FAQ about the Security Audit Log
 Question: What is the difference between static and dynamic configuration?
Answer: Static configuration is used for the ongoing storage of a Security Audit log configuration in the database and every time the system is restarted, it is transferred as the current configuration. If you want to operate the Security Audit log on an ongoing basis, for example, if requested to do so by a tax inspector, then you must create a static configuration and determine it as the active configuration!
Dynamic configuration is used to change the current configuration while the operation is running or to activate the Security Audit Log. For example: You want to monitor a SAP support employee whose login name was not contained up to now in the static configuration. Without dynamic configuration, you would have to restart the system for this type of temporary filter change.
With dynamic configuration, you call change all filter settings except the number of filters. A Security Audit log set by dynamic configuration only lasts until the system is restarted.
In addition, you must at least set the following profile parameters:
- DIR_AUDIT Directories for the audit files
- FN_AUDIT Names of the audit files (Name pattern)
- rsau/enable Enable Security Audit Log
- rsau/max_diskspace/local Maximum size of an audit file
- rsau/selection_slots Number of filters used for the Security Audit log
- Missing parameters are replaced by the default value.
 Question: Why do changes to the static configuration not take effect during the next system restart?
Answer: The Shared Memory SCSA was not deleted during the system restart (only with Unix, Note 173743)
 Question: Why does the configuration disappear after I reboot the system or an instance?
- 1. 4.0B: The special profile parameters were not used (Note 135210)
- 2. A static profile is not available or was not activated. A static profile is particularly essential for systems that operate on Windows.
 Question: How many different selections can I make?
Answer: Unfortunately, the documentation for the parameter rsau/selection_slots is incorrect in some releases. Here are the current values:
- 4.0 4 (with screen enhancement) (Note 107417)
- 4.5 4
- as of 4.6 10
 Question: Can I extend the number of selections beyond the maximum number with an ABAP modification?
Answer: No, as kernel functions would also have to be changed.
 Question: The Security Audit Log has deactivated itself. Why is this?
- 1. Automatic deactivation is not provided.
- 2. After a system restart, the following reasons may prevent audit events from being recorded:
- a) A static profile does not exist or is not activated,
- b) The audit file could not be opened (syslog AV4 *1),
- c) The audit file has already exceeded its maximum size.
- 3. The following reasons cause recording to terminate:
- a) The audit file has reached its maximum size (syslog AV1),
- b) An error occurred while the audit file was being written (Syslog AV5 *2).
- 4. During a release upgrade, the old shared memory SCSA was not explicitly deleted and is therefore still present. However, the new release requires the new version for this area and cannot be activated (Syslog AV8 *3).
 Question: The user and client fields in transaction SM19 cannot be maintained with SAP documentation with generic values and do not have a values list function. Can I still use generic user names?
Answer: No, this function is only introduced with technology Release 6.40, but it is already available in 6.20 as of Kernel Patch 400 and the necessary Support Package SAPKB62020 (see Note 574914).
 Question: Can the settings of the audit log be transported?
 Question: Why is the terminal name missing in some messages?
Answer: In the case of events that are created using RFC (Remote Function Call), the terminal name is not recognized in the kernel. As of the 6.40 kernel, the IP address is specified instead of the terminal name.
 Question: Why is the terminal name truncated (only 8 characters)?
- 1. In Releases 4.0, 4.5 and 4.6, only 8 characters are provided for saving the terminal name. Only the first 8 characters of a terminal name are copied by default. In Release 4.6 as of KP 504, you can treat terminal names in the same way as computer names (see Note 3116).
- 2. As of Basis Release 6.10, data terminal names are recorded with a length of 20 characters in the quality audit log.
 Question: In the Work directory of the instance, files with the "audit_" name pattern, or a similar name pattern, often fill the file system. What generates the files and how can I prevent this?
Answer: These files are created by the Security Audit Log component. The component must have been activated either with profile parameter rsau/enable or dynamically with transaction SM19. The component is deactivated by setting the profile parameter rsau/enable to 0. If the value is already 0, the component was activated using transaction SM19. To deactivate the component, you may have to delete the Shared Memory SCSA (see Note 173743).
 Question: What is the maximum size of an audit file?
