The recorded events provide information useful for monitoring changes to the SAP system or for tracking a series of events. Legal. Then click on save button on above screen to save the background job. g. Application Server Started. SAP systems maintain their audit logs on a daily basis. Together, we plan to drive operational insights, automation and innovation, unlock new areas of growth, and deliver exceptional. This event could be used in the following scenarios:. Basically I'm tracking transaction use remotely, and am looking to extract the. The program GRAC_EAM_LOG_SYNC_TIMEBASED was also extecuted but still, log is not showing up in the FireVisit SAP Support Portal's SAP Notes and KBA Search. When i tried to run an SM20 report to list the actions I did but I get an empty result. ETM saves SAP security audit logs (SM20 logs), change documents and critical SAP information such as SAP gateway logs. SM20 Reports. The host name is in there. Every Java instance has a common shared memory area where server processes and the ICM store all their monitoring information (sessions. The security audit log saves its audits to a corresponding audit file on a daily basis. Where as able to get other information except that particular user. SYSTEM_NO_SHM_MEMORY is happening in the system. You might try to use SM21 with ID R47 but it's not straight forward and it. In transaction SM21 System Logging you can use RFC to read logs created locally in all the instances of the SAP system. Select the appropriate radio button under Expiry Date. I need to take a report on tracking the usage of SAP by user and transcation wise. You may choose to manage your own preferences. Activate Transaction SM19 and Transaction SM20 logging; 2. SAP NetWeaver 7. Using SM20 in such case can bring a result like: Even though there are SAL entries recorded in the files. You can use transaction RSAU_CONFIG_SHOW to get an overview of the audit log settings. This Audit Log data saves into files. Is it possible to enable Security Audit loging for a specific set of transactions or if all transactions need to be logged?Activate the user/users you want to monitor in SM19. SM20 / RSAU_READ_LOG) | SAP Blogs Relevancy Factor: 2. 1 - Firefighter Session Details Audit Log Report. Analysis and Recommended Settings of the Security Audit Log (SM19 / RSAU_CONFIG, SM20 / RSAU_READ_LOG) RSAU_BUF_DATA is a standard Security Transparent Table in SAP BC application, which stores SAL: Temporary Event Log data. Read more. all SAL files generated in the past 6 months), and the system ends up without available memory to. Run SM20 in background with variant. g. 3) Click "Yes". 2 ; SAP NetWeaver 7. Moreover, it's better to use new transaction RSAU_CONFIG than SM18 and likewise RSAU_READ_LOG instead of SM20/RSAU_SELECT_EVENTS. On transaction SUIM there is an option to find the last logon information of an user. The audit files are located in the individual application servers. These are security audit transactions. This means that Firefighter session could be started from the plugin system itself without the need to access the GRC Box. ABAP platform all versions ; SAP NetWeaver all versions ; SAP Web Application Server for SAP S/4HANA all versions. I tried to extract using st03 os01 sm20 etc but no luck. Report ZSM04000_SNC shows a cross-client list about users, their terminals, the connection type and the SNC status. Once the data is extracted the field “Terminal” will give you your answer. All this configuration you can do this through SM19. The Security A udit Log produces an audit analysis report that contains the audited activities. Therefore, the name is SLOG77, for example. In this blog post, you’ll discover some of our latest features and enhancements released in October and November 2023. But it will not give you the terminal id. g. I tried to check action configuration but could not find the right way to do it. If you fast forward a few years you can imagine lots of permissioned chains with each organisation belonging to many. 51 for SAP S/4HANA 1610 ; SAP enhancement. SM20 Security Audit Log errors for User SAPSYS for RFC/CPIC Logon. Report /IWFND/R_METERING_DELETE can be used to delete old metering information from Gateway tables. What I have also done for SM21 and a number of others in the past is create variants for their analysis reports which search for such events or change documents, and schedule them. Select this option to allow only a single security audit file for the application server and enable the Maximum Size of Audit File parameter. because logon is not stable, it does not have real session,SAP Application: An SAP application is an SAP software solution that serves a specific business area such as Enterprise Resource Planning (ERP) or Supply Chain Management (SCM). please explain the usage of transaction codes SM18, SM19, SM20 in SAP, for audit. You can use this special filter value ‘SAP#*’ in transaction SM20, report. Click more to access the full version on SAP for Me (Login required). If he only had one, then he was kicked out of the system. CALL FUNCTION 'LIST_TO_ASCI'. The most used method to retrieve SAP User login history is using the standard SAP Transaction Code ST03N. SM20 only can trace the logon or logoff with DIAG protocol (SAPGUI) and RFC protocol. The right side offers the section criteria for the evaluation process. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. They will introduce performance. Click on Next push button. Security Audit Log, SM18, SM19, SM20, RSAU_CONFIG, RSAU_READ_LOG, RSAU_READ_ARC, RSAU_ADMIN, SAL , KBA , BC-SEC-SAL , Security Audit Log , How To About this page This is a preview of a SAP Knowledge Base Article. 3 ドキュメントの更新情報 このマニュアルの表紙には、以下の識別情報が記載されています。 † ソフトウェアのバージョン番号は、ソフトウェアのバージョンを示します。 † ドキュメントリリース日は、ドキュメントが更新されるたびに変更されます。 † ソフトウェアリリース日は、この. Parameter rsau/local/file has not been set, as. Print preview is provided in SAP List Viewer (ALV) for SAP GUI technology, from where actual printing can follow. I have activated static and dynamic filters and I have given all permissions for the sub folders How can I get user data from O/S level and I want to. I have try SLG2 with option delete before expiration date but nothing list as in SM20. In a SAP system, it is also possible that you use Security Audit Log (transactions SM18, SM19 and SM20) to record all the successful and unsuccessful logon attempts. Alert Moderator. Transparent Table. Jobs can be deleted in the following two ways −. We also changed the SID. The following parameters below are essential for you being able to read in SM20. When using SM20 or RSAU_READ_LOG to evaluate the security audit logs, one of the following behaviors is observed: When starting transactions no AU3 security audit. RFC/CPIC logon failed, reason=1, type=F, method=R. In the subject you mention authorization object for "print preview" and in the decription you mention "restricting the print". - Profile/Filter: 2 Selection by profile AUDIT/filter 002. HI, Anil , you did not mention for activat the Audit Parameters which is required , it might be the issue , because the audit log will stop if you did not activate it from parameter after performing Application restart. /o. For getting the Entries i would like to Execute the above function module. Using SM20 in such case can bring a result like: Even though there are SAL entries recorded in the files. 2 Answers. Customer executed Action Usage By User, Role and Profile report. TABLES. アプリケーション開発チームから、利用頻度の高いトランザクションやレポートプログラムを. Create a new record in table “W3GENSTYLES”. Now suppose the requirement is to get the Table that stores the Field of all Standard Tables. Solution: A) Temporary (Trace will be turn off after server restart) 1) Execute "SM19". Understood. Use the SAP Tcode SM19 for Security Audit Configuration. Login; Become a Premium Member; SAP TCodes; SAP Tables;. 2) Enter and select the relevant details and click "Reread Audit Log" button. Jan 23, 2008 at 01:50 PM. There is no difference between SCU3 or OY18, you can display the change documents of the tables using the tcodes, they both run the same program. (Transaction SM20). Terminates all separate sessions and logs off immediately (without any warning!). The Security Audit Log produces an audit analysis report that contains the audited activities. As of SAP Basis 740 (downported to ABAP 731 with Kernel 7. Sounds like your SM19 filters are set differently on the app server instances. Hope this will help. I have used SM19 to enable auditing on my SAP system, and when I logon using SNC or via HTTP I can see in audit file (using sm20) that the SAP user and client is shown, but there is no mention of the SNC name or HTTP logon method used to authenticate the SAP user. One user One ID. The following values are permitted: 1: Only the URL is searched. AUD before it was audit_+++++++. The Session Manager is a graphical navigation interface that enables you to manage the sessions of one or more SAP systems and several clients. Maintain the profile parameter “gw/logging” with appropriate logging activated in transaction SMGW; more information is available in SAP note 910919. i have one requirement I need to Get the Entries from the Function module. In SM20 after filling in the prerequisite fields and selecting the time frame, you will have to extract the audit log as shown in the screenshot below. Today I want to test the Security Audit Log to monitor RFC calls, but the analysis of Security Audit Log (SM20) doesn’t work on the trial system. This is a preview of a SAP Knowledge Base Article. In the User Information System (transaction SUIM), choose Change Documents For Profiles . SAP has recommend archiving your audit files on a regular basis and deleting the original files as necessary. Tcode for Analysis of Security Audit Log. Our audit log report is not populating with data and I'm trying to determine if that's ok or if there's a configuration issue. However when I schedule it as background job, it failed. Hey Community, In the past days I released a SAP Knowledge Base Article addressing the most common memory issue within the Security Audit Log. Page Not Found | SAP Help Portal. Choose transaction SLG2. We've load balancing, active log shipping and DB clustering. Enable SAP message server logging. 