Reference: Custom Checks

Please enter the active user count to be used as Warning threshold

Please enter the active user count to be used as Critical threshold

In order to find the appropriate values for this field, log into your SAP System and proceed to transaction RZ20.

If this flag is set the Avantra Agent automatically confirms the CCMS Alerts corresponding to the Monitoring Tree Element and imports them into Avantra where they can be viewed using Avantra UI.

Choose the check status Avantra is to display in case the SAP status is either unknown or invalid.

Define the name of the Monitoring Set containing the Monitor you want to integrate into Avantra.

Define the name of the Monitor in Monitor Name. Avantra includes all MTE objects attributes (i.e. the leaves of the CCMS monitor tree) of the given monitor.

If this flag is set the Avantra Agent automatically confirms the CCMS Alerts corresponding to the Monitoring Tree Elements and imports them into Avantra where they can be viewed using the Avantra UI.

Choose the check status Avantra is to display in case the SAP status is either unknown or invalid.

Define the amount of time used to calculate the I/O throughput average values. The higher the time you specify, the better occasional peaks will be “flattened”, i.e. may less frequently cause Warning or Critical check status.

Define the file systems you want this Custom Check to monitor. You may use * as file system to make a single entry for all file filesystems.If you make multiple specifications and a file system matches the same, the threshold values are merged together for each file system and the lowest of each will be the effective one.

Define the absolute path name of the file monitored this field. File name substitution is provided in case wildcard characters (like * or ?) are used.

Define the check status to be returned if the file exists.

Define the check status to be returned if the file does not exist.

Define the absolute path name of the file monitored this field. File name substitution is provided in case wildcard characters (like * or ?) are used.

Define the Warning threshold.

Define a Critical threshold.

Define the absolute path name of the file monitored this field. File name substitution is provided in case wildcard characters (like * or ?) are used.

Define a Critical threshold.

Specify the file systems to be included. Wildcards * and ? are supported.

Specify the thresholds, see as well FSUsageWarn and FSUsageWarn. For Unix, you can as well define thresholds for the inodes, see FSNodeWarn and FSNodeCrit.

Specify the thresholds for monitoring the inodes on Unix, see as well FSNodeWarn and FSNodeCrit.

Performs an HTTP HEAD request, i.e. only the header of the response will be retrieved.

Performs an HTTP GET request. Basic Authentication is supported as well

Performs an HTTP POST request. HTML Form data can be provided URL-encoded

The URL of the site you want to verify.

Set this flag if you want to interpret JavaScript eventually returned with the response.

If you need to define a proxy server in order to access the site defined in the URL field you may fill in this value.

By default Avantra Agent uses the string agent/[version] in order to identify as user agent. Some web servers may restrict access to certain browser, like the Microsoft Internet Explorer or Mozilla Firefox, or they behave differently using one of these browsers.

Choose HEAD or GET or POST.

In case you have chosen GET in the Method field you may fill in a user name and a password in this field if Basic Authentication is required by the requested URL.

In case you have chosen POST in the Method field, you have to fill in the form data in URL-encoded format.

You may define a value for the connection timeout. The default is 10 seconds. Please note: This is a timeout for the sub-process spawned to perform the connection attempt. The timeout for the HTTP request itself will always be 80% of the defined value.

If filled with a value > 1, all consecutive failed connection attempts will return a Warning check status until the threshold is exceeded. The Check turns to Critical afterwards.

You can filter the response for one or multiple strings by filling in data in this field.

If there is a value defined in the Content must contain string and the string is not found in the response, this check status is returned.

If there is a value defined in the Content must contain string and the string is found in the response, this check status is returned.

Fill in a Warning threshold for the response time.

Fill in a Critical threshold for the response time.

Fill in a Warning threshold if the check shall verify SSL certificate expiry time.

Fill in a Critical threshold if the check shall verify SSL certificate expiry time.

Select the check status to return in case a SSL certificate is invalid.

This parameter defines the component type the mapping shall be applied to.

