Monitoring user activity with auditing in Watson Query

To monitor and record user activities that occur at the Watson Query database level, you can use the built-in Db2® audit logging feature, which seamlessly integrates with the IBM Cloud Pak® for Data Audit Logging facility.

Important: Audited events in Watson Query are asynchronously streamed to the Cloud Pak for Data centralized audit service. The asynchronous nature of log streaming does not guarantee the delivery of the events to and acceptance by the downstream services, including the Cloud Pak for Data audit service.

Overview of audit logs

You can use Watson Query audit logs to solve security challenges in the following ways:
  • You can capture detailed information about user access to specific objects, including whether the access was granted or denied. Detailed information about user access can help you identify potential security threats in real time and take appropriate action to mitigate them.

    • Audit logging captures both successful and failed events in the following audit event categories: AUDIT, CONTEXT, VALIDATE, CHECKING, SECMAINT, OBJMAINT, and EXECUTE.
      Note: The stored procedures and tables that store audit data are created in the AUDIT schema.
    • To view auditable events, see Db2 audit events for Watson Query.

  • You can generate historical audit logs to trace the actions that led up to a particular issue. This feature lets you pinpoint concerning behaviors that were performed on a database, or user interactions that might require further troubleshooting.
    Note: By default, audit logs are streamed to the zen-audit service every 15 minutes. You can shorten the interval by running the following command; however, shortening the interval to less than 6 minutes is not recommended. Also, avoid any interval that divides evenly into 70 minutes (1 hour and 10 minutes), such as 7, 10, or 14 minutes, so that the job does not overlap with other audit-related jobs.
    CALL SYSPROC.ADMIN_TASK_UPDATE( 'AUDIT_UPDATE', NULL, NULL, NULL, '*/6 * * * *', NULL, 'Periodically update audit log file' )
  • You can feed audit logs into a SIEM (Security Information and Event Management) system to receive alerts when abnormal activity is detected. SIEM systems can help you achieve compliance with organizational and governmental activity monitoring requirements.

    • To learn how to forward audit logs into SIEM solutions like Mezmo, QRadar®, and Splunk, see Audit events.
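The following SQL is an added example, not part of the IBM documentation, that puts the ADMIN_TASK_UPDATE call from the note above into a check-change-verify sequence: it reads the AUDIT_UPDATE task's current schedule, changes the interval to a value that satisfies both constraints the note states (at least 6 minutes, and not a divisor of 70 such as 7, 10, or 14), confirms the new schedule, and then reviews the scheduler's recent run records. Because streaming to zen-audit is asynchronous and delivery is not guaranteed, the last query is the check a practitioner would run before trusting the SIEM feed. It assumes the task is named AUDIT_UPDATE as on this page and that the standard Db2 administrative task scheduler views SYSTOOLS.ADMIN_TASK_LIST and SYSTOOLS.ADMIN_TASK_STATUS, with their usual columns, are readable by the connected user.

```sql
-- Added example (not from the IBM documentation). Assumptions: the task name is
-- AUDIT_UPDATE as on the page, and the standard Db2 scheduler views
-- SYSTOOLS.ADMIN_TASK_LIST / SYSTOOLS.ADMIN_TASK_STATUS are readable.

-- 1. Inspect the schedule currently in effect (the page's default is every 15 min).
SELECT NAME, SCHEDULE, PROCEDURE_SCHEMA, PROCEDURE_NAME, REMARKS
  FROM SYSTOOLS.ADMIN_TASK_LIST
 WHERE NAME = 'AUDIT_UPDATE';

-- 2. Change the interval to 12 minutes. 12 is not below the 6-minute floor and
--    does not divide 70 evenly, so the values the page warns about (7, 10, 14)
--    are avoided. The NULL arguments mirror the page's own call.
CALL SYSPROC.ADMIN_TASK_UPDATE(
       'AUDIT_UPDATE', NULL, NULL, NULL,
       '*/12 * * * *', NULL,
       'Periodically update audit log file');

-- 3. Confirm that the scheduler stored the new cron expression.
SELECT NAME, SCHEDULE
  FROM SYSTOOLS.ADMIN_TASK_LIST
 WHERE NAME = 'AUDIT_UPDATE';

-- 4. Streaming is asynchronous and delivery is not guaranteed, so review the
--    most recent runs: a non-zero SQLCODE, or a STATUS other than COMPLETED,
--    means the push to zen-audit needs investigation before the SIEM feed is
--    relied on.
SELECT NAME, STATUS, INVOCATION, BEGIN_TIME, END_TIME, SQLCODE, SQLSTATE
  FROM SYSTOOLS.ADMIN_TASK_STATUS
 WHERE NAME = 'AUDIT_UPDATE'
 ORDER BY BEGIN_TIME DESC
 FETCH FIRST 5 ROWS ONLY;
```

Run the statements in order from a Db2 command line or SQL client connected to the Watson Query database; step 4 is worth scheduling as a routine health check, since a silently failing AUDIT_UPDATE task leaves the downstream audit service and any SIEM alerts without data.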

Learn more

For information on known issues and limitations for auditing, see Audit issues.