SAP Security Audit Log SM20 data leak detection

Dear readers,

In the ever-evolving world of information technology, the need for secure and comprehensive monitoring mechanisms is increasing. Central to this are security logs that record critical system information. One such tool is the SAP Security Audit Log, an audit log specifically designed to capture security-relevant system information in SAP AS ABAP systems. It documents events such as changes to user master records or unsuccessful login attempts, thereby providing an excellent basis for security analyses and compliance checks.

The SAP Security Audit Log, accessible through transaction SM20, allows auditors to gain detailed insights into operations within the AS ABAP system. Once this log is activated, a record of specifically defined activities is created. The types of information that can be logged include successful and unsuccessful dialog and RFC login attempts, RFC calls to function modules, changes to user master records, successful and unsuccessful transaction starts, and changes to the audit configuration. SM20 aids in security monitoring and can be used to detect potential security breaches that might indicate a data leak. However, it is important to emphasize that SM20 is not a dedicated data leak detection tool in the way that, for example, SAP ETD (Enterprise Threat Detection) is.

Here’s an overview:

  • Successful and unsuccessful dialog login attempts
  • Successful and unsuccessful RFC login attempts
  • RFC calls to function modules
  • Changes to user master records
  • Successful and unsuccessful transaction starts
  • Changes to the audit configuration

The SAP Security Audit Log maintains audit files on specific application servers, and the file locations and sizes are defined manually via profile parameters. Automatic archiving is not supported, but the files can be archived manually at any time. Activity logging filters are set up using transaction SM19, log files are read with SM20, and old log files are cleaned up with SM18. SAP NetWeaver Application Server for ABAP also offers additional logging that records activities by transaction and user, accessible through SAP Workload: Business Transaction Analysis (transaction STAD).

The SAP Security Audit Log (SM20) is an effective tool for security monitoring and auditing. With its ability to record security-relevant activities and provide them for later evaluation, it offers companies a robust solution for identifying and mitigating potential security risks. It thus plays a crucial role in meeting IT security policies and compliance requirements, while simultaneously strengthening trust in the company’s security infrastructure. However, it has certain limitations that prevent it from fully meeting all the requirements of a Security Information and Event Management (SIEM) system:

1) Complexity of correlation rules: SIEM solutions are known for their ability to create complex correlation rules across various systems and platforms to detect anomalies and security breaches. While the SAP Security Audit Log allows recording various security-relevant events, it lacks advanced correlation and analysis capabilities typical of SIEM systems.

2) Real-time monitoring and alerting: SIEM systems often have the ability to monitor events in real-time and send notifications when specific conditions are met. In contrast, the SAP Security Audit Log stores events but does not offer real-time monitoring or automatic alerting.

3) Automated responses: Many SIEM systems can be configured to automatically respond to certain events, such as blocking an IP address or isolating a network segment. The SAP Security Audit Log does not offer such automatic response capabilities.

4) Centralized view: SIEM systems provide a centralized view of all systems and applications within an organization. In contrast, the SAP Security Audit Log is limited to the SAP system and does not provide a comprehensive view of all other systems and platforms.

5) Long-term storage and compliance reporting: SIEM solutions typically offer functions for long-term storage of event data and generating compliance reports. While the SAP Security Audit Log allows for long-term data storage, it does not support automatic archiving of log files and also does not offer specialized functions for compliance reporting.

These limitations do not mean that the SAP Security Audit Log is useless – it is a valuable tool for security monitoring within SAP systems. However, it should be seen as part of a more comprehensive SIEM strategy that includes other tools and platforms. One such tool is SAP’s own SIEM solution, SAP Enterprise Threat Detection (ETD).
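To illustrate the kind of correlation rule that limitation 1 says the audit log itself lacks, here is an added example (not part of the original article and not SAP code) that runs such a rule over exported audit events. It assumes the events have been exported to a semicolon-separated text layout invented for this example; the thresholds and time windows are likewise illustrative assumptions, and the sample lines are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; assumed export layout (not an SAP file format):
# timestamp;client;user;terminal;message_id;text
SAMPLE = """\
2024-03-04 02:11:05;100;JDOE;10.0.0.7;AU2;Logon failed
2024-03-04 02:11:20;100;JDOE;10.0.0.7;AU2;Logon failed
2024-03-04 02:11:41;100;JDOE;10.0.0.7;AU2;Logon failed
2024-03-04 02:12:10;100;JDOE;10.0.0.7;AU1;Logon successful
2024-03-04 02:15:30;100;JDOE;10.0.0.7;AUE;Audit configuration changed
2024-03-04 09:00:02;100;ASMITH;10.0.0.9;AU2;Logon failed
2024-03-04 09:00:30;100;ASMITH;10.0.0.9;AU1;Logon successful
2024-03-04 09:40:00;100;ASMITH;10.0.0.9;AU7;User created
"""
FAILED = {"AU2", "AU6"}     # failed dialog / RFC logon
SUCCESS = {"AU1", "AU5"}    # successful dialog / RFC logon
SENSITIVE = {"AU7", "AUE"}  # user created, audit configuration changed

def parse(text):
    """Yield (timestamp, user, message_id) from the assumed export layout."""
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) == 6:  # skip blank or malformed lines
            yield datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"), row[2], row[4]

def correlate(events, threshold=3, window=timedelta(minutes=5),
              follow=timedelta(minutes=30)):
    """Flag a logon that follows a burst of failures, and sensitive changes after it."""
    # fails: user -> recent failed logons; suspect: user -> time of flagged logon
    fails, suspect, alerts = defaultdict(deque), {}, []
    for ts, user, msg_id in sorted(events):
        recent = fails[user]
        while recent and ts - recent[0] > window:
            recent.popleft()    # forget failures older than the window
        if msg_id in FAILED:
            recent.append(ts)
        elif msg_id in SUCCESS:
            if len(recent) >= threshold:
                suspect[user] = ts
                alerts.append((str(ts), user, "LOGON_AFTER_FAILURE_BURST"))
            recent.clear()
        elif msg_id in SENSITIVE and ts - suspect.get(user, datetime.min) <= follow:
            alerts.append((str(ts), user, "SENSITIVE_CHANGE_AFTER_SUSPECT_LOGON"))
    return alerts

if __name__ == "__main__":
    print(*correlate(parse(SAMPLE)), sep="\n")
```

On the sample, only JDOE is flagged: three failed logons within the window, a successful logon, and an audit configuration change shortly afterwards. ASMITH's single mistyped password and later user creation raise nothing.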