Specify the Name Pattern for the components to be mapped. You may enter an exact name, a name with wildcards (? for single character wildcard, * for multiple character wildcard), or a regex. For a regex, you’ll have to provide '/' at the beginning and at the end of the expression. Regex mapping will always be case insensitive.

Specify a list of status names to be mapped, separated by commas. The status names correspond directly to the data retrieved from the SAP Control interface, usually the following status names are available: running, stopped, failed, starting, stopping.

Select the sub Status for the entry if the mapping matches.

Select the sub Status for the entry if the mapping doesn’t match.

This path defines the Monitor MBean you want to access. Use one of the following methods to retrieve the Monitor MBean path:

Specify the node type this check should be applied to. There are many MBeans with the same path for server and dispatcher nodes, but some MBeans exist only for server nodes and vice-versa. There are even MBeans that exist for both node types but are registered under a different path (like for example /Services/Memory Info/UsedMemory on a dispatcher node and /Services/Memory/UsedMemory on a server node).

Select the monitor type. In the Visual Administrator you can find this value in the Type field of the Monitor Configuration dialog window for the selected monitor object. Apparently there is no equivalent information in the SAP NetWeaver Administrator, so you probably have to perform educated guessing based on the information provided in the Value field.

The available options for this field depend on the value selected in Monitor Type. Choose the one of your interest. There are some special cases if the selected value in Monitor Type is Table Monitor or Configuration Monitor.

See the description of Monitor Value.

See the description of Monitor Value.

See the description of Monitor Value.

Specify a Warning threshold and the desired comparison operator.

Specify a Critical threshold and the desired comparison operator.

Choose the check status Avantra is to display in case the SAP status is either unknown or invalid.

Hostname or IP address of the JMX application server. If the agent runs on the same host you might use localhost as hostname. Please make sure, that your application server is bound to the hostname or IP address you specify here.

The TCP/IP port of the application server’s JMX remote access.

Name of the user in case required by the remote JMX access.

Password corresponding to User in case required by the remote JMX access.

Object Name of the MBean to be monitored. We recommend to copy this value from jconsole and paste it here.

The attribute to be monitored of the MBean with Object Name above. Again we recommend to paste it here.

The expression to be used calculate a value to be monitoed from the attributes or Composite Data attribute values. Supported are basic calculations (+ - / *), but no paratheses.

Specify a Warning condition and a threshold for the MBean Attribute Evaluation

Specify a Critical condition and a threshold for the MBean Attribute Evaluation

Specify the custom checks result message. If you leave this field blank, a standard message giving the result of the MBean Attribute Evaluation will be displayed.

The type of a Log Adapter.

Select your desired Log Adapter. As soon as you have selected a Log Adapter, the available Macros are loaded and the Expression Editors in various fields are initialized.

If you have selected File Adapter in Log Adapter Type you have to fill in this value, that indicates path and file name of the target log files.

See Log File Path Pattern.

This setting defines which entries of the log files are to be processed. Log entries written since last check cycle processes all log entries that have been added after the last read of the file. Log entries written in last x minutes reads all entries that have been added during the past Log Entry Timespan minutes.

Fill in the period of time the {avantra-agent} should look back while processing the log file if Log entries written in last x minutes is selected in _Log Adapter Processing>.

Define a conditional expression that indicates log entries considered as Warning.

Define a conditional expression that indicates log entries considered as Critical.

In the Warning Trigger section the value defines how many entries matching the check status to Warning.

Define a conditional expression that indicates log entries that resolve issues found using Warning Condition or Critial Condition.

You can specify the format of the check message shown in RealTime Monitoring or used in Notifications.

Define the display of a matched log entry in the check message. You may enter arbitrary text tokens in the field, and you may use all Macros available for the selected Log Adapter (using the icon) to build a meaningful description text.

Define the amount of time used to calculate the I/O throughput average values. The higher the time you specify, the better occasional peaks will be "flattened", i.e. may less frequently cause Warning or Critical check status.

Define the network interfaces you want to monitor. You may use * as network interface name to make a single entry for all network interfaces. * is a good value for an initial setup, because all network interfaces are then displayed in the check results table including description (if available) and IP address.

