Go to ST03N > Expand Detailed Analysis > Select Business transaction analysis --> Give the user name in the User field and run the report for the day on which you want this report and double click on the report entries and in the details you can find the teminal ID in the "Task and memory information". OS01. It is very important to know which are the Transaction Codes that are replaced with new Transaction Codes. Jun 30, 2015 at 07:34 PM. list_index_invalid = 2. Step By Step Guide. Choose the relevant Options. Number of filters to allow for the security audit log. Always make sure that the Web Dispatcher Administrative Functions are not accessible from networks. Please refer SAP Notes: 2191612 - FAQ | Use of. FCHT Audit Trail - SM20 and AUT10. Internal ID ( This id stands for , if user opens the multiple session in same login) 4. Transaction codes SM20 or RSAU_READ_LOG can be used to view the audit log results. Take a look into transaction RZ20 (the CCMS alerts) where you can centrally monitor such stuff and define threadholds and reaction methods. Per default, the system suggests a name for all technical users required. This parameter specifies which methods are used to search for SAP-specific parameters in the HTTP request. Click to access the full version on SAP for Me (Login required). Go to transaction SM20. 次回はSAPのユーザ. Read more. Consolidated log report, EAM, SPM, Firefighter, Transaction log, Session log, Change log, Audit log, OS Command Log, SM20, SM49, CDPOS, CDHDR, STAD,. 0. For more info on this, kindly refer the following notes and simplification list for SAP S/4 HANA 1610 Initial Shipment stack. 0 or later, select STAD – use SWNC_COLLECTOR_GET_AGGREGATES; Follow the directions from SailPoint Support to determine which SAP Security Audit Log option to select: Use RSAU_READ_LOG . In the Selection, Audit classes, and Events to select sections of the Security Audit Log: Local Analysis screen, provide your information to filter the audit information. The Security Audit Log - SAP Online Help Enhancement. RSS Feed. This system account is used to run the background processing scheduler and to perform other system-internal operations (most of them executed as so-called AutoABAP programs). If you find out table logging is not enabled you can enable the same from SE16 -> Table name-> Change -> technical Setting . Change Log: capture from CDHDR, CDPOS. Also looking at the output of SM20 the data includes the user entering a specific transaction but not what they do within the. Audit. Parameter rsau/local/file has not been set, as. Depending on the amount of data that you collect, the risk of impacting a production process is greatly reduced. The transaction field is not set correctly for all log entries of type AU3/AU4 written by the SAP kernel. My system landscape. By I cannot see the terminal name. Instances that do not have an RFC connection can be accessed through the instance agent. In such case, the configuration is not correct. g. This event could be used in the following scenarios:. - I've checked the BDC 'Call Transaction' approach, but I've just found out that it wouldn't return the list of data to me as well (as this isn't what the BDC 'Call Transaction' is built to do). These jobs may no longer be required and may occupy a lot of space on the system. Indeed i am looking for coloring the particular cell as you mentioned above , passing values to it_excel . The Splunk and SAP partnership is focused on enabling the Intelligent Enterprise, by bringing new integrations and solutions for our joint customers to be successful in the experience economy. Regards. For security administrators that need to extract SAP audit logs continuously for upload into a third-party analytical system like SIEM or Splunk. SUIM --> User Information System --> User --> By Logon Date and Password Change. Style: ZMOBSAPUI5. From the initial screen, go to System Log -> Choose -> All remote system logs. Every Java instance has a common shared memory area where server processes and the ICM store all their monitoring information (sessions. Choose Execute. Report /IWFND/R_METERING_DELETE can be used to delete old metering information from Gateway tables. It have the following hosts and instances: Host A: ASCS01. The field SSFCOMPOP-TDIEXIT will Immediately exit after printing/faxing from the print preview, the user has no chance to close the print preview window after clicking the print button. SAP Security Audit can track not only user activity but also program activity. SM20 is a transaction code used for Analysis of Security Audit Log in SAP. Does anyone know which tables are used to log the audit information. I am unable to do so in 46C environment. Normally only customizing tables should have the logging flag. Per default, the system suggests a name for all technical users required. You can read the log using the transaction SM20. This is a preview of a SAP Knowledge Base Article. Product. Audit