Security Audit Log (SAL): One directory for all SAL files

Today I will present a scenario about SAL: use one directory to store all SAL files from all application servers in a SAP system.

As I mentioned in my previous blog, the most comprehensive document on SAL that I ever found, is available here: “Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)”.

My system landscape

For testing purposes, I will use a SAP Netweaver 7.31 system. It have the following hosts and instances:

Host A: ASCS01 and DVEBMGS00

Host B: D00 and D01

SAL configuration

I will set DIR_AUDIT to \\Host B\usr\sap\SID\Audit\ in all dialog instances from the system.

Additional parameters:

FN_AUDIT = audit_++++++++_######.AUD

rsau/max_diskspace/per_day = 1000M

rsau/max_diskspace/per_file = 100M

Thus, all SAL files will be recorded in a single directory, using the pattern above (given by FN_AUDIT). I expect multiple files per day, having each file 100 MB. The maximum disk space that can be used every day is 1000 MB.

In SM19 I decided to record all Audit classes in all clients for all user IDs.

Where are the entries?

Well, all the entries are recorded in the same file, for all application servers. You will find incorrect information in SM20:

As you can see, 1, 2 and 3 show the exact same entries, for the same User and same Terminal name (even though I omitted this information from the screenshot). The entries from 1 and 2 are from Host B, instances D00 and D01. The entries from 3 are from Host A, instance DVEBMGS00.

Solution

Set individual directories for SAL files. Each application server should write its own files in an exclusive directory.

So, in my landscape, fixing things means setting DIR_AUDIT in the instance profile, using:

SID_DVEBMGS00_HOSTA:

DIR_AUDIT = X:\usr\sap\SID\DVEBMGS00\log

SID_D00_HOSTB:

DIR_AUDIT = X:\usr\sap\SID\D00\log

SID_D01_HOSTB:

DIR_AUDIT = X:\usr\sap\SID\D01\log

Then I executed one transaction code in each app server, resulting in the following SM20 report:

Additional Information

539404 - FAQ: Answers to questions about the Security Audit Log

Stay tuned for my next blog on SAL.