Extracting audit data for DB2 v8.x to v9.4

You can extract audit data when you are using IBM® DB2® v8.x to v9.4.

Procedure

  1. Log in to a DB2 account that holds SYSADM authority (the DB2 system administrator authority; db2audit cannot be run without it).
  2. Type the following start command to audit a database instance:

    db2audit start

    For example, the start command response might resemble the following output:

    AUD00001 Operation succeeded.

  3. Flush the audit records that are still buffered in the instance to the audit log:

    db2audit flush

    For example, the flush command response might resemble the following output:

    AUD00001 Operation succeeded.

  4. Extract the records from the audit log and write them to delimited ASCII (.del) files:

    db2audit extract delasc

    For example, the extract command response might resemble the following output:

    AUD00001 Operation succeeded.

    Note: Double quotation marks (") are the default text delimiter in the .del files. Do not change the delimiter.
  5. Prune the audit log so that records that have already been extracted are not extracted again:

    db2audit prune all

  6. Move the .del files to a storage location from which IBM QRadar can pull them. Synchronize the move of the comma-delimited (.del) files with the file pull interval of the QRadar log source, so that each set of extracted files is in place when QRadar polls for it.

    You are now ready to create a log source in QRadar to collect the DB2 audit files.
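The steps above are normally run by hand once and then scheduled. The following script is an added example, not IBM's or QRadar's code, that wraps the procedure so it can be run unattended: every db2audit response is checked for the AUD00001 success message before the next step runs, and the .del files are then moved, with a timestamp prefix so that a later extract cannot overwrite a file QRadar has not yet pulled, into the pickup directory. The instance security directory (assumed here to be $HOME/sqllib/security), the pickup directory /var/qradar/db2audit, and the 0640 file mode are assumptions for the example, not values taken from the page.

```shell
#!/bin/sh
# Added example: automate the db2audit start/flush/extract/prune procedure
# and stage the resulting .del files for the QRadar log file protocol.
# Assumptions (not from the page): the DB2 instance environment (db2profile)
# is already sourced, extract delasc writes into $DB2_SECURITY_DIR, and the
# QRadar pull account can read files in $QRADAR_PICKUP_DIR.

DB2_SECURITY_DIR="${DB2_SECURITY_DIR:-$HOME/sqllib/security}"
QRADAR_PICKUP_DIR="${QRADAR_PICKUP_DIR:-/var/qradar/db2audit}"

# Return 0 when a db2audit response carries the AUD00001 success message.
audit_ok() {
    case "$1" in
        *AUD00001*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run one db2audit subcommand; fail unless both the exit status and the
# response text indicate success, so a later step never runs on a bad log.
run_audit() {
    out=$(db2audit "$@" 2>&1) || { printf 'db2audit %s: %s\n' "$*" "$out" >&2; return 1; }
    audit_ok "$out"          || { printf 'db2audit %s: %s\n' "$*" "$out" >&2; return 1; }
    printf '%s\n' "$out"
}

# Move every .del file from $1 into $2 under a UTC timestamp prefix, set a
# read-only-for-group mode for the pull account, and print the file count.
stage_del_files() {
    src="$1"; dst="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)   # one prefix per extract run
    n=0
    mkdir -p "$dst"
    for f in "$src"/*.del; do
        [ -f "$f" ] || continue        # no .del files: glob stays literal
        target="$dst/${stamp}_$(basename "$f")"
        mv "$f" "$target"
        chmod 0640 "$target"           # assumed mode; adjust to the pull account
        n=$((n + 1))
    done
    echo "$n"
}

# The page's procedure, in order, with each response checked.
extract_db2_audit() {
    run_audit start          || return 1
    run_audit flush          || return 1
    run_audit extract delasc || return 1
    run_audit prune all      || return 1
    staged=$(stage_del_files "$DB2_SECURITY_DIR" "$QRADAR_PICKUP_DIR") || return 1
    printf 'staged %s .del file(s) in %s\n' "$staged" "$QRADAR_PICKUP_DIR"
}

# Only run against the instance when invoked as: sh db2audit_to_qradar.sh run
if [ "${1:-}" = "run" ]; then
    extract_db2_audit
fi
```

Schedule the script with cron at the same interval as the QRadar log source's file pull so that each run's files are in the pickup directory before the next poll; because stage_del_files keeps one prefix per run, files from a run that QRadar has not yet pulled are never overwritten by the next one.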