Page 1 of 13

Security Audit Log Event Definition List

Event
Event Short Text Category SAL Event Documentation
Status Weighting
AU1 Logon successful Logon Severe The user has logged onto the system.
(type=&A, <ZU>Possible Types (= Access
method=&C) types):</>
A = Dialog logon (SAP GUI)
B = Background job start
H = HTTP logon
U = User switch (internal call)
' ' = Password check (API, internal
call)
M = SMTP
P = ABAP Push Channel (APC)
E = Build of a shared object area
(internal call)
O = AutoABAP (internal call)
T = Server startup procedure (internal
call)
V = SAP start service (internal call)
J = JAVA virtual machine (internal call)
W = BGRFC watchdog (internal call)

<ZU>Possible methods
(=authentication modes):</>
P = Password
T = Logon ticket
t = Assertion ticket
X = X.509 certificate
S = SNC
R = RFC ticket
A = Authorized impersonation
(background processing)
E = External (EXTID)
U = User switch
s = HTTP security session
2 = SAML2
1 = SAML1
o = OAuth2
N = SPNego
a = APC session

If a user type or a method is not listed

05.04.2022
 Page 2 of 13

here, you might find more

information in SAP Note 320991. A
minimum kernel patch level is required
to record the method. For more
information, see SAP Note 1789518.
AU2 Logon failed Logon Critical The user could not be logged on to
(reason=&B, the system.
type=&A,
method=&C) <ZU>Possible types (= access
types):</>
A = Dialog logon (SAP GUI)
B = Background job start
F = Internal RFC
R = External RFC
I = Internal system RFC
S = External system RFC
u = Session restore
H = HTTP logon
U = User switch (internal call)
' ' = Password check (API, internal
call)
M = SMTP
P = ABAP Push Channel (APC)
E = Build of a shared object area
(internal call)
O = AutoABAP (internal call)
T = Server startup procedure (internal
call)
V = SAP start service (internal call)
J = JAVA virtual machine (internal call)
W = BGRFC watchdog (internal call)
G = ABAP resource manager (internal
call)
r = RFC using WebSockets (external)

<ZU>Possible cause:</>
0 No error - successful logon
1 Incorrect logon data (client, user
name, password)
2 User is locked (by administrator or
incorrect logon attempts)
3 As 1 (connection to terminal also
terminated)
4 Logon using emergency user SAP*
(see SAP Note 2383)
5 Error creating the user buffer (==>
may be a follow-on error)
6 User only exists in Central User
Administration (CUA)
7 Invalid user type
8 User account is outside its validity

05.04.2022
 Page 3 of 13

period
10 Logon requires Secure Network
Communication (SNC)
11 No SAP user exists in the system
with this SNC ID
12 ACL entry missing for SNC-secured
server-server connection
13 No matching SAP account found for
SNC name
14 Ambiguous assignment between
SNC name and SAP account
15 Unencrypted SAP GUI connection
(was blocked)
20 Logon with logon ticket deactivated
in general
21 Syntax error in received logon
ticket
22 Check of logon ticket digital
signature failed
23 Issuer of logon ticket is not in ACL
table
24 Validity of logon ticket has expired
25 Unintended recipient (assertion
ticket)
26 Ticket contains empty ABAP user
ID
27 Ticket does not match current user
28 Ticket logon deactivated (security
policy)
30 Logon by X.509 certificate
deactivated in general
31 Syntax error in received X.509
certificate
32 X.509 certificate not from Internet
Transaction Server
34 No matching SAP account found for
X.509 certificate
35 Ambiguous assignment between
X.509 certificate and SAP accounts
36 X.509 certificate rejected due to
minimum validity period
requirement
40 Logon using external ID
deactivated generally
41 No matching SAP account found for
external ID
42 Ambiguous assignment between
external ID and SAP accounts
50 Logon using a password
deactivated generally
51 Initial password not used for too

05.04.2022
 Page 4 of 13

long => no longer valid

52 User does not have a password =>
password logon not possible
53 Too many failed password logon
attempts
54 Production password not used for
too long => no longer valid
60 SPNego logon deactivated
61 Invalid SPNego token (syntax)
62 NTLM token received instead of
SPNego token
63 Missing/incorrect KeyTab entry
64 Expired SPNego token (time)
65 SPNego replay attack detected
66 Kerberos user name -> SNC name
failed
67 SPNego: No SNC mapping found
68 SPNego: Multiple SNC mappings
found
100 Client does not exist
101 Client is currently locked for
logons
104 System is in maintenance mode
and locked for logons

