Getting Data In

How to collect IBM DB2 audit logs

las
Contributor

Hi.

We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk.

I tried just creating an input (a monitor stanza pointing at the right directory), but got nothing. I then changed it to look at subfolders, and I got some data.

I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs).

Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)?


Kind regards

las


venkatasri
SplunkTrust

@las Since you mentioned "I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing", I thought your inputs were having trouble.

I suggest posting on the respective IBM DB2 forum to get the audit logs exported to files, then configure a UF to monitor them.


venkatasri
SplunkTrust

Hi @las

The link seems to point to exporting the logs to the file system. The first place to check is your splunkd.log under $SPLUNK_HOME/var/log/splunk for any errors related to it. Can you share what your inputs.conf looks like?

You have to make sure inputs.conf is correctly configured. You can run the command below to find the files being monitored by the UF and check their reading status; you should find the audit log paths here:

# Goto $SPLUNK_HOME/bin
./splunk list inputstatus

outputs.conf should already be configured and the connection established; this is what indexes the logs read by the UF. Run this command to find out whether there is an active HF/indexer:

# Goto $SPLUNK_HOME/bin
./splunk list forward-server

 ---

An upvote would be appreciated and Accept the solution if this reply helps!


las
Contributor

Hi Venkatasri.

I think I might not have made myself clear. The problem is not creating an input stanza; the problem is whether anyone has come up with an idea about how to get the logs. IBM has outlined this, in my opinion, rather cumbersome process where you have to run several commands and pass some input from one command to the next before the log is readable.

Kind regards

las

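The multi-step process the thread refers to (archive the active binary audit log, then feed the archived file name into the extract step) can be scripted so the UF only ever sees one directory of readable files. The wrapper below is an added example, not code from the thread or from IBM; the db2audit archive/extract syntax follows the IBM DB2 11.1 storage documentation linked above, while the paths, the database name and the DB2AUDIT override variable are assumptions.

```shell
#!/bin/sh
# Archive the active DB2 audit log, then extract every new archive into
# delimited ASCII (.del) files under one directory for a Splunk UF to monitor.
# Assumed to run as the instance owner with db2audit on PATH; DB2AUDIT can be
# pointed at a stub for testing without a DB2 installation.
set -eu

DB2AUDIT="${DB2AUDIT:-db2audit}"

# Step 1: archive the active log for one database and print the names of the
# files db2audit wrote (db2audit.db.<DB>.log.<member>.<timestamp>), found by
# diffing the archive directory listing before and after the call.
archive_audit_log() {
    db="$1"; archive_dir="$2"
    before=$(mktemp); after=$(mktemp)
    ls "$archive_dir" > "$before" 2>/dev/null || true
    "$DB2AUDIT" archive database "$db" to "$archive_dir" >/dev/null
    ls "$archive_dir" > "$after"
    comm -13 "$before" "$after"          # lines only in "after" = new archives
    rm -f "$before" "$after"
}

# Step 2: turn one archived binary log into .del files (audit.del, checking.del,
# ...) in its own subdirectory, so repeated extracts never overwrite each other.
extract_audit_log() {
    archive_dir="$1"; file="$2"; extract_dir="$3"
    mkdir -p "$extract_dir"
    "$DB2AUDIT" extract delasc to "$extract_dir" from path "$archive_dir" files "$file" >/dev/null
}

# Whole pipeline: archive, extract each new file, print how many were extracted.
export_db2_audit() {
    db="$1"; archive_dir="$2"; extract_dir="$3"
    n=0
    for f in $(archive_audit_log "$db" "$archive_dir"); do
        extract_audit_log "$archive_dir" "$f" "$extract_dir/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage (e.g. from cron): ./db2_audit_export.sh run SAMPLE /auditarchive /auditextract
if [ "${1:-}" = "run" ]; then
    export_db2_audit "${2:?database}" "${3:?archive dir}" "${4:?extract dir}"
fi
```

A monitor stanza on the extract directory with recursive = true then picks up each new subdirectory of .del files, which matches the subfolder behaviour observed in the question.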