Independent SAP advisory. Not an SAP partner, reseller, or affiliate.
SAP Security Consulting

SAP Audit Trail Configuration

SAP audit trail configuration covers the security audit log (SM19 and SM20), the system log, the change document log, and the table change log. This article covers the configuration baseline, the retention policy, the SIEM integration, and the audit defensible trail posture that supports the SoX testing program and the cybersecurity monitoring program.

SAPAudits Research May 18, 2026 10 minute read

Why the audit trail is the core control

The audit trail is the core technical control that supports external audit, SoX testing, regulator review, and security incident response. Without a properly configured audit trail the customer cannot answer the basic question of who did what and when. With a properly configured audit trail the customer can demonstrate operating effectiveness for the access management ITGC, can support the data subject access request, and can investigate a security incident with evidence. The trail is the foundation under every other security and compliance control in the SAP landscape.

This article documents the configuration baseline, the retention policy, the SIEM integration, and the audit defensible trail posture. Reference the SAP security audit pillar, the table logging configuration, and the security hardening expertise.

Configuration baseline

The audit trail configuration baseline rests on the security audit log (SAL), the system log, the change document log, and the table change log. The SAL filter set captures successful and failed logons, RFC calls to critical destinations, user master record changes, authorization profile changes, and transaction execution by privileged users. The system log captures runtime events, including dialog work process activity. The change document log captures changes to business documents through change document objects. The table change log captures changes to tables flagged for logging in the technical settings. The customer position is to maintain the SAL filter as standing configuration in every system, never to leave the SAL on default, and to maintain the table logging list in tandem with the data classification.

Reference the basis security analysis, the table logging configuration, and the privileged access analysis.

Retention policy

The retention policy covers how long the audit trail is stored and where. The SAL retention is set at 12 months minimum for SoX scoped systems and 24 months for systems subject to additional regulator scrutiny. The change document log retention follows the business document retention which is typically 7 to 10 years. The table change log retention follows the underlying table data retention. The customer position is to externalize the SAL and the SIEM forwarding so that the production database does not carry the long term retention load. Reference the license audit pillar (cross cluster reference for the named user logging that supports audit user counting), the compliance framework pillar, and the SoX ITGC analysis.

Forwarding the security audit log to the enterprise SIEM in real time with documented detection rules is the single most leveraged audit trail control. The discipline lifts the trail from a passive log into an active monitoring source.

SIEM integration

The SIEM integration forwards the audit trail to the enterprise security operations platform in real time. The integration runs through a syslog gateway or through a dedicated connector. The customer position is to deploy the integration as standing infrastructure with a documented data flow, an identified data owner, and a service level objective for forwarding latency. The SIEM detection rules apply on top of the forwarded trail. The first three rules cover a failed logon from a non-corporate network, a successful logon by a privileged user during off hours, and a critical authorization assignment outside the change window. Reference the cybersecurity analysis, the security notes and patches analysis, and the firefighter id analysis.
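An added example, not part of the original article or any SAP tooling: the three detection rules above evaluated over forwarded events. The event schema, policy values, and user names are constructed assumptions; AU1, AU2, and AUB are the SAL message IDs for successful logon, failed logon, and changed user authorizations.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions); replace with the site's own.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
PRIVILEGED_USERS = {"BASIS_ADM", "FF_ID_01"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # system local time, Mon-Fri
CHANGE_WINDOWS = [(datetime(2026, 5, 16, 22, 0), datetime(2026, 5, 17, 2, 0))]

def off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)

def in_change_window(ts):
    return any(start <= ts < end for start, end in CHANGE_WINDOWS)

def non_corporate(src_ip):
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return True  # missing or malformed address: origin cannot be confirmed
    return not any(addr in net for net in CORPORATE_NETS)

def evaluate(event):
    """Return the names of the rules that fire for one forwarded SAL event."""
    ts = datetime.fromisoformat(event["ts"])
    msg, hits = event["msg_id"], []
    # AU2 = logon failed
    if msg == "AU2" and non_corporate(event.get("src_ip", "")):
        hits.append("failed_logon_non_corporate")
    # AU1 = logon successful
    if msg == "AU1" and event["user"] in PRIVILEGED_USERS and off_hours(ts):
        hits.append("privileged_logon_off_hours")
    # AUB = authorizations for a user changed; criticality filter omitted here
    if msg == "AUB" and not in_change_window(ts):
        hits.append("auth_change_outside_window")
    return hits

# Constructed sample events in an assumed normalized schema (not raw SAL records).
SAMPLE_EVENTS = [
    {"ts": "2026-05-18T09:15:00", "msg_id": "AU2", "user": "JSMITH", "src_ip": "203.0.113.7"},
    {"ts": "2026-05-18T09:20:00", "msg_id": "AU2", "user": "JSMITH", "src_ip": "10.1.2.3"},
    {"ts": "2026-05-18T23:40:00", "msg_id": "AU1", "user": "BASIS_ADM", "src_ip": "10.1.2.9"},
    {"ts": "2026-05-16T23:00:00", "msg_id": "AUB", "user": "SEC_ADMIN", "src_ip": "10.1.2.9"},
    {"ts": "2026-05-19T14:30:00", "msg_id": "AUB", "user": "SEC_ADMIN", "src_ip": "10.1.2.9"},
]

def alerts(events):
    return [(e["ts"], e["user"], rule) for e in events for rule in evaluate(e)]
```

Calling `alerts(SAMPLE_EVENTS)` yields one alert per rule; the in-network failed logon and the in-window authorization change produce none.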

Audit defensible trail posture

The audit defensible trail posture has five components. First, the SAL filter as standing configuration in every system. Second, the table logging list maintained in tandem with data classification. Third, the retention policy at 12 to 24 months for the SAL and 7 to 10 years for change documents. Fourth, the SIEM integration with a documented data flow and a forwarding service level objective. Fifth, the annual review of filter, retention, and detection rules by a control function separate from basis operations. The five components together support the external auditor opinion, the SoX testing program, the cybersecurity monitoring program, and the data subject rights operating procedure.

The implementation detail is in our GRC implementation analysis, the GDPR compliance analysis, the user access review process, and the security audit pillar. The SoX compliance expertise documents the full senior advisor methodology.

Key takeaway

Audit trail posture that supports SoX, security monitoring, and privacy

SAPAudits Research
Senior practitioners, SAP audit trail and logging

The SAPAudits research team includes senior advisors with combined experience supporting more than 500 enterprise SAP engagements. We do not hold any commercial relationship with SAP.