300 Internal OIDC error

301 Invalid parameter in OIDC login
function
302 OIDC authentication not
supported (kernel too old)
303 OIDC authentication not
supported (ABAP too old according to
kernel)
304 HTTPS connection mandatory for
OIDC in AS ABAP
305 Error in HTTP client handling
(AuthCode for ID token)
306 Error in OIDC log
307 OIDC provider reports error
308 Error when reading or deleting the
persisted initial HTTP request
309 Log-on category in persisted initial
HTTP request does not match
category in called redirection service
310 Error when reading the OIDC
configuration
311 Error when parsing the ID token
structure
312 Error when checking the ID token
with respect to the OIDC
configuration

05.04.2022
 Page 5 of 13

313 Error in user mapping (user not

found)
314 Error in user mapping (mapping
not unique)
315 Error in reauthentication (user
before OIDC authentication does not
match user after authentication=
316 Kernel error in session
personalization for user

999 Other error (see trace)

1002 Trusted system logon: Missing
S_RFCACL authorization

<ZU>Possible methods
(=authentication modes):</>
P = Password
T = Logon ticket
t = Assertion ticket
X = X.509 certificate
S = SNC
R = RFC ticket
A = Authorized impersonation
(background processing)
E = External (EXTID)
U = User switch
s = HTTP security session
2 = SAML2
1 = SAML1
o = OAuth2
N = SPNego
a = APC session
B = SAML bearer
r = Reentrance ticket
D = OpenId connect (with interaction)
d = OpenId connect (no interaction)

If a user type, a cause, or a method is

not listed here, you might find
more information in SAP Note 320991.
A minimum kernel patch level is
required to record the method. For
more
information, see SAP Note 1789518.
AU3 Transaction &A Transaction Non-Critical The user started the transaction
started. Start specified in the message.
AU4 Start of transaction Transaction Critical The user attempted to start the
&A failed Start transaction specified in the message.
(Reason=&B) However, starting the transaction
failed; that is, the transaction was

05.04.2022
 Page 6 of 13

not executed.
<ZU>Possible Reasons</>
0,,Cause unknown
1,,Error in call parameters when
calling the kernel function
2,,Transaction does not exist
3,,Transaktion & is locked (in
transaction SM01)
4,,Transaction is an area menu and
therefore cannot be executed
5,,Parameter transaction is an area
menu and therefore cannot be
executed
6,,User is not authorized for this
transaction
AU6 RFC/CPIC logon RFC Login Critical RFC:
failed, reason=&B, The call check of a function module in
type=&A, a function group was not
method=&C successful, that is, the user is not
allowed to call the function mo
dule.

CPIC:
A CPI-C communication partner could
not be logged on.

<ZU>Possible Types (= Access

types):</>
C = CPIC call
R = external RFC call
F = internal RFC call
S = external RFC system call (function
group SRFC)
I = internal RFC system call (function
group SRFC)

<ZU>Possible cause:</>
0 No error - successful logon
1 Incorrect logon data (client, user
name, password)
2 User is locked (by administrator or
incorrect logon attempts)
4 Logon using emergency user SAP*
(see SAP Note 2383)
5 Error creating the user buffer (==>
may be a follow-on error)
6 User only exists in Central User
Administration (CUA)
7 Invalid user type
8 User account is outside its validity
period

05.04.2022
 Page 7 of 13

10 Logon requires Secure Network

Communication (SNC)
11 No SAP user exists in the system
with this SNC ID
12 ACL entry missing for SNC-secured
server-server connection
13 No matching SAP account found for
SNC name
14 Ambiguous assignment between
SNC name and SAP account
16 unencrypted RFC connection (was
blocked)
20 Logon with logon ticket deactivated
in general
21 Syntax error in received logon
ticket
22 Check of logon ticket digital
signature failed
23 Issuer of logon ticket is not in ACL
table
24 Validity of logon ticket has expired
25 Unintended recipient (assertion
ticket)
26 Ticket contains empty ABAP user
ID
27 Ticket does not match current user
28 Ticket logon deactivated (security
policy)
30 Logon by X.509 certificate
deactivated in general
31 Syntax error in received X.509
certificate
32 X.509 certificate not from Internet
Transaction Server
34 No matching SAP account found for
X.509 certificate
35 Ambiguous assignment between
X.509 certificate and SAP accounts
40 Logon using external ID
deactivated generally
41 No matching SAP account found for
external ID
42 Ambiguous assignment between
external ID and SAP accounts
50 Logon using a password
deactivated generally
51 Initial password not used for too
long => no longer valid
52 User does not have a password =>
password logon not possible
53 Too many failed password logon

