Integrating IBM DB2 Audit Events

The IBM® DB2® DSM allows you to integrate your DB2 audit logs into IBM QRadar® for analysis.

When auditing is configured and enabled, the db2audit command creates a set of comma-delimited text files with a .del extension. These files define the scope of audit data for QRadar. Comma-delimited files created by the db2audit command include:

  • audit.del
  • checking.del
  • context.del
  • execute.del
  • objmaint.del
  • secmaint.del
  • sysadmin.del
  • validate.del

To integrate the IBM DB2 DSM with QRadar, you must:

  1. Use the db2audit command to ensure that IBM DB2 records security events. See your IBM DB2 vendor documentation for more information.
  2. Extract the DB2 audit data for events contained in the instance to a log file. The extraction procedure depends on your version of IBM DB2.
  3. Use the Log File protocol source to pull the output instance log file and send that information back to QRadar on a scheduled basis. QRadar then imports and processes this file.
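
Added example, not part of the IBM documentation: a pre-flight check that a scheduler could run on the extract directory before the Log File protocol pull in step 3. It flags missing or stale .del files that would otherwise become silent gaps in the audit data reaching QRadar. The function names, the directory argument, the 24-hour freshness window, and the treatment of empty files as non-fatal are assumptions.

```shell
#!/bin/sh
# Added example: health check for a directory of db2audit .del extracts.
# Assumptions (not from the IBM page): function names, the default
# 1440-minute freshness window, and that an empty file is acceptable
# because a category may have recorded no events.

# The eight comma-delimited files listed above.
DEL_FILES="audit.del checking.del context.del execute.del objmaint.del secmaint.del sysadmin.del validate.del"

# Print "<file> <status>" for each expected file.
# status: missing | empty | stale | ok
check_extract_dir() {
    dir=$1
    max_age_min=${2:-1440}
    for f in $DEL_FILES; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            status=missing            # extract never produced this file
        elif [ ! -s "$p" ]; then
            status=empty              # present, but no events recorded
        elif [ -z "$(find "$p" -mmin "-$max_age_min" 2>/dev/null)" ]; then
            status=stale              # not rewritten within the window
        else
            status=ok
        fi
        echo "$f $status"
    done
}

# Exit status 0 only when no expected file is missing or stale.
extract_is_healthy() {
    ! check_extract_dir "$@" | grep -Eq ' (missing|stale)$'
}

# Stand-alone use: sh check_del.sh <extract-dir> [max-age-minutes]
[ "$#" -eq 0 ] || check_extract_dir "$@"
```

A non-zero result from extract_is_healthy is a reasonable trigger for an alert on the DB2 host, since QRadar itself only sees the files that arrive.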