Extracting audit data for DB2 v9.5
You can extract audit data when you are using IBM® DB2® v9.5.
Procedure
- Log in to a DB2 account with SYSADMIN privilege.
- Move the audit records from the database instance to the audit log:
  db2audit flush
  For example, the flush command response might resemble the following output:
  AUD00001 Operation succeeded.
- Archive and move the active instance to a new location for future extraction:
  db2audit archive
  For example, an archive command response might resemble the following output:
  Node AUD      Archived or Interim Log File            Message
  ---- -------- --------------------------------------- -----------------------------
  0    AUD00001 dbsaudit.instance.log.0.20091217125028  AUD00001 Operation succeeded.
  Note: In DB2 v9.5 and later, the archive command replaces the prune command. The archive command moves the active audit log to a new location, effectively pruning all non-active records from the log. An archive command must be complete before an extract can be executed.
- Extract the data from the archived audit log and write the data to .del files:
  db2audit extract delasc from files db2audit.instance.log.0.200912171528
  For example, an extract command response might resemble the following output:
  AUD00001 Operation succeeded.
  Note: Double quotation marks (") are used as the default text delimiter in the ASCII files; do not change the delimiter.
- Move the .del files to a storage location where IBM QRadar can pull the file. The movement of the comma-delimited (.del) files should be synchronized with the file pull interval in QRadar.
You are now ready to create a log source in QRadar to collect DB2 log files.
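The following POSIX shell script is an added example, not IBM's or QRadar's own tooling. It chains the flush, archive, extract and move steps above, parses the table printed by db2audit archive to obtain the archived log file name that the extract step needs, and stages the resulting .del files for the QRadar pull by writing to a temporary name and renaming, so a pull that coincides with the move never picks up a half-written file. It assumes db2audit is on the PATH and is run by an account with the required authority, that this system's extract writes its .del files into the directory given by DEL_DIR (verify this for your instance), and it uses /var/qradar/db2_pickup as a constructed placeholder for the pickup location.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: automates the flush / archive /
# extract / move procedure for DB2 v9.5 audit data. Assumptions: db2audit is
# on PATH and is run by an account with the required authority; DEL_DIR is
# where this instance's extract writes its .del files (verify for your
# system); PICKUP_DIR is a constructed placeholder for the QRadar pickup path.

DEL_DIR="${DEL_DIR:-.}"
PICKUP_DIR="${PICKUP_DIR:-/var/qradar/db2_pickup}"

# db2audit reports success with an "AUD00001 Operation succeeded." line;
# anything else is treated as a failure so the pipeline stops early.
db2audit_ok() {
    case "$1" in
        *"Operation succeeded"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the archived log file name out of the archive command's table output
# (columns: Node, AUD, Archived or Interim Log File, Message). The file name
# is the third field of the data row; header and separator rows never match.
archived_log_from_output() {
    printf '%s\n' "$1" | awk '$3 ~ /\.instance\.log\./ { print $3; exit }'
}

# Run one db2audit subcommand and fail loudly unless it reports success.
run_step() {
    _out=$(db2audit "$@" 2>&1) || { echo "db2audit $1 failed: $_out" >&2; return 1; }
    db2audit_ok "$_out" || { echo "db2audit $1 did not succeed: $_out" >&2; return 1; }
    printf '%s\n' "$_out"
}

run_extraction() {
    run_step flush >/dev/null || return 1
    archive_out=$(run_step archive) || return 1
    log=$(archived_log_from_output "$archive_out")
    [ -n "$log" ] || { echo "no archived log file name in archive output" >&2; return 1; }
    # The archive must be complete before extract runs; run_step is synchronous,
    # so reaching this line means the archive step has already returned.
    run_step extract delasc from files "$log" >/dev/null || return 1

    # Stage each .del file under a temporary name, make it group-readable for
    # the QRadar pull account (adjust the mode to your setup), then rename it
    # into place so QRadar only ever sees complete files.
    mkdir -p "$PICKUP_DIR"
    for f in "$DEL_DIR"/*.del; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        cp "$f" "$PICKUP_DIR/.$base.tmp" &&
            chmod 0640 "$PICKUP_DIR/.$base.tmp" &&
            mv -f "$PICKUP_DIR/.$base.tmp" "$PICKUP_DIR/$base" &&
            rm -f "$f" || { echo "failed to stage $f" >&2; return 1; }
    done
}

# Only run the real procedure when invoked explicitly, e.g. from cron at an
# interval matching the QRadar file pull:   sh extract_db2_audit.sh run
if [ "${1:-}" = "run" ]; then
    run_extraction
fi
```

Scheduling the script at the same interval as the QRadar file pull, as the last step above asks, keeps each pull aligned with one archive; because run_step checks every response for the success message, a failed archive never leads to an extract against a missing log, and a failed extract never leaves stale .del files in the pickup directory.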