has requested that a monthly review be put in place. The report runs perfectly in foreground now. Add a Comment. We have enabled the audit parameters (and restarted) but are unable to view the audit log in sm20. SM20 でも同じ問題が発生することがあります。. This way, allocated memory will be released after leaving the transaction. The Security Audit Log is a standard SAP tool and is used to record security-relevant information with which you can track and log a series of events. When i tried to run an SM20 report to list the actions I did but I get an empty result. Regards, Deborah. About Press Copyright Contact us Creators Advertise Developers Terms Privacy Policy & Safety How YouTube works Test new features Press Copyright Contact us Creators. You can use this special filter value ‘SAP#*’ in transaction SM20, report. Dear all, How to check terminal name and tcode used by specific user in sap previous month. I have run t-code SM20 and AUT10 for the same purpose but it is showing no data available for the transaction code. Our audit log report is not populating with data and I'm trying to determine if that's ok or if there's a configuration issue. Run this report. I have try SLG2 with option delete before expiration date but nothing list as in SM20. Here the main SAP SM* Tcodes used for User, System Administration. Everyone will move to SAP S/4HANA someday. Basis - Syntax, Compiler, Runtime. I am turning on my SAP security audit log. This is a preview of a SAP Knowledge Base Article. Based on keywords in the short dump SAP will look for known solution correction notes. First you need to activate the SAP audit. Analysis and Recommended Settings of the Security Audit. Via fully auditable workflows in the ‘Access Request Service’ of SAP Cloud Identity Access Governance, users in SAP S/4HANA Cloud for advanced financial closing can initiate self-service access requests for user. The right side offers the section criteria for the evaluation process. You can delete logs in dialog ( Program Execute ) or in the background ( Program Execute in Background ). 1. In addition to an invoked transaction, these events contain information from what a report the call was. Audit log SM20 Not Activate After Reset. Click to access the full version on SAP for Me (Login required). Goto st03n and check the transaction profile for Jan month and by double clicking on transaction code you will get expected result. We also changed the SID. In transaction SCC4, you have selected the option "Changes w/o automatic recording, no transports allowed" When you edit a repository object in the client, you are still prompted to record the changes in a Transport RequestThe archiving of IDocs leads to a dump with the message TSV_TNEW_PAGE_ALLOC_FAILED. 0 (audit log is not activated)Enhancement. a) File names. Alert Moderator. You now have the option to filter message. You can delete old logs with the transaction SM18. press execute. 2 ; SAP NetWeaver 7. Pay Scale Tables. One of the problems of this SmartConnector is that the connector is reading the SAL Logfile which is missing message texts. user lock, SM19, SM20, RFC, JCO, Security Audit Log, analyze user lock, . g. Click more to access the full version on SAP. SAP Knowledge Base Article - Preview. In this regard I used SM20 transaction code and calculate time using Logon Successful time and User Log off time data. The first server in the list is typically the host to which you are. In the User Information System (transaction SUIM), choose Change Documents For Profiles . One Audit File per Day. The Security Audit Log is a tool designed to be used by the auditors to monitor the activities in the SAP System. s SM35 is a transaction code in SAP Basis UI Services. then, need to restart of SAAP system after that you can see the logs with Tx SCC4 -> Utilities -> Change Logs. Option c) is not valid – and can give you headaches. Loaded 0%. Number of filters to allow for the security audit log. In the case of a timeout-triggered logoff, no security audit log events are generated. 2546993-Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20) Symptom You want to know more about recommended settings of the security audit log. 3 ; SAP NetWeaver 7. It depends on the retention period which is set for these tcodes I am afraid wthr 1 year old data can be pulled out using these monitoring tcodes. But if the password lock happens within minutes, then STAD will be faster -> select the user -> you will see a step recorded in program SAPMSYST -> double-click it -> click on the hotspot "RFC" at the top and there you can see the connection details and the host names from the caller. Client - This field is mandatory and is used to filter on a specific client of the SAP system that is noted within the security audit log. This is a preview of a SAP Knowledge Base Article. For Web-based logon procedures as in our case, the selection can be restricted to report SAPMHTTP (this selection screen is dependent on NetWeaver. Dear All, I want to activate security audit logs on my production and development servers. 