05.04.2022
 Page 8 of 13

attempts
54 Production password unused for
too long => no longer valid
100 Client does not exist
101 Client is currently locked for
logons (upgrade running)
999 Other error (see trace)
1002 Trusted system logon: Missing
S_RFCACL authorization

<ZU>Possible methods
(=authentication modes):</>
P = Password
T = Logon ticket
t = Assertion ticket
X = X.509 certificate
S = SNC
R = RFC ticket
A = Authorized impersonation
(background processing)
E = External (EXTID)
U = User switch
If a user type, a cause, or a method is
not listed here, you might find
more information in SAP Note 320991.
A minimum kernel patch level is
required to record the method. For
more information, see SAP Note
1789518.
AUO Logon failed (reason Logon Severe The user could not be logged on to
= &B, type = &A) the system.
Possible types:
A = Dialog user

Possible reasons:
13 (MULTIPLE_LOGON) Multiple logon
not allowed
AUY Download &A Bytes Other Severe Using a standard front-end service
to File &C function, data was transferred from a
SAPGUI-based front end to a local end
device.
The event is triggered when the
function modules WS_DOWNLOAD or
GUI_DOWNLOAD or the method
GUI_DOWNLOAD
(CL_GUI_FRONTEND_SERVICES) are
used in standard SAP programs and/or
customer programs.
Check the binding of the activity to
identify any unauthorized

05.04.2022
 Page 9 of 13

activities.
This event cannot be used to trace
Web-browser-based downloads.
BU1 Password check Other Critical with
failed for user &B in Monitor
client &A Alert
BUD WS: Delayed logon Logon Critical Message based authentication failed.
failed (type &B, WP
&C). Refer to Web Authentication type:
service log &A. <ZH>wsse:UsernameToken:</>
Message based authentication with
User
ID/Password
<ZH>wsse:SAMLAssertion:</>
Message based authentication with
SAML
assertion
<ZH>wsse:</> <ZH>X509v3:</>
Message based authentication with
X.509
signature

Further details are contained in the

logs of the SOAP runtime. Use the
log ID to locate the logs of the failed
call.

BUE WS: Delayed logon Logon Critical

successful (type &B,
WP &C). Refer to
Web service log &A.
BUZ > in program &A, Other Critical The contents of the specified field
line &B, event &C were changed in the ABAP Debugger.
CUK C debugging Other Critical Kernel debugging called up in the
activated system.
CUL Field content in Other Critical In ABAP Debugger, the content of the
debugger changed specified field was modified by the
by user &A(&B): &C specified user. This also modified data
(&D) in the current request and
possibly the program flow.
CUM Jump to ABAP Other Critical In the ABAP Debugger, the user set
Debugger by user the instruction pointer to another
&A(&B): &C (&D) line or statement. This changed the
program flow. During the continued
execution of the program you may
pass through parts of the program
that
would usually not have been executed,
or at least not under these

05.04.2022
 Page 10 of 13

conditions.
CUN A process was Other Critical A running process was caught
stopped from the externally by the debugger. This is
debugger by user usually
&A(&B) (&D) done using transaction SM50. In the
debugger, the caught process was
then canceled by the specified user.
CUO Explicit database Other Critical In ABAP Debugger, the specified user
operation in triggered a database operation (a
debugger by user commit or a rollback).
&A(&B): &C (&D) When a commit is triggered explicitly,
it may be the case that the data
cannot be rolled back by the
application itself.
When a rollback is triggered explicitly,
there is a risk of data loss.
CUP Non-exclusive Other Critical The system started the debugging
debugging session session of the specified user ,,in
started by user &A non-exclusive mode.
(&B) (&D) A non-exclusive debugging session
performs an implicit rollout of the
debuggee (the request controlled by
the debugger) after every debugger
action. A database commit is
associated with every rollout, which
means
that data can no longer be rolled back
(for example, when the
transaction is canceled by the user).
Debugging in non-exclusive mode
saves resources but is permitted in
development systems only and
requires change authorization for the
user
who starts the debugger.
If the maximum number of exclusive
debugging sessions is exhausted, the
system assigned a non-exclusive
debugging session (if permitted by the
system state and the current user
authorizations).
EU1 System System Critical System changeability is usually
changeability adapted using transaction SE06, to
changed (&A to &B) make
changes to Workbench objects in your
own or in an external namespace.
Releasing the changeability globally
and/or changing the changeability
of non-local application or name
ranges can result in unwanted

