Could not execute 'EXPORT 'PUBLIC'.' AUDITLOG' INTO '/tmp/' SAP DBTech JDBC: 7: feature not supported: Exporting object PUBLIC objects owned by SYS user is not allowed.: line 1 c.

SAP Knowledge Base Article - Preview. 2684434 - How to export HANA audit log when audit trail target is internal database table. Cannot export audit log.

The Security Audit Log normally logs the terminal id if it’s available; otherwise the IP address is logged. You can set the (undocumented) profile parameter rsau/iponly to the value 1 to log the IP address instead (if available). See note 1497445 for details. Use the following options to get the terminal id and the IP address of active users.

The SAP audit tcodes below group the main SAP transaction codes used for SAP ERP management audits.
Useful SAP Audit Tcodes
SAP Audit Tcodes | Description |
---|---|
0REP | Start of program etc. from IMG |
AL11 | Display SAP Directories |
BD64 | Maintenance of Distribution Model |
DB03 | Parameter Changes in Database |
DB12 | DBA Backup Logs |
FB01 | Post Document |
FILE | Cross-Client File Names/Paths |
OS03 | O/S Parameter changes |
PE01 | HR: Maintain Payroll Schemas |
PE02 | HR: Maintain Calculation Rules |
PFCG | Role Maintenance |
PFUD | User Master Data Reconciliation |
RSGWLST | Accessible Gateways |
RSPFPAR | Display profile parameter |
RSRFCCHK | RFC destinations with logon data |
RSTBHIST | Table history |
RSUSR003 | Check standard user passwords |
RSUSR200 | List of Users per Login Date |
RZ01 | Job Scheduling Monitor |
RZ03 | Presentation & Control SAP Instances |
RZ04 | Maintain SAP Instances |
RZ10 | Maintain Profile Parameters |
RZ11 | Profile Parameter Maintenance |
RZ20 | CCMS Monitoring |
RZ27_SECURITY | MiniApp CCMS Alerts Security |
SAINT | Add-On Installation Tool |
SAMT | ABAP Program Set Processing |
SARA | Archive Administration |
SCC3 | Client Copy Log |
SCDN | Change Documents: Number Ranges |
SCDO | Display Change Document Objects |
SCU0 | Customizing Cross-System Viewer |
SCUL | Central User Administration Log |
SCUM | Central User Administration |
SD11 | Data Modeler |
SE03 | Transport Organizer Tools |
SE06 | Set Up Transport Organizer |
SE09 | Transport Organizer |
SE10 | Transport Organizer |
SE12 | ABAP Dictionary Display |
SE13 | Maintain Technical Settings (Tables) |
SE15 | ABAP/4 Repository Information System |
SE16 | Data Browser |
SE16_RFCDESSECU | Data Browser RFCDESSECU |
SE16_T000 | Data Browser T000 |
SE16_TXCOMSECU | Data Browser TXCOMSECU |
SE16_USR40 | Data Browser USR40 |
SE16_USRACL | Data Browser USRACL |
SE16_USRACLEXT | Data Browser USRACLEXT |
SE16_V_T599R | Data Browser V_T599R |
SE16_W3TREES | Data Browser W3TREES |
SE16_WWWFUNC | Data Browser WWWFUNC |
SE16_WWWREPS | Data Browser WWWREPS |
SE84 | Repository Information System |
SECR | Obsolete: Audit Information System |
SEPS | SAP Electronic Parcel Service |
SESS | Session Manager Menu Tree Display |
SESSION_MANAGER | Session Manager Menu Tree Display |
SH01 | Online help: F1 Help server |
SICK | Installation Check |
SLG1 | Application Log: Display Logs |
SM01 | Lock Transactions |
SM13 | Administrate Update Records |
SM20 | Analysis of Security Audit Log |
SM21 | Online System Log Analysis |
SM30 | Call View Maintenance |
SM30_TVARV | Call SM30 for Table TVARV |
SM30_VSNCSYSACL | Call Up SM30 for Table VSNCSYSACL |
SM30_V_BRG | Call SM30 for View V_BRG |
SM30_V_DDAT | Call SM30 for View V_DDAT |
SM34 | Viewcluster maintenance call |
SM35 | Batch Input Monitoring |
SM37 | Overview of job selection |
SM50 | Work Process Overview |
SM51 | List of SAP Systems |
SM54 | TXCOM Maintenance |
SM58 | Asynchronous RFC Error Log |
SM59 | RFC Destinations (Display/Maintain) |
SM63 | Display/Maintain Operating Mode Sets |
SM66 | Systemwide Work Process Overview |
SM69 | Maintain External OS Commands |
SMEN | Session Manager Menu Tree Display |
SMGW | Gateway Monitor |
SMT1 | Trusted-Trusting Connections |
SMT2 | Trusted-Trusting Connections |
SMW0 | SAP Web Repository |
SO70 | Hypertext: Display/Maint. Structure |
SP01 | Output Controller |
SPAD | Spool Administration |
SPAM | Support Package Manager |
SPAT | Spool Administration (Test) |
ST01 | System Trace |
ST07 | Application monitor |
ST10 | Table Call Statistics |
ST22 | ABAP Dump Analysis |
STMS | Transport Management System |
SU22 | Maintain Authorization Defaults(SAP) |
SU24 | Maintain Authorization Defaults |
SU26 | Upgrade Tool for Profile Generator |
SU3 | Maintain Users Own Data |
SU53 | Evaluate Authorization Check |
SU56 | Analyze User Buffer |
SUIM | User Information System |
SUPC | Role Profiles |
SWEL | Display Event Trace |
SWI5 | Workload Analysis |
SWU2 | Workflow RFC Monitor |
SWU3 | Automatic Workflow Customizing |
SWU9 | Display Workflow Trace |
SWUD | Workflow Diagnosis |
S_BIE_59000197 | Report cross-system information |
S_BIE_59000198 | Report cross-system information |
S_BIE_59000199 | Report cross-system information |
S_PH0_48000151 | Maintain log |
TU02 | Parameter Changes on this Instance |
USMM | Customer Measurement |
WE21 | Port definition |
SAP Audit Tcodes S_ALR_*
The following list covers SAP audit transactions and programs starting with S_ALR_*.
SAP Audit Tcodes | Description |
---|---|
S_ALR_87014082 | Log of Report Starts |
S_ALR_87101193 | Hardcoded SAP* |
S_ALR_87101194 | Check standard user passwords |
S_ALR_87101195 | Rules for Logging on |
S_ALR_87101196 | Where-Used List: Authorization Objct |
S_ALR_87101198 | All Authorizations |
S_ALR_87101199 | Number of User Master Records |
S_ALR_87101200 | List Users |
S_ALR_87101201 | Currently Active Users |
S_ALR_87101202 | Users with Initial Password |
S_ALR_87101203 | Not logged on for 30 Days |
S_ALR_87101204 | Unchanged for 180 Days |
S_ALR_87101205 | Users who can call OS Commands |
S_ALR_87101206 | Users with ABAP Authorization |
S_ALR_87101207 | Users who can use CTS |
S_ALR_87101208 | Update Accounting Periods |
S_ALR_87101209 | Update Company Codes |
S_ALR_87101210 | Update Chart of Accounts |
S_ALR_87101211 | Users who can Execute RFC Function |
S_ALR_87101212 | List of Internet users |
S_ALR_87101213 | Profile Generator |
S_ALR_87101219 | Check Table Logging |
S_ALR_87101220 | Display |
S_ALR_87101223 | Table Recording |
S_ALR_87101225 | Cust. Tables without Log |
S_ALR_87101226 | Standard Variant |
S_ALR_87101228 | AIS Financial Accounting |
S_ALR_87101235 | AIS Accounting |
S_ALR_87101236 | AIS Finances |
S_ALR_87101237 | Table Access Statistics |
S_ALR_87101238 | Display Change Documents |
S_ALR_87101239 | Display Change Documents |
S_ALR_87101247 | Call System |
S_ALR_87101248 | Parameters for External Tools |
S_ALR_87101249 | System Overview |
S_ALR_87101250 | SAP Gateway |
S_ALR_87101252 | Installation Check for R/3 Spool |
S_ALR_87101253 | Spool Parameters |
S_ALR_87101254 | SNC Status |
S_ALR_87101256 | TMS: Display Configuration |
S_ALR_87101257 | Import Overview |
S_ALR_87101258 | System Overview |
S_ALR_87101259 | TMS: Alert Viewer |
S_ALR_87101260 | Verbose |
S_ALR_87101261 | Transport Monitor ALOG |
S_ALR_87101262 | Transport Monitor SLOG |
S_ALR_87101263 | Search for Objects in Requests/Tasks |
S_ALR_87101265 | Requests with USR Tables |
S_ALR_87101266 | Requests with PA Tables |
S_ALR_87101267 | Analyze Objects in Requests/Tasks |
S_ALR_87101268 | RSWBOSSR |
S_ALR_87101269 | Set System Change Option |
S_ALR_87101270 | Syslog parameters |
S_ALR_87101271 | Performance Analysis |
S_ALR_87101272 | Performance analysis |
S_ALR_87101273 | Workload Statistics |
S_ALR_87101274 | Statistical Evaluations |
S_ALR_87101275 | Consistency Check |
S_ALR_87101276 | IDoc List |
S_ALR_87101277 | RFC Statistics |
S_ALR_87101278 | Remote Function Call |
S_ALR_87101279 | RFC Trace |
S_ALR_87101281 | Customer Exits |
S_ALR_87101282 | Objects in Customer Namespace |
S_ALR_87101283 | Audit Info System: Locked/Unlocked |
S_ALR_87101284 | Authorization Group Transfer |
S_ALR_87101285 | Authorization Groups |
S_ALR_87101286 | Maintain/Restore Authorization Grps |
S_ALR_87101287 | Program Analysis |
SAP Audit Tcode S_BCE_*
List of SAP Audit management Tcodes starting with S_BCE_*
SAP Audit Tcodes | Description |
---|---|
S_BCE_68001393 | Users by address data |
S_BCE_68001394 | Users According to Complex Criteria |
S_BCE_68001395 | Users According to Complex Criteria |
S_BCE_68001396 | Users According to Complex Criteria |
S_BCE_68001397 | Users According to Complex Criteria |
S_BCE_68001398 | Users According to Complex Criteria |
S_BCE_68001399 | Users According to Complex Criteria |
S_BCE_68001400 | Users According to Complex Criteria |
S_BCE_68001401 | Critical Combinations of Auth. |
S_BCE_68001402 | With Unsuccessful Logons |
S_BCE_68001403 | With Critical Authorizations |
S_BCE_68001404 | Profiles by Contained Profiles |
S_BCE_68001405 | Profiles by Authorization Name |
S_BCE_68001406 | Profiles by Values |
S_BCE_68001407 | Profiles by Changes |
S_BCE_68001408 | Profiles by Roles |
S_BCE_68001409 | Profiles According to Complex Crit. |
S_BCE_68001410 | Auth. Objects According to Complex |
S_BCE_68001411 | Auth. Objects According to Complex |
S_BCE_68001412 | Auth. Objects According to Complex |
S_BCE_68001413 | Auth. Objects According to Complex |
S_BCE_68001414 | Auth. According to Complex Criteria |
S_BCE_68001415 | Authorizations by Values |
S_BCE_68001416 | Authorizations by Changes |
S_BCE_68001417 | Auth. According to Complex Criteria |
S_BCE_68001418 | Roles by Role Name |
S_BCE_68001419 | Roles by User Assignment |
S_BCE_68001420 | Roles by Transaction Assignment |
S_BCE_68001421 | Roles by Profile Assignment |
S_BCE_68001422 | Roles by Authorization Object |
S_BCE_68001423 | Roles by Authorization Values |
S_BCE_68001424 | Roles by Change Data |
S_BCE_68001425 | Roles by Complex Criteria |
S_BCE_68001426 | Transactions for User |
S_BCE_68001427 | Transactions for User |
S_BCE_68001428 | Transactions for User |
S_BCE_68001429 | Transactions for User |
S_BCE_68001430 | Compare Users |
S_BCE_68001431 | Compare Profiles |
S_BCE_68001432 | Compare Authorizations |
S_BCE_68001433 | Comparisons |
S_BCE_68001434 | Where-used lists |
S_BCE_68001435 | Where-used lists |
S_BCE_68001436 | Where-used lists |
S_BCE_68001437 | Where-used lists |
S_BCE_68001438 | Where-used lists |
S_BCE_68001439 | For user |
S_BCE_68001440 | For profiles |
S_BCE_68001441 | For authorizations |
This post introduces SAP® Security Audit Log.
Overview
According to SAP: The Security Audit Log records “security-related system information such as changes to user master records or unsuccessful login attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the AS ABAP system. By activating the audit log, [the SAP system keeps a record] of those activities that you specify for your audit. [Customers] can then access this information for evaluation in the form of an audit analysis report.
“The Security Audit Log provides for a long-term data access. The audit files are retained until you explicitly delete them. Currently, the Security Audit Log does not support the automatic archiving of the log files; however, you can manually archive them at any time.
“You can record the following information in the Security Audit Log:
- Successful and unsuccessful dialog login attempts
- Successful and unsuccessful RFC login attempts
- RFC calls to function modules
- Changes to user master records
- Successful and unsuccessful transaction starts
- Changes to the audit configuration”
According to Enterprise Threat Monitor: “SAP security audit log is the main location for the traces of events triggered by the system or by applications, which are related to security. [It is in the form of a table.] Based on the configuration which event types must be recorded, it saves the data to the disk on the SAP application server instance.” Specify the audit files location by setting the profile parameter, rsau/local/file, in the SAP system.
A SAP blog adds: “Since security audit logs are stored on the file system and not the database, they [do not impact performance]. The main consideration of the operations teams is the storage requirements. Based on the activated event types (audit classes), the data volume [can vary].”
Configuration of Security Audit log
There are two configuration options in the security audit log:
- Set Profile parameters
- Use appropriate filter configuration using SM19 or RSAU_CONFIG
1. Profile parameters
Set profile parameters based on your release.
A) For releases earlier than 740: In the default profile, default.pfl, of the system, set the following profile parameters:
- rsau/enable=1
- rsau/user_selection=1
- rsau/selection_slots=10 (or higher)
- rsau/integrity=1 (if available - see SAP Notes 2033317 and 1810913)
B) For releases 740 to 751: Call transaction SM19. Activate the Security Audit Log by performing the following steps:
- Select the Security Audit active checkbox on the Kernel Parameters tab.
- Activate both Generic User Selection and Integrity Protection Format.
- Set the number of selection filters to at least 10.
C) For releases 752 and later: Call transaction RSAU_CONFIG. Activate the Security Audit Log by performing the following steps:
- Select the Static security audit active checkbox under Security Audit Log Configuration -> Parameters in the tree.
- Activate both Generic User Selection and Integrity protection format active.
- Set the Number of Filters per Profile to 10, which is the minimum requirement.
Note: When you use the Kernel parameters in the Security Audit Log configuration (step 1B or 1C), existing settings with the same name in the system’s profile are ignored. For more information, see SAP Note 539404, answer 1a.
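For option A, the profile can be checked against the four recommended values before a restart. The following Python check is an added example, not part of the original post or of any SAP tool; it assumes the profile uses `name = value` lines with `#` comment lines, and the sample profile is constructed. Per the note above, it is not meaningful on releases where the kernel parameters from SM19 or RSAU_CONFIG override the profile.

```python
# Recommended settings from the list above (releases earlier than 740).
# ("eq", v): value must equal v; ("min", n): value must be an integer >= n.
# rsau/integrity applies only where available; remove it for kernels without it.
RECOMMENDED = {
    "rsau/enable": ("eq", "1"),
    "rsau/user_selection": ("eq", "1"),
    "rsau/selection_slots": ("min", 10),
    "rsau/integrity": ("eq", "1"),
}

def parse_profile(text):
    """Return {parameter: value}. Assumes 'name = value' lines and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            # Assumption: if a parameter appears twice, the last line wins.
            params[name.strip()] = value.strip()
    return params

def audit_profile(text):
    """Return (parameter, problem) findings; an empty list means compliant."""
    params = parse_profile(text)
    findings = []
    for name, (kind, want) in RECOMMENDED.items():
        got = params.get(name)
        if got is None:
            findings.append((name, "not set"))
        elif kind == "eq" and got != want:
            findings.append((name, f"is {got}, expected {want}"))
        elif kind == "min" and not (got.isdigit() and int(got) >= want):
            findings.append((name, f"is {got}, expected at least {want}"))
    return findings

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample profile
SAPSYSTEMNAME = XYZ
rsau/enable = 1
rsau/user_selection = 0
rsau/selection_slots = 2
"""

if __name__ == "__main__":
    for name, problem in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: {problem}")
```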
2. Setting up appropriate filter configurations
To set up filters, perform the following steps:
Call transaction SM19 or RSAU_CONFIG. Create a new profile.
Create the following filters:
- All clients (*), user SAP#*: Record all events. The character # serves to mask * as non-wildcard.
- All clients (*), user <your emergency user IDs>*: Record all events.
- Client 066, all users (*): Record all events.
- All clients (*), all users (*): Record all events except AUW, AU5, AUK, CUV, DUR, and EUE (deactivate via Detailed Display).
Save and activate the profile.
Finally, check the configuration. If you have made changes to the profile parameters or the static profile, restart the system to make them effective. Until you can restart the system: Convert the static profile to a dynamic profile and activate it.
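To see which events the four filters above actually capture, the following Python model evaluates them against sample events. It is an added example, not SAP code or part of the original post; it assumes an event is recorded when at least one filter selects it, that `#` escapes the character after it, and uses the hypothetical prefix `EMERG` in place of your emergency user IDs. The sample events are constructed.

```python
import re

def user_pattern_to_regex(pattern):
    """Translate a user pattern: '*' is a wildcard, '#' makes the next character literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "#" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # e.g. '#*' is a literal '*'
            i += 2
            continue
        out.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("".join(out))

# Events deactivated in the catch-all filter, as listed above.
EXCLUDED = frozenset({"AUW", "AU5", "AUK", "CUV", "DUR", "EUE"})

# The four filters: (client, user pattern, events not recorded).
# EMERG* is a hypothetical stand-in for "<your emergency user IDs>*".
FILTERS = [
    ("*", "SAP#*", frozenset()),
    ("*", "EMERG*", frozenset()),
    ("066", "*", frozenset()),
    ("*", "*", EXCLUDED),
]

def is_recorded(client, user, event):
    """True if at least one filter selects the event (assumption: filters are OR-ed)."""
    for f_client, f_user, excluded in FILTERS:
        if f_client not in ("*", client):
            continue
        if user_pattern_to_regex(f_user).fullmatch(user) and event not in excluded:
            return True
    return False

# Constructed sample events: (client, user, event ID).
SAMPLE_EVENTS = [
    ("100", "SAP*", "AUW"),        # literal user SAP*: first filter records everything
    ("100", "SAPSUPPORT", "AUW"),  # SAP#* does not match; AUW is off in the catch-all
    ("100", "EMERG01", "AUK"),     # emergency user: everything recorded
    ("066", "JDOE", "AU5"),        # client 066: everything recorded
    ("100", "JDOE", "AU5"),        # ordinary user, deactivated event
    ("100", "JDOE", "AU2"),        # ordinary user, event still active
]

def recorded_flags():
    return [is_recorded(*event) for event in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, flag in zip(SAMPLE_EVENTS, recorded_flags()):
        print(event, "recorded" if flag else "NOT recorded")
```

The second sample row shows why the `#` matters: with `SAP#*` only the built-in user SAP* gets full logging, so other users whose names begin with SAP fall through to the catch-all filter and its exclusions.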
Analysis of Security Audit log
Call transaction SM20/SM20N, or its equivalent transaction depending on your SAP Netweaver version (see the following table), and give the required selection criteria as input. Click Reread Audit log to get the configured audit log for your system.
Table: Old and New functions of Transactions and reports related to the Security Audit Log
Table Source: https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/#jive_content_id_Recommended_Settings_for_the_Security_Audit_Log_SM19__SM20
According to a SAP blog post: “You can view the long text of the Security Audit Log event messages using transaction SE92 (or in transaction SE61 if you choose the document class SL (Syslog)). Using note 1970644, you can get report RSAU_INFO_SYAG which shows all the events of the Security Audit Log including the current status of activation. The detail view allows you to create a HTML-based event definition print list including the full documentation.”
It primarily depends on customer requirements to enable all successful and non-successful events for all clients and users. The SAP post continues: “There is no performance impact, not in time nor in space, if you log unsuccessful (=critical) events as these events happens rarely. As soon as you start logging successful events you might look to space—the growing size of the audit files—but still not to time, as the Security Audit Log is optimized for speed.”
SAP offers functionality to email Security Audit Logs with the help of reports RSAU_SELECT_EVENTS or RSAU_READ_LOG. Schedule any of these reports as a background job to receive the audit log from the SAP system.
The following table gives an overview of the critical event messages stored in the audit log for different audit classes.
Table: Critical events of Dialog, Transaction, RFC, and User audit classes
Table source: https://blogs.sap.com/2014/12/11/analysis-and-recommended-settings-of-the-security-audit-log-sm19-sm20/#jive_content_id_Recommended_Settings_for_the_Security_Audit_Log_SM19__SM20
Conclusion
Switching on Security Audit log for all the clients and users is a crucial step in security as it provides detailed information on the audit reports. Its benefits far outweigh its costs and provide long term data access. I strongly recommend that you enable Security Audit log, especially in production environments.