44. Where as able to get other information except that particular user. The SAP System logs is the all system errors, warnings, user locks due to failed log on attempts from known users, and process messages in the system log. View some details about SM20 tcode in SAP. So no security audit log is generated in SAP. This is the respective entry recorded in SM21. SM20: Security Audit Logs Analysis. You need to set the parameter rec/client = ALL in the DEFAULT profile. ST03 (n) /STAD will fetch you the user activities. None. SM20 Security Audit Log errors for User SAPSYS for RFC/CPIC Logon. We will set out the approach to adopt for 5 critical SoD conflicts you should prevent in your company. These can be helpful when analyzing issues. The Security Audit Log is a tool designed to be used by the auditors to monitor the activities in the SAP System. Use the SAP Tcode SM19 for Security Audit Configuration. RFC Callback Whitelist. SAP ERP Central Component all versions ; SAP ERP all versions ; SAP S/4HANA Cloud all versions ; SAP S/4HANA all versions ; SAP enhancement package for SAP ERP all versions ; SAP enhancement package for SAP ERP, version for SAP HANA all versions Keywords. - Profile/Filter: 2 Selection by profile AUDIT/filter 002. The parameter rsau/max_diskspace/local is for specifying the maximum size for the file. search for the msgid in the SAP service marketplace. Currently, the shipment reason maintained is ‘Complete Delevery Bl’. 1, version for SAP NetWeaver ; SAP Business Planning and Consolidation 11. (Transaction SM20). Able to identify transaction used in st03 for that user. Select this option to allow only a single security audit file for the application server and enable the Maximum Size of Audit File parameter. This site uses cookies and related technologies, as described in our privacy statement, for purposes that may include site operation, analytics, enhanced user experience, or advertising. Regards, sudheer. Blank Security Audit Log in SM20. SAP offer Blockchain-as-a-Service options for chains like these and have some excellent documentation on the use-cases. 次回はSAPの. Rakesh. You can add the profile parameters about SNC to the header of the list. Uday Kiran. In transaction SM21 System Logging you can use RFC to read logs created locally in all the instances of the SAP system. Step 3 : Analyze the Security Audit log via transaction SM20. It is very important for SAP Consultant to know which are the Transaction Codes that are. Transparent Table. I understand best practice says to lock. Log file rotation and retention in ICM and WebDispatcher. More Information. Info: For Mobile Responsive Design. Secondly with the help of SAP All Profile a user can perform all as SAP all it. 1. Right now i didn't enabled the rec/client in my system. Audit Logging - SM19 and SM20 As we know it is being used in the SAP BC-SEC (Security in Basis) component which is coming under BC module (BASIS) . Because SAP Consulters always need more and more privileges. 2 SP8 Patch 4 and above; SAP BusinessObjects Business Intelligence Platform 4. . Terminates all separate sessions and logs off (corresponds to System - Logoff. log Records of Table Changes. HI, Anil , you did not mention for activat the Audit Parameters which is required , it might be the issue , because the audit log will stop if you did not activate it from parameter after performing Application restart. There is a possibility of monitoring program behavior through the SAP Security Audit (SM20). You can use the Session Manager to generate company-specific menus and create user-specific menus. Solution: A) Temporary (Trace will be turn off after server restart) 1) Execute "SM19". 3) All the detail activities of the particular login will be shown. when using /n<TCODE> or /o<TCODE> in the OK code field. At Operating System level, it is desired to read logs from the Security Audit logs (SM20 or RSAU_READ_LOGS). "For an improved user interface, use the transaction SM20N . Security Audit Log (transaction SM19 and SM20) is used for reporting and audit purposes. List of SAP SM* Transaction Codes. Can SM20 security logs be activated only for specific id's. RSS Feed. This site uses cookies and related technologies, as described in our privacy statement, for purposes that may include site operation, analytics, enhanced user experience, or advertising. GRC - SAP Audit Management (GRC-AUD) According to DIN EN ISO 9000, this is a systematic, independent, and documented process used to obtain audit results and to evaluate these results objectively in order to determine to what extent the criteria of audit have been fulfilled. Go to transaction SM19 or RSAU_CONFIG (for SAP Netweaver 750 or higher), and there we have 2 options “Static configuration” and “Dynamic Configuration”. Go to Transaction Code ST05 and activate Trace for your SAP User Id. The events to be logged are defined in the Security Audit Log’s configuration. Enable SAP message server logging. 