Fill in the host name or the IP address of the remote host.

Define a Warning threshold for packet loss.

Define a Critical threshold for packet loss.

Define a Warning threshold for the average round-trip-time.

Define a Critical threshold for the average round-trip-time.

Define a time out for the Check. The check status will be Critical if the time out is exceeded.

Define the number of ICMP packets to send per Check

Define the size of ICMP echo request packets

The type of system configuration to be verified, either Profile Parameter for parameters found in an SAP instance profile, or Java Service Property for parameters of Services and Managers found in the section Java System Properties of the SAP NetWeaver Administrator.

The name of the profile parameter, you want to verify the value of. Examples in the security area of an ABAP instance are login/no_automatic_user_sapstar or in the compliance area rec/client.

The operator used to compare the actual value against the given value. You can choose from a variety of text and numerical operators, a between operator, and regular expressions. If you use numerical operators, the given value and the actual value will be checked if they look like a number. A wide range of numerical notations are supported, integers, floating point, scientific. The between operator will evaluate to true, when the actual value is inclusively between the two given values.

The given value of the profile parameter, i.e. the value the monitoring parameter should have. This value will be compared against the actual value. The actual value is retrieved by RFC using a kernel function, so no matter if it is defined in the default or instance profile, the actual effective value will be used.

Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Select the status, in case the parameter actual value does not match the given value, either Warning or Critical.

Select the status, in case the parameter actual value does not exist, either Ok, Warning or Critical.

Select the status, in case the parameter actual value is the null value, either Ok, Warning or Critical.

Enter the name of the process you want to monitor.

If the number of running processes falls below this threshold, a Critical check status is returned.

If the number of running processes falls below this value, but does not exceed the value defined in Critical alert if number of processes is lower than a Warning check status is returned.

If the number of running processes exceeds this threshold, but is still below the value defined in Critical alert if number of processes is higher than a Warning check status is returned.

If the number of running processes exceeds this threshold, a Critical check status is returned. If the field is left blank, no Critical Check Results will be returned.

The JavaScript program providing the check data retrieval and evaluation logic. See section JavaScript based Custom Check API.

If this option is enabled, the time to run the script is appended to the check result text. This might be useful to check if the performance of a script is good.

Define the full command line call to be executed by the Avantra Agent. It is recommended to use absolute path names whenever possible.

/bin/sh "%%PROG_DIR%%/proggy.sh" -param 1 -param 2

"C:\Program Files\system32\cmd.exe" "%%PROG_DIR%%\proggy.cmd" /param 1 /param 2

Define a working directory of the executed script or program.

Define a time out for the executed script or program. The check status will be Critical if the time out is exceeded.

Use this field to define the exit code of your program that shall indicate an Unknown check status.

If you want the {custom-check} to collect performance data (which must be written to console output by the program), check _Select Performance Resource Type and choose a previously defined custom performance resource type from the list. See Configuring Custom Performance Data Resource Types on how to define custom performance resource types.

Defines if the script or program is deployed by Avantra or if an already installed one shall be used. In the first case set the flag.

This field is only available if Deploy program is set.

This field is only available if Deploy program is set.

If you set this flag the Avantra Agent takes care to remove the script/program once theCustom Check is deleted. The Program Directory is also being removed if it is empty.

Read only field containing the name of the script or program once it is deployed. The name is displayed as a link that allows you to download the script or program.

Read only field containing the MD5http://en.wikipedia.org/wiki/Checksum[checksum] of the script or program once it is deployed. This value is used to detect whether the file copied to the target System's filesystem has not been modified.

Read only field containing the date the script or program was uploaded.

Define an upload target (e.g. an InfoCube or ODS). Wildcard * is supported.

Define a Warning threshold for the upload time.

Define a Critical threshold for the upload time.

Defines a comma or space separated list of clients the given rule shall be checked on. You may use wilcard * to define multiple clients, i.e. 1* to define all 1xx clients. Use * to apply a rule to all clients found.

Optionally exclude clients from include rule before. For example, you may want to apply a rule to all clients using * but want to exclude client 000 and 066.

