
Thursday, January 6, 2011

Setting Dynamic Filters


Dynamic filters enable you to respond to real-time events in your system environment, setting traps that can assist you in addressing a security problem. With this option, you can dynamically change the filters used for selecting events to audit. The system distributes these changes to all active application servers.

To set dynamic filters, you must set the profile parameters listed below.

Profile Parameters for Setting Dynamic Filters

rsau/local/file: This parameter defines names and locations of the audit files. (This was an optional parameter starting with 4.6C. It no longer exists in Web Application Server 6.30.)

rsau/max_diskspace/local: This parameter defines the maximum space to allocate for the audit files.

rsau/selection_slots: This parameter defines the number of filters to allow for the security audit log.
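
As an added example (not part of the original post and not SAP code), the following Python sketch checks an instance profile for the three parameters above before you start defining filters. It assumes the profile uses 'name = value' lines with '#' comment lines; the function names, the sample profile and all of its values are constructed for illustration.

```python
# Added example: lint an instance profile for the audit parameters listed above.
REQUIRED = ("rsau/local/file", "rsau/max_diskspace/local", "rsau/selection_slots")

# Constructed sample profile (SID, path and values are made up for the example).
SAMPLE_PROFILE = """\
# instance profile excerpt
SAPSYSTEMNAME = DEV
rsau/local/file = /usr/sap/DEV/D00/log/audit_00
rsau/max_diskspace/local = 1000000
rsau/selection_slots = 2
"""

def parse_profile(text):
    """Read 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # a later line overrides an earlier one
    return params

def check_audit_params(text, filters_planned, has_local_file_param=True):
    """Return findings as strings; an empty list means nothing to fix.

    has_local_file_param=False is for releases where rsau/local/file no
    longer exists (the post names Web Application Server 6.30).
    """
    params = parse_profile(text)
    findings = []
    for name in REQUIRED:
        if name == "rsau/local/file" and not has_local_file_param:
            if name in params:
                findings.append(f"{name}: set, but not available in this release")
            continue
        if not params.get(name):
            findings.append(f"{name}: not set")
    slots = params.get("rsau/selection_slots", "")
    if slots and not slots.isdigit():
        findings.append(f"rsau/selection_slots: '{slots}' is not a number")
    elif slots and int(slots) < filters_planned:
        findings.append(f"rsau/selection_slots: {slots} slots for {filters_planned} planned filters")
    return findings

if __name__ == "__main__":
    for finding in check_audit_params(SAMPLE_PROFILE, filters_planned=3):
        print(finding)
```

An empty result means the profile covers the prerequisites for the number of filters you plan to define in the procedure below.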

The figure shows the screen used to configure dynamic security audit filters.


Procedure

1. To access the Security Audit Log Configuration screen from the SAP standard menu, choose Tools -> Administration -> Monitor -> Security Audit Log -> Configuration.

The Security Audit: Administer Audit Profile screen appears with the Static configuration tab activated.

2. Choose the Dynamic configuration tab or Goto -> Dynamic configuration from the menu.

In the upper section of the screen, you receive a list of the active instances and their auditing status. The lower section of the screen contains tabs for maintaining filters.

3. Choose Configuration -> Change.

4. Define filters for the application server.

5. Make sure the Filter active indicator is set for each of the filters you want to apply to the audit on the application server.

6. If you want to distribute the filter definition to all of the application servers, choose Configuration -> Distribute configuration.

7. To change the auditing status on a single application server, select the status indicator in the List of active instances table.

- A green light indicates an activated audit.

- A red light indicates a deactivated audit.

8. To activate the filter (or filters) on all of the application servers, choose Configuration -> Activate audit. To deactivate the filters on all of the application servers, choose Configuration -> Deactivate audit.

Hint: If you receive a program failure message, make sure you have the authorization S_RFC with the value SECU in your authorization profile. (The system uses remote function calls to obtain a list of servers; for this reason, you need the appropriate authorizations.)

Result

The audit filters are dynamically created on all active application servers.

If you activate the profile(s), any actions that match any of these filters are recorded in the security audit log. Changes to the filter definitions are effective immediately and exist until the application server is shut down.