5 ; SAP enhancement package 1 for SAP NetWeaver 7. Use SM20 -. Hint: Using sap note 1970644 you can get report RSAU_INFO_SYAG,. 1. Here’s an example without IP addresses and without terminal names: Limitation: the report shows current sessions only. You can use transaction RSAU_CONFIG_SHOW to get an overview of the audit log settings. Forward your SAP NetWeaver Audit Log to a Splunk Indexer (no need for any third party adapters, add-ons and tools). In transaction SM21 System Logging you can use RFC to read logs created locally in all the instances of the SAP system. However, this has many limitations. . A tool that contains a log of security-related system events such as configuration changes or unsuccessful logon attempts. These can be helpful when analyzing issues. As of Release 4. It is not clear how information in fields Execution Count and Last Executed On is calculated. To delete logs in the background, choose the Delete Immediately option. SAP GUI, plugin, firefighter, rfc, audit, RFC/CPIC Logon successful, ABAP4_LEAVE_TO_TRANSACTION, ff session, logoff, ffid, plug-in , KBA , GRC-SAC. Otherwise you can find the values using the SAP Fiori App Reference Library – you have to lookup the values in the target mapping of the section configuration at the implementation information for you desired app. Click more to access the full version on SAP for Me (Login required). Search for additional results. Following screen will appear –. You now have the option to filter message. This KBA aims to provide a manner of monitoring which ICF services are active/inactive and how to keep track of changes to the service state. RSS Feed. New checks. /nex. RSS Feed. Create a new class: ZCL_ITS_GEN_SAPUI5_MOBILE. 51 for SAP S/4HANA 1610 ; SAP enhancement. You also observed that once you log on system AG3 via SAP gui,Hi Experts, I was just wondering if there's any table or way to check the activation/deactivation dates of services under TX SICF? Hoping you have any inputs. This is a preview of a SAP Knowledge Base Article. When attempting to read security audit logs from SM20, the following popup notification appears. after change the. all SAL files generated in the past 6 months), and the system ends up without available memory to. I understand best practice says to lock DDIC but because it is used for so many automated jobs the Basis group has not had the time to evaluate and simply pulling the plug could have downstream implications that. I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20). i have one requirement I need to Get the Entries from the Function module. This TCODE could be used along with ST01 to. You now have the option to filter message. The solution is simple: use a) or b). The Security Audit Log is a tool designed to be used by the auditors to monitor the activities in the SAP System. empty_list = 1. - Current DB size is about 90GB with about. To create the change audit report Go to Action Search –> Change audit report. export, excel, spreadsheet, local file, text with tabs, sichern, lokale Datei. Could you guide me. This log is a tool designed for auditors who need to take a detailed look at what occurs in the AS ABAP system. 2 Answers. EXCEPTIONS. XI7 , KBA , BC-CCM-MON-SLG , SAP System Log , How To . The following services should be logged and, ideally, proactively monitored for suspicious activity: Ensure SAP Gateway logging is configured. << Moderator message - Everyone's problem is important. For example the "Transaction Code" column shows entries S000 or SESSION_MANAGER. By activating the audit log, you keep a. Run this report regularly and as soon. Transaction code SM 20. This is a preview of a SAP Knowledge Base Article. GRC provides six reports specifically for EAM, e. Batch input sessions enable the user to schedule jobs at regular intervals and store the data that is entered in the batch job. Visit SAP Support Portal's SAP Notes and KBA Search. We can use the above concept to get any table behind a Transaction Code. Select “Manually Re-Pack Handling Unit Item”. When attempting to list the files in SM20, we receive the message: "No audit files found on server". Please show me that how can i find that which IP address accessed my sap server? I know the user ID but the same is using by 4 persons. This is a preview of a SAP Knowledge Base Article. 言語 JA (日本語) でログオンした際に、以下のように SM19 において一部のメッセージテキストが表示されません。. Transaction SE38 and provide the program name RSSTAT26 as in screen. Run SM20 in background with variant. By activating the audit log, you keep a. Security Audit Log, SM18, SM19, SM20, RSAU_CONFIG, RSAU_READ_LOG, RSAU_READ_ARC, RSAU_ADMIN, SAL , KBA , BC-SEC-SAL , Security Audit Log , How To About this page This is a preview of a SAP Knowledge Base Article. 1. 