3 ; SAP NetWeaver 7. It seems that, when trying to export audit data of users in tx. By using the audit analysis report you can analyze events that have occurred and have been recorded on a local server, a remote server, or all of the servers in the SAP System. Try going to Menu->pdf preview. Transaction code SM 20. RFC/CPIC Logon Failed, Reason = 1, Type = F The user listed is SAPSYS (client 000. Take a look into transaction RZ20 (the CCMS alerts) where you can centrally monitor such stuff and define threadholds and reaction methods. Jun 16, 2009 at 08:16 PM. OSS Note – 2227963, 2270355, 2029012. How updation of change log is done in SAP: The change log of delivery header is updated through CDHDR and CDPOS tables. But if the password lock happens within minutes, then STAD will be faster -> select the user -> you will see a step recorded in program SAPMSYST -> double-click it -> click on the hotspot "RFC" at the top and there you can see the connection details and the host names from the caller. I have been asked to get a report of all transactions started by all users since the beginning of the month. The SAP System logs is the all system errors, warnings, user locks due to failed log on attempts from known users, and process messages in the system log. Retention process is Holding back a portion of payment to vendors who works for your organization. Go to transaction SM20. This is the respective entry recorded in SM21. Program : SAPMSM20. Appreciate your advise. The Splunk and SAP partnership is focused on enabling the Intelligent Enterprise, by bringing new integrations and solutions for our joint customers to be successful in the experience economy. Hi Guru's. Run this report regularly and as soon. Choose (Execute). When creating table, you will find a check box 'Table maintenance allowed'. The solution is also simple: The field SSFCRESCL-OUTPUTDONE will return whether a printout occurs or not from preview windows. The only problem is that I not completely sure if it will work with a deleted user. This will be very important so that you can plan from now to use the Updated Transaction Codes. GRC provides six reports specifically for EAM, e. You will find detailed explanations of the system log functions, features, and settings, as well as examples and tips for best practices. Hi, I would like to create an audit log / audit report analysis in background. The first server in the list is typically the host to which you are currently connected. According to DIN EN ISO 9000, this is a systematic, independent, and documented process used to obtain audit results and to evaluate these results objectively in order to determine to what extent the criteria of audit have been fulfilled. One pop-up will display. 3. The Security Audit Log is a standard SAP tool and is used to record security-relevant information with which you can track and log a series of events. Automatically save SM20 results to a file. Sm20 Transaction Codes List. I have to extract log for more than 100 users by using SM20 log. File -> New -> Project ‘New Project’ window will appear as below. SM21 is very easy to use, just specify the criteria: Suppose I changed the content of LV to 123. SM21 ( SAP System Log ) : The SAP System logs all system errors, warnings, user locks due to failed logon attempts from known users, and process messages in the system log. It is very important to know which are the Transaction Codes that are replaced with new Transaction Codes. SM20 is a SAP tcode coming under BC module and SAP_BASIS component. 様々な条件でレポートを出力できるように. SM20 Logs in SAP S/4HANA Cloud. Whereas the system log records system events, you can use the application log to record application-specific events. Create a new class: ZCL_ITS_GEN_SAPUI5_MOBILE. Click to access the full version on SAP for Me (Login required). In this regard I used SM20 transaction code and calculate time using Logon Successful time and User Log off time data. Concepts and Security Model. For RSAU_CONFIG, first, check and implement note 2743809. BC - Security. By continuing to browse this website you agree to the use of cookies. 