Getting Data In

How to collect IBM DB2 audit logs

las
Contributor

Hi.

We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk.

I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing, I then changed to look at subfolders, and I got some data.

I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs).

Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)?

 

Kind regards

las

Labels (3)
Tags (3)
0 Karma

venkatasri
Motivator

@las Since you mentioned 'I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing' i thought your inputs having trouble.

I suggest post IBM DB2 respective forum and get the audit logs exported to files and configure UF to monitor them.

0 Karma

venkatasri
Motivator

Hi @las 

The link seems pointing to export the logs to file system.  First place to check is your splunkd.log under $SPLUNK_HOME/var/log/splunk for any errors related to it. Can you share how your inputs conf looks like?

You have to make sure inputs.conf is correctly configured, you can run below command to find the files being monitored by UF and check what's their reading status you should find audit log paths here,

# Goto $SPLUNK_HOME/bin
./splunk list inputstatus

outputs.conf should have been configured already and connection should be established this is to index the logs read by UF. Run this command to find out if there is any active HF/indexer.

# Goto $SPLUNK_HOME/bin
./splunk list forward-server

 

 ---

An upvote would be appreciated and Accept the solution if this reply helps!

0 Karma

las
Contributor

Hi Venkatasri.

 

I think I might not have made myself clear, the problem is not creating an input stanza, the problem is if anyone has come up with an idea, about how to get the logs. IBM has outlined this, in my opinion, rather cumbersome process where you have to run several commands, an pass some input from one command to the next before the log is readable.

Kind regards

las

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.