5) Occasionally you will use SM18 to free up space of old logs by either deleting them or archiving them to tape. Now suppose the requirement is to get the Table that stores the Field of all Standard Tables. By activating the audit log, you keep a record of those activities which can be accessed using transaction SM20 transactions. By activating the audit log, you keep a. Click in setting icon from there u can get the program name field . There is a difference between the function modules listed by the UCON (transaction UCONCOCKPIT) and by the Security Audit Log (transaction SM20 or SM20N). I want to make a report to calculate total SAP Used (logon) hours for a specified period (week/year/month) for User (s). I need to supply SM20 report of a particular user and trying to schedule it as a batch job. Please provide a distinct answer and use the comment option for clarifying purposes. An audit is modeled in SAP Audit Management as a named auditing. In the "transforms. delete, remove, archive, reorganize Security Audit Log file. After a few months , we restarted the system and the slots which we add later changed to inactive . SAP systems maintain their audit logs on a daily basis. Logging and Monitoring. SAP DDIC Weird Activity. It also provides a cleaner UI when filtering on multiple values. If the configuration is not active or has an unclean state, there is a risk in the form of security breaches due to. Hi. The ability to filter a dashboard via a text search, frees users from having to enter or know explicit values when searching. Alternatively, choose List Print Preview . Then use SM20 for all the SAP user history including: Login; Reports he ran; Password Change; Lock and Unlocked User; Authorization Change. --- Jose Garcia via sap-r3-basis wrote: > > All, >SAP Transaction Codes. Transactions STAD, SM19, SM20 SAP security audit log setup 1. Analysis and Auto-Reaction Methods. Has anyone able to achieve something like this? I need to supply SM20 report of a particular user and trying to schedule it as a batch job. OSS Note – 2227963, 2270355, 2029012. Audit Trail Transaction Codes in SAP (62 TCodes) Login; Become a Premium Member; SAP TCodes; SAP Tables; SAP Table Fields; SAP Glossary Search; SAP FMs; SAP ABAP Reports; SAP BW Datasources;. e. Specify Selection Conditions. User logon information, identity theft attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. The log of the local instance for a maximun of the last two hours is displayed by default. For getting the Entries i would like to Execute the above function module. 6C to ECC6. SM20: Analysis of Security audit Log Basis - Security: 17 : SM19: Security audit Configuration Basis - Security: 18 : AUT01: Configuration of. I have a question on how to define the maximum number of the log to be kept in SAP? is there a parameter to define in RZ10? because currently the log generated by SM19 been deleted after 3 months and I checked the total size are less than 100MB, while the current system is being setup to maximum 200MB. Go to SM20. Hi All, I am trying to understand RSAU_READ_LOG report. When you use the ABAP statement “CALL FUNCTION <func> DESTINATION <DEST>” to call a synchronous RFC, you can, when executing the remote function. 4 SPS 18, which includes SAP_UI 751 SP 5 with SAP UI5 version 1. SM21 as per sap docs is the system logs that logs all the system errors, warnings, user locks due to failed logon attempts from known users etc. SAP Web Dispatcher configuration. According to DIN EN ISO 9000, this is a systematic, independent, and documented process used to obtain audit results and to evaluate these results objectively in order to determine to what extent the criteria of audit have been fulfilled. Tcode for Analysis of Security Audit Log. Failed transations,users running the critical reports. 31 system. The advantage of this method is that you can once specify. WhatSAP Community Thu, 12 Jan 2023 13:47:36 +0000 hourly 1We would like to show you a description here but the site won’t allow us. General selection conditions. Transaction SM20 is. SM21 is very easy to use, just specify the criteria: Suppose I changed the content of LV to 123. Basically I'm tracking transaction use remotely, and am looking to extract the. 10 characters required. Hi, Use sm35 for batch or sm36 for background jobs. rsau/selection_slots. Find SAP product documentation, Learning Journeys, and more. The host name is in there. SAP provides standard transaction STAD for this, but it is restricted for only one day. 3148 Views. Goto. T. One such TCode is SM20, which provides access to Analysis of Security Audit Log SAP screen functionality within R/3 SAP (Or S/4HANA) systems, depending on your version and release level. Probably you might know SAP note 495911, which tells about SM20 and SM50 logon traces, but sometimes the SM50 settings are not correctly used, making. 