Security Log

Use

Administrators can use the security log to help identify any potential unauthorized access to the system. The security log is configured with the parameter icm/security_log.

The following irregularities are logged:

· Data with invalid syntax

· Attempted access to objects that do not exist (NOT found)

· Access to objects that is not permitted due to filter rules (permission denied)

· Logon errors to Web administration (in ICM and Web Dispatcher)

Examples of Log Entries

· Error: Permission denied (-13), authorization failed for user >sap< [http_auth_mt.c 745]

· Error: Protocol error (-21), illegal request version: 1009

· Error: Protocol error (-21), NULL bytes in HTTP request [http_plg_mt.c 4037]

Depending on the configuration, the data that gave rise to the log entry is also output:

[Thr 5126] ------------------------------------------------------------------------

[Thr 5126] 0x47a8b614  000000  47455420 2f736170 2f62632f 6273702f |GET /sap/bc/bsp/|

[Thr 5126] 0x47a8b624  000016  7361702f 69743035 20485454 502f312e |sap/it05 HTTP/1.|

[Thr 5126] 0x47a8b634  000032  310d0a68 6f73743a 206c6470 3030372e |1..host: ldp007.|

...

The security log indicates which security measures could be appropriate. For each individual entry, you must decide whether it really represents a serious security risk.
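The following Python example is added here and is not part of the SAP documentation or tooling. It parses entries of the shape shown above, counts them by error category and code, and reassembles the dumped request bytes per thread; the line layout is assumed to match the examples on this page, and the function names are hypothetical.

```python
import re
from collections import Counter

# Entry shape taken from the examples on this page:
#   Error: <category> (<code>), <detail> [<source file> <line>]   (suffix optional)
ENTRY_RE = re.compile(
    r"Error: (?P<category>[^(]+?) \((?P<code>-?\d+)\), (?P<detail>.*?)"
    r"(?: \[(?P<src>\S+) (?P<line>\d+)\])?$"
)
# Dump shape: [Thr <id>] 0x<address>  <offset>  <up to four hex words> |<ascii>|
DUMP_RE = re.compile(
    r"\[Thr (?P<thr>\d+)\] 0x[0-9a-f]+\s+\d+\s+(?P<hex>(?:[0-9a-f]{8} ?){1,4})\s*\|",
    re.IGNORECASE,
)

def parse_security_log(lines):
    """Return (entries, dumps): parsed error entries and request bytes per thread."""
    entries, dumps = [], {}
    for line in lines:
        line = line.strip()
        dump = DUMP_RE.search(line)
        if dump:
            data = bytes.fromhex(dump.group("hex").replace(" ", ""))
            dumps[dump.group("thr")] = dumps.get(dump.group("thr"), b"") + data
            continue
        entry = ENTRY_RE.search(line)
        if entry:
            fields = entry.groupdict()
            fields["code"] = int(fields["code"])
            entries.append(fields)
    return entries, dumps

def summarize(entries):
    """Count entries per (category, code) so repeated irregularities stand out."""
    return Counter((e["category"], e["code"]) for e in entries)

# Sample input: the entries and dump lines quoted on this page.
SAMPLE = """\
Error: Permission denied (-13), authorization failed for user >sap< [http_auth_mt.c 745]
Error: Protocol error (-21), illegal request version: 1009
Error: Protocol error (-21), NULL bytes in HTTP request [http_plg_mt.c 4037]
[Thr 5126] ------------------------------------------------------------------------
[Thr 5126] 0x47a8b614  000000  47455420 2f736170 2f62632f 6273702f |GET /sap/bc/bsp/|
[Thr 5126] 0x47a8b624  000016  7361702f 69743035 20485454 502f312e |sap/it05 HTTP/1.|
[Thr 5126] 0x47a8b634  000032  310d0a68 6f73743a 206c6470 3030372e |1..host: ldp007.|
""".splitlines()

if __name__ == "__main__":
    entries, dumps = parse_security_log(SAMPLE)
    for key, count in summarize(entries).most_common():
        print(count, key)
    for thr, data in dumps.items():
        print(thr, data.split(b"\r\n")[0])
```

Decoding the hex words rather than the ASCII column preserves bytes that the dump renders as dots, such as the CR LF after the request line.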