05.04.2022
 Page 11 of 13

changes
in the system.
Changing these attributes in the
productive system does not need to be
classified as critical.
To track the changes in detail, use the
log function in transaction
SE06.
EU2 Client setting for &A System Critical Client settings are usually changed
changed (&B) using transaction SCC4, to adapt the
role of the client in accordance with
the use requirements.
Changes to client settings of
productive systems should be treated
as
critical and have a significant effect on
how revision suitability is
evaluated. In this event, the changed
client and the fields of the new
table entry that are relevant to
revision (T000-MWAER, T000-
CCCATEGORY,
T000-CCCORACTIV, T000-
CCNOCLIIND, T000-CCCOPYLOCK,
T000-CCNOCASCAD,
T000-CCIMAILDIS, and T000-LOGSYS)
are documented in technical form.
To track the changes in detail, use the
log function in transaction
SCC4.
EUQ Analysis program Report Start Severe The user executed the program
&A &B was started specified in the event in simulation
in simulation mode mode.
This program is generally used to
analyze data inconsistencies.
For more information, see SAP Note
3021889.
EUR Analysis program Report Start Critical The user executed the program
&A &B was started specified in the event in production
in production mode mode.
This program is generally used to
analyze data inconsistencies (for
example as part of SAP Product
Support).
Potentially, data on the database was
modified to correct the data
inconsistencies that were found.
For more information, see SAP Note
3021889.
EUS Other Severe

05.04.2022
 Page 12 of 13

Read access to DCT

change log (&A)
EUT DCT change log Other Severe
(&A) was
reorganized
FU3 Template &A (&B) Other Non-Critical The template indicated in the message
loaded was loaded into the system.

Details can be checked in the relevant

FIORI app for importing templates
or under the object “ATO” and the
subobject “UPLOAD_TEMPLATE” in
transaction SLG1.

FU4 Could not upload Other Severe The user attempted to load the file in
enhancement question as a template into the
template &A system. The upload was canceled due
to errors in the file content.
Details can be checked under the
object “ATO” and the subobject
“UPLOAD_TEMPLATE” in transaction
SLG1.
FU5 Access to object &A Other Severe The application "Customer Data
(&B), &C entries Browser" was called to access the data
contain &D, object <(>&<)>A (<(>&<)>B = data
authorization check object type ).
&E The browser displayed <(>&<)>C
entries, classified in accordance with
<(>&<)>D. The result of the
authorization check is in <(>&<)>D.

Note:
If there were no sufficient display
authorizations, the output of hits
is 0.
Check whether the call is permitted
and contact your authorization
administrator if you have any
questions.
FUD Successful read on Other Non-Critical Successful read on output document <
output document (>&<)>A of business object <(>&<)
&A for object &B >B
( &C ) by the action GET_DOCUMENT. The
technical key is the UUID of the output
item.
More information about the output
item can be found in the “Manage
Output Items” app. You require the
administrator application role to
launch this app.

05.04.2022
 Page 13 of 13

FUE Failed read on Other Non-Critical Failed read on output document <
output document (>&<)>A of business object <(>&<)
&A for object &B >B by
( &C ) the action GET_DOCUMENT. The
technical key is the UUID of the output
item.
More information about the output
item can be found in the “Manage
Output Items” app. You require the
administrator application role to
launch this app.

GU1 Start authority Transaction Non-Critical The event states that a frontend
check for &A ( &B ) Start application was started.
successful
This event will be collected for
statistical reasons and created from
perfomance statistic data. The event
will be collected later on and must
not be used for legal requirements!

There are no generic follow up

activities needed.

05.04.2022