How to collect IBM DB2 audit logs

las
Contributor

Hi.

We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk.

I tried just creating an input (a monitor stanza pointing at the right directory), but got nothing. I then changed it to look at subfolders, and I got some data.

I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs).

Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)?

 

Kind regards

las


venkatasri
SplunkTrust

@las Since you mentioned "I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing", I thought your inputs were having trouble.

I suggest posting on the IBM DB2 forum, getting the audit logs exported to files, and configuring the UF to monitor them.


venkatasri
SplunkTrust

Hi @las 

The link seems to point to exporting the logs to the file system. The first place to check is your splunkd.log under $SPLUNK_HOME/var/log/splunk for any errors related to it. Can you share what your inputs.conf looks like?

You have to make sure inputs.conf is correctly configured. You can run the command below to find the files being monitored by the UF and check their reading status; you should find the audit log paths here:

# Goto $SPLUNK_HOME/bin
./splunk list inputstatus

outputs.conf should already be configured and the connection established; this is what indexes the logs read by the UF. Run this command to find out if there is an active HF/indexer:

# Goto $SPLUNK_HOME/bin
./splunk list forward-server


las
Contributor

Hi Venkatasri.

 

I think I might not have made myself clear: the problem is not creating an input stanza; the problem is whether anyone has come up with an idea about how to get the logs. IBM has outlined this, in my opinion, rather cumbersome process where you have to run several commands, and pass some input from one command to the next before the log is readable.

Kind regards

las

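One way to turn the multi-step IBM procedure las describes (flush, archive, then extract the archived file into readable delimited files) into something a forwarder can simply monitor, as venkatasri suggests, is a small wrapper script run from cron as the DB2 instance owner. The script below is an added example written for this thread; it is not code from IBM, Splunk, or either poster. It assumes the db2audit syntax `db2audit flush`, `db2audit archive database <DB> to <dir>` and `db2audit extract delasc to <dir> from files <file>`, that archived files are named `db2audit.*`, and that the instance profile is already sourced. The database name, directory names, `DB2AUDIT` override, sourcetype `db2:audit` and index `db2_audit` are all placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the db2audit flush -> archive -> extract
# sequence so readable .del files land under one directory a Splunk Universal
# Forwarder can monitor recursively. Assumptions: db2audit subcommand syntax as
# described in the lead-in; archived files are named db2audit.*; run as the
# DB2 instance owner. DB2AUDIT can be overridden (e.g. for a dry run with a stub).
DB2AUDIT="${DB2AUDIT:-db2audit}"
DB2AUDIT_EXTRACTED=0   # number of archives extracted by the last db2audit_export call

# db2audit_export <database> <archive_dir> <extract_dir>
# The hand-off between "archive" and "extract" is done by looking for archive
# files newer than a marker stamped at the end of the previous run, so nothing
# depends on parsing db2audit's screen output. Each archive is extracted into
# its own subdirectory, so every run produces new files rather than appending
# to or overwriting audit.del from an earlier run.
db2audit_export() {
    db="$1"; archive_dir="$2"; extract_dir="$3"
    mkdir -p "$archive_dir" "$extract_dir" || return 1
    marker="$archive_dir/.last_export"          # hidden: not matched by db2audit.*
    log="$extract_dir/export.log"               # not matched by the .del whitelist
    if [ -f "$marker" ]; then newer="-newer $marker"; else newer=""; fi

    "$DB2AUDIT" flush >>"$log" 2>&1 || return 1
    "$DB2AUDIT" archive database "$db" to "$archive_dir" >>"$log" 2>&1 || return 1

    count=0
    # shellcheck disable=SC2086  # $newer is intentionally unquoted (empty or two words)
    for f in $(find "$archive_dir" -name 'db2audit.*' -type f $newer); do
        sub="$extract_dir/$(basename "$f")"
        mkdir -p "$sub" || return 1
        "$DB2AUDIT" extract delasc to "$sub" from files "$f" >>"$log" 2>&1 || return 1
        count=$((count + 1))
    done
    : > "$marker"                               # stamp now; next run takes only newer archives
    DB2AUDIT_EXTRACTED=$count
    echo "db2audit_export: extracted $count archive(s) into $extract_dir" >&2
}

# inputs_stanza <extract_dir>
# Prints the inputs.conf stanza for the forwarder: recursive so the per-archive
# subdirectories are picked up, whitelisted to the delimited .del files only.
inputs_stanza() {
    cat <<EOF
[monitor://$1]
recursive = true
whitelist = \\.del\$
sourcetype = db2:audit
index = db2_audit
disabled = false
EOF
}

# Example invocation (placeholder paths; run from cron as the instance owner):
# db2audit_export SAMPLE /db2/audit/archive /db2/audit/extract
# inputs_stanza /db2/audit/extract >> "$SPLUNK_HOME/etc/system/local/inputs.conf"
```

Because each run writes into a fresh subdirectory, the forwarder sees the extracted records as new files and `splunk list inputstatus` will show one entry per archive, which makes it easy to confirm that a given export actually reached the indexers.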