Getting Data In

How to collect IBM DB2 audit logs

las
Contributor

Hi.

We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk.

I tried just creating an input (a monitor stanza) pointing to the right directory, but got nothing. I then changed it to look at subfolders, and I got some data.

I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs).

Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)?


Kind regards

las


venkatasri
SplunkTrust

@las Since you mentioned 'I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing', I thought your inputs were having trouble.

I suggest posting in the respective IBM DB2 forum to get the audit logs exported to files, and then configuring the UF to monitor them.


venkatasri
SplunkTrust

Hi @las 

The link seems to point to exporting the logs to the file system. The first place to check is your splunkd.log under $SPLUNK_HOME/var/log/splunk for any errors related to it. Can you share what your inputs.conf looks like?

You have to make sure inputs.conf is correctly configured. You can run the command below to find the files being monitored by the UF and check their reading status; you should find the audit log paths here:

# Goto $SPLUNK_HOME/bin
./splunk list inputstatus

outputs.conf should already be configured and the connection established; this is what indexes the logs read by the UF. Run this command to find out if there is an active HF/indexer:

# Goto $SPLUNK_HOME/bin
./splunk list forward-server


 ---

An upvote would be appreciated and Accept the solution if this reply helps!


las
Contributor

Hi Venkatasri.


I think I might not have made myself clear. The problem is not creating an input stanza; the problem is whether anyone has come up with an idea about how to get the logs. IBM has outlined this, in my opinion, rather cumbersome process where you have to run several commands and pass some input from one command to the next before the log is readable.

Kind regards

las
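One way to automate the multi-step process the thread refers to, as an added example that is not from any poster: a cron-driven shell script that flushes, archives and extracts the DB2 audit log into delimited files in a directory a Universal Forwarder monitors. It assumes the db2audit subcommands (flush, archive, extract delasc) and the archive file naming from IBM's audit-facility documentation, plus the /var/db2audit paths; check both against your DB2 version.

```shell
#!/bin/sh
# Added example (not the poster's code). Run as the DB2 instance owner from cron.
# Assumed db2audit syntax: flush | archive [database DB] to DIR |
#   extract delasc to DIR from files FILE
set -eu

DB2AUDIT="${DB2AUDIT:-db2audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/db2audit/archive}"   # archived raw logs (assumed path)
EXTRACT_DIR="${EXTRACT_DIR:-/var/db2audit/extract}"   # .del files; UF monitors this

# Newest archived log for a database, or the instance-level log when DBNAME is
# empty. Assumed name format: db2audit.<db|instance>.<NAME>.log.<n>.<timestamp>;
# the fixed-width timestamp suffix sorts correctly lexically.
newest_archive() {
    dbname="$1"
    if [ -n "$dbname" ]; then
        pattern="db2audit.db.${dbname}.log."
    else
        pattern="db2audit.instance.log."
    fi
    ls -1 "$ARCHIVE_DIR" 2>/dev/null | grep -F "$pattern" | sort | tail -n 1
}

# Flush buffered records, archive the active log, then extract the archive to
# delimited ASCII under a timestamped subdirectory. Prints that directory.
extract_audit() {
    dbname="$1"
    "$DB2AUDIT" flush
    if [ -n "$dbname" ]; then
        "$DB2AUDIT" archive database "$dbname" to "$ARCHIVE_DIR"
    else
        "$DB2AUDIT" archive to "$ARCHIVE_DIR"
    fi
    archive="$(newest_archive "$dbname")"
    [ -n "$archive" ] || { echo "no archive produced for '$dbname'" >&2; return 1; }
    out="$EXTRACT_DIR/$(date +%Y%m%d%H%M%S)"
    mkdir -p "$out"
    "$DB2AUDIT" extract delasc to "$out" from files "$ARCHIVE_DIR/$archive"
    echo "$out"
}
```

On the UF, a [monitor:///var/db2audit/extract] stanza then picks up each new .del file; archive and extract directories should be writable only by the instance owner so audit records cannot be altered before indexing.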
