Srini P,July 6, 2026 57
FREE – Anyone can read

5 SAP Notes Every Security Consultant Should Explore on SAL

The Security Audit Log (SAL) is one of the few SAP controls that auditors, SOC teams, and forensic investigators all rely on at the same time. Yet it remains one of the most misconfigured components in SAP landscapes. Filters are set once during go-live and rarely revisited. Retention decisions are made by Basis teams without security input. Read access is granted broadly, with little thought given to the fact that the log itself contains personal data.

The five SAP Notes below cover the lifecycle of SAL end to end · from initial configuration through archiving, privacy-compliant review, and gap analysis. A security consultant who has not read all five is working from an incomplete picture.

2191612 · FAQ - Use of Security Audit Log as of NetWeaver 7.50

This is the anchor note for any system on SAP_BASIS 7.50 or higher. It documents the transaction shift away from the legacy SM19/SM20 pair toward RSAU_CONFIG, RSAU_CONFIG_SHOW, RSAU_READ_LOG, and RSAU_ADMIN, and it explains the usage scenarios behind that redesign: local file-based auditing, database-based auditing for SIEM integration, and the hybrid model that writes to both destinations.

Two details matter most for a security review. First, the filter ceiling changed release over release · 10 slots on older kernels, 15 as of SAP_BASIS 7.40 SP08, and 90 as of SAP_BASIS 7.50 SP02. A landscape still configured for 10 or 15 filters after an upgrade is very likely under-logging, not because anyone decided to under-log, but because nobody revisited the ceiling once headroom became available. Second, the note describes the integrity protection format, which allows an HMAC-based tamper check on file-based logs. Once switched on, audit files can no longer be opened by third-party tools at the file-system level, which has downstream implications for any SIEM or log-forwarding integration that was built assuming raw file access.

For engagements running versions below 7.50, the equivalent reference is the older FAQ note 539404. Both should be checked against the actual SAP_BASIS release before any recommendation is written into a report.

3094328 · RSAU_ARCHIVE_RELOAD - Reloading Archives of Security Audit Log

Archiving strategy for SAL is a genuine design decision, not an afterthought. Database-resident logs give SIEM tools fast query performance but grow the RSAU_LOG table quickly, particularly on HANA where table growth carries a direct cost implication. The standard pattern is to keep recent activity in the database for real-time correlation and move history to archive files for cheaper, longer-term retention.

This note governs the reverse operation: pulling archived data back into the live table when an investigation needs to query historical events using RSAU_READ_LOG rather than the more limited RSAU_ARCHIVE_READ interface. SAP is explicit that this program should be handled with care, since reloading can produce inconsistencies if run against a table that has changed structure or partitioning since the archive was written. For a consultant supporting forensic or e-discovery requests, this is the note to check before promising a client that “we can pull anything from three years ago in a few minutes.” The honest answer usually involves a reload step, a time window, and a caveat.

2883981 · RSAU_READ* - Anonymized Display of Security Audit Log Data

This note sits at the intersection of security and data protection, which is exactly where it belongs. It introduces the pseudonymized view of SAL data, made available through RSAU_READ_LOG_ADM (and SM20_ADM on the older transaction naming), where user IDs and terminal identifiers are replaced with generated hash values rather than shown in clear text.

The relevance for GDPR- and DPDPA-aligned engagements is direct. The Security Audit Log records who did what and from where, which makes it personal data under most privacy frameworks the moment a natural person can be identified from it. A blanket “everyone with SAL access sees full user and terminal detail” design is difficult to defend in a privacy impact assessment. This note gives security teams a supportable middle ground: broad analytical access to event patterns through the pseudonymized transaction, with re-identification reserved for a narrower group under a documented process. Any SoD matrix or access model built for SAL review roles should reference this distinction explicitly, not leave it implicit.

3026042 · Missing Overview of Settings for Security Audit Log

Configuration drift is the single most common finding in SAL reviews, and this note addresses the tooling gap that allows drift to go unnoticed. RSAU_CONFIG_SHOW is meant to give administrators and auditors a consolidated view of what is actually active across application servers, as distinct from what the static profile says should be active. When that overview is incomplete or fails to reflect dynamic changes made outside the static profile, filters can appear active in documentation while being silently inactive at runtime, or vice versa.

For a consultant running a control walkthrough, this is a reminder that the audit trail supporting a SAL control test needs to include evidence from the overview transaction itself, not just a screenshot of the filter configuration screen. A profile that looks correct on paper is not evidence that the correct events were captured during the period under review.

