SAP HANA Audit logs

Question

Have been exploring SAP HANA Auditing feature with Audit policies. Read tons of articles at help.sap.com, documents from sap.com/support past few days and played with policies in HANA DB. After experimenting, questions came up, that can't find the answers.

Situation: When creating policy, one in the steps, you have to set the "Audit Level", a list from values "INFO","WARNING","ALERT","CRITICAL","EMERGENCY". Created all different policies with each "Audit level", with same configurations ("Audited Action Status => "All", "Audited Actions" => all the DML actions, "DELETE","EXECUTE","INSERT","SELECT","UPDATE"). When performing the actions in DB, almost all policies logs the event (when selecting with no rights, "WARNING" doesn't pop up)

Questions:

• What are the differences between the Audit levels?
• Is one of them the "Master" level, that logs everything?
• Is there a dependency between "Audit levels" and "Audited Actions"?

Could someone provide an explanation from their experience or provide a link, where i can find answers? Thank you for your time.

P.S. Using SAP HANA 2.0 SPS04

Answer 1

The "AUDIT LEVEL" setting is purely non-functional.

You can assign the level of importance, severity, urgency or whatever you want to associate with a specific type of logged audit event.

There is no interdependence between those levels, except the order which is provided by convention:

INFO < WARNING < CRITICAL < ALERT < EMERGENCY

This order is not an official standard but something similar is rather commonly used and the eagle-eyed observer will notice the similarity to the syslog levels.

To be clear: this setting assigns the level to an audit event message after the event occurred. It does not group audit events per se into those levels, but leaves it to the administrator to decide which audit action should correspond to which level.

The idea here is that these levels are application/system-specific and that upon review of the audit-logs the messages might be filtered by the level.

Not sure why in your case an audit policy for SELECT did not write out the event when the level was configured to WARNING, though. If you can reproduce this, I'd propose to file a bug for that.