2, logs were returned on that particular date. Please note that certain sensitive data has been blocked out in the above screenshots to protect the integrity and security of. 1. Now suppose the requirement is to get the Table that stores the Field of all Standard Tables. Module : BC-SEC (Security) Parent Module : BC (Basis Components) Package : SECU (Security Audit) ABAP Program : SAPMSM20. In this blogpost I like to shine a light on the handling of log files of the ICM. SM20 tcode used for : Analysis of Security Audit Log in SAP. "miss: TSL1T (J,Q0M)" のようなメッセージが SM21 または. The. 0. One Audit File per Day. 3) All the detail activities of the particular login will be shown. You can add the profile parameters about SNC to the header of the list. The control to mitigate this risk could be the Security Audit Log and the adoption of a control procedure of the instrument’s output. 2 SP9 and above; SAP BusinessObjects Business Intelligence Platform 4. Successful and unsuccessful transaction and report start. Start Analysis of Security Audit Log (transaction SM20). If the configuration is not active or has an unclean state, there is a risk in the form of security breaches due to. How. A tool that contains a log of security-related system events such as configuration changes or unsuccessful logon attempts. 10 characters required. The Security Audit Log is a tool designed to be used by the auditors to monitor the activities in the SAP System. but still if as Security audit log is required is there any way to get the log from SAP from any of the standard report, program or table. Transaction Code. SAMT. The left side displays the host servers of the AS ABAP. When attempting to read security audit logs from SM20, the following popup notification appears. 44. Transaction codes SM20 or RSAU_READ_LOG can be used to view the audit log results. A selection groups a range of consolidation master data, typically the financial statement (FS) items, by using various filter criteria. Add a Comment. In such case, the configuration is not correct. Methods which can be used to generate runtime dump: collecting via HANA Studio from os level via fullSystemInfoDump. Consolidated log report, EAM, SPM, Firefighter, Transaction log, Session log, Change log, Audit log, OS Command Log, SM20, SM49, CDPOS, CDHDR, STAD,. I've been looking for a function module that will allow me to read the security audit logs that are viewed via SM20. You can then access this information for evaluation in. SM35 (Batch Input Monitoring) TCode in SAP. In transaction SCC4, you have selected the option "Changes w/o automatic recording, no transports allowed" When you edit a repository object in the client, you are still prompted to record the changes in a Transport RequestThe archiving of IDocs leads to a dump with the message TSV_TNEW_PAGE_ALLOC_FAILED. /nex, opening new transaction). How to mass lock all users. Select ‘XS Project’. We will set out the approach to adopt for 5 critical SoD conflicts you should prevent in your company. AIS is a tool designed to take a more detailed look at specific activities occurring in the SAP R/3 System, such as: Three transactions let you configure, activate, report, and remove audit log. You may choose to manage your own preferences. user locked, ABAP, RFC, user is getting locked. 3. This is first time when I am configuring any action in WebUi. I was hoping to find a single module where I could input date/time/user etc, but unfortunately that doesn't appear possible. These actions are always audited and recorded. Visit SAP Support Portal's SAP Notes and KBA Search. There is requirement to schedule SM18 or RSAU_ADMIN as a background job to admin the Security Audit Log file automatically. The following services should be logged and, ideally, proactively monitored for suspicious activity: Ensure SAP Gateway logging is configured. In a list in fullscreen view, choose . A restart of the instance is required to activate the profile parameter. For the message you cite, the user or an administrator has cancelled one of the sessions for user KRUDD. For more. Hi All, I have a question on how to define the maximum number of the log to be kept in SAP? is there a parameter to define in RZ10? because currently the log generated by SM19 been deleted after 3 months and I checked the total size are less than 100MB, while the current system is being setup to maximum 200MB. Search for additional results. then you can see the logs with Tx SCC4 -> Utilities -> Change Logs. . Hi Jabin, Helpful blog . 知りたいといような要望で使うこともあります。. About this page This is a preview of a SAP Knowledge Base Article. The data and metrics are used by other subsystems in SAP Landscape Management such as dashboards, and alerts. 3148 Views. listasci = i_ascii " list converted to ASCII. . To create the change audit report Go to Action Search –> Change audit report. I understand best practice says to lock. communication_failure = 3 MESSAGE last_rfc_mess. This is a preview of a SAP Knowledge Base Article. An audit is modeled in SAP Audit Management as a named auditing. Recommended Settings for the Security Audit Log (SM19 / SM20) This blog had started to give recommendations about settings for the Security Audit Log, but. Regards, Sivaganesh. Personnel Area Tables. 