Answer: 2 gigabytes
For a single day, this means:
<= 4.6: 11,930,464 events or 138 events per second;
>= 6.10: 10.737.418 events or 124 events per second;
Value ranges of the profile parameters
rsau/max_diskspace/local 1000000 2 GB
rsau/max_diskspace/per_file 1 MB 2 GB
rsau/max_diskspace/per_day 3*per_file 1024 GB
Changed minimum values (see Note 909734):
as of 6.40
rsau/max_diskspace/local 10 MB
as of 6.40 PL 143
rsau/max_diskspace/local 100 MB
 Question: What happens if the audit file reaches its maximum size?
Answer: The file is closed and recording is terminated. On the next day, the system creates a new file (only as of 4.5B KP 632 4.6D KP 2088, 6.40 KP 80, 7.00 KP 51).
 Question: Do restrictions exist for the length of the names for audit files?
Answer: Yes, in addition to the restrictions that apply because of the operating system used, the following restrictions also exist because of the kernel functions used in ABAP parts:
- Maximum length for file names = 75 characters
- Maximum length for directories = 75 characters
 Question: What interdependencies exist between the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameter?
Answer: The rsau/local/file parameter must be specified in Releases 4.0 and 4.5. For compatibility reasons, it is also still analyzed up to and including Release 6.20. As of Release 4.6 it can be left out. It no longer exists as of Release 6.40.
If it is used, the two profile parameters DIR_AUDIT and FN_AUDIT must correspond to the parameter rsau/local/file, that is:
rsau/local/file = DIR_AUDIT + FN_AUDIT
'+' here stands for the directory separator ('/' or '').
Otherwise, audit files cannot be deleted with transaction SM18 (RSAUPURG report) or evaluation with transaction SM20 is not possible as of Release 4.6. (See Notes 198646 and 441639).
 Question: Can I create audit files on a central file server?
Answer: Yes, but bear in mind that the performance can suffer as a result. All audit events are written synchronously and unbuffered to the files. Higher response times with the users can result depending on the volume of data involved.
You must also note that a separate filename or a separate directory is used for each instance, which prevents several servers writing into a file (data loss).
Be careful when using virus scan programs. With permanent monitoring, problems can occur with UNC names (nonsense error messages when you open the audit files, for example, "Invalid argument").
 Question: I cannot delete any audit files with transaction SM18 or report RSAUPURG.
Answer: This may be an upper/lower case problem in the DIR_AUDIT, FN_AUDIT and rsau/local/file profile parameters (different notation). Before the actual deletion, the system checks again whether it is an audit file name. Here, the "case-sensitive" path in particular is compared, for example:
- "f:usrsapZV1DVEBMGS00log" and
- "F:usrsapZV1DVEBMGS00log" are not the same! (Note 198646)
 Question: Transaction SM18 displays a field for entering a minimum age. However, the unit in question is not specified.
Answer: The unit in question is a day. The lowest minimum age is 3 days. The current day is not included in the calculation of the files to be deleted!
 Question: If the audit files reach their maximum size, the size exceeds the size specified in the profile parameter.
Answer: Since Release 4.6, the maximum file sizes are processed internally in kilobytes. Profile parameter values in bytes are then converted into kilobytes (KB). For example, 1,000,000 gives the value 976 KB. Recording is stopped as soon as the KB value is exceeded, in the example case with the value 977 KB or 1,000,620.
If you use the rsau/max_diskspace/per_file profile parameter, the minimum size of the file is 1 megabyte (= 1024 KB = 1048576). If the value of the profile parameter is smaller than 1 MB, for example if it is only 1,000,000, it is automatically set to this value. In this case, the recording is stopped as soon as the KB value is exceeded.
Due to the check for the kilobyte limit, the file can become very slightly larger than specified in the profile parameter.
 Question: Audit files are not closed immediately after a day change. Sometimes, the last time access by the operating system is several days after the file change. As a result, it is not possible to carry out a regular deletion.
Answer: An audit file is only closed for the operating system if all work processes have closed the file. If a lot of work processes are configured, some of which are only rarely used, a WP may only make the file change a few days later and then, for example, change from January 28th to January 30th immediately. To close a file, for example on January 28th exactly, all WPs would have to be notified (woken) to close the files. However, this is not technically possible. However, most operating systems should allow you to close the files.
 Question: After you convert to a Unicode system, you can no longer evaluate audit files that were created beforehand. What do I have to do?
Answer: Convert all non-Unicode files into Unicode files. To do this, use one of the tools described in Notes 747615 or 752859.
 Question: Although the Security Audit Log is activated and audit files also exist at operating system level, does transaction SM20 indicate that audit files do not exist?
