Thursday, January 6, 2011

Defining Filters

In filters you define the events that the security audit log should record.

You can specify the following information in the filters:

. User and SAP system client

. Audit class (for example, dialog logon attempts or changes to user master records)

. Weight of event (for example, critical or important)

You can define filters that you save in static profiles in the database or you can define them dynamically for one or more application.

The number of filters you can specify is defined in the profile parameter rsau/selection_slots. You can either define static profiles or change filters dynamically using the Security Audit Log configuration tool. For each allocated filter, a tab appears in the lower section of the screen.


1. Select the tab for the filter you want to define.

2. Enter the client and user names in the corresponding fields.

Hint: You can use the wildcard (*) value to define the filter for all clients or users. However, a partially generic entry such as 0* or ABC* is not possible.

3. Select the corresponding Audit classes for the events you want to audit.

4. Audit events are divided into three categories: critical, important, and non-critical. Select the corresponding categories to audit.

. Onlycriticalevents

. Important and critical events

. All events

5. If you want to define the events to audit more specifically:

. Choose Detailed configuration.

A table appears containing a detailed list of the audit classes with their corresponding event classes (critical, severe, non-critical) and message texts. (The message texts correspond to the system log messages AUx.)

. Select the events you want to audit. You can select either a single event or all events:

. Select a single event by activating the Recording indicator for a specific event.

. Select all events for an entire audit class by choosing the audit class descriptor (for example, Dialog logon).

. ChooseAccept changes.

Hint: If you have made detailed settings, the audit class and event class indicators no longer appear in the corresponding filter tab. To cancel the detailed settings and reload the default

configuration, choose Reset.

6. To activate the filter, select the Filter active indicator.

No comments:

Post a Comment