SAP Security

Analysis of Security Audit Log in SAP

Explore the importance of SAP Security Audit Logs in enhancing the security of your SAP environment.
Defencemore Team

The Security Audit Log records security-relevant events in an SAP system: logons and logoffs, transaction and report starts, RFC calls, changes to users and authorizations, and changes to the audit configuration itself. It gives administrators and auditors one place to reconstruct who did what and when, which is the basis for accountability, investigation, and audit evidence for business operations.

Administrators or auditors review the security audit log to detect attacks and misuse, conduct security investigations, and demonstrate compliance with relevant regulations and laws. This blog therefore focuses on the detailed analysis of the security audit log in the SAP environment.

What is the SAP Security Audit Log?

The SAP Security Audit Log is a built-in tool that records the security-relevant events selected by its filters. Auditors and administrators use it to detect unauthorized actions, investigate incidents, and establish what happened after the fact. It records events but does not block them, so prevention comes from the controls that the log shows to be failing.

The Security Audit Log is not active by default (profile parameter rsau/enable = 0); administrators must activate and configure it before any events are recorded. Its performance impact is low because events are written sequentially to a file on the application server rather than into the database (since SAP_BASIS 7.50 the recording target can also be the database, or both). Storage management is nonetheless critical: once the configured maximum disk space is reached, new events are no longer recorded, and audit files stay on the file system until an administrator explicitly deletes them.

Each recorded event carries a three-character event code (for example AU1 for a successful logon or AU2 for a failed logon). Auditors filter on these codes to isolate logon activity, transaction and RFC use, user and authorization changes, and other suspicious events.

There is no automatic archiving of audit log files, so administrators must copy them to an archive or a central log platform before deleting them with SM18 (or RSAU_ADMIN). Doing this on a schedule keeps the disk from filling up and preserves the historical records needed for later investigations.

Why are SAP Audit Logs So Important?

SAP Security Audit Logs are vital for security operations in the SAP ecosystem. Administrators must activate and configure them to identify suspicious events early and address security issues. Here are some reasons why the SAP audit logs are so important:

  1. Security audit logs give daily business procedures an integrity and accountability trail: every recorded event names the user, client, terminal, and time.
  2. An inactive or unattended log leaves attacks such as password guessing, RFC abuse, and privilege changes invisible until their consequences appear elsewhere.
  3. Audit logs support non-repudiation by recording who performed each action, so users cannot plausibly deny their activities.
  4. SAP audit logs help organizations meet regulatory and legal requirements, avoid penalties, and protect their reputation.
  5. Security audit logs shorten incident response: when a system is compromised or misused, the log shows what happened and in which order, which reduces investigation time and downtime.
  6. Security logs reveal unauthorized changes to security-relevant configuration (users, authorizations, the audit configuration itself), so these controls remain trustworthy.
  7. Proper handling and continuous monitoring of security audit logs demonstrate transparency and strengthen trust between parties such as customers and auditors.

How to Use SAP Security Audit Logs?

Admins should configure, monitor, and analyze security audit logs continuously for a robust SAP environment. Because the log is not active by default, admins activate it and define its filters with transaction code SM19; in SAP_BASIS 7.50 and later, transaction RSAU_CONFIG replaces SM19 for the same configuration tasks (recording target and filters).

Once the security audit log is configured, admins can access and analyze the logs with transaction code SM20. In SAP_BASIS 7.50 and later, the newer transaction RSAU_READ_LOG offers improved usability and enhanced features for log analysis and reporting.

Reviewing these logs regularly helps identify abnormal activities, detect potential threats, and ensure compliance with relevant frameworks and regulations.

Which SAP Security Audit Log Events Must Be Activated for Robust Cyber Security?

Admins should activate and configure the security audit log so that it captures the critical events for robust SAP cybersecurity. Here are the key categories of events that should be recorded.

Authorization and User Access: Logon, authentication, and authorization events reveal unauthorized access attempts. For example, auditors can detect brute-force attacks, suspicious account activity, and unauthorized role or authorization changes. The relevant event codes (these are event codes, not transaction codes) include AU1 for successful logons, AU2 for failed logons, AU3 for transaction starts, and AUB for changes to a user's authorizations.

System Configuration: These events track modifications to system settings and security configuration. Profile parameter changes such as logon restrictions or password policies are not audit log events themselves, but the log does record who started the maintenance transactions (AU3) and, most importantly, changes to the audit configuration: AUE (audit configuration changed) and AUJ (audit active status changed). An attacker who can switch off the log hides everything that follows, so these two events deserve an alert of their own.

Transaction and Report Monitoring: Starts of sensitive transactions and reports (AU3, AUW) and downloads of data to files (AUY) identify unauthorized activity that may be data exfiltration.

RFC (Remote Function Call) destinations are maintained with transaction SM59, which is a configuration tool rather than an audit log. RFC activity itself is recorded by the audit log: AU5 and AU6 for successful and failed RFC/CPIC logons, and AUK and AUL for successful and failed RFC calls. Reviewing SM59 alongside these events shows which destinations and users are actually being exercised.

Important SAP Audit Logs

Administrators benefit from security audit logs to manage, investigate, and troubleshoot various events. Here are some important SAP security audit logs:

SM18

Administrators can delete old audit log files on the local or on all application servers using transaction code SM18. Removing files that have already been archived frees storage and keeps new events flowing, because events are only written while the configured storage capacity is available. By default, SM18 refuses to delete audit files younger than three days, so a freshly written trail cannot be erased immediately.

SM19

This transaction code configures the Security Audit Log. Administrators specify which events to record through filters on client, user, audit class (logon, transaction start, RFC, user master changes, and so on), and severity. Filters can be set statically, where they take effect after the next system restart and persist, or dynamically, where they take effect immediately on all application servers without a restart but are lost at the next restart.

SM20

Administrators can review security-relevant events in the SAP environment using the SM20 transaction code. SM20 reads the recorded events and displays those matching the selection criteria (date range, user, event codes, audit class). Auditors use it to detect, investigate, and respond to potential security threats and suspicious activities. Besides routine monitoring, it is the primary tool for forensic reconstruction of an incident.

SM21

SM21 is the SAP system log rather than the security audit log. It records system messages and errors that occur during operation and provides a centralized view of them for troubleshooting and stability. It complements the security audit log during investigations, for example to correlate a suspicious event with a system error at the same time.

With SAP_BASIS 7.50, new transactions replace the older ones; both sets remain available during the transition phase.

RSAU_ADMIN

The newer counterpart of SM18, used to administer the security audit log: deleting old log files and reorganizing the database log where that recording target is used.

RSAU_CONFIG

The newer counterpart of SM19, used to configure the audit log: the recording target (file system, database, or both) and the filters.

RSAU_READ_LOG

The newer counterpart of SM20, used to read and evaluate the security audit log.

How to Configure Security Audit Log in SAP?

Proper configuration of security audit logs is essential to avoid unnecessary storage overhead and to capture the security data that matters. Admins should follow these steps to configure the SAP security audit log properly:

  1. Activate the security audit log (rsau/enable = 1) so that events are recorded at all.
  2. In SM19 (or RSAU_CONFIG), create filters: each filter selects a client and user (or a mask such as *), the audit classes to record, and the minimum severity.
  3. Restrict the recorded events to what the security team will actually review; logging every event for every user produces noise and fills the disk without improving detection.
  4. Set the storage parameters (rsau/local/file for the location, rsau/max_diskspace_local for the size limit) in the instance profile, and plan archiving so that the limit is never reached.
  5. Review and update the settings regularly as security requirements change, and treat any AUE or AUJ event as a change that must have an approved owner.

How to Capture Data Changes in Sap Security Audit Log?

To capture security-relevant changes in the SAP Security Audit Log, administrators must activate the appropriate filters in SM19 (or RSAU_CONFIG). The log then records the selected event classes, including changes to user master records and authorizations, logon attempts, Remote Function Call (RFC) activity, transaction and report starts, and changes to the audit configuration. Changes to business data are not recorded here; they are covered by change documents and table logging.

To learn more about How to Capture Data Changes in SAP Security Logs you can visit our blog page.

How to Read SAP Security Audit Log?

Administrators read and analyze security audit logs with transaction code SM20 (or RSAU_READ_LOG). Auditors filter on criteria such as event type, user, terminal, or date range to isolate suspicious events. With the relevant filters applied, the transaction lets users spot anomalies and export the selection for further analysis or reporting.
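The filtering described here and the detection cases from the "Authorization and User Access" section above (a burst of AU2 failures followed by an AU1 success, AUE/AUJ changes to the audit configuration, AUL failed RFC calls) can be exercised outside the SAP GUI once the log has been exported. The block below is an added example, not code from the original page or from SAP: it reads a constructed, simplified '|'-separated export with the columns SM20/RSAU_READ_LOG display (date, time, client, user, terminal, event code, message) and runs the checks over it. The sample records are constructed; the kernel's own audit_* files are a binary format and are not parsed here.

```python
"""
Filtering and detection over exported SAP Security Audit Log records.

Added example (not code from the original page or from SAP). Input is a
constructed text export, one record per line: date|time|client|user|
terminal|event code|message. The event codes used (AU1, AU2, AU3, AUE,
AUI, AUJ, AUL) are standard Security Audit Log message IDs.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts client user terminal code message")

# Events that change the audit log itself: configuration changed (AUE),
# filter slot deactivated (AUI), active status switched (AUJ).
TAMPER_CODES = {"AUE", "AUI", "AUJ"}

# Constructed sample export (fictional users, terminals and times).
SAMPLE_EXPORT = """\
20241227|081501|100|JDOE|PC-4711|AU1|Logon successful (type A, method P)
20241227|081530|100|JDOE|PC-4711|AU3|Transaction SU01 started
20241227|083002|100|ADMIN|WS-9|AU2|Logon failed (reason 1, type A, method P)
20241227|083005|100|ADMIN|WS-9|AU2|Logon failed (reason 1, type A, method P)
20241227|083009|100|ADMIN|WS-9|AU2|Logon failed (reason 1, type A, method P)
20241227|083014|100|ADMIN|WS-9|AU2|Logon failed (reason 1, type A, method P)
20241227|083020|100|ADMIN|WS-9|AU2|Logon failed (reason 1, type A, method P)
20241227|083031|100|ADMIN|WS-9|AU1|Logon successful (type A, method P)
20241227|090000|000|BASIS1|PC-1|AUJ|Audit: active status set to 0
20241227|091500|100|RFCUSER|SRV-2|AUL|Failed RFC call RFC_READ_TABLE (function group SDTX)
"""


def parse_export(text):
    """Turn the '|'-separated export into Event tuples with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, user, terminal, code, message = line.split("|", 6)
        ts = datetime.strptime(date + time, "%Y%m%d%H%M%S")
        events.append(Event(ts, client, user, terminal, code, message))
    return events


def filter_events(events, code=None, user=None, since=None, until=None):
    """The SM20 / RSAU_READ_LOG selection screen in miniature:
    restrict by event type, user and time window."""
    return [
        e for e in events
        if (code is None or e.code == code)
        and (user is None or e.user == user)
        and (since is None or e.ts >= since)
        and (until is None or e.ts <= until)
    ]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, terminal) pairs with `threshold` AU2 failures inside
    `window`; note whether an AU1 success from the same pair follows,
    the pattern of a guessed password rather than a forgotten one."""
    failures = defaultdict(list)
    for e in events:
        if e.code == "AU2":
            failures[(e.user, e.terminal)].append(e.ts)
    findings = []
    for (user, terminal), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                success = any(
                    e.code == "AU1" and e.user == user
                    and e.terminal == terminal and e.ts > last
                    for e in events)
                findings.append({"user": user, "terminal": terminal,
                                 "failures": len(times),
                                 "followed_by_success": success})
                break  # one finding per pair is enough
    return findings


def detect_audit_tampering(events):
    """Any change to the audit configuration or its active status is
    itself a high-priority event: it should be rare and always explained."""
    return [e for e in events if e.code in TAMPER_CODES]


def analyze(text):
    events = parse_export(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "tampering": detect_audit_tampering(events),
        "rfc_failures": filter_events(events, code="AUL"),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EXPORT).items():
        print(name, hits)
```

The brute-force rule keys on user and terminal together because a burst of AU2 events for one user from many terminals is a different situation (a spraying attempt or a scripted integration with a stale password) and deserves its own rule; the AUJ record in the sample is the event that would precede any attempt to act unseen, which is why it is reported regardless of who raised it.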

Where Can We Store the Security Audit Log Events in SAP?

Security audit log events are written to files on each application server's file system. Since SAP_BASIS 7.50 the recording target can be set in RSAU_CONFIG to the file system, the database, or both. Many organizations additionally forward the events to an external SIEM or log repository so that the trail survives deletion on the SAP host.

How to Enable Security Audit Log in SAP?

The security audit log is enabled through profile parameters and a filter configuration:

  • Start in transaction SM19 (or RSAU_CONFIG) for the filters; the rsau/* parameters below belong in the instance profile (RZ10) and take effect after a restart.
  • Enable the log with rsau/enable. The default is 0, so set it to 1.
  • Specify the storage location with rsau/local/file, the directory and file name of the audit file (typically under the instance log directory).
  • Limit the disk space with rsau/max_diskspace_local, the maximum size of the audit log. Size it for the expected event volume, because recording stops when the limit is reached.
  • Define the filters in 'Filter Settings': which clients, users, audit classes, and severities are recorded (rsau/selection_slots sets how many filters are available).
  • Save the configuration and activate it.
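A profile that still carries the kernel defaults for these parameters is the most common reason an SAP system has no usable audit trail. The block below is an added example, not code from the original page or from SAP: it parses the name = value lines of an instance profile and reports the settings that leave the log off or starved of space. The two profile fragments are constructed (the SID, instance name and path are examples), the parameter names are the standard rsau/* parameters discussed above, and the minimum disk space and minimum number of filter slots are this example's own thresholds, not SAP defaults.

```python
"""
Profile parameter check for the SAP Security Audit Log.

Added example (not code from the original page or from SAP). Parses
'name = value' lines of an ABAP instance profile and returns findings.
Thresholds (min_diskspace_bytes, min_slots) are assumptions of this
example; size values are expected as plain bytes (suffixes such as
'1000M' are not handled here).
"""
import re

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")

# Constructed fragment: kernel defaults, i.e. the audit log is not active.
WEAK_PROFILE = """\
# instance profile (constructed)
rsau/enable = 0
rsau/selection_slots = 2
"""

# Constructed fragment with the parameters the page lists set explicitly.
HARDENED_PROFILE = """\
# instance profile (constructed; SID, instance and path are examples)
rsau/enable = 1
rsau/local/file = /usr/sap/DM1/DVEBMGS00/log/audit_00
rsau/max_diskspace_local = 1000000000
rsau/selection_slots = 10
"""


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_audit_log(params, min_diskspace_bytes=500_000_000, min_slots=5):
    """Return a list of findings; an empty list means the static
    configuration is acceptable under the thresholds given."""
    findings = []
    if params.get("rsau/enable", "0") != "1":
        findings.append("rsau/enable is not 1: the Security Audit Log is inactive (kernel default 0)")
    if not params.get("rsau/local/file"):
        findings.append("rsau/local/file is not set: the log file path is not pinned in the profile")
    space = params.get("rsau/max_diskspace_local", "1000000")  # kernel default, 1 MB
    if not space.isdigit() or int(space) < min_diskspace_bytes:
        findings.append("rsau/max_diskspace_local=%s: below %d bytes; recording stops when the limit is reached"
                        % (space, min_diskspace_bytes))
    slots = params.get("rsau/selection_slots", "2")  # kernel default
    if not slots.isdigit() or int(slots) < min_slots:
        findings.append("rsau/selection_slots=%s: fewer than %d filter slots" % (slots, min_slots))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_audit_log(parse_profile(text)) or "OK")
```

The check only covers the static part of the configuration; whether the filters are actually active is visible in SM19/RSAU_CONFIG (or as AUF/AUI events in the log itself), so a clean result here still has to be paired with a look at the active filter set.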

In conclusion, the SAP Security Audit Log is an indispensable tool for safeguarding the integrity and security of your SAP environment. By actively monitoring and analyzing these logs, administrators can not only detect and mitigate security threats but also ensure compliance with regulatory requirements.

Contact us to learn more and schedule a free demo of our product that detects security vulnerabilities in SAP systems. Ensure your systems are not only functional but also secure.

Dec 27, 2024