Answer: The DIR_AUDIT or FN_AUDIT profile parameter was probably not set or is set with incorrect values. See interdependencies between the profile parameters DIR_AUDIT, FN_AUDIT and rsau/local/file in the section on audit files.
By choosing Goto -> File list, you get a list of the currently available audit files on the selected instance, in accordance with profile parameters DIR_AUDIT and FN_AUDIT.
You can now display the current profile parameter values with the function Environment -> Profile parameters.
Incorrect specifications in the parameter FN_AUDIT are corrected by the kernel, for example missing '+' or missing '#'. The evaluation transactions conform to the original parameter. You can use transaction AL11 to search for the audit files created by the kernel. Now the parameter FN_AUDIT should be corrected.
 Question: Is it possible that events in the audit log are missing?
Answer: Possible causes:
- 1. A selection was not activated ("Filter active" checkbox).
- 2. New selections were not activated after a system restart.
- 3. Recording was terminated because of I/O errors or the maximum file size was exceeded (Syslog AV4 *1 or AV5 *2).
- 4. Only one file is used for all instances (where file servers are used).
 Question: Is it possible that event AUR, AUS and AUT, as well as events BUA, BUB, BUC, BUD and BUE, are not recorded?
Answer: This is possible. Recording of these events from the authorization and profile administration, and the use of external breakpoints was not implemented until now.
 Question: Is it possible that not all download events are recorded?
Answer: This is possible. Up to now, only downloads that are carried out by means of function module WS_DOWNLOAD are recorded. There are now additional interfaces in the system with which a download can be performed. For more information, see Note 641481.
 Question: Is it possible that events are recorded repeatedly in the audit log, for example, the same logon of each server?
Answer: Possible causes:
- 1. You are using external monitors that retrieve data periodically from individual servers and must perform a logon for this. Since this RFC logon occurs with an unattended program, this is done simultaneously and with the same SAP user.
- 2. Mistakenly, only one common file is being used on a network disk drive for all servers. During the evaluation across all servers, this file is processed repeatedly and all existing events are displayed for each server.
 Question: Can I be sure that audit files from older releases can still be evaluated in newer releases?
Answer: Yes, the evaluation programs have been compatible to date and will most probably remain so in the future. An exception occurs after you migrate to Unicode. After this, the files created beforehand must be converted (see Question 30).
 Question: Can external programs carry out evaluations?
Answer: Yes, in the same way as the system log, the Security Auditlog can be analyzed by external programs using XMI BAPIs. However, not all the information about this interface is available. The terminal name is missing, for example. As a guideline for how to use the BAPIs, you can use the sample program RSAU_READ_AUDITLOG_EXTERNAL in addition to the detailed documentation in the XMI interface.
 Question: Sometimes there are values missing from the 'transaction code' and 'program' columns.
Answer: When you write an audit event, the system attempts to determine the current values for 'transaction code' and 'program' from the statistics area and - if this is not available - from the management area of the mode. In addition to the processing types, which generally do not deliver any information about the transaction code and program (for example, RFC and all system events), there are situations in which the information is not available.
 Question: Note 115224 describes the activation of the SQL audit. Can I evaluate the audit files in the standard systems?
 Question: Is there a description of the data structure?
Answer: A Word document is available with a detailed description of the data structures. You can find this document under:
-> Archive (Old Documents)
-> File "SQL Audit - Format of the Log Files"
*1) This message is generated as of Release 4.6 if an error is reported in the kernel when you open a (new) audit file. This also issues an alert in the CCMS.
The cause is only logged in the developer trace. You receive the message:
SecAudit(check_daily_file): cannot open Audit file...
contains the error message of the operating system.
In Releases 4.0B and 4.5B, the error messages are written to STDERR.
You can search for the following messages:
- rsauwr1(38): rstrbseek I/O error
- rsauwr1(40): rstrbfl_flush I/O error.
- rsauwr1(41): rstrbopen cannot open Audit file.
Before each of these messages is issued, another message is issued, containing the error message and the name of the audit file, (created with C-function perror). No processing occurs on the next day. You have to restart the system again after you eliminate the problem.
*2) Message AV5 is issued as of Release 4.6
*3) Message AV8 exists as of Release 6.40.
In Release 4.6, search for the message in the developer trace files.
- SecAudit(rsauascsa): Invalid version of audit control block (v1,v2)
- SecAudit(rsauascsa): Try to clear the old shared memory (cleanipc )
In Releases 4.0B and 4.5B, messages are written to STDERR.
- rsauwr1(46): Invalid version of audit control block (v1,v2)