2. Number of Selection Filters. These can be helpful when analyzing issues. You may choose to manage your own preferences. Basis - Syntax, Compiler, Runtime. Opens a new session and starts transaction xzy in the session. Search for additional results. 4 ; SAP NetWeaver 7. In this example I want to Find the Table that stores EKKO Table field as a matter of fact any table fields. SM20 tcode used for : Analysis of Security Audit Log. - Current DB size is about 90GB with about. 0, you can use the Security Audit Log to record security-related system information such as changes to user master records or unsuccessful logon attempts. Application logging records the progress of the execution of an application so that you can reconstruct it later if necessary. When I select below combination: - Selection Type: 3 Selection by profile/filter. SM21 ( SAP System Log ) : The SAP System logs all system errors, warnings, user locks due to failed logon attempts from known users, and process messages in the system log. In this example I want to Find the Table that stores EKKO Table field as a matter of fact any table fields. Can SM20 security logs be activated only for specific id's. ETM’s method for compression typically achieves 98% of log volume reduction. I've experimented a bit with SM19 authorizations and figured out that a read-only access to SM19 is possible if I deactivate S_C_FUNCT. My system landscape. after change the. SAP Knowledge Base Article - Preview 2878506 - Security Audit Log: SAPMSSYC Logon successful (type=E, method=A ) FCHT Audit Trail - SM20 and AUT10. You can use the below function module to get the details from the system. Depending on the amount of data that you collect, the risk of impacting a production process is greatly reduced. To see other options, click “v” button. To show log entries in for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead. 1. In general, sessions are used to keep the state of a user accessing an application between several requests. empty_list = 1. when using /n<TCODE> or /o<TCODE> in the OK code field. Go to SM20. Specify Selection Conditions. It means that after transaction has finished, you should leave the transaction to free the memory (i. 0 ; SAP NetWeaver 7. Everything you need to perform the analyses can be found in a standard SAP system. The Security Audit Log is a tool designed to be used by the auditors to monitor the activities in the SAP System. SAP migration overview : As the Greek philosopher, Heraclitus, said: “change is the only constant. The. My dev sys is becoming slow when the logs are full. 0 Keywords Action Usage by User, Role and Profile, timestamp, last executed, , KBA , GRC-SAC-EAM , Emergency Access Management , ProblemSM20, SAPMSSYC Logon successful (type=E, method=A ), Security Audit Log , KBA , BC-ABA-LA , Syntax, Compiler, Runtime , BC-SEC , Security - Read KBA 2985997 for subcomponents , BC-SEC-SAL , Security Audit Log , Problem. A New Home in New Year for SAP Community: Exciting times ahead for the SAP Community! Not yet a member on the new home? Join today and start participating in the discussions!. The SAP Fiori applications are based on the USER INTERFACE TECHNOLOGY software component (SAP_UI). log Records of Table Changes. I want to make a report to calculate total SAP Used (logon) hours for a specified period (week/year/month) for User (s). Provide. The selection inputs I'm passing in are the standard options displayed in screen 300 and the subscreen on the main screen. "No data was found the server". Whether you use the process documented in SAP Note 1716731 or a utility program that reads the statistics data, you. When you call SM04 and choose "Goto -> Memory", the system displays the memory that is allocated for each user; the bottom line specifies the total memory requirement for all users. For instance, you can add system ID and client of the target system in question to your users, such as. To access the Security Audit Log analysis screen, you can use transaction code SM20 security audit log sm20 You May The Security Audit Log produces an audit analysis. Understood. last updated: 2023-07-10 Introduction The article explains the SAP GUI – TCODE (Transaction Code): SM21 usage in details. By activating the audit log, you keep a. 4) Then Use SM20 to read your logs. Depending on the client’s needs, the option “log on centrally” (current version 10 behavior) or “log on locally” (5. Please show me that how can i find that which IP address accessed my sap server? I know the user ID but the same is using by 4 persons. You can find the file information below if your logging activated ; RSAU/local/file. Hint: Using sap note 1970644 you can get report RSAU_INFO_SYAG,. The audit analysis report produced by. Transaction logs: capture from STAD. and we have turned on rdisp/gui_auto_logout = 1hour so those users could not be remained in system from yesterday. Use tcode sm19 and sm20 to maintain and see the user history. There are many perspectives that we need to consider when doing this planning. The transaction field is not set correctly for all log entries of type AU3/AU4 written by the SAP kernel. Here the main SAP SM* Tcodes used for User, System Administration. SAP Transaction Code SM20 (Analysis of Security Audit Log) - SAP TCodes - The Best Online SAP Transaction Code Analytics BC SAP_BASIS SM28 Installation Check BC-ABA-LA BC SAP_BASIS SM29 Model Transfer for Tables BC-CTS-CCO BC SAP_BASIS SM30 Call View Maintenance BC-CUS-TOL-TME BC SAP_BASIS SM30VSNCSYSACL Start Analysis of Security Audit Log (transaction SM20). Hi All, I am trying to understand RSAU_READ_LOG report. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. 0. The left side displays the host servers of the AS ABAP. s SM35 is a transaction code in SAP Basis UI Services. We run the SM20 audit log reports each month for DDIC activity when its associated with a terminal name. 4. Normally only customizing tables should have the logging flag. How to enable Security Audit Logging on all SAP transactional systems (SM19/20). Here in this. SAP provides standard transaction STAD for this, but it is restricted for only one day. UCON - Missing RFC Function Modules. Logging and Monitoring enable earlier detection of any weaknesses or vulnerabilities in the SAP system as the administrator can pro-actively monitor security-related activities, address any security problems that may arise and enforce security policies appropriately. This log is a tool designed for auditors who need to take a detailed look at what occurs in the AS ABAP system. Transaction SM20 is used to see the Audit log . Using Security Audit Log. By activating the audit log, you keep a record of those activities which can be accessed using transaction SM20 transactions. 31 system. SAP BusinessObjects Business Intelligence Platform 4. It enables a user to either process or monitor batch input jobs. Add a Comment. I have to extract log for more than 100 users by using SM20 log. - A solution that might have worked is via the 'SUBMIT' statement, but this would not fit because SM20 is not a report program. Analysis and Auto-Reaction Methods. For more info on this, kindly refer the following notes and simplification list for SAP S/4 HANA 1610 Initial Shipment stack. Please let me know the following: - 1. Select “Packing”. Transaction code SM21 is used to check and analyze system logs for any critical log entries. When we execute this transaction code, SAPMSM20 is the normal standard SAP program that is being executed in background. Infotype Subtype Tables. Uday Kiran. The events to be logged are defined in the Security Audit Log’s configuration. Business Scenario: From a microeconomic perspective, a business scenario is a cycle, which consists of severalsecurity audit log (SM20N) has anyone turned on the audit log in your system ? please share with me how you make use of this log and what to be monitored. Employee Master Tables. For example the "Transaction Code" column shows entries S000 or SESSION_MANAGER. i wanna check my logs & wanna delete it. 0 Keywords Action Usage by User, Role and Profile, timestamp, last executed, , KBA , GRC-SAC-EAM , Emergency Access Management , Problem Following dialog logon message can be seen in SM20: SAPMSSYC Logon successful (type=E, method=A ) You want to know more details about this Security Audit Log. For security administrators that need to extract SAP audit logs continuously for upload into a third-party analytical system like SIEM or Splunk. 3 ; SAP enhancement package 2 for SAP NetWeaver 7. 3) SM20 : Result Empty. We have enabled the audit parameters (and restarted) but are unable to view the audit log in sm20. SAP Audit Management for SAP S/4HANA provides an end-to-end audit management solution that can be used to build audit plans, prepare audits, analyze relevant information, document result, form an audit opinion, communicate results, and monitor progress. SAP Access Control 12. The SAP Security Audit log is a weird beast, it is written in UTF-16 even though it only shows simple ASCII, maybe SAP has a deal with disk manufacturers. Please refer SAP Notes: 2191612 - FAQ | Use of. The first server in the list is typically the host to which you are currently connected. 様々な条件でレポートを出力できるように. It is similar to SM20 but offers advanced selection options. One such TCode is SM20, which provides access to Analysis of Security Audit Log SAP screen functionality within R/3 SAP (Or S/4HANA) systems, depending on your version and release level. Option c) is not valid – and can give you headaches. I tried with wild card characters, it is not giving accurate user list. Number of filters to allow for the security audit log. Transparent Table. You can see SM20 logs below : Application Server Stopped. Visit SAP Support Portal's SAP Notes and KBA Search. To show log entries in for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead. The logs are deleted from the database. You can assign analysis and auto-reaction methods to the alerts.