October 30, 2016

How to troubleshoot for SAP security log missing

Problem:

When performing "SM20" audit log review and found that the users tcode activities were missing from the trace

Solution:
A) Temporary (Trace will be turn off after server restart)

1) Execute "SM19"



2) Select the "DynamicConfiguration" tab -> Select "Configuration" -> Select "Activate audit"


3) Click "Yes"


4) The trace activated successfully


5) Log file created in "/usr/sap/QAS/DVEBMGS68/log" showing the trace was started


6) With this option the only limitation will be the trace will be turn off after server restart


B) Permanent (Trace will remain on after server restart)

1) Execute "SM19" and select the "Static Configuration" tab



2) Click "Environment" -> "Profile parameter"


3) Select parameter: "rsau/enable", value 0 = trace disable, value 1 = trace enable


4) Double click "rsau/enable" to show the explanation of the parameter


5) Execute "RZ10" to change the parameter, select the instance profile


6) Select "Extended maintenance" and click "display" button


7) Click "Create Parameter" button to insert the "rsau/enable=1"


8) Once profile added and activated, try restart the server and the log tracing will be still running.