Data Description

The SM20 event is used in SAP to view the security audit log.

Potential Use Cases

This event could be used in the following scenarios:

  • Dashboard audit log messages to view messages by criticality

  • Alert on specific audit log messages

  • Correlate the data from the system audit log with other data points such as user log-ins and authorization objects to identify potential malicious behavior.

Metric Filters

This filter is used to select or exclude specific messages from the audit log and is an optional configuration to control data volume sent to Splunk. To access the metric filter log into the managed system and execute the /n/bnwvs/main transaction. Then go to Administrator → Metric Filters → More → SM20 Audit log filter.

Then select the New Entries button, and enter the user selection parameters using the fields below, and save the configuration:

  • Transaction Code - This field is mandatory and is used to filter on a specific transaction code that is noted within the security audit log. To extract data from all transactions, enter a wildcard value (i.e. “*”).

  • Client - This field is mandatory and is used to filter on a specific client of the SAP system that is noted within the security audit log. To extract data from all the clients, enter a wildcard value (i.e. “*”).

  • User - This field is mandatory and is used to filter on a specific user that is noted within the security audit log. To extract data for all the users, enter a wildcard value (i.e. “*”).

  • Security Level - This field is mandatory and is used to filter on a specific 'Security Level' message that is noted within the security audit log. To extract data for all security level, enter a wildcard value (i.e. “*”).

  • Grp - This field is mandatory and represents the system log message group. To extract data for all message groups, enter a wildcard value.

  • N - This field is mandatory and represents the message group sub-name. To extract data for all the message group sub-names, enter a wildcard value.

  • Message Text - This field is mandatory and represents the message text from the system log. To extract data for all messages, enter a wildcard value.

  • INCL/EXCL - This field is mandatory and is an exclusion or inclusion criteria. To exclude the values defined in the selection criteria enter an “E“ in the field. Similarly, to include the values defined in the selection criteria enter an “I” in the field.

  • Active - This field is mandatory and is a checkbox used to enable or disable the filter criteria. To activate the filter criteria, ensure the checkbox is checked. Conversely, if you would like to disable data collection ensure the checkbox is unchecked.

Here is an example of what the filter can look like once it is filled out:

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Log into the managed system and execute the SM20 transaction. Then fill in the desired user selection parameters and hit the Reread Audit Log.

The data displayed will match the data collected and sent to Splunk.

Field Mapping

Field

Description

Unit of Measure

ALGAREA

System Log: Group of 36 System Log Messages

String

ALGCLIENT

Client

Number

ALGDATE

SecAudit: Date audit entry created

YYYYMMDD

ALGFILENO

SysLog: File number

Number

ALGFILEPOS

SysLog: File offset

Number

ALGINST

SAP Instance Name

String

ALGLTERM

SecAudit: Terminal name

String

ALGREPNA

Program Name

String

ALGSUBID

System log: Third character of message name

String

ALGSYSTEM

Server Name

String

ALGTASKNO

Work process number

Number

ALGTASKTYPE

System log: SAP process name

String

ALGTCODE

Transaction Code

String

ALGTEXT

SecAudit: Text part of displayed Security Audit Log message

String

ALGTIME

SecAudit: Time at which audit entry was created

HHMMSS

ALGUSER

User Name in User Master Record

String

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

SM20

String

IPADDRESS

Terminal

IP Address

PARAM1

SysLog: variable message data

String

PARAM2

SysLog: variable message data

String

PARAM3

SysLog: variable message data

String

PARAM4

SysLog: variable message data

String

TXSEVERITY

System audit log: Security level text format

String

TXSUBCLSID

System audit log: Security class text format

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -