SECPOL_LOG - Change Logs for Security Policies
The SECPOL_LOG event is used to determine and log all changes made to user and authorization management entity i.e. security policies.
Potential Use Cases
This event could be used in the following scenarios:
Determine which security policies with attributes are created in the SAP system/s, for which you explicitly do not want to use the default value
Monitor to determine if critical security policies and attributes are being changed
Identify and alert on security policies changes, which could create compliance concerns
The event will look like this in Splunk:
Log in to the SAP system and execute the transaction SECPOL_CHANGES. Select the display option “Show Raw Change Documents” along with required inputs in selection fields.
Change Documents/Logs for the policies are displayed in the output screen as below.
Note: This event type is available from PowerConnect version 6.08 onwards and SAP NetWeaver version 7.40 and above.