BookmarkSubscribeRSS Feed
Obsidian | Level 7

How to trace user activity monitoring on sas server like


what time user login

what are the jobs ran

what are the sas code files referred/open/modifyed

what are the sas data sets are created and location 


Is it possible get user metrics ? Any reference sample sas code or note pls


We have only SAS EG nd SAS SMC

SAS Employee

Can you provide more information, like what version of SAS 9.4 platform are you using? What does the installation look like,how many machines? Do you have a web server? Is SAS environment manager installed?



Obsidian | Level 7
Yes, it's SAS 9.4 M6 (Linux)
Topology (1 Meta, 1 Compute) no Mid.

only SAS SMC and SAS EG

what time user login

what are the jobs ran

what are the sas code files referred/open/modifyed

what are the sas data sets are created and location

Is it possible get user metrics ? Any reference sample sas code or note pls
SAS Employee



When the user logs in is in the SASMetadataServer*.log in the form:



2020-03-15T12:05:00,163 INFO [00330077] :sasevs@saspw - New client connection (9374) accepted from server port 8561 for user sasevs@saspw. Encryption level is Credentials using encryption algorithm SASPROPRIETARY. Peer IP address and port are [::ffff:]:45570 for APPNAME=Environment Manager 904500.


You could probably figure out when they logged out examining the closed line matching the (9374) connection.


You can help yourself in the admin guide to auditting but the recommended way to monitor is to use SAS Environment Manager.

SAS Help Center: Audit Changes to Server Logging Configurations


Please look into the SAS environment Manager Service Architecture Framework for 9.4 -
The list of available reports is at the end of that link, in particular the Audit Reports - log forensic section should be of interest to you.



Obsidian | Level 7
Login and logout can be track Metadata logs, fine,

Jobs ran list, sas code files referred/open/modified and sas data sets are created and location

this which logs will capture
Obsidian | Level 7

@huntdoug has given the correct answer. You can either install / configure the auditing and logging / EM service architecture - which records much more detailed information, or you can look at the metadata server log for basic connection info.


I had to do this for someone just a few days ago and they didn't have the the full auditing and logging installed, so I analysed the metadata server log. using this simple program - it may not be perfect, so check your results:


*reads in metadata server log and attempts to determine who connected.;

filename mdlog "/Path to the metadata server log/sasmeta......log" ;

data connections;
length userid $32;
format time time. date date.;
infile mdlog ;
input @1 date yymmdd10. @12 time time8.;


Sample data
2021-03-29T23:43:35,642 INFO [133178522] :sastrust@saspw - Request made to cluster SASMeta - Logical Metadata Server (A5L3816M.AX000001).
2021-03-29T23:43:35,642 INFO [133178522] :sastrust@saspw - Redirect client in cluster SASMeta - Logical Metadata Server (A5L3816M.AX000001) to server SASMeta - Metadata Server (A5L3816M.AZ000001) at
2021-03-29T23:43:35,652 INFO [133178526] :sasevs@saspw - New client connection (6181722) accepted from server port 8561 for SAS token user sasevs@saspw. Encryption level is Everything using encryption algorithm AES. Peer IP address and port are [10.123.456.789]:56444 for APPNAME=/SASAuthorizationServices - Web Infra Platform Identity Services 9.4.


if userid not in('svc_sas_prod','sasevs@saspw','sasadm@saspw','sastrust@saspw','svc_lasradm_prod');


*unique users;
proc sort data=connections out=uniqueusers nodupkey;
by userid;


And I only had to report on connections for one week, so I just ran this 7 times to analyse the 7 daily metadata log files, so clearly this could be enhanced to automate processing of a range of logs.

Unfortunately, it only reports who connected to the SAS System, not what they did.


To implement more comprehensive auditing and logging can be a reasonable amount of work to set up. If you set up workspace server logging (for example, every EG session has the log saved to disk), this can consume lots of disk space, so you need to consider retention periods, automated archiving etc. Typically a dedicated log disk volume is set up of maybe 100 or 200GB in size just to store logs.

Auditing and logging seems to be a requirement more and more these days. I've had to set this up for a number of government sites to comply with increased security requirements.








Just to be clear you will need a SAS mid-tier server to run SAS Environment Manager. This could be installed on one of your existing physical servers or on a new one. You will also need to install the Environment Manager agent on all SAS servers you want to monitor. 

Obsidian | Level 7
Noted, but we don't have Mid-tier box, we have only SAS Meta (1) and SAS Compute (1)

Yes, I was already aware of that. That's why I pointed out the requirement to add one if you go with Environment Manager.

Meteorite | Level 14

It is possible to have midtier on metadata or compute server.
As your installation is 9.4M6, midtier must already be there.

As about the information you are trying to seek is achievable but requires some degree of programming/scripting with your local environment in view. Your Linux administrator should be able to help.

Super User

To see what your users are doing, without using Environment Manager, activate server-side logging for the workspace server (logconfig.xml), and then parse the logs.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 10 replies
  • 7 in conversation