Define the rule you want to check on the set of clients defined using Clients field.

Define the arguments, i.e. the given value of this rule. The list or field depends on the argument Rule defined before. For example, if you choose Changes and transports must be as rule, you select one of the following arguments as given value:

Add an optional Tag which appears in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Define the status if the rule is violated, either Warning or Critical. The overall Check status will be the worst of all rules.

Set the alert nodes you want to include in the check. Click on + and - to include multiple nodes. You can use wildcard * to select multiple alerts.

Alert nodes are hierarchically in a tree structure organized. Mark this option if you want to include the full path to the alert nodes in the check result.

If checked, unknown alerts (GRAY) are included in the check result.

Set to report unknown/GRAY alerts as a different status. E.g. report unknown alerts as CRITICAL.

If set, the overall check status remains OK even though some alerts are RED or YELLOW. Use this option if you are only interested in the value of the alerts but not in the status.

Defines selection criteria to query for Idocs. All criteria are used with an AND clause, i.e. an Idoc must match all criteria specified to be found.

Defines a comma or space separated list of clients to be used as selection criteria. You may use wildcard * to define multiple clients, i.e. 1* to define all 1xx clients. Leave the field blank to select from all clients.

Specify one or many status numbers of the Idoc to be used as selection criteria. Use comma separated list to define multiple values. It is alsoo possible to select ranges, e.g. 03-10. Use ! to exclude a status, and please make sure to always use a leading 0 for the status.

Define the time and date specifications of the Idocs to be selected. You can choose amongst creation time, last mondification time, max age, etc. Field IDOC max age in days is a required field and initialized to one day.

Define the Idoc’s message type, variant, or function. Each field supports comma separated list to define multiple values. Wildcard * is supported as well.

Define the Idoc’s direction, which is either Inbox or Outbox. The setting has an influence which fields to use for further selection, i.e. the setting defines if either Receiver or Sender specs needs to be used.

Define the Idoc’s following criteria for either Receiver or Sender: Port, Number, Type, or, Partner Function. Each field supports comma separated list to define multiple values. Wildcard * is supported as well.

Define the maximum number of Idoc’s to retrieve. It is recommended to use this setting. Default: 500.

Fill in the number of Idocs for the Critical and Warning thresholds. Obviously, the Critical should be above Warning value. You can leave one of each blank, then the check result will either be only Critical or Warning.

Fill in the name of the job. The wildcard * is supported in order to monitor multiple jobs using the same Custom Check definition. Each SAP job matching the pattern given as job name, is considered on it’s own and reported as sub check inside the given check.

Specify the client of the job as either black- or whitelist. If you use a blacklist, jobs must not run in the list of clients provided, otherwise they will not be selected. If you use a whitelist, jobs must run in the given list of clients. The list of clients can be separated by spaces, comma, or semicolon and a client must be a three-digit number. When selecting jobs, the client is determined from SAP jobs overview table field TBTCO.AUTHCKMAN.

Per default, SAP_JOB Custom Check searches globally for jobs in all clients (or the white- or black-listed if this option is used) and sorts them by date/time to check the most recent one. You can change this behavior by enabling Check in each client. SAP_JOB Custom Check will then group all job query results by client and run the same checks for each client separately. You may, for instance, want to check, if a job with same name finished successfully in several clients, etc. Before this option existed, you would have to create several SAP_JOB Custom Check for each client. Using Check in each client this can now be done in one Custom Check.

Specifiy the user of the job as either black- or whitelist. If you use a blacklist, jobs must not be scheduled by users in the list provided, otherwise they will not be selected. If you use a whitelist, jobs must have been scheduled by one of the users given in the list. The list of users can be separated by spaces, comma, or semicolon. If you want to use one of these characters in the user name, you must escape it by a backslash (\). Please note that the custom check will select the field TBTCO.SDLUNAME of SAP jobs overview table TBTCO and thus querying the user who scheduled the job.

Set this time to select only jobs which are started after this time. Set a time beetween 00:00 and 23:59.

Set this time to select only jobs which are started before this time. Set a time between 00:00 and 23:59.