1 - Firefighter Session Details Audit Log Report. SAP BusinessObjects Business Intelligence Platform 4. You need to set the parameter rec/client = ALL in the DEFAULT profile. Now, we have a requirement to automate this activity and generate the Audit report. How to enable Security Audit Logging on all SAP transactional systems (SM19/20). Maintain the profile parameter “gw/logging” with appropriate logging activated in transaction SMGW; more information is available in SAP note 910919. 0 EHP5 with 2 physical servers: APP and DB. communication_failure = 3 MESSAGE last_rfc_mess. The parameter DIR_AUDIT in the current value fulfill your directory. You can use SAP’s SM20 transaction to analyze the raw logs. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. 85) / SAP S/4 HANA Cloud 2108 are required. Thanks and Regards, SriThe process of collecting and displaying data and metrics from the SAP system and its components (for example, dialog instance, central instance, database instance), the virtualization layer, and the physical system. is then implemented within SM20 program and export the output table to my report for further manipulation. IP address or host name. Visit SAP Support Portal's SAP Notes and KBA Search. For the message you cite, the user or an administrator has cancelled one of the sessions for user KRUDD. A restart of the instance is required to activate the profile parameter. Also check that a variant has not been set or changed. In the last part, we will explain how to custom tracking the SAP login action. SM20 Audit Log displays "No data was found on the server". New navigation features in ABAP Platform 2108 (AS ABAP 7. I know that the SAL is also stored on the OS. These actions are always audited and recorded. rsau/user_selection. Sm20 Audit Log Tabl Database Tables in SAP (30 Tables)In our SM20 security audit log, we are getting the following error every 5 minutes. 2. The report runs perfectly in foreground now. You can then access this information for evaluation in. Ergo: If I just add the. I have used SM19 to enable auditing on my SAP system, and when I logon using SNC or via HTTP I can see in audit file (using sm20) that the SAP user and client is shown, but there is no mention of the SNC name or HTTP logon method used to authenticate the SAP user. As of Release 4. In this regard I used SM20 transaction code and calculate time using Logon Successful time and User Log off time data. Does anyone know which tables are used to log the audit information. The left side displays the host servers of the AS ABAP. 3 ; SAP enhancement package 2 for SAP NetWeaver 7. Table maintenance is for creating, adding data to an existing table. One Audit File per Day. The. SAP System Logging (SM21) We use cookies and similar technologies to give you a better experience, improve performance, analyze traffic, and to personalize content. Visit SAP Support Portal's SAP Notes and KBA Search. Is it possible to enable Security Audit loging for a specific set of transactions or if all transactions need to be logged? Activate the user/users you want to monitor in SM19. The SM20 event is used in SAP to view the security audit log. To see other options, click “v” button. 2. GRC - SAP Audit Management (GRC-AUD) According to DIN EN ISO 9000, this is a systematic, independent, and documented process used to obtain audit results and to evaluate these results objectively in order to determine to what extent the criteria of audit have been fulfilled. One such TCode is SM20, which provides access to Analysis of Security Audit Log SAP screen functionality within R/3 SAP (Or S/4HANA) systems, depending on your version and release level. Consolidated Log report. With the old version of Kernel, all the details of RFC failures will not be logged in SM20. SM20, SAPMSSYC Logon successful (type=E, method=A ), Security Audit Log , KBA , BC-ABA. it is for adding multiple records at a time in the table. The layout and content structure defined via spaces and pages can be reused for different user roles, while the tiles/apps which are actually shown on the on a page depend on the catalog. Is there a way to lock all users. SAMT: Information and Results for ABAP/4 Mass Tests. please explain the usage of transaction codes SM18, SM19, SM20 in SAP, for audit. Select servers to include in the analysis. SM20 cannot show clearly if a users has performed PO related. A selection groups a range of consolidation master data, typically the financial statement (FS) items, by using various filter criteria. When Fiori is exposed to outside world, web dispatchers should be used to load balance the HTTPS Traffic instead of Instance message server. I see the terminal. RSS Feed. We have set up the Security Audit Log via SM20 for our Production system. First, you need to setup a splunk user id on the SAP servers that can read the log files, so typically it should be in group sapsys. If yes, please let us know how ? 2. For example, the retention amount is released to the vendor when certain expectations are met or on a specified date that your vendor has agreed upon. Thanks.