Extracting audit data for DB2 v9.5

You can extract audit data when you are using IBM® DB2® v9.5.

Procedure

  1. Log in to a DB2 account that has SYSADM authority (the db2audit command requires it).
  2. Write any audit records still buffered in the database instance to the active audit log:

    db2audit flush

    For example, the flush command response might resemble the following output:

    AUD0000I Operation succeeded.

  3. Archive the active audit log, moving it to a new location for later extraction:

    db2audit archive

    For example, an archive command response might resemble the following output:

    Node AUD  Archived or Interim Log File                    Message
    ---- ---  ------------------------------------------------ -----------------------------
       - 0    db2audit.instance.log.0.20091217125028          AUD0000I Operation succeeded.

    Note: In DB2 v9.5 and later, the archive command replaces the prune command.

    The archive command moves the active audit log to a new location, so the active log afterwards holds only records written since the archive; the non-active records have effectively been pruned from it. The archived file is named db2audit.instance.log.<node>.<timestamp>, and that name is what the extract command in the next step takes as input. The archive command must complete before the extract runs.

  4. Extract the data from the archived audit log and write the data to .del files:

    db2audit extract delasc from files db2audit.instance.log.0.20091217125028

    For example, an extract command response might resemble the following output:

    AUD0000I Operation succeeded.

    Note: Double quotation marks (") are the default text delimiter in the extracted ASCII files. Keep the default; do not change the delimiter.
  5. Move the .del files to a storage location from which IBM QRadar can pull them. Synchronize the movement of the comma-delimited (.del) files with the file pull interval configured in QRadar.

    You are now ready to create a log source in QRadar to collect DB2 log files.
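The following script is an added example, not part of the IBM page or of DB2 itself. It runs steps 2 to 5 above as one unattended job, taking the archived file name from the output of db2audit archive rather than typing it by hand, extracting into a fresh directory so the .del files hold only this archive's records, and renaming the finished files into the QRadar pickup directory so a poll that lands mid-copy never sees a partial file. The `to` and `from path` options of db2audit archive and extract are used as documented in the DB2 command reference (the page itself shows only the bare forms); the archive and staging paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM page): flush -> archive -> extract -> stage
# for DB2 audit data, with the extract step fed the file the archive step
# actually produced. Assumptions: the db2audit `to` / `from path` options as
# in the DB2 command reference; placeholder paths; QRadar polls $stage_dir.
set -eu
umask 027   # audit extracts are sensitive: nothing we write is world-readable

# Print the archived log file name(s) found in `db2audit archive` output.
# Matches db2audit.instance.log.N.TIMESTAMP and db2audit.db.DBNAME.log.N.TIMESTAMP.
# Header and separator lines contain no such token and are skipped; when the
# output shows a full path, only the file name part is printed, because the
# pattern is anchored at the literal "db2audit." of the file name.
parse_archived_files() {
    grep -o 'db2audit\.[^[:space:]]*\.log\.[0-9][0-9]*\.[0-9][0-9]*' || true
}

# Move finished .del files from $1 into the QRadar pickup directory $2.
# Each file is copied under a dot-prefixed temporary name inside the target
# directory and then renamed into place; the rename is atomic on one
# filesystem, so QRadar never picks up a half-written file. Prints the count.
stage_del_files() {
    src_dir=$1
    stage_dir=$2
    count=0
    mkdir -p "$stage_dir"
    for f in "$src_dir"/*.del; do
        [ -e "$f" ] || continue          # no matches: the glob stays literal
        base=$(basename "$f")
        cp "$f" "$stage_dir/.$base.part"
        mv "$stage_dir/.$base.part" "$stage_dir/$base"
        rm -f "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Steps 2-5 of the procedure. $1 is the QRadar pickup directory, $2 the
# directory db2audit archive writes to (placeholder default).
run_extract() {
    stage_dir=$1
    archive_dir=${2:-/var/db2audit/archive}
    # Fresh work directory: db2audit extract appends to existing .del files
    # (audit.del, checking.del, secmaint.del, ...), so never reuse one.
    work_dir=$(mktemp -d)
    trap 'rm -rf "$work_dir"' EXIT

    db2audit flush                                          # step 2
    archive_out=$(db2audit archive to "$archive_dir")       # step 3
    archived=$(printf '%s\n' "$archive_out" | parse_archived_files)
    if [ -z "$archived" ]; then
        echo "db2audit archive reported no archived log file:" >&2
        printf '%s\n' "$archive_out" >&2
        return 1
    fi
    for name in $archived; do                               # step 4
        db2audit extract delasc to "$work_dir" from path "$archive_dir" files "$name"
    done
    n=$(stage_del_files "$work_dir" "$stage_dir")           # step 5
    echo "staged $n .del file(s) in $stage_dir from: $archived"
}

# Run the pipeline only when a pickup directory is given on the command line;
# sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    run_extract "$@"
fi
```

Run it from cron under the instance owner, at the same interval as the QRadar log file protocol poll, for example `./db2_audit_extract.sh /srv/qradar/db2 /var/db2audit/archive`. Because each run archives the active log first, every .del set covers exactly the records since the previous run, and the archived originals stay in the archive directory for forensics.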