Monitoring user activity with auditing in Data Virtualization

To monitor and record user activities that occur at the Data Virtualization database level, you can use the built-in Db2 audit logging feature, which seamlessly integrates with the IBM® Software Hub Audit Logging facility.

Important: Audited events in Data Virtualization are asynchronously streamed to the IBM Software Hub centralized audit service. The asynchronous nature of log streaming does not guarantee the delivery of the events to and acceptance by the downstream services, including the IBM Software Hub audit service.

Overview of audit logs

You can use Data Virtualization audit logs to solve security challenges in the following ways:
  • You can capture detailed information about user access to specific objects, including whether the access was granted or denied. Detailed information about user access can help you identify potential security threats in real time and take appropriate action to mitigate them.

    • Audit logging captures both successful and failed events in the following audit event categories: AUDIT, VALIDATE, CHECKING, SECMAINT, and OBJMAINT.
      Note: The stored procedures and tables that store audit data are created in the AUDIT schema.
    • To view auditable events, see Db2 audit events for Data Virtualization.

  • You can generate historical audit logs to trace the actions that lead up to a particular issue. This feature lets you pinpoint concerning behaviors that are performed on a database or user interactions that might require further troubleshooting.

    By default, audit logs are streamed to the zen-audit service every 15 minutes. You can shorten the interval by running the following command; however, shortening the interval to less than 6 minutes is not recommended. Also avoid any interval that divides evenly into 70 minutes (1 hour and 10 minutes), such as 7, 10, or 14, so that the job does not overlap with other audit-related jobs.
    CALL SYSPROC.ADMIN_TASK_UPDATE( 'AUDIT_UPDATE', NULL, NULL, NULL, '*/6 * * * *', NULL, 'Periodically update audit log file' )
  • You can feed audit logs into a SIEM (Security Information and Event Management) system to receive alerts when abnormal activity is detected. SIEM systems can help you achieve compliance with organizational and governmental activity monitoring requirements.
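The interval rules above (no shorter than 6 minutes, and nothing that collides with the 70-minute audit jobs) are easy to get wrong by hand. The following helper is an added example, not IBM code: it validates a candidate `*/N` minute step and builds the ADMIN_TASK_UPDATE call shown above. It assumes the procedure signature exactly as the page shows it, and reads the page's bad examples (7, 10, 14) as "any step that divides 70 evenly".

```python
"""Helper for choosing the AUDIT_UPDATE streaming interval.

Constructed example, not part of the IBM documentation. It encodes the
page's two constraints: do not go below 6 minutes, and avoid intervals
that overlap the 70-minute (1 h 10 min) audit jobs. The page's examples
of bad values (7, 10, 14) all divide 70 evenly, so that is the rule
checked here (an assumption about the page's wording).
"""

MIN_INTERVAL_MINUTES = 6        # page: below 6 minutes is not recommended
CONFLICTING_CYCLE_MINUTES = 70  # page: other audit-related jobs use a 70-minute cycle


def check_audit_interval(minutes: int) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate '*/N' cron minute step."""
    if not isinstance(minutes, int) or minutes < 1 or minutes > 59:
        return False, "cron minute step must be an integer from 1 to 59"
    if minutes < MIN_INTERVAL_MINUTES:
        return False, f"{minutes} min is below the recommended minimum of {MIN_INTERVAL_MINUTES}"
    if CONFLICTING_CYCLE_MINUTES % minutes == 0:
        return False, (f"{minutes} min divides the {CONFLICTING_CYCLE_MINUTES}-minute cycle "
                       "and would overlap other audit-related jobs")
    return True, "ok"


def audit_update_schedule_sql(minutes: int) -> str:
    """Build the ADMIN_TASK_UPDATE call from the page, refusing unsafe intervals."""
    ok, reason = check_audit_interval(minutes)
    if not ok:
        raise ValueError(reason)
    cron = f"*/{minutes} * * * *"
    return ("CALL SYSPROC.ADMIN_TASK_UPDATE('AUDIT_UPDATE', NULL, NULL, NULL, "
            f"'{cron}', NULL, 'Periodically update audit log file')")


def acceptable_intervals() -> list[int]:
    """Every minute step from 1 to 59 that passes both checks, for reference."""
    return [m for m in range(1, 60) if check_audit_interval(m)[0]]


if __name__ == "__main__":
    for m in (5, 6, 7, 10, 14, 15, 35):
        print(m, check_audit_interval(m))
    print(audit_update_schedule_sql(6))
```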