Troubleshooting
Problem
How do I set up DB2audit to only audit sysadmin activities?
Resolving The Problem
Here are the steps you need to take in order to set up db2audit so that it records only sysadmin activities:
1.) Connect to your database:
- db2 CONNECT TO SAMPLE
2.) To configure db2audit to record only system administrator events, run the following command:
- db2audit configure scope sysadmin status both
3.) To confirm that db2audit now reflects the event type you have set, run the following command and check that "Log system administrator events" shows "BOTH":
- db2audit describe
DB2 AUDIT SETTINGS:
Audit active: "TRUE "
Log audit events: "FAILURE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "BOTH"
Log validate events: "FAILURE"
Log context events: "NONE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: ""
Audit Archive Path: ""
AUD0000I Operation succeeded.
4.) To start db2audit, run:
- db2audit start
5.) Then perform an action that requires SYSADMIN authority, for example:
- db2 update dbm cfg using svcename 50002
6.) Before reviewing the events that db2audit has collected, the buffered audit records must be flushed to the log; to do so, run:
- db2audit flush
7.) Then stop db2audit by running:
- db2audit stop
8.) The data will need to be archived by running:
- db2audit archive to /home/db2inst
Node     AUD      Archived or Interim Log File
         Message
-------- -------- ---------------------------------------------------
0        AUD0000I db2audit.instance.log.0.20110203191349
9.) Then take the archived log file name from the output above and run the command below:
- db2audit extract delasc to /home/db2inst from files /home/db2inst/db2audit.instance.log.0.20110203191349
10.) Then the audit.out file is ready for viewing, for example:
timestamp=2011-02-03-18.38.47.688491;
category=SYSADMIN;
audit event=UPDATE_DBM_CFG;
event correlator=0;
event status=0;
userid=db2inst;
authid=DB2inst;
origin node=0;
coordinator node=0;
application id=*LOCAL_APPLICATION;
application name=db2flacc;
timestamp=2011-02-03-18.38.47.688499;
category=SYSADMIN;
audit event=START_DB2;
event correlator=0;
event status=-1026;
userid=db2inst;
authid=DB2inst;
origin node=0;
coordinator node=0;
application id=*LOCAL_APPLICATION;
application name=db2start;
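Once the extract has been produced, the records are usually reviewed with a script rather than by eye. The following Python script is an added example, not part of the IBM technote: it parses the "key=value;" record format shown above (a new record starts at each "timestamp=" field, and several fields may share one line), keeps the SYSADMIN records, and flags those whose event status is non-zero. The sample input is constructed from the two records above; treating "event status" as a return code where 0 means success and anything else means the action failed is an assumption of this example.

```python
"""Summarise SYSADMIN records from a db2audit extract (audit.out style text).

Added example; not code from the IBM technote. Assumes the record format shown
on the page: 'key=value;' fields, a record beginning at each 'timestamp=' field.
"""
import re
from collections import Counter

# Constructed sample, modelled on the two records shown in the technote.
# The second record deliberately runs three fields together on one line,
# exactly as the page shows it, to check that the parser copes with that.
SAMPLE_AUDIT_OUT = """\
timestamp=2011-02-03-18.38.47.688491;
category=SYSADMIN;
audit event=UPDATE_DBM_CFG;
event correlator=0;
event status=0;
userid=db2inst;
authid=DB2INST;
origin node=0;
coordinator node=0;
application id=*LOCAL_APPLICATION;
application name=db2flacc;
timestamp=2011-02-03-18.38.47.688499;category=SYSADMIN;audit event=START_DB2;
event correlator=0;
event status=-1026;
userid=db2inst;
authid=DB2INST;
origin node=0;
coordinator node=0;
application id=*LOCAL_APPLICATION;
application name=db2start;
"""

# One field: everything up to '=' is the key, everything up to ';' is the value.
# Newlines are not special, so fields on one line and on separate lines both match.
FIELD_RE = re.compile(r"([^=;]+)=([^;]*);")


def parse_delasc(text):
    """Return a list of dicts, one per audit record (split at 'timestamp=')."""
    records = []
    current = None
    for raw_key, raw_value in FIELD_RE.findall(text):
        key = raw_key.strip()
        if key == "timestamp":
            current = {}
            records.append(current)
        if current is None:
            # Field before the first timestamp: malformed input, skip it.
            continue
        current[key] = raw_value.strip()
    return records


def sysadmin_events(records):
    """Keep only records that db2audit classified as SYSADMIN."""
    return [r for r in records if r.get("category") == "SYSADMIN"]


def failed_events(records):
    """Records whose event status is not 0 (assumption: 0 = success).

    A status that does not parse as an integer is also reported, since an
    unreadable status is worth a second look rather than silent acceptance.
    """
    flagged = []
    for r in records:
        try:
            status = int(r.get("event status", ""))
        except ValueError:
            status = None
        if status != 0:
            flagged.append(r)
    return flagged


def summarise(records):
    """Count events per (authid, audit event) pair for a quick review table."""
    return Counter((r.get("authid", "?"), r.get("audit event", "?")) for r in records)


if __name__ == "__main__":
    recs = sysadmin_events(parse_delasc(SAMPLE_AUDIT_OUT))
    for (authid, event), n in sorted(summarise(recs).items()):
        print(f"{authid:10} {event:20} {n}")
    for r in failed_events(recs):
        print("FAILED:", r["timestamp"], r["authid"], r["audit event"],
              "status", r["event status"], "via", r.get("application name"))
```

Run it against a real extract by replacing SAMPLE_AUDIT_OUT with the contents of the audit.out file; the summary shows who issued which SYSADMIN actions, and the FAILED lines are the attempts worth investigating first.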
Document Information
Modified date:
16 June 2018
UID
swg21461792