This checkbox is only relevant if Select Jobs started after and Select Jobs started before are set. If both are set, the check is by default not executed when the current agent time is in the selection interval! If you want to execute the check also when the current agent time is in the selection window, then mark this checkbox.

Choose a check status to return in case the watched Job is cancelled.

By default, a canceled job will no longer be reported, if a more recent and successfully finished job with same name has been found. You can change this behavior by enabling this option.

Choose a check status to return in case the watched Job is not found as a released job. If you do not want to have this feature enabled, you simply leave the field blank, which is the default.

WARNING - Multiple jobs with different names found for target name <yourjob*>: <list>
Please turn 'Status If Job Not Found' option off or do not use wildcards for job name.

You may define a time span after which the check status is set back to Ok in this field.

You may define Warning and/or Critical thresholds for the number of simultaneously running Jobs with the same name.

You may define Warning and/or Critical thresholds for the delay of Job start.

You may define Warning and/or Critical thresholds for the maximum Job run time.

You may define Warning and/or Critical thresholds for the minimum Job run time.

You may define Warning and/or Critical thresholds for the maximum elapsed time since the last start of the Job.

Check this flag if you want to display the jobs finished properly in the check message.

Define a filter expression for the party attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma separated list of patterns to match multiple channels.

Define a filter expression for the service attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma separated list of patterns to match multiple channels.

Define a filter expression for the channel name attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma separated list of patterns to match multiple channels.

Define a filter expression for the message attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma separated list of patterns to match multiple channels.

Define a filter expression for the activation state attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma separated list of patterns to match multiple channels.

Define a filter expression for the channel state attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma separated list of patterns to match multiple channels.

Define one or a set of qRFC queues which are to be monitored. Multiple queues can be entered separated by comma (,). You can use spaces before or after a separating comma since they are ignored. In case your queue name contains a comma, you need to escape it with \. Wildcard * is supported.

Define one or a set of qRFC queues which are to be excluded from the include set above. For multiple queues the same applies as for Include Queue Names. In upper example all queues MYQUEUE2* are included. Using MYQUEUE2EX1, MYQUEUE2EX2 you can exclude two queues from the set.

Limit upper defined queue names to a list of specified clients. Leave this field blank to get qRFC queues from all clients. Multiple clients can be entered separated by comma. You can use spaces before or after a separating comma since they are ignored. Wildcard * is supported.

Define one or a set of clients which are to be excluded from the include set above. For multiple clients the same applies as for Include Clients. In upper example all queues 9* are included. Using 910, 911 you can exclude two clients from the set.

Define if all conditions provided must match a queue to be reported or if any of the conditions is enough.

Condition is matched, if the status of the queue is marked as erroneous or hanging by the SAP system. Examples: CPICERR, SYSFAIL and others.

Using this option you can exactly define which status a queue must have to match the condition. You can specify a list of status strings either separated by comma or spaces.

As before but the other way round: you might for example want to have all status reported except one which is the OK status.

Condition matches if the number of queued entries is equal to or above the given threshold.

Condition matches if the age of the oldest (i.e. the first) queued entry is equal to or above the given threshold. Format is days/hours/minutes, with the digit followed by the one letter abbreviation of the unit, i.e. d/h/m. You use more than one unit, e.g. 1d 12h or 1h 30m.

Define the check status in case a matching system log entry is found.

Enter the timespan you wish to monitor.

Define whether you want to watch for certain system log entries or for a whole problem class.

Define a message text you want to filter. The wildcard * is supported.

Fill in a (blank-separated) list of message numbers to watch for.

Select the problem class you want to monitor.

Restrict to certain transactions. Multiple entries have to be separated by a blank. The wildcard * is supported.

Restrict to certain clients. Multiple entries have to be separated by a blank.

Restrict to certain users. Multiple entries have to be separated by a blank. The wildcard * is supported.

Restrict to a certain work process type.

Exclude a list of message numbers or a list of message number ranges.

Fill in the name of the report

Define optionally the variant of the report.