2676384 · Best Practice Configuration of the Security Audit Log

This is SAP's own baseline for what a reasonably configured SAL should look like, and it is referenced directly inside the S/4HANA Security Guide as the primary source for audit logging configuration. It complements the FAQ notes by moving from “how the feature works” to “what SAP recommends you turn on,” covering recommended filter design for critical user activity, superuser monitoring using the SAP#* selection pattern to exclude the SAPSYS background user, and the baseline event classes that should be active by default on new installations.

Two practical points are worth calling out for client work. First, “secure by default” behavior in newer releases activates a baseline SAL configuration automatically on installation, but only where no customer-defined configuration already exists · a system migrated or copied from an older landscape will typically not benefit from this default and needs the baseline applied deliberately. Second, the note's filter guidance is the natural reference point for building a client-specific SAL design document, since it gives a defensible, SAP-sourced starting position rather than a consultant's personal preference.

Closing Perspective

None of these five notes stands alone. 2191612 sets the architectural context, 2676384 supplies the configuration baseline, 3026042 protects the integrity of the evidence that configuration produces, 2883981 governs who can see what once that evidence exists, and 3094328 determines whether historical evidence can still be retrieved when it is needed most. A SAL control that has been designed against only one or two of these notes will hold up during a routine review and fail during an actual investigation, which is precisely the scenario in which it matters most. Reviewing all five together, against the specific SAP_BASIS release in scope, should be a standard step in any SAP security or GRC engagement that touches logging, monitoring, or forensic readiness.

Frequently Asked Questions

What is SAP Note 2191612 used for?

SAP Note 2191612 is the FAQ note governing use of the Security Audit Log on SAP_BASIS 7.50 and higher. It explains the shift from SM19/SM20 to RSAU_CONFIG, RSAU_CONFIG_SHOW, RSAU_READ_LOG, and RSAU_ADMIN, and documents the local file, database, and hybrid logging scenarios along with the filter slot limits per release.

How do I reload archived Security Audit Log data back into a live system?

Archived Security Audit Log data can be reloaded into the live table using program RSAU_ARCHIVE_RELOAD, documented in SAP Note 3094328. SAP recommends handling this operation carefully, since reloading can introduce inconsistencies if the target table structure or partitioning has changed since the data was archived.

Can the SAP Security Audit Log be reviewed without exposing personal data?

Yes. SAP Note 2883981 introduces a pseudonymized view of Security Audit Log data through transaction RSAU_READ_LOG_ADM, where user IDs and terminal identifiers are replaced with generated hash values. This allows broader analytical access to event patterns while limiting re-identification to a smaller, defined group of reviewers.

What is SAP's recommended baseline configuration for the Security Audit Log?

SAP Note 2676384 provides the recommended baseline configuration for the Security Audit Log, covering filter design for critical user activity, superuser monitoring using the SAP#* selection pattern, and the event classes SAP recommends activating by default. It is referenced directly in the S/4HANA Security Guide as the primary source for audit log configuration.

Why does my Security Audit Log configuration look correct but seem to be missing events?

This usually indicates configuration drift between the static profile and the active runtime settings across application servers. SAP Note 3026042 addresses gaps in the settings overview available through RSAU_CONFIG_SHOW, which can cause filters to appear active in documentation while being inactive at runtime, or the reverse.

Which SAP Note applies if my system is on SAP_BASIS lower than 7.50?

Systems on SAP_BASIS releases prior to 7.50 SP03 should reference SAP Note 539404 rather than 2191612, which applies to 7.50 and higher. Note 2676384 for best practice configuration and 2883981 for pseudonymized review apply across both generations of the transaction set.

Srini P

SAP GRC Team Lead

Srini P is an experienced SAP Security & GRC Advisor and independent consultant with extensive expertise in designing, implementing, and optimizing SAP Security and Governance, Risk, and Compliance (GRC) solutions. He has helped organizations strengthen access governance, regulatory compliance, and security controls across complex SAP landscapes. With a practical, business-focused approach, Srini specializes in SAP authorization design, Segregation of Duties (SoD), user access governance, and security assessments. As a trusted advisor, he works closely with clients to deliver scalable, compliant, and risk-aware SAP security strategies that align with business objectives.

5 SAP Notes Every Security Consultant Should Explore on SAL | SAP Security Expert