Configuring log streaming for Db2 Warehouse

After Db2 Warehouse audit logging is enabled, you can create a log streaming pod to forward the audit logs to the IBM® Software Hub audit service.

Before you begin

Enable audit logging for the Db2 Warehouse service. For more information, see Configuring audit logging for Db2 Warehouse.

Procedure

  1. Create environment variables for your environment.
    1. Run the following command to determine the name of your active Db2uCluster or Db2uInstance: 
      oc get db2ucluster,db2uinstance -n ${PROJECT_CPD_INST_OPERANDS}
    2. Set the db2ucluster-name or db2uinstance-name environment variable to the database instance you want to configure log streaming for: 
      export DB2_CR_ID=<db2ucluster-name/db2uinstance-name>
    3. Run the following command to determine the TLS secret of your database instance: 
      $ oc get secret -n ${PROJECT_CPD_INST_OPERANDS} | grep tls
    4. Set the INSTANCE_TLS environment variable to the TLS secret for the database instance that you want to configure log streaming for: 
      export INSTANCE_TLS=<instance-tls>
      For example, for the DB2WH instance, you can set it to the default secret:
      export INSTANCE_TLS=db2wh-internal-tls
  2. Run the following command for Db2uCluster or Db2uInstance to confirm that audit logging is enabled and the auditlogs PVC has been created for your deployed database. 
    oc get db2ucluster ${DB2_CR_ID} -oyaml
    oc get db2uinstance ${DB2_CR_ID} -oyaml
    Confirm that enableAudit is set to true and auditlogs PVC is added in storage configs.
  3. Create the log stream pod: 
    cat << EOF | oc apply -f -
apiVersion: db2ulog.databases.ibm.com/v1alpha1
kind: Db2uLogStream
metadata:
  name: $DB2_CR_ID
spec:
  configurations:
    - type: audit
      format: cadf
      connection: cp4d
  connections:
    cp4d:
      endpoint: https://zen-audit-svc.${PROJECT_CPD_INST_OPERANDS}:9880/records
      credentials: $INSTANCE_TLS
      authType: tls
  resources: # this field is optional and used to control the resources of the logstreaming pod
    limits:
      cpu: "100m"
      memory: "300Mi"
    requests:
      cpu: "100m"
      memory: "300Mi"
EOF
    Note: You can set resource limits for your log streaming pod by populating the resources fields. Default values are used if you leave the fields empty.
    The log stream pod is created after applying the yaml file. You can run the following commanded to verify that the pod is now active: 
    $ oc get pod | grep logstream
    The command will generate output similar to the following example:
    c-db2wh-audit-test-logstream-6fb596cd5f-5r4xd                   1/1     Running     0            43h