Read only application log entries from the clients defined here. Multiple clients are supported. If you leave it empty, the client defined for the SAP RFC user is used.

Read only log entries written in within the last configured minutes.

Read only logs from this object. Wildcard * is allowed. Use comma to separate multiple values.

Read only logs from this subobject. Wildcard * is allowed. Use comma to separate multiple values.

Read only logs from this External ID. Wildcard * is allowed. Use comma to separate multiple values.

Read only logs from this User. Wildcard * is allowed. Use comma to separate multiple values.

Read only logs from this Transaction Code. Wildcard * is allowed. Use comma to separate multiple values.

Read only logs from this Program. Wildcard * is allowed. Use comma to separate multiple values.

Define the log class to which the log entry must belong to.

Define the log creation process type to filter log entries from. You may filter by multiple process types.

Define the log message filter to filter log entries from. You may filter by multiple message filters.

The check becomes WARNING if your sap application log select criterias select more log entries than the defined threshold.

The check becomes CRITICAL if your sap application log select criterias select more log entries than the defined threshold.

Check this box if you want to include all application log messages in the check result. If this box is not checked, only the first message is included in the check result. This option has no effect on log entry selection. It is only used to display more detailed information in the check result.

Define at least one RFC destination.

Choose the check status to return in case the connection test fails.

Enter the technical name of the software component you want to apply a rule for. You can define multiple entries separated by comma. Any white spaces before of after the comma will be ignored. Wildcard * is supported as well.

Enter the technical ID of the namespace you want to apply a rule for. You can define multiple entries separated by comma. Any white spaces before of after the comma will be ignored. Wildcard * is supported as well.

Optionally exclude software components or namespaces from include rule before. For example, you may want to apply the Not modifiable rule to all software components using * but want to exclude components LOCAL and HOME.

Define the rule you want to check on the set of software components/namespaces defined. Select either:

Define the Modifiable given value for this rule. As in transaction SE06, for software change options, you have the choice between 4 options, for namespaces there are only two, modifiable or not.

Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Define the status if the rule is violated, either Warning or Critical. The overall Check status will be the worst of all rules.

Define the transaction code of the transaction to be monitored. If you do not know your transaction code, open the transaction to be monitored with SAP GUI and choose System  Status. You will find the transaction code in the dialog displayed.

If you want to restrict the runtime to be evaluated in a single client only, you may enter the client number. It is possible to monitor all transactions of a given client as well. In this case you have to leave the Transaction field blank and to fill in the client only.

Define a Warning threshold for the runtime.

Define a Critical threshold for the runtime.

The time to search back in the audit log from the point in time the check is evaluated. This time configures as well how long entries are displayed. If you setup the check for RealTime Monitoring, reasonable values would be 60 or 120 minutes. In case you may want to run it as Daily Checks, e. g. to document additionally on a daily basis, you might want to enter 1440 minutes, for one day.

Define the clients to filter the audio log records. If you specify *, all clients in the system are checked, except the ones on the exclude list.

Exclude clients from being checked. This makes sense if * is used as the client list above.

Define the users you want to check, again wildcard * might be useful to specify a certain selection. If you don’t want to filter on users, you can as well leave this field blank.

Exclude users from being checked. This makes sense if all users are to be checked except some where it well known that records exist.

Directly define 3 characters audit message IDs to query for. You can use wildcard * to use to specify selections for example use AU* to query for all message IDs stat start with AU. You can leave this field as well blank and filter on whole audit classes. If used together with audit classes, both selections are linked by and OR operation.

Exclude message IDs from being checked. This makes sense if a range with * is used as the message IDs and you want to exclude individual message IDs.

Filter on the selected audit classes. I you specify none, it is the same than select on all. If used together with message ID selection, both criteria are linked by an OR operation.

Filter on the type of event, choose either All, Severe and Critical, or Only Critical.

Specifies the number of records which are to be found to turn the check result status to the corresponding check status. For example, if you want to check be Critical starting from one record found, enter 1 into the Crit Count field.

