security Audit log

There are two configuration options in the security audit log:

  • Set Profile parameters
  • Use appropriate filter configuration using SM19 or RSAU_CONFIG

1. Profile parameters

Set profile parameters based on your release.

A) For releases earlier than 740: In the default profile, default.pfl, of the system,set the following profile parameters:

  • rsau/enable=1
  • rsau/user_selection=1
  • rsau/selection_slots=10 (or higher)
  • rsau/integrity=1 (if available - see SAP Notes 2033317 and 1810913)

B) For releases 740 to 751: Call transaction SM19. Activate the SecurityAudit Log by performing the following steps:

  1. Select the Security Audit active checkbox on the Kernel Parameters tab.
  2. Activate both Generic User Selection and Integrity Protection Format.
  3. Set the number of selection filters to at least 10.

C) For releases 752 and later: Call transaction RSAU_CONFIG. Activate the Security AuditLog by performing the following steps:

  1. Select the Static security audit active checkbox underSecurity Audit Log Configuration -> Parameters in the tree.
  2. Activate both Generic User Selection and Integrity protection format active.
  3. Set the Number of Filters per Profile to 10, which is the minimum requirement.

Note: When you use the Kernel parameters in the Security Audit Log configuration (step1B or 1C), existing settings with the same name in the system’s profile are ignored. Formore information, seeSAP Note 539404,answer 1a.

Local

2. Setting up appropriate filter configurations

To set up filters, perform the following steps:

  1. Call transaction SM19 or RSAU_CONFIG. Create a new profile.

  2. Create the following filters:

    • All clients (*), user SAP#*: Record all events. The character # serves to mask* as non-wildcard.
    • All clients (*), user <your emergency user IDs>*: Record all events.
    • Client 066, all users (*): Record all events.
    • All clients (*), all users (*): Record all events except AUW, AU5, AUK, CUV, DUR,and EUE (deactivate via Detailed Display).

  3. Save and activate the profile.

  4. Finally, check the configuration. If you have made changes to the profile parameters orthe static profile, restart the system to make them effective. Until you can restart thesystem: Convert the static profile to a dynamic profile and activate it.

Analysis of Security Audit log

Call transaction SM20/SM20N, or its equivalent transaction depending on your SAPNetweaver version (see the following table), and give the required selection criteria asinput. Click Reread Audit log to get the configured audit log for your system.

Table: Old and New functions of Transactions and reports related to the Security Audit Log

Table Source: https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/#jive_content_id_Recommended_Settings_for_the_Security_Audit_Log_SM19__SM20

According to aSAP blog post:“You can view the long text of the Security Audit Log event messages using transactionSE92 (or in transaction SE61 if you choose the document class SL (Syslog). Usingnote 1970644, you can get reportRSAU_INFO_SYAG which shows all the events of the Security Audit Log including thecurrent status of activation. The detail view allows you to create a HTML-based eventdefinition print list including the full documentation.”

It primarily depends on customer requirements to enable all successful and non-successfulevents for all clients and users. TheSAP postcontinues: “There is no performance impact, not in time nor in space, if you logunsuccessful (=critical) events as these events happens rarely. As soon as you start loggingsuccessful events you might look to space—the growing size of the auditfiles—but still not to time, as the Security Audit Log is optimized for speed.”

SAP offers functionality to email Security Audit Logs with the help of reportsRSAU_SELECT_EVENTS or RSAU_READ_LOG. Schedule any of these reports as a backgroundjob to receive the audit log from the SAP system.

Rsau local file bankruptcy

The following table gives an overview of the critical events messages store in the auditlog for different audit classes.

Table: Critical events of Dialog, Transaction, RFC, and User audit classes

Table source: (https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/#jive_content_id_Recommended_Settings_for_the_Security_Audit_Log_SM19__SM20)[https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/#jive_content_id_Recommended_Settings_for_the_Security_Audit_Log_SM19__SM20]

Conclusion

Switching on Security Audit log for all the clients and users is a crucial step in securityas it provides detailed information on the audit reports. Its benefits far outweigh itscosts and provide long term data access. I strongly recommended that you enable SecurityAudit log, especially in production environments.

Use the Feedback tab to make any comments or ask questions. You can also clickSales Chat to chat now and start the conversation.

The main system log, SAP systems can be seen by running transaction SM21
(Tools-> Administration-> Monitoring-> System Log). Displays a message with
the current SAP-instance. Log entries are read from the file specified by the
File
parameter rslg/local/file. By default /usr/sap/<sid>/<Instance_name>/log/SLOG <instance_number>. Parameter rslg/max_diskspace/local sets the size of the
After filling the old entries are deleted. The size of the single record 192 bytes.
You can collect log records from all application servers on the central instance.
Details on the SAP Help Portal .

Transaction ST22 -view ABAP-system dumps. You can via the menu
'move to-> Reorganize' set term of storage dumps. The retention value of
dumps depends on the frequency of analysis of your systems. Usually, 7 days is

You can enable Security Audit Log system. From this you can see log successful
and failed logons, user blocking users, run reports, edit the transaction key.

Rsau/local/file Not Found

Temporarily included in the transaction SM19. Constantly parameter
rsau/enable = 1. Option rsau/local/file sets the directory where to store the

Rsau Local File Extension

logs. By default,/usr/sap/<sid>/<Instance_name>/log/audit_ <instance_number>.

Rsau Local File Bankruptcy

Via parameter rsau/max_diskspace/local audit file size is set for the day.

Rsau/local/file

View history through the transaction SM20. Delete old logs transaction SM18.

There is also an option to activate auditing changes in tables. Write the profile parameter rec/client = XXX (client number).You can specify multiple

Rsau Local File Cabinet

comma-separated mandates. For the required tables in SE11 in technical settings
include 'change history'. View audit transaction SCU3. The audit log is stored in