A more detailed analysis on the audit log format
==================
First, take three records as examples:
````
2AU120161009194142000203600005D5ThinkPadZJU SESSION_MANAGER SAPMSYST 1001A&0&P ThinkPad
2AUW20161009203525000203600005D5T430s TOMMY SE38 RSABAPPROGRAM 1003RSABAPPROGRAM& T430s
2DU920161009183657000511600002D2Adam-W54ALI SE16 SAPLSETB 1001USR02&02&passed Adam-W540
````
1. Each record has 200 characters
1. [1-1] -- Seems to always be "2"
1. [2-4] -- Type of activity. For example, AU1 means login activities, AUW means start a report, AU3 means start a transaction
1. [5-12] -- YYYYMMDD. For example, 20161009 means year 2016, month 10, day 09
1. [13-18] -- HHMMSS. For example, 203525 means 20:35:25
1. [19-25] -- OS process number. For example, 0005116 means the OS process is 5116, which can be seen in SM50 as well
1. [26-28] -- Seems to always be "000"; I think it's reserved.
1. [29-30] -- Work process number, which can be seen in SM50
1. [31-31] -- Type of work process. For example, D for DIA, B for BTC
1. [32-32] -- Work process number (again?). There is a trick: 1~9, then a-b-c, meaning 10-11-12. I think this was a design limitation from SAP. In early versions of SAP, they may have thought servers would not have more than 36 work processes. Later, when they realized that some servers have 50+ work processes and this 1 character cannot fulfill the requirement, they had to use [29-30] to replace [32]
1. [33-40] -- Terminal name. However, it can be truncated, so these 8 characters seem to be useless
1. [41-52] -- SAP User ID. This is extremely important
1. [53-72] -- Tcode
1. [73-112] -- Program name
1. [113-115] -- SAP Client number, such as 100
1. [116-116] -- Value "1", "2", or "3". Not sure what this is, but it seems to show how many times the tcodes or programs have been used
1. [117-180] -- Login result or tcode/transaction result. For example, "B&0&P" means Batch login with Password was Successful. "A&1&P" means Dialog login with Password was Failed. The "&" that comes with a tcode or transaction means "Started and that's it"
1. [181-200] -- Terminal information, such as laptop or workstation names
![57faf4185f544.jpg](serve/attachment&path=57faf4185f544.jpg)
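
The field layout above as a parser, an added example that is not part of the original page. It assumes the records are stored back to back with no separator and are already decoded to text; the field labels, the message pattern used by `login_result` and the fourth sample record are assumptions made for this example.

```python
import re
from datetime import datetime

RECORD_LEN = 200
# (label, first, last): 1-based inclusive positions from the list above.
# The labels are names chosen for this example, not SAP's.
FIELDS = [
    ("version", 1, 1), ("event", 2, 4), ("date", 5, 12), ("time", 13, 18),
    ("os_pid", 19, 25), ("reserved", 26, 28), ("wp_no", 29, 30),
    ("wp_type", 31, 31), ("wp_no_short", 32, 32), ("terminal_short", 33, 40),
    ("user", 41, 52), ("tcode", 53, 72), ("program", 73, 112),
    ("client", 113, 115), ("counter", 116, 116), ("message", 117, 180),
    ("terminal", 181, 200),
]
# Assumed message shape, generalised from the "B&0&P" / "A&1&P" examples.
LOGIN_MSG = re.compile(r"^([A-Z])&([01])&([A-Z])$")

def parse_record(rec):
    """Slice one 200-character record into a dict of stripped fields."""
    if len(rec) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} characters, got {len(rec)}")
    out = {name: rec[first - 1:last].strip() for name, first, last in FIELDS}
    out["timestamp"] = datetime.strptime(out["date"] + out["time"], "%Y%m%d%H%M%S")
    out["os_pid"] = int(out["os_pid"])
    # Position 32 counts 1-9, then a, b, c for 10, 11, 12: base 36.
    out["wp_no_short"] = int(out["wp_no_short"], 36)
    return out

def parse_log(text):
    """Split a log into 200-character records and parse each one."""
    if len(text) % RECORD_LEN:
        raise ValueError("truncated log: length is not a multiple of 200")
    return [parse_record(text[i:i + RECORD_LEN]) for i in range(0, len(text), RECORD_LEN)]

def login_result(rec):
    """'success' or 'failed' for login-style messages, None for anything else."""
    m = LOGIN_MSG.match(rec["message"])
    return None if m is None else ("failed" if m.group(2) == "1" else "success")

def build_record(row):
    """Constructed-sample helper: pad whitespace-split values to the field widths."""
    return "".join(v.ljust(last - first + 1) for v, (_, first, last) in zip(row.split(), FIELDS))

# Constructed sample: the page's three records re-padded to 200 characters,
# plus one made-up failed dialog login (its user, terminal and PID are invented).
SAMPLE_LOG = "".join(build_record(r) for r in [
    "2 AU1 20161009 194142 0002036 000 05 D 5 ThinkPad ZJU SESSION_MANAGER SAPMSYST 100 1 A&0&P ThinkPad",
    "2 AUW 20161009 203525 0002036 000 05 D 5 T430s TOMMY SE38 RSABAPPROGRAM 100 3 RSABAPPROGRAM& T430s",
    "2 DU9 20161009 183657 0005116 000 02 D 2 Adam-W54 ALI SE16 SAPLSETB 100 1 USR02&02&passed Adam-W540",
    "2 AU1 20161009 210000 0007001 000 12 D c LABPC01 TESTUSER SESSION_MANAGER SAPMSYST 100 1 A&1&P LABPC01",
])
```

`parse_log(SAMPLE_LOG)` returns one dict per record; filtering on `login_result(r) == "failed"` and grouping by `user` or `terminal` gives a starting point for reviewing failed logins.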