SAP ABAP systems provides two transactions to configure security audit log configuration: SM19 and RSAU_CONFIG. While SM19 provides only basic selection criterias, the newer RSAU_CONFIG provides much more detailed configuration settings. If the security audit log configuration is configured with transaction SM19, then use the Classic selection. If the security audit log configuration is configured with transaction RSAU_CONFIG, then use the Detail selection.

Define the clients for which you want to check the security audit log configuration. If you specify *, the security audit log configuration must be set on all clients.

Define the users for which you want to check the security audit log configuration. If you specify *, the security audit log configuration must be set for all users.

Define the event priority which must be set for the defined client(s) and users(s). Choose either All, Severe and Critical, or Only Critical.

Mark the audit class which must be selected for the defined client(s) and users(s). You cannot deselect the System Events checkbox, this is always enabled from SAP by default.

Setting the security audit log for specific message IDs can be configured in RSAU_CONFIG and only in Detail event selection. Directly define the 3 characters audit message IDs to check for. Wildcards * are supported.

Report this status if your SAP system does not have the required security audit log configuration for the defined client(s) and users(s).

Use this optional tag to show a specific message for this check in the check result. Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Define the SQL SELECT statement to perform on the Database. Update, delete and other queries which could modify data will not be executed for security reasons.

Define a JavaScript code snippet to provide the evaluation logic. See JavaScript based Custom Check API below on how to use the provided API.

the status of the actual row. The values must be 2 for CRITICAL, 1 for WARNING, 0 for OK, -1 for UNKNOWN

the check message of the actual row

Define the clients the user authorizations are to be checked. If you specify *, all clients in the system are checked, except the ones on the exclude list.

Exclude clients from being checked. This makes sense if * is used as the client list above.

Define the users you want to check, again wildcard * might be useful to check all users.

Exclude users from being checked. This makes sense if * is used in the user list above. For example, you might want to exclude certain system users, like SAP* or DDIC.

The check will search for users which match all of the authorization objects specifications listed below.

The check will search for users which at least one of the authorization objects specifications listed below. This is especially useful to check that important authorizations are not given to any user, except some users.

This specific condition is intended for segregation scenarios. If a user matches the first row, all the following rows starting from 2 to n are checked, and if a least one of 2-n matches, the whole condition is true.

Choose a check status, mostly Critical or Warning cause usually you would search for unwanted authorizations.

This is the authorisation object to be checked. For example to check for the permission to maintain users, you would enter S_USER_GRP. See the corresponding SAP transaction.

This corresponds to the authorisation object. In case of the example with S_USER_GRP the field would be ACTVT, i. e. an authorizations activity.

The value of the corresponding field to check. In case of activities ACTVT these are numbers, but it could as well be transaction codes, i. e. text strings. Multiple values are separated by spaces or comma.

Either Select users having all listed values, or Select users having at least one of the listed values. This way you could for example, select for forbidden activities of a certain authorisation object in one line.

Define the clients the user profiles and roles are to be checked. If you specify *, all clients in the system are checked, except the ones on the exclude list.

Exclude clients from being checked. This makes sense if * is used as the client list above.

Define the users you want to check. I you want to check all users, you can simply leave this field blank or enter *.

Exclude users from being checked. This makes sense if all users are to be checked * is used in the user list above. For example, you might want to exclude certain system users, like SAP* or DDIC.

The check will search for users which have all profiles and all roles listed assigned. In the real world it makes sense to check for profiles and roles separately, for example to run a check which checks for SAP_ALL and SAP_NEW profiles.

The check will search for users which have any of the profiles or roles listed assigned. This would be the right choice to check for users which have SAP_ALL or SAP_NEW profiles assigned.

List of profiles to search for separated by ,. Trailing or leading spaces are ignored.

List of roles to search for separated by ,. Trailing or leading spaces are ignored.

Select the severity of the check result if users are found. Possibly only Critical and Warning make sense here.

Define the display name or the technical service name in this field. You can find the technical Service Name in the field Service Name of the General tab in the Properties of the respective service.

Select the check status in case the service is running.

Select the check status in case the service exists but is not running.

Select the check status in case the service does not exist.