Reverse Engineering SAS Code from Workspace Server Logs
A Technical Strategy for Smarter Content Assessment
When organizations embark on a SAS Content Assessment, one of the biggest challenges is visibility: how do you account for all the code executed across Enterprise Guide (EG) projects when you don’t have access to every user’s folders or .egp files? The answer lies in the logs — specifically, Workspace Server logs. These logs capture real-time execution of SAS code submitted via EG and other clients, making them a powerful source for reverse engineering user-authored logic.
Building on the insights shared in the blog "Accelerating SAS9 to Viya Migration with Log Intelligence," the process of reverse engineering SAS code from Workspace Server logs offers a strategic advantage for organizations undergoing SAS Content Assessment. By leveraging the detailed execution traces captured in these logs, organizations can identify and prioritize active code, streamline migration efforts, and reduce costs associated with moving legacy clutter.
Why Reverse Engineer from Logs?
Enterprise Guide projects often contain business-critical logic — but they’re stored in user folders, scattered across the organization, and difficult to access centrally. Workspace Server logs offer a workaround solving the following challenges:
|
Challenge |
Solution via Logs |
|
No access to .egp files across mount points |
Logs capture executed code regardless of file location |
|
Requesting EGPs from users is slow and incomplete. Often old projects are provided |
Automated reverse engineering ensures only the active code is present. |
|
Migration costs are inaccurate due to too much old content or too little active content |
We know the definite steps and PROCS which are run for all users |
This approach brings EG projects into scope without disrupting users or requiring elevated permissions. You just need to be a SAS Admin who can access the central WorkspaceServer logs.
Technical Workflow: From Logs to Code
Let’s break down the reverse engineering process step by step.
1. Log Aggregation
Collect logs from Workspace Server directories, typically found at:
/opt/sas/config/Lev1/SASApp/WorkspaceServer/Logs/
Ensure logs include:
- Timestamps
- User identifiers
- Full execution trace set at an INFO level with %m (log message).
2. Noise Filtering: Remove EG Preamble and Postamble
Enterprise Guide wraps user code with system-generated code. To isolate meaningful logic, we strip this out and remove any pre and post amble from the logs. This gets us down to the statements users have submitted.
EG Preamble Includes:
EG Postamble Includes:
Filtering Logic
Why it matters: This step ensures that only user-authored logic is retained — the actual data steps, PROC calls, macro definitions, and %INCLUDE statements that drive business processes.
3. Code Extraction
Once the pre and post amble is removed the next step is to extract meaningful code blocks.
%INCLUDE Detection
Macro and PROC Extraction
Why it matters: These elements represent the core logic of EG projects — surfacing them enables them to be processed by the SAS Content Assessment Code Check application.
4. Create Code
The process has been built so that it can be run on a single log or a collection of logs. When processing if the _SASPROGRAMFILE is present in the log then it will rename the code as this when it saves in a mirror folder structure. This allows for situations where users are using Enterprise Guide to open code and then run it. In an open workspace server connection a user can run multiple pieces of code in one session. All pieces will be logged, parsed, extracted and a SAS code file created.
When users use %INCLUDE the log will contain the following message:
The executed code will be present in the log wit “+” to denote that this is the code being pulled from the %INCLUDE location. This becomes a marker for reconstructing the code and naming it correctly as the code name and path can be held from the %INCLUDE and all statements taken from “+” included in the code file.
In this example the process found markers for several %INCLUDE statements and each one was extracted and placed into a folder structure which matched Credit Risk Process 301
Strategic Impact
This reverse engineering approach delivers tangible business value:
|
Value |
Description |
|
Visibility Without Access |
Brings EG logic into scope without needing .egp files or folder access |
|
Automation at Scale |
Enables bulk processing of logs across environments |
|
Supports Modernization |
Surfaces legacy logic for transition to Viya or cloud platforms |
|
Improves Governance |
Helps identify undocumented processes and shadow IT |
The Result
Reverse engineering SAS code from Workspace Server logs is a low-friction, high-impact strategy for SAS Content Assessment. It combines technical precision with strategic insight — enabling organizations to modernize confidently, assess comprehensively, and automate intelligently.
Whether you're migrating to Viya, auditing legacy code, or simply trying to understand what’s running in your environment, this approach gives you the visibility you need — without the access headache.
