We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk.
I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing, I then changed to look at subfolders, and I got some data.
I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs).
Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)?
@las Since you mentioned 'I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing' i thought your inputs having trouble.
I suggest post IBM DB2 respective forum and get the audit logs exported to files and configure UF to monitor them.
The link seems pointing to export the logs to file system. First place to check is your splunkd.log under $SPLUNK_HOME/var/log/splunk for any errors related to it. Can you share how your inputs conf looks like?
You have to make sure inputs.conf is correctly configured, you can run below command to find the files being monitored by UF and check what's their reading status you should find audit log paths here,
# Goto $SPLUNK_HOME/bin ./splunk list inputstatus
outputs.conf should have been configured already and connection should be established this is to index the logs read by UF. Run this command to find out if there is any active HF/indexer.
# Goto $SPLUNK_HOME/bin ./splunk list forward-server
An upvote would be appreciated and Accept the solution if this reply helps!
I think I might not have made myself clear, the problem is not creating an input stanza, the problem is if anyone has come up with an idea, about how to get the logs. IBM has outlined this, in my opinion, rather cumbersome process where you have to run several commands, an pass some input from one command to the next before the log is readable.