Extracting audit data for DB2 v8.x to v9.4
You can extract audit data when you are using IBM® DB2® v8.x to v9.4.
Procedure
- Log in to a DB2 account that has SYSADM (system administrator) authority, which the db2audit command requires.
- Start auditing on the database instance:
  db2audit start
  A successful start returns a response that resembles the following output:
  AUD00001 Operation succeeded.
- Flush the audit records that are buffered in the instance to the audit log:
  db2audit flush
  A successful flush returns a response that resembles the following output:
  AUD00001 Operation succeeded.
- Extract the records from the audit log into delimited ASCII (.del) files:
  db2audit extract delasc
  A successful extract returns a response that resembles the following output:
  AUD00001 Operation succeeded.
  Note: Double quotation marks (") are the default text delimiter in the delimited ASCII files. Do not change the delimiter; QRadar expects it when it parses the files.
- Remove the records that you extracted from the audit log, so that the next extraction does not write them again:
  db2audit prune all
- Move the .del files to a storage location from which QRadar can pull them. Schedule the move so that it matches the file pull interval of the QRadar log source; otherwise a later extraction can overwrite a file before QRadar has pulled it, or QRadar can pull the same file twice.
You are now ready to create a log source in QRadar to collect the DB2 audit files.
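The following script is an added example and is not part of the IBM page or of DB2; it runs the flush, extract and prune steps above non-interactively (for example from cron on the same interval as the QRadar file pull) and moves the resulting .del files into the pull directory. The settings DB2AUDIT_CMD, AUDIT_DEL_DIR and QRADAR_PULL_DIR are hypothetical and must be set for your instance; in particular, AUDIT_DEL_DIR is whatever directory your db2audit version writes its .del files to. Two choices go beyond the bare procedure: the audit log is pruned only after the .del files have been moved, so records are never deleted before their copy is in the pull directory, and each file is renamed with a timestamp so that a new extraction cannot overwrite a file that QRadar has not pulled yet. The delimiter check enforces the note about the double quotation mark.

```shell
#!/bin/sh
# Added example, not from the IBM QRadar page: one db2audit collection cycle.
# "db2audit start" is a one-time step and is not repeated here.
#
# Hypothetical settings, adjust for your instance:
#   DB2AUDIT_CMD     the db2audit binary (or a wrapper) to invoke
#   AUDIT_DEL_DIR    the directory in which "db2audit extract delasc" writes .del files
#   QRADAR_PULL_DIR  the directory that the QRadar log source pulls from
DB2AUDIT_CMD="${DB2AUDIT_CMD:-db2audit}"
AUDIT_DEL_DIR="${AUDIT_DEL_DIR:-/var/lib/db2audit/extract}"
QRADAR_PULL_DIR="${QRADAR_PULL_DIR:-/var/qradar/db2audit}"

# Run one db2audit subcommand and judge success by the AUD00001 message the
# page shows rather than by the exit status alone. Returns 0 on success.
db2audit_step() {
  out=$("$DB2AUDIT_CMD" "$@" 2>&1)
  case "$out" in
    *AUD00001*) return 0 ;;
    *) printf 'db2audit %s failed: %s\n' "$*" "$out" >&2; return 1 ;;
  esac
}

# The .del files must keep the default double-quote text delimiter.
# Returns 0 if the file is empty or its first line contains a double quote.
del_delimiter_ok() {
  [ -s "$1" ] || return 0
  head -n 1 "$1" | grep -q '"'
}

# Move every .del file from $1 to $2 under a timestamped name. Files whose
# delimiter is wrong are left in place and reported, and the function then
# returns 1 so that the caller does not prune. Prints the number of files moved.
publish_del_files() {
  src="$1"; dst="$2"; stamp="$3"; moved=0; skipped=0
  for f in "$src"/*.del; do
    [ -e "$f" ] || continue
    if ! del_delimiter_ok "$f"; then
      printf 'not moving %s: text delimiter is not "\n' "$f" >&2
      skipped=1
      continue
    fi
    mv "$f" "$dst/$(basename "$f" .del)_$stamp.del"
    moved=$((moved + 1))
  done
  echo "$moved"
  [ "$skipped" -eq 0 ]
}

# One cycle: flush, extract, publish, and only then prune, so that records
# leave the audit log only after their .del copy is in the pull directory.
# Prints the number of files published; returns 1 if any step failed.
extract_and_publish() {
  mkdir -p "$QRADAR_PULL_DIR" || return 1
  stamp=$(date +%Y%m%d%H%M%S)
  db2audit_step flush || return 1
  db2audit_step extract delasc || return 1
  moved=$(publish_del_files "$AUDIT_DEL_DIR" "$QRADAR_PULL_DIR" "$stamp") || return 1
  db2audit_step prune all || return 1
  echo "$moved"
}

# Run one cycle when invoked as "sh db2audit_collect.sh run", for example from
# a cron entry on the same interval as the QRadar log source's file pull.
if [ "${1:-}" = "run" ]; then
  extract_and_publish
fi
```

Run it as the instance owner with SYSADM authority, and give the QRadar pull account read access to QRADAR_PULL_DIR only; the audit log itself should stay readable by the instance owner alone.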