Audit record layout for AUDIT events
The following table shows the layout of the audit record for AUDIT events.
Sample audit record:
timestamp=2007-04-10-08.29.52.000001;
category=AUDIT;
audit event=START;
event correlator=0;
event status=0;
userid=newton;
authid=NEWTON;
application id=*LOCAL_APPLICATION;
application name=db2audit.exe;
NAME | FORMAT | DESCRIPTION |
---|---|---|
Timestamp | CHAR(26) | Date and time of the audit event. |
Category | CHAR(8) | Category of audit event. Possible values are: AUDIT |
Audit Event | VARCHAR(32) | Specific Audit Event. For a list of possible values, refer to the section for the AUDIT category in Audit events. |
Event Correlator | INTEGER | Correlation identifier for the operation being audited. Can be used to identify what audit records are associated with a single event. |
Event Status | INTEGER | Status of audit event, represented by an SQLCODE where: Successful event >= 0; Failed event < 0 |
User ID | VARCHAR(1024) | User ID at time of audit event. |
Authorization ID | VARCHAR(128) | Authorization ID at time of audit event. |
Database Name | CHAR(8) | Name of the database for which the event was generated. Blank if this was an instance level audit event. |
Origin Node Number | SMALLINT | Member number at which the audit event occurred. |
Coordinator Node Number | SMALLINT | Member number of the coordinator member. |
Application ID | VARCHAR(255) | Application ID in use at the time the audit event occurred. |
Application Name | VARCHAR(1024) | Application name in use at the time the audit event occurred. |
Package Schema | VARCHAR(128) | Schema of the package in use at the time of the audit event. |
Package Name | VARCHAR(128) | Name of package in use at the time the audit event occurred. |
Package Section | SMALLINT | Section number in package being used at the time the audit event occurred. |
Package Version | VARCHAR(64) | Version of the package in use at the time the audit event occurred. |
Local Transaction ID | VARCHAR(10) FOR BIT DATA | The local transaction ID in use at the time the audit event occurred. This is the SQLU_TID structure that is part of the transaction logs. |
Global Transaction ID | VARCHAR(30) FOR BIT DATA | The global transaction ID in use at the time the audit event occurred. This is the data field in the SQLP_GXID structure that is part of the transaction logs. |
Client User ID | VARCHAR(255) | The value of the CURRENT CLIENT USERID special register at the time the audit event occurred. |
Client Workstation Name | VARCHAR(255) | The value of the CURRENT CLIENT_WRKSTNNAME special register at the time the audit event occurred. |
Client Application Name | VARCHAR(255) | The value of the CURRENT CLIENT_APPLNAME special register at the time the audit event occurred. |
Client Accounting String | VARCHAR(255) | The value of the CURRENT CLIENT_ACCTNG special register at the time the audit event occurred. |
Trusted Context Name | VARCHAR(255) | The name of the trusted context associated with the trusted connection. |
Connection Trust Type | CHAR(1) | Possible values are: '' - NONE; '1' - IMPLICIT_TRUSTED_CONNECTION; '2' - EXPLICIT_TRUSTED_CONNECTION |
Role Inherited | VARCHAR(128) | The role inherited through a trusted connection. |
Policy Name | VARCHAR(128) | The audit policy name. |
Policy Association Object Type | CHAR(1) | The type of the object that the audit policy is associated with. Possible values include: |
Policy Association Subobject Type | CHAR(1) | The type of sub-object that the audit policy is associated with. If the Object Type is ? (authorization id), then possible values are: |
Policy Association Object Name | VARCHAR(128) | The name of the object that the audit policy is associated with. |
Policy Association Object Schema | VARCHAR(128) | The schema name of the object that the audit policy is associated with. This is NULL if the Policy Association Object Type identifies an object to which a schema does not apply. |
Audit Status | CHAR(1) | The status of the AUDIT category in an audit policy. Possible values are: |
Checking Status | CHAR(1) | The status of the CHECKING category in an audit policy. Possible values are: |
Context Status | CHAR(1) | The status of the CONTEXT category in an audit policy. Possible values are: |
Execute Status | CHAR(1) | The status of the EXECUTE category in an audit policy. Possible values are: |
Execute With Data | CHAR(1) | The WITH DATA option of the EXECUTE category in the audit policy. Possible values are: |
Objmaint Status | CHAR(1) | The status of the OBJMAINT category in an audit policy. Possible values are: |
Secmaint Status | CHAR(1) | The status of the SECMAINT category in an audit policy. See Audit Status field for possible values. |
Sysadmin Status | CHAR(1) | The status of the SYSADMIN category in an audit policy. Possible values are: |
Validate Status | CHAR(1) | The status of the VALIDATE category in an audit policy. Possible values are: |
Error Type | CHAR(8) | The error type in an audit policy. Possible values are: AUDIT and NORMAL. |
Data Path | VARCHAR(1024) | The path to the active audit logs specified on the db2audit configure command. |
Archive Path | VARCHAR(1024) | The path to the archived audit logs specified on the db2audit configure command. |
Original User ID | VARCHAR(1024) | The value of the CLIENT_ORIGUSERID global variable at the time the audit event occurred. |
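
The following Python example is added here and is not part of the original documentation. It parses records in the `name=value;` form shown in the sample audit record and applies the Event Status rule from the table (SQLCODE >= 0 is success, < 0 is failure). It assumes that a `timestamp` line opens each record; the function names and the second record in the input are constructed for illustration.

```python
from datetime import datetime

# Constructed input: the first record is the page's sample; the second is a
# made-up failed event (negative SQLCODE) for illustration.
SAMPLE = """\
timestamp=2007-04-10-08.29.52.000001;
category=AUDIT;
audit event=START;
event correlator=0;
event status=0;
userid=newton;
authid=NEWTON;
application id=*LOCAL_APPLICATION;
application name=db2audit.exe;
timestamp=2007-04-10-08.31.07.000002;
category=AUDIT;
audit event=START;
event correlator=1;
event status=-1092;
userid=kepler;
authid=KEPLER;
application id=*LOCAL_APPLICATION;
application name=db2audit.exe;
"""

INT_FIELDS = {"event correlator", "event status"}  # INTEGER columns in the table

def parse_records(text):
    """Parse 'name=value;' lines; assumes a 'timestamp' line opens each record."""
    records = []
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")  # split on the first '=' only
        if not sep:
            continue  # blank or non-field line
        name = name.strip().lower()
        value = value[:-1] if value.endswith(";") else value
        if name == "timestamp":
            records.append({})
            value = datetime.strptime(value, "%Y-%m-%d-%H.%M.%S.%f")
        if not records:
            continue  # field seen before any timestamp line: ignore it
        records[-1][name] = int(value) if name in INT_FIELDS else value
    return records

def failed_events(records):
    """Event Status is an SQLCODE: >= 0 is success, < 0 is failure."""
    return [r for r in records if r.get("event status", 0) < 0]

if __name__ == "__main__":
    for r in failed_events(parse_records(SAMPLE)):
        print(r["timestamp"].isoformat(), r["audit event"], r["userid"], r["event status"])
```

Grouping the parsed records by `event correlator` collects all records that belong to a single audited operation, as the table describes.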