Audit record layout for VALIDATE events
VALIDATE event records log authentication and user validation activities.
Sample audit record:
timestamp=2007-05-07-10.30.51.585626;
category=VALIDATE;
audit event=AUTHENTICATION;
event correlator=1;
event status=0;
userid=newton;
authid=NEWTON;
execution id=gstager;
application id=*LOCAL.gstager.070507143051;
application name=db2bp;
auth type=SERVER;
plugin name=IBMOSauthserver;
Each item is shown in the table in the same order as it is output in the delimited file after the extract operation.
| NAME | FORMAT | DESCRIPTION |
|---|---|---|
| Timestamp | CHAR(26) | Date and time of the audit event. |
| Category | CHAR(8) | Category of audit event. Possible values are:
VALIDATE
|
| Audit Event | VARCHAR(32) | Specific Audit Event. Possible values include: AUTHENTICATION and GET_USERMAPPING_FROM_PLUGIN. The following events are not generated by Db2 9.5 and later, but may still appear when audit records from pre-9.5 Db2 instances are formatted: CHECK_GROUP_MEMBERSHIP, GET_GROUPS, and GET_USERID. |
| Event Correlator | INTEGER | Correlation identifier for the operation is audited. Can be used to identify what audit records are associated with a single event. |
| Event Status | INTEGER | Status of audit event, represented by an SQLCODE where
Successful event > = 0
Failed event < 0 |
| Database Name | CHAR(8) | Name of the database for which the event was generated. Blank if this was an instance level audit event. |
| User ID | VARCHAR(1024) | User ID at time of audit event. |
| Authorization ID | VARCHAR(128) | Authorization ID at time of audit event. |
| Execution ID | VARCHAR(1024) | Execution ID in use at the time of the audit event. |
| Origin Node Number | SMALLINT | Member number at which the audit event occurred. |
| Coordinator Node Number | SMALLINT | Member number of the coordinator member. |
| Application ID | VARCHAR(255) | Application ID in use at the time the audit event occurred. |
| Application Name | VARCHAR(1024) | Application name in use at the time the audit event occurred. |
| Authentication Type | VARCHAR(32) | Authentication type at the time of the audit event. |
| Package Schema | VARCHAR(128) | Schema of the package in use at the time of the audit event. |
| Package Name | VARCHAR(128) | Name of package in use at the time the audit event occurred. |
| Package Section Number | SMALLINT | Section number in package being used at the time the audit event occurred. |
| Package Version | VARCHAR(64) | Version of the package in use at the time the audit event occurred. |
| Plug-in Name | VARCHAR(32) | The name of the plug-in in use at the time the audit event occurred. |
| Local Transaction ID | VARCHAR(10) FOR BIT DATA | The local transaction ID in use at the time the audit event occurred. This is the SQLU_TID structure that is part of the transaction logs. |
| Global Transaction ID | VARCHAR(30) FOR BIT DATA | The global transaction ID in use at the time the audit event occurred. This is the data field in the SQLP_GXID structure that is part of the transaction logs. |
| Client User ID | VARCHAR(255) | The value of the CURRENT CLIENT USERID special register at the time the audit event occurred. |
| Client Workstation Name | VARCHAR(255) | The value of the CURRENT CLIENT_WRKSTNNAME special register at the time the audit event occurred. |
| Client Application Name | VARCHAR(255) | The value of the CURRENT CLIENT_APPLNAME special register at the time the audit event occurred. |
| Client Accounting String | VARCHAR(255) | The value of the CURRENT CLIENT_ACCTNG special register at the time the audit event occurred. |
| Trusted Context Name | VARCHAR(255) | The name of the trusted context associated with the trusted connection. |
| Connection Trust Type | CHAR(1) |
Possible values are:
'' - NONE '1' - IMPLICIT_TRUSTED_CONNECTION '2' - EXPLICIT_TRUSTED_CONNECTION |
| Role Inherited | VARCHAR(128) | The name of the role that is inherited through the trusted context. |
| Original User ID | VARCHAR(1024) | The value of the CLIENT_ORIGUSERID global variable at the time the audit event occurred. |
| Instance name | VARCHAR(128) | Instance name in use at the time the audit event occurred. |
| Hostname | VARCHAR(255) | Hostname in use at the time the audit event occurred. |
| Tenant name | VARCHAR(128) | Tenant name